HTTPS support with an Nginx Let's Encrypt reverse proxy on Ubuntu

Chris O'Neill edited this page Feb 23, 2020 · 5 revisions

These instructions have been tested on a DigitalOcean droplet running Ubuntu 18.04, with Assetto Server Manager 1.7.3 (Premium) installed.

Prerequisites/Assumptions:

  • A modern Ubuntu (or similar) host, running Assetto Server Manager
  • A registered (sub)domain whose DNS points at your Assetto Server Manager host, so that browsers reach it on the default port 8772, e.g. http://your.server.here:8772/
  • Any firewall configured to permit ports 80 and 443 inbound to your host (and 8772 initially, for testing)
  • A user account on your host with sudo privileges. Otherwise, run the commands below as the root user and drop the sudo prefix.
  • No other server already listening on port 80 or 443 on the same host
  • Nginx not already installed

First let's install Nginx

sudo apt update && sudo apt -y install nginx

Set up a basic reverse proxy to Server Manager on port 80 first

Create this file using your preferred text editor: /etc/nginx/conf.d/assetto-server-manager.conf

Add the following contents to that file:

server {
  listen 80;
  listen [::]:80;

  server_name your.server.here;
  # Allow large uploads through the proxy
  client_max_body_size 256m;

  location / {
    # Server Manager listens on its default port 8772 on this host
    proxy_pass http://localhost:8772;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # Pass WebSocket upgrade requests through to Server Manager
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
  }
}

Restart Nginx with:

sudo systemctl restart nginx.service

At this point you should be able to load http://your.server.here/ (without the port 8772) and everything should be working.

Next we install Let's Encrypt TLS certificates with Certbot

sudo apt -y install python-certbot-nginx

Run the configurator like this, and answer the questions:

sudo certbot --nginx

If you've done things correctly, you should be all set. I elected to say "yes" to the automatic redirection from port 80 (http) to 443 (https).

A tiny bit of (optional) hardening

Nearly nobody needs TLS older than 1.2 any more, so we can strip out TLSv1 and TLSv1.1 support.

sudo sed -i 's/TLSv1 TLSv1.1 //' /etc/letsencrypt/options-ssl-nginx.conf
sudo systemctl restart nginx.service
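Before running that sed against the live file, it is worth checking what it actually produces. The script below is an added example (not from this wiki page or from the Assetto Server Manager project): it applies the same sed to a copy of a constructed options-ssl-nginx.conf and checks that no protocol older than TLSv1.2 remains. The file paths and the sample directive are assumptions; the real file shipped by Certbot may differ.

```shell
#!/bin/sh
# Added example: rehearse the TLSv1/TLSv1.1 strip on a copy of Certbot's
# options-ssl-nginx.conf and verify the result before editing the live file.
# The sample content and paths below are constructed for the example.

# Print the first ssl_protocols directive found in an Nginx TLS config file,
# or nothing if the directive is absent.
ssl_protocols_of() {
    grep -E '^[[:space:]]*ssl_protocols[[:space:]]' "$1" | head -n 1
}

# Return 0 only if the file enables no protocol older than TLSv1.2.
# A missing directive means Nginx defaults apply, so we fail closed.
no_legacy_tls() {
    line=$(ssl_protocols_of "$1")
    [ -n "$line" ] || return 1
    case "$line" in
        *SSLv3*|*"TLSv1 "*|*"TLSv1;"*|*TLSv1.1*) return 1 ;;
    esac
    return 0
}

# Apply the page's sed to a copy of the file, then check the copy.
# Exit status is that of the check, so callers can act on it.
harden_copy() {
    src="$1"; dst="$2"
    cp "$src" "$dst"
    sed -i 's/TLSv1 TLSv1.1 //' "$dst"
    no_legacy_tls "$dst"
}

# Write a constructed sample mirroring the directive Certbot shipped then.
make_sample() {
    printf '# managed by Certbot (constructed sample)\nssl_protocols TLSv1 TLSv1.1 TLSv1.2;\nssl_prefer_server_ciphers off;\n' > "$1"
}
```

Usage on a real host would be along the lines of `make_sample /tmp/sample.conf; harden_copy /tmp/sample.conf /tmp/hardened.conf && echo "strip works"`, then `no_legacy_tls /etc/letsencrypt/options-ssl-nginx.conf` after the real edit; run `sudo nginx -t` before the restart so a broken directive never takes the proxy down.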

If you are worried by the warning at the top of that file that Certbot won't work, please read the explanation.

Firewall tidy-up

Now you can block direct access to port 8772 through your firewall, then verify the following: