cctv
September 29, 2023

Setup Nginx + Let's Encrypt reverse proxy before Yucca

In this tutorial I will describe how to set up Nginx and issue a Let's Encrypt SSL certificate that is renewed automatically. Nginx will act as a simple web server in front of Yucca: it terminates the SSL session and redirects requests from port 80 to 443.

Why install Nginx at all, since Yucca itself can terminate SSL and even has flags for it? True, but if Yucca occupies port 443, that port becomes unavailable to any other software, you would have to use some other port, and there would be no redirect from HTTP to HTTPS. If that suits you, you can safely skip Step 1 (installing and configuring Nginx) and go straight to Step 2.

I will do all the steps on Ubuntu Server 22.04, but everything works the same on SUSE, CentOS, Fedora, Debian and so on. Only the package manager differs, and I hope you can tell the difference between apt and zypper :)

Step 0. Preparation

So we need:

  1. A host with a public ("white") IP address
  2. A domain or subdomain that points at this address
  3. Yucca installed

In the instructions I will use the domain foobar.yuccastream.com; your domain will be different.

nslookup foobar.yuccastream.com
Server:		127.0.0.53
Address:	127.0.0.53#53

Non-authoritative answer:
Name:	foobar.yuccastream.com
Address: 128.140.2.103

So I have Yucca, which is available at http://foobar.yuccastream.com:9910

Step 1. Install and configure Nginx

Install nginx:

sudo apt install nginx

Check that http://foobar.yuccastream.com opens in a browser.

Next, create a configuration file for Yucca:

sudo nano /etc/nginx/conf.d/yucca.conf

⚠️ You need to replace the domain foobar.yuccastream.com with your own.

upstream yucca_upstream {
  server 127.0.0.1:9910 fail_timeout=0;
}

server {
  listen 80;
  server_name foobar.yuccastream.com;
  location / {
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_pass http://yucca_upstream;
  }
}

Save the file and check the configuration is correct:

sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

If everything is correct you will see "syntax is ok".

Reload the nginx configuration:

sudo nginx -s reload

Refresh the page and you will see the Yucca web interface at http://foobar.yuccastream.com

Step 2. Install Certbot and issue a letsencrypt certificate

Install packages:

sudo apt install certbot python3-certbot-nginx

We issue a certificate for our domain:

⚠️ You need to replace the domain foobar.yuccastream.com with your own.

sudo certbot --nginx -d foobar.yuccastream.com

Certbot will ask you to enter your e-mail address (1). I recommend entering a real mailbox: if the certificate is about to expire and has not been renewed automatically, Let's Encrypt will send you a notification about it. You will also need to agree to the terms and conditions (2), (3). Next, certbot itself finds the configuration file containing the requested domain, configures the SSL section and the redirect, and shows you a link at the end.

You can see the result in the file /etc/nginx/conf.d/yucca.conf:

upstream yucca_upstream {
  server 127.0.0.1:9910 fail_timeout=0;
}

server {
  server_name foobar.yuccastream.com;
  location / {
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_pass http://yucca_upstream;
  }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/foobar.yuccastream.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/foobar.yuccastream.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = foobar.yuccastream.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    server_name foobar.yuccastream.com;
    return 404; # managed by Certbot
}

I recommend checking that certbot has created a timer for certificate renewal; it must be active:

sudo systemctl status certbot.timer
● certbot.timer - Run certbot twice daily
     Loaded: loaded (/lib/systemd/system/certbot.timer; enabled; vendor preset: enabled)
     Active: active (waiting) since Fri 2023-09-22 11:54:02 UTC; 7min ago
    Trigger: Fri 2023-09-22 14:13:25 UTC; 2h 11min left
   Triggers: ● certbot.service

Sep 22 11:54:02 foobar systemd[1]: Started Run certbot twice daily.

Open http://foobar.yuccastream.com again and see that everything works over HTTPS and that the redirect works too.

Step 3. Security setup

We have configured access over HTTPS through nginx, but Yucca is still reachable directly over plain HTTP at http://foobar.yuccastream.com:9910. This is because of this default setting:

listen_address = ":9910"

Open the Yucca configuration file and edit this parameter:

sudo nano /opt/yucca/yucca.toml

Make Yucca listen only on localhost:

listen_address = "127.0.0.1:9910"

And restart the Yucca server:

sudo systemctl restart yucca

Check: now nothing answers at http://foobar.yuccastream.com:9910, but https://foobar.yuccastream.com works.
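The manual checks in Steps 2 and 3 (redirect works, port 9910 no longer answers, the renewal timer is active) can be scripted. The audit below is an added example and is not part of the Yucca project or of this page's original text. It assumes the yucca.toml path and listen_address key from Step 3, a certbot-style redirect on port 80 from Step 2, and the ss, curl and openssl tools; the hostname is passed as the first argument and the live checks only run when one is given, so the text helpers can be exercised on their own.

```shell
#!/bin/sh
# Added example, not part of the Yucca project: audit the final state of this tutorial.
# The parsing/classification helpers work on plain text and need no network; live_checks()
# needs ss, curl and openssl and runs only when a hostname is passed as $1.

YUCCA_TOML=/opt/yucca/yucca.toml   # path used in Step 3 of the page

# Print the value of listen_address from a yucca.toml-style file (first match only).
yucca_listen_address() {
  sed -n 's/^[[:space:]]*listen_address[[:space:]]*=[[:space:]]*"\([^"]*\)".*$/\1/p' "$1" | head -n 1
}

# Succeed if the address binds loopback only. ":9910" means all interfaces, so it fails.
listen_is_loopback() {
  case "$1" in
    127.*:*|localhost:*|\[::1\]:*) return 0 ;;
    *) return 1 ;;
  esac
}

# Succeed if a status code plus Location header is a redirect to https://<host>/...
# $1 = status code, $2 = Location (or curl's redirect_url), $3 = expected host
is_https_redirect() {
  case "$1" in 301|302|307|308) ;; *) return 1 ;; esac
  case "$2" in "https://$3" | "https://$3/"*) return 0 ;; *) return 1 ;; esac
}

# Live checks against the running host. Usage: sh audit.sh foobar.yuccastream.com
live_checks() {
  host=$1

  # 1. The config file itself.
  addr=$(yucca_listen_address "$YUCCA_TOML")
  if listen_is_loopback "$addr"; then
    echo "OK   yucca.toml listen_address=\"$addr\""
  else
    echo "FAIL yucca.toml listen_address=\"$addr\" is not loopback-only"
  fi

  # 2. What is actually bound: any 9910 listener on a non-loopback address bypasses nginx.
  if ss -ltn 2>/dev/null | awk '$4 ~ /:9910$/ && $4 !~ /^127\./ && $4 !~ /^\[::1\]/ { found = 1 }
                                END { exit !found }'; then
    echo "FAIL port 9910 is bound on a non-loopback address"
  else
    echo "OK   port 9910 is bound to loopback only (or not at all)"
  fi

  # 3. Plain HTTP must answer with a redirect to HTTPS, as the certbot-written server block does.
  status=$(curl -s -o /dev/null -w '%{http_code}' "http://$host/")
  location=$(curl -s -o /dev/null -w '%{redirect_url}' "http://$host/")
  if is_https_redirect "$status" "$location" "$host"; then
    echo "OK   http://$host/ -> $status $location"
  else
    echo "FAIL http://$host/ -> $status $location"
  fi

  # 4. Expiry of the certificate nginx actually serves (certbot renews when under 30 days remain).
  not_after=$(printf '' | openssl s_client -servername "$host" -connect "$host:443" 2>/dev/null \
              | openssl x509 -noout -enddate | cut -d= -f2)
  echo "INFO certificate notAfter: ${not_after:-could not read certificate}"
}

if [ -n "${1:-}" ]; then
  live_checks "$1"
fi
```

Run it from the server itself so that check 2 sees the real sockets; checks 3 and 4 are more meaningful from another machine, because they prove what an outside client sees. To exercise the renewal path without waiting for the timer, `sudo certbot renew --dry-run` performs a test renewal against the Let's Encrypt staging environment.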

Thanks for using Yucca :)

If you have any questions, you can ask them in our community chat on Telegram @yuccastream or email us at info@yucca.app