Hugo Part 2

2024-12-05

Configuring HTTPS access to your blog is free and effortless. Even for websites like blogs that do not handle sensitive information, there are notable benefits to doing so:

  1. Show your professionalism: how can a reader trust your content if you cannot even get this little thing done? This applies especially to engineers.
  2. Browser trust: modern browsers mark plain HTTP sites as “Not Secure,” discouraging or even blocking visitors from accessing them.
  3. Search ranking: it is a small factor, but sites that use HTTPS do get higher search rankings.

Step by Step Guide

This guide assumes you are using a RHEL-based Linux distribution and Nginx.

1. Install certbot and the nginx plugin.

# update your system
sudo yum update -y

# install certbot and its nginx plugin
sudo yum install -y certbot python3-certbot-nginx

# check nginx configuration
cat /etc/nginx/conf.d/yourdomain.conf

Your basic configuration should look like this:

server {
    listen 80;
    server_name yourdomain.com;

    root /path/to/your/blog;
    index index.html;

    location / {
        try_files $uri $uri/ =404;
    }
}

2. Obtain an SSL certificate

# run certbot with the nginx plugin and follow the instructions
sudo certbot --nginx

3. Enhancement

Block direct access by IP address and redirect HTTP to HTTPS

# modify config file with your favorite editor
sudo -e /etc/nginx/conf.d/yourdomain.conf

Add something like this:

server {
    listen 80;
    server_name yourdomain.com;

    # block ip direct access
    if ($host ~* ^\d+\.\d+\.\d+\.\d+$) {
        return 444;
    }

    # redirect HTTP to HTTPS
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name yourdomain.com;

    if ($host ~* ^\d+\.\d+\.\d+\.\d+$) {
        return 444;
    }

    root /var/www/blog;
    index index.html;

    # SSL
    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    # ssl_protocols TLSv1.2 TLSv1.3;
    # ssl_prefer_server_ciphers on;
    # ssl_ciphers HIGH:!aNULL:!MD5;

    location / {
        try_files $uri $uri/ /index.html;
    }
}
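To check that a config file actually carries the three hardening points above before you reload nginx, here is a small Python audit script. It is an added example, not part of the original post: it strips comments, splits the file into server blocks, evaluates each Host-header guard against a sample IP the way nginx would, and verifies the port-80 redirect and the TLS directives of the port-443 block. The embedded config strings are constructed samples (the guide's plain config and an abridged copy of its hardened one).

```python
import re

COMMENT = re.compile(r"#[^\n]*")
IF_BLOCK = re.compile(r"\bif\s*\((.*?)\)\s*\{(.*?)\}", re.S)
PROBE_IP = "203.0.113.7"  # TEST-NET address, used only to exercise the Host regex

def server_blocks(conf):
    """Yield the body of each top-level server { ... } block, comments stripped."""
    conf, i = COMMENT.sub("", conf), 0
    while (m := re.search(r"\bserver\s*\{", conf[i:])):
        start = j = i + m.end()
        depth = 1
        while depth:  # brace matching, so nested location { } blocks are handled
            depth += {"{": 1, "}": -1}.get(conf[j], 0)
            j += 1
        yield conf[start:j - 1]
        i = j

def audit(conf):
    """Check the guide's three hardening points and return a findings dict."""
    out = {"http_redirects": False, "ip_guarded_ports": set(), "tls_ok": False}
    for blk in server_blocks(conf):
        ports = set(re.findall(r"\blisten\s+(?:\S*:)?(\d+)", blk))
        for cond, body in IF_BLOCK.findall(blk):
            # Evaluate the guard as nginx would: does its regex match a bare-IP Host header?
            m = re.match(r"\s*\$host\s*~\*?\s*(\S+)", cond)
            if m and re.search(m.group(1), PROBE_IP) and re.search(r"\breturn\s+444\b", body):
                out["ip_guarded_ports"] |= ports
        top = IF_BLOCK.sub("", blk)  # directives outside any if { } block
        if "80" in ports and re.search(r"\breturn\s+301\s+https://", top):
            out["http_redirects"] = True
        if "443" in ports:
            has_cert = all(re.search(rf"\b{d}\s", top) for d in ("ssl_certificate", "ssl_certificate_key"))
            proto = re.search(r"\bssl_protocols\s+([^;]+);", top)
            modern = not proto or set(proto.group(1).split()) <= {"TLSv1.2", "TLSv1.3"}
            out["tls_ok"] = bool(has_cert and modern)  # False if a legacy TLS version is pinned
    return out

# Constructed samples: the guide's plain config and an abridged copy of its hardened one.
BASELINE = """server { listen 80; server_name yourdomain.com; root /var/www/blog;
    location / { try_files $uri $uri/ =404; } }"""
HARDENED = r"""server { listen 80; server_name yourdomain.com;
    if ($host ~* ^\d+\.\d+\.\d+\.\d+$) { return 444; }
    return 301 https://$host$request_uri; }
server { listen 443 ssl; server_name yourdomain.com; root /var/www/blog;
    if ($host ~* ^\d+\.\d+\.\d+\.\d+$) { return 444; }
    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;  # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
    location / { try_files $uri $uri/ /index.html; } }"""
```

Run `audit(open("/etc/nginx/conf.d/yourdomain.conf").read())` against your real file; any `False` or a port missing from `ip_guarded_ports` points at the block that still needs the change.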

4. Apply configuration

# verify config
sudo nginx -t

# reload nginx
sudo systemctl reload nginx

# restart nginx if needed
sudo systemctl restart nginx

Go back to your blog and check that everything works.

You might also want to go to SSL Labs and run its server test.

5. Certificate automatic renewal

It should be on already, but you can check it with:

# run a test certbot renewal to see if there's any error
sudo certbot renew --dry-run

# or check the systemd timer is there
sudo systemctl list-timers

This might fail if you're using the HTTP challenge; in that case you may want to temporarily disable the enhancements during renewal, or use the DNS challenge (--preferred-challenges dns) as an alternative.