
HTTPS support with an Nginx Let's Encrypt reverse proxy on Ubuntu

Chris O'Neill edited this page Feb 23, 2020 · 5 revisions

These instructions have been tested on a DigitalOcean droplet running Ubuntu 18.04, with Assetto Server Manager 1.7.3 (Premium) installed.


  • A modern Ubuntu (or similar) host, running Assetto Server Manager
  • A registered (sub)domain, correctly configured to send browsers to your Assetto Server Manager host on the default port 8772, e.g.
  • Any firewall is configured to permit ports 80 and 443 inbound to your host (and 8772 initially for testing)
  • A user account on your host with sudo privileges. Otherwise, run all sudo commands below as the root user and remove the prefix sudo.
  • No other servers already listening on ports 80 or 443 on the same host
  • Nginx not already installed

First let's install Nginx

sudo apt update && sudo apt -y install nginx

Set up a basic reverse proxy to Server Manager on port 80 first

Create this file using your preferred text editor: /etc/nginx/conf.d/assetto-server-manager.conf

Add the following contents to that file:

server {
  listen 80;
  listen [::]:80;

  # Allow large uploads through the proxy
  client_max_body_size 256m;

  location / {
    proxy_pass http://localhost:8772;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # HTTP/1.1 plus the Upgrade/Connection headers let WebSocket connections pass through
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
  }
}

Restart Nginx with:

sudo systemctl restart nginx.service

At this point you should be able to load (without the port 8772) and everything should be working.

Next we install Let's Encrypt TLS certificates with Certbot

sudo apt -y install python-certbot-nginx

Run the configurator like this, and answer the questions:

sudo certbot --nginx

If you've done things correctly, you should be all set. I elected to say "yes" to the automatic redirection from port 80 (http) to 443 (https).

A tiny bit of (optional) hardening

Nearly nobody needs TLS older than 1.2 any more, so we can strip out TLSv1 and TLSv1.1 support.

sudo sed -i 's/TLSv1 TLSv1.1 //' /etc/letsencrypt/options-ssl-nginx.conf
sudo systemctl restart nginx.service

If you are concerned about the warning at the top of that file that CertBot won't work, please read the explanation.
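
The sed command above only works when the file contains the exact text "TLSv1 TLSv1.1 " in that order. The following is an added example, not part of the original page: it removes legacy protocol tokens from ssl_protocols lines whatever their order, keeps a backup, and reports any that remain. The function names are hypothetical and the sample file is constructed.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.

# List legacy protocol tokens still enabled by ssl_protocols directives in $1.
# Exit status 0 means at least one was found, 1 means none.
legacy_tls_enabled() {
  awk '
    { sub(/#.*/, "") }                      # ignore comments
    $1 == "ssl_protocols" {
      for (i = 2; i <= NF; i++) {
        tok = $i; sub(/;$/, "", tok)
        if (tok ~ /^(SSLv2|SSLv3|TLSv1|TLSv1\.1)$/) { print tok; found = 1 }
      }
    }
    END { exit (found ? 0 : 1) }
  ' "$1"
}

# Remove legacy tokens from ssl_protocols lines in $1, keeping a .bak copy.
# Whole-token matching, so TLSv1.2 and TLSv1.3 are never touched. If no
# protocol would be left, the original file is restored and 1 is returned.
strip_legacy_tls() {
  cp -p "$1" "$1.bak" || return 1
  sed -E '/^[[:space:]]*ssl_protocols[[:space:]]/ {
    :again
    s/[[:space:]]+(SSLv2|SSLv3|TLSv1|TLSv1\.1)([[:space:];])/\2/
    t again
  }' "$1.bak" > "$1" || return 1
  if grep -Eq '^[[:space:]]*ssl_protocols[[:space:]]*;' "$1"; then
    cp -p "$1.bak" "$1"
    return 1
  fi
}

# Constructed sample (not a copy of the real file); written to a temp file
# whose path is printed on stdout.
make_sample_conf() {
  f=$(mktemp) || return 1
  printf '%s\n' \
    '# ssl_protocols TLSv1;   (commented out, must be ignored)' \
    'ssl_session_cache shared:le_nginx_SSL:1m;' \
    'ssl_protocols TLSv1 TLSv1.1 TLSv1.2;' \
    'ssl_prefer_server_ciphers on;' > "$f"
  echo "$f"
}
```

After running strip_legacy_tls on /etc/letsencrypt/options-ssl-nginx.conf, run sudo nginx -t to validate the configuration before restarting Nginx.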

Firewall tidy-up

Now you can block direct access to port 8772 through your firewall, then verify the following: