HTTPS support with an Nginx Let's Encrypt reverse proxy on Ubuntu
N.B. Since version 1.7.4, Assetto Server Manager is capable of natively handling TLS. This page is only useful if you need to maintain the server behind a proxy for any reason.
These instructions have been tested on a DigitalOcean droplet running Ubuntu 18.04, with Assetto Server Manager 1.7.3 (Premium) installed.
- A modern Ubuntu (or similar) host, running Assetto Server Manager
- A registered (sub)domain, correctly configured to send browsers to your Assetto Server Manager host on the default port 8772, e.g. http://your.server.here:8772/
- Any firewall is configured to permit ports 80 and 443 inbound to your host (and 8772 initially for testing)
- A user account on your host with sudo privileges. Otherwise, run all sudo commands below as the root user and remove the prefix sudo.
- No other servers already listening on ports 80 or 443 on the same host
- Nginx not already installed
sudo apt update && sudo apt -y install nginx
Create this file using your preferred text editor: /etc/nginx/conf.d/assetto-server-manager.conf
Add the following contents to that file:
server {
    listen 80;
    listen [::]:80;
    server_name your.server.here;
    client_max_body_size 256m;

    location / {
        proxy_pass http://localhost:8772;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
Restart Nginx with:
sudo systemctl restart nginx.service
At this point you should be able to load http://your.server.here/ (without the port 8772) and everything should be working.
# if using Ubuntu 18.04 (Bionic)
sudo apt -y install python-certbot-nginx
or
# if using Ubuntu 20.04 (Focal)
sudo apt -y install python3-certbot-nginx
sudo certbot --nginx
If you've done things correctly, you should be all set. I elected to say "yes" to the automatic redirection from port 80 (http) to 443 (https).
Nearly nobody needs TLS older than 1.2 any more, so we can strip out TLSv1 and TLSv1.1 support.
sudo sed -i 's/TLSv1 TLSv1.1 //' /etc/letsencrypt/options-ssl-nginx.conf
sudo systemctl restart nginx.service
If you are concerned about the warning at the top of that file that CertBot won't work, please read the explanation.
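The sed substitution above only matches when the file lists the protocols exactly as "TLSv1 TLSv1.1 "; if the line is worded or ordered differently, sed changes nothing and still exits successfully. The following check is an added example, not part of the original page: it reads back which protocols the file still enables. The function names are hypothetical, and it assumes each ssl_protocols directive sits on one line.

```shell
# Added example (not from the original page). Function names are hypothetical.
# Assumes each ssl_protocols directive sits on a single line.

# Print every protocol token enabled by ssl_protocols in file $1, one per line.
enabled_protocols() {
    # Strip comments first so a commented-out directive is not counted.
    sed -e 's/#.*//' "$1" | awk '
        $1 == "ssl_protocols" {
            for (i = 2; i <= NF; i++) {
                gsub(/;/, "", $i)
                if ($i != "") print $i
            }
        }'
}

# Return 0 if no legacy protocol remains, 1 if one does,
# 2 if the file has no ssl_protocols directive at all.
legacy_tls_disabled() {
    tls_protos=$(enabled_protocols "$1")
    if [ -z "$tls_protos" ]; then
        echo "no ssl_protocols directive found in $1" >&2
        return 2
    fi
    # -x matches whole tokens, so TLSv1.2 and TLSv1.3 do not match TLSv1.
    if printf '%s\n' "$tls_protos" | grep -qxE 'SSLv2|SSLv3|TLSv1|TLSv1\.1'; then
        echo "legacy protocol still enabled in $1:" $tls_protos >&2
        return 1
    fi
    return 0
}

# Usage, between the sed edit and the restart:
#   legacy_tls_disabled /etc/letsencrypt/options-ssl-nginx.conf && sudo nginx -t
```

A non-zero result means the sed edit did not take effect and the ssl_protocols line needs to be edited by hand before restarting Nginx.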
Now you can block direct access to port 8772 through your firewall, then verify the following:
- http://your.server.here:8772/ should no longer work
- http://your.server.here/ should redirect you to https
- https://your.server.here/ should load fine