rk1ve

web-security

so this is the path to securing my web apps. after troubleshooting authentik and zammad, i am left at the point of securing my web apps, specifically with proper ssl certificates from let's encrypt. after bashing my head into the wall, i decided to spin up a fresh debian server and mess around with nginx. the process was fairly easy, and as long as you follow the documentation, it is simple.

when installing nginx, there may or may not be contents within /etc/nginx/conf.d/. i say this since the guide i followed from nginx has those files, but upon installing it on debian 12, they were not there. i found out that the same can be configured within the sites-available folder in /etc/nginx/. on debian, a file in sites-available only takes effect once it is symlinked into sites-enabled, which is the folder the main nginx.conf actually includes. so this is where the nginx configuration lives. it defines what port the server listens on, the server name, the location of the web files, and more. upon installing, if you open a browser and type in the server's ip address, you will see the nginx welcome page. this confirms that nginx is installed and listening on port 80, which is plain http.

now where security comes in is with the ssl certificates. you can either generate your own self-signed certificate with openssl, get a free certificate from let's encrypt with certbot, or buy one. i personally generated it through let's encrypt with nginx proxy manager. it ensures that i use ssl internally and externally. this is what i wanted since i am currently experiencing issues with ssl passthrough and how my servers talk to each other.

right now i have zammad behind npm, but when it accesses authentik, it does so over non-ssl means, and even though i have certificates uploaded, there are still conflicts somewhere. hence why i am testing nginx web servers with ssl certificates.

this is essentially the setup for adding ssl certificates to an nginx web server. first, in the existing 'server' block that listens on port 80, add/change 'server_name' to your fqdn, such as 'web.domain.com'. underneath that, there needs to be this option (note the trailing semicolon; nginx -t rejects the config without it):

    return 301 https://$server_name$request_uri;

this makes nginx answer every plain http request with a permanent redirect to the same path on https instead of serving content over http. after that you create another 'server' section below it, which listens on 443 with ssl.
    server {
        listen 443 ssl;
        server_name web.domain.com;

        # fullchain.pem is your certificate followed by the let's encrypt
        # intermediate. nginx sends this file as-is, so clients can build the
        # chain to a trusted root. cert.pem alone leaves the intermediate out
        # and some clients reject the connection.
        ssl_certificate /etc/nginx/ssl/fullchain.pem;
        # the private key, kept in the same root-only ssl folder
        ssl_certificate_key /etc/nginx/ssl/privkey.pem;

        location / {
            root /usr/share/nginx/html;
            index index.html index.htm;
        }
    }

where do these .pem files and the ssl folder come from? first, create the ssl folder under /etc/nginx if it does not already exist, then restrict it to root with chmod 700 ssl (nginx's master process runs as root and reads the key at startup, so root-only permissions are enough; chmod 600 the key file itself as well). next, go into that folder and paste the contents of each file from the certificate generated in npm. i explain how i did this in my npm post, but i will explain again.

go into ‘ssl certificates’ and click ‘add ssl certificate’, then ‘let's encrypt’. next, enter the desired domain name(s) and use a dns challenge. the token or api key comes from wherever your dns is hosted; in my case, i created a cloudflare api token. scope it to editing dns records in that one zone only, and keep it secure: anyone holding it can change your dns records, which means they can pass the dns challenge and get certificates issued for your domain, and point the domain wherever they like. if you do not have a domain, i recommend duckdns domains. next i like to change the propagation time to two minutes and let dns do its thing. once the certificate is created, you can download the contents.

this will give you a zipped file of the certificates. they go as follows:
cert.pem = your server (leaf) certificate, which contains the public key
chain.pem = the let's encrypt intermediate certificate(s) that link your certificate to a trusted root
fullchain.pem = cert.pem followed by chain.pem
privkey.pem = the private key; this is the one file that must never leave the server

the two you want are fullchain.pem and privkey.pem. nginx's ssl_certificate directive should point at fullchain.pem, because nginx sends that file to the client as-is and the client needs the intermediate to build a chain to a root it trusts. with cert.pem alone, a browser that already has the intermediate cached will still load the site, but clients that do not (curl, many api clients and mobile apps) will reject the connection, which makes the problem easy to miss when you only test from a browser.

now once you have pasted those into the ssl folder and the paths are reflected in your nginx configuration file, run nginx -t and reload nginx, then ensure that you can access your web server by the domain name. be sure that this domain name exists within dns, whether through your domain registrar or a local dns server. yes, you can point your subdomain to a local ip address from cloudflare or whatever domain provider you have. in my case, i put all my locally accessed dns records in my adguard instance. once the record is made (web.domain.com > nginx ip address), you can access that domain name and it will give you a nice https version of the website with no certificate warning. a quick check from the command line is openssl s_client -connect web.domain.com:443 -servername web.domain.com, which should end with Verify return code: 0 (ok); anything else usually means the chain is incomplete or the name on the certificate does not match. traffic to the internal web server is now encrypted with this certificate.
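an added example, not code from the original post: a small posix sh script that checks the downloaded bundle before the nginx config above is reloaded. it confirms that privkey.pem belongs to cert.pem, that fullchain.pem carries more than just the leaf, and that the leaf only verifies when the intermediate is present, which is the reason ssl_certificate points at fullchain.pem rather than cert.pem. the make_fixture_bundle function is mine and hypothetical: it builds a throwaway root, intermediate and leaf for web.domain.com so the script runs offline. on a real download you skip it and pass your ssl folder plus the system trust store (/etc/ssl/certs/ca-certificates.crt on debian) to check_bundle.

```shell
#!/bin/sh
# Added example, not from the original post. Sanity checks for a Let's
# Encrypt bundle (cert.pem, chain.pem, fullchain.pem, privkey.pem) before
# nginx is pointed at it. Requires only the openssl CLI.
set -eu

# Does the private key belong to the certificate? Compare the DER form of
# the public key taken from each side; works for RSA and EC keys alike.
key_matches_cert() {
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  k=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
  [ "$c" = "$k" ]
}

# Number of certificates in a PEM file: cert.pem holds one (the leaf),
# fullchain.pem must hold the leaf plus at least one intermediate.
pem_cert_count() {
  grep -c 'BEGIN CERTIFICATE' "$1" || true
}

# Verify the leaf the way a client without a cached intermediate would.
# $1 = trusted root(s), $2 = leaf, $3 = optional file of intermediates.
# Prints "complete" or "incomplete" instead of failing so callers can test it.
chain_status() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1 && echo complete || echo incomplete
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 && echo complete || echo incomplete
  fi
}

# Run all checks on a bundle directory against a trust store. Returns 0 only
# when the key matches the leaf and the chain in the bundle completes.
check_bundle() {
  bdir="$1"; broot="$2"
  key_matches_cert "$bdir/cert.pem" "$bdir/privkey.pem" \
    || { echo "privkey.pem does not match cert.pem"; return 1; }
  [ "$(pem_cert_count "$bdir/fullchain.pem")" -ge 2 ] \
    || { echo "fullchain.pem is missing the intermediate"; return 1; }
  [ "$(chain_status "$broot" "$bdir/cert.pem" "$bdir/chain.pem")" = complete ] \
    || { echo "chain.pem does not link cert.pem to a trusted root"; return 1; }
  echo "bundle ok: ssl_certificate -> fullchain.pem, ssl_certificate_key -> privkey.pem"
}

# Constructed fixture (hypothetical, mine): a throwaway root -> intermediate
# -> leaf for web.domain.com laid out like the NPM download, plus an
# unrelated key to show the mismatch check firing. Not needed for real files.
make_fixture_bundle() {
  d="$1"; mkdir -p "$d"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:web.domain.com\n' > "$d/leaf.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Fixture Root' \
    -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$d/root.csr" -signkey "$d/root.key" \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Fixture Intermediate' \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.ext" -out "$d/chain.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=web.domain.com' \
    -keyout "$d/privkey.pem" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$d/leaf.csr" -CA "$d/chain.pem" -CAkey "$d/int.key" \
    -CAcreateserial -extfile "$d/leaf.ext" -out "$d/cert.pem" 2>/dev/null
  cat "$d/cert.pem" "$d/chain.pem" > "$d/fullchain.pem"
  openssl genrsa -out "$d/wrong.key" 2048 2>/dev/null
  chmod 600 "$d"/*.key "$d/privkey.pem"
}

# Usage on a real download: sh check_bundle.sh /etc/nginx/ssl /etc/ssl/certs/ca-certificates.crt
if [ "$#" -eq 2 ]; then
  check_bundle "$1" "$2"
fi
```

the chain check is the one that catches the cert.pem mistake: verifying the leaf with only the trusted root fails with "unable to get local issuer certificate", and it passes only once chain.pem is supplied, which is exactly what a client sees when nginx serves cert.pem instead of fullchain.pem.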

we can take this further and move the access behind a reverse proxy, like npm. the process is straightforward: create a new proxy host with the same fqdn as your web server, set the scheme to https, and enter the nginx server's ip and port 443. in the ssl section, select the certificate generated before, the same one you downloaded. then turn on force ssl (npm then does the http to https redirect itself) and http/2 support. from there, change your dns record to point to the ip address of the reverse proxy. wait for dns to update, open a new private window and type in the fqdn of the server. if done correctly, the website is now served through the reverse proxy with no warning. the browser only ever talks to the proxy, so the certificate the browser sees is the one selected in npm; the copy on the backend nginx server is what encrypts the proxy-to-backend hop. the best way to confirm this is with a private browser tab, or ctrl+shift+r for a hard refresh, so a cached page does not fool you.

this whole process was really to get me familiar with how ssl certificates are used for communication, whether internal or external, along with how they are combined with web servers like nginx.

preserve the moment.