Hugo Part 2
2024-12-05
Configuring HTTPS access to your blog is free and effortless. Even for websites like blogs that do not handle sensitive information, there are notable benefits to doing so:
- Show your professionalism: how am I going to trust your content if you cannot even get this little thing right? This applies especially to engineers.
- Browser trust: modern browsers mark plain HTTP as "Not Secure" and may discourage or even block visitors from accessing it.
- Search ranking: it is a small factor, but yes, sites that use HTTPS rank slightly higher in search results.
Step by Step Guide
This guide assumes you are using a RHEL-based Linux distribution and Nginx.
1. Install certbot and the nginx plugin.
# update your system
sudo yum update -y
# install certbot and its nginx plugin
sudo yum install -y certbot python3-certbot-nginx
# check the nginx configuration for your site
cat /etc/nginx/conf.d/yourdomain.conf
Your basic configuration should look like this:
server {
    listen 80;
    server_name yourdomain.com;
    root /path/to/your/blog;
    index index.html;
    location / {
        try_files $uri $uri/ =404;
    }
}
2. Obtain an SSL certificate
# run certbot with the nginx plugin and follow the instructions
sudo certbot --nginx
3. Enhancements
Disable direct access by IP address and redirect HTTP to HTTPS.
# modify config file with your favorite editor
sudo -e /etc/nginx/conf.d/yourdomain.conf
Add something like this:
server {
    listen 80;
    server_name yourdomain.com;
    # block direct access by IP address (Host header is a bare IPv4 literal)
    if ($host ~* ^\d+\.\d+\.\d+\.\d+$) {
        return 444;
    }
    # redirect HTTP to HTTPS
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name yourdomain.com;
    if ($host ~* ^\d+\.\d+\.\d+\.\d+$) {
        return 444;
    }
    root /var/www/blog;
    index index.html;
    # SSL
    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    # ssl_protocols TLSv1.2 TLSv1.3;
    # ssl_prefer_server_ciphers on;
    # ssl_ciphers HIGH:!aNULL:!MD5;
    location / {
        try_files $uri $uri/ /index.html;
    }
}
4. Apply configuration
# verify the configuration
sudo nginx -t
# reload nginx
sudo systemctl reload nginx
# restart nginx if needed
sudo systemctl restart nginx
Go back to your blog and check that everything works.
You might also want to go to SSL Labs and run its server test.
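A small post-deploy checker for the three things this guide sets up: the HTTP to HTTPS redirect, the 444 drop for bare-IP requests, and the certificate's remaining lifetime. This is an added example written for this post, not code from it; yourdomain.com and the server IP are placeholders you supply, and all function names are my own.

```python
#!/usr/bin/env python3
"""Post-deploy checks for the nginx + certbot setup above (added example)."""
import http.client
import socket
import ssl
import time
from typing import Optional, Tuple


def check_redirect(status: int, location: str, host: str) -> Tuple[bool, str]:
    """Port 80 should answer with a permanent redirect to https:// on the same host."""
    ok = status in (301, 308) and location.startswith("https://%s/" % host)
    return ok, "status=%d location=%r" % (status, location)


def expect_redirect(host: str, port: int = 80, timeout: float = 5.0) -> Tuple[bool, str]:
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    conn.request("GET", "/", headers={"Host": host})
    resp = conn.getresponse()
    location = resp.getheader("Location", "") or ""
    conn.close()
    return check_redirect(resp.status, location, host)


def expect_dropped(ip: str, port: int = 80, timeout: float = 5.0) -> Tuple[bool, str]:
    """A request whose Host header is the bare IP should get no HTTP response at all:
    nginx's 'return 444' closes the connection without writing anything."""
    try:
        conn = http.client.HTTPConnection(ip, port, timeout=timeout)
        conn.request("GET", "/", headers={"Host": ip})
        resp = conn.getresponse()
        return False, "server answered %d instead of closing the connection" % resp.status
    except (http.client.RemoteDisconnected, ConnectionResetError, socket.timeout) as exc:
        return True, "connection closed without a response (%s)" % type(exc).__name__


def days_until_expiry(not_after: str, now_epoch: Optional[float] = None) -> int:
    """not_after is the 'notAfter' string from getpeercert(), e.g. 'Dec  5 00:00:00 2030 GMT'."""
    exp = ssl.cert_time_to_seconds(not_after)
    now = time.time() if now_epoch is None else now_epoch
    return int((exp - now) // 86400)


def cert_days_left(host: str, port: int = 443) -> int:
    """Full TLS handshake with chain and hostname verification, then read the leaf's expiry."""
    ctx = ssl.create_default_context()  # a broken chain or wrong name raises here, which is the point
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return days_until_expiry(tls.getpeercert()["notAfter"])


if __name__ == "__main__":
    print(expect_redirect("yourdomain.com"))   # placeholder domain
    print(expect_dropped("203.0.113.10"))      # placeholder server IP
    print(cert_days_left("yourdomain.com"))
```

The bare-IP regex in the config above matches IPv4 Host headers only; calling expect_dropped with an IPv6 literal in brackets shows whether your config covers that case too.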
5. Certificate automatic renewal
It should be on already, but you can check it with:
# run a certbot renewal dry run to see if there is any error
sudo certbot renew --dry-run
# or check that the systemd timer is there
sudo systemctl list-timers
This might fail, though, if you are using the HTTP challenge; you may want to temporarily disable the enhancements while renewing, or use the DNS challenge (--preferred-challenges dns) as an alternative.