Upgrading Hugo site and Nginx to a secure configuration

Purpose

Use HTTPS with nginx and Hugo instead of HTTP.

Much like anything else, encryption on the interwebs is a growing requirement that helps some and irritates others. For me, my hugo site would not show up correctly on firefox as it kept defaulting my webpage to https instead of http. Super irritating for troubleshooting the site as I build it and try to figure out the other configurations to make it work right. So here was my step by step on upgrading my nginx configuration.

  • First off, install certbot on Debian 10
sudo apt install certbot
  • Stop nginx so that certbot's temporary webserver can bind port 80, then start the certbot procedure
sudo systemctl stop nginx
sudo certbot certonly
  • It will ask you to agree to the terms of service and also about your email, that stuff is up to the user. I agreed to the terms but did not share my email.
  • Eventually you will see the following:
How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 
  • Select 1 and then put in the domain name that you have chosen. I used andrew.deloco.us
Plugins selected: Authenticator standalone, Installer None
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel):  andrew.deloco.us
  • If successful you should see this:
Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/andrew.deloco.us/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/andrew.deloco.us/privkey.pem
   Your cert will expire on 2021-05-08. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
  • Copy the .pem paths, as we will need them for the nginx configuration
  • Open your nginx config. Mine is named hugo
sudo nano -l /etc/nginx/sites-available/hugo
  • The non-secure config should look like this:
server {
        #Listen for ipv4 on port 80
        listen 80;

        #Listen for web address
        server_name andrew.deloco.us;
        #HTML file location
        root /var/www/AndrewResume/public/;
        #No Idea why this is needed
        index index.html;
}
  • Change it to look like this, using the .pem paths from above:
server {
        #Listen for ipv4 on port 80
        listen 80;

        #Listen for web address
        server_name andrew.deloco.us;

        #Redirect from Port 80 to 443
        location / {
                return 301 https://$host$request_uri;
        }
}
server {
        #Listen on port 443
        listen 443 ssl http2;

        #Logging
        access_log /var/log/nginx/andrew.deloco.us.access.log;
        error_log /var/log/nginx/andrew.deloco.us.error.log;

        #Site Certificate Locations
        ssl_certificate /etc/letsencrypt/live/andrew.deloco.us/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/andrew.deloco.us/privkey.pem;
        ssl_trusted_certificate /etc/letsencrypt/live/andrew.deloco.us/chain.pem;

        #Web address that is now listening on 443
        server_name andrew.deloco.us;
        #HTML file location
        root /var/www/AndrewResume/public/;
        #No Idea why this is needed
        index index.html;
}
  • The configuration will listen for both secure and non-secure requests and redirect the non-secure to secure. Legit.
  • Restart Nginx
sudo systemctl start nginx
  • Now we have to change some configurations in the config.toml to match the secure site path or you will get errors on the page.
  • Change directory and open the config file.
cd /var/www/AndrewResume/
nano -l config.toml
  • As you can see, the BaseURL setting in the file starts with http://, which we need to change to https://
BaseURL = "http://andrew.deloco.us/"
languageCode = "en"
title = "Andrew DeLorey"
theme = "hugo-initio"
publishDir = "public"
  • Change to
BaseURL = "https://andrew.deloco.us/"
languageCode = "en"
title = "Andrew DeLorey"
theme = "hugo-initio"
publishDir = "public"
  • Rebuild your Hugo files by running hugo while you are in that directory
hugo

The site is now secure and works as intended.
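
The two files edited above have to agree, or the page loads with errors. The script below is an added example, not part of the original post: it checks that the Hugo BaseURL is https and that nginx has both the port-80 redirect and a port-443 TLS block for the same host. The function names and the script name check_site.sh are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. Checks that the Hugo BaseURL and
# the nginx site file agree before nginx is started again.

# Print the BaseURL host if the scheme is https; fail otherwise.
hugo_https_host() {  # $1 = Hugo config.toml
    sed -n 's|^[[:space:]]*[Bb]ase[Uu][Rr][Ll][[:space:]]*=[[:space:]]*"https://\([^/"]*\).*|\1|p' "$1" | grep .
}

# Succeed if host $2 has a port-80 server block that 301-redirects to https
# and a port-443 ssl block with certificate and key (IPv4 listens only).
nginx_tls_ok() {  # $1 = nginx site file, $2 = expected server_name
    awk -v host="$2" '
        { sub(/#.*/, "") }                                  # ignore comments
        depth == 0 && /^[ \t]*server[ \t]*[{]/ { p80 = p443 = redir = cert = key = name = 0 }
        /listen[ \t]+80[ \t;]/            { p80 = 1 }
        /listen[ \t]+443[ \t].*ssl/       { p443 = 1 }
        /return[ \t]+301[ \t]+https:\/\// { redir = 1 }
        /ssl_certificate[ \t]/            { cert = 1 }
        /ssl_certificate_key[ \t]/        { key = 1 }
        $1 == "server_name" {
            for (i = 2; i <= NF; i++) { n = $i; sub(/;$/, "", n); if (n == host) name = 1 }
        }
        {   # track brace depth; judge each server block when it closes
            depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
            if (depth == 0 && name) {
                if (p80 && redir) http_ok = 1
                if (p443 && cert && key) https_ok = 1
                name = 0
            }
        }
        END { exit !(http_ok && https_ok) }' "$1"
}

check_site() {  # $1 = nginx site file, $2 = Hugo config.toml
    host=$(hugo_https_host "$2") || { echo "BaseURL is not https" >&2; return 1; }
    nginx_tls_ok "$1" "$host" || { echo "nginx: no redirect + TLS pair for $host" >&2; return 1; }
    echo "ok: $host"
}

# Usage: sh check_site.sh /etc/nginx/sites-available/hugo /var/www/AndrewResume/config.toml
if [ "$#" -eq 2 ]; then check_site "$1" "$2"; fi
```

This only compares the two files; sudo nginx -t still checks the nginx syntax itself.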