Add https

README.md

@@ -17,6 +17,53 @@ Non-exhaustive TODO-list:
 
 ### Production
 
+#### Create SSL certification
+
+To set up HTTPS, you will need valid SSL certificates. If you deploy the app for the first time, follow these instructions:
+
+- Comment or delete the whole server section about 443 in the `nginx.conf` file.
+
+```diff
+- server {
+- listen 443 default_server ssl http2;
+- ...
+- }
+```
+
+> This step is required because the certificates don't exist yet, so they cannot be loaded in the nginx configuration.  
+> **The website has to run with http to respond to certbot challenge**
+
+- (Re)Start the `blog` container:
+
+```bash
+docker compose up --detach --build blog
+```
+
+- Create the certificates with the `certbot` container:
+
+```bash
+docker compose run --rm certbot certonly --webroot --webroot-path /var/www/certbot/ -d yourdomainname.com
+```
+
+- Restore the original `nginx.conf` (with `git restore nginx.conf` for example)
+- Stop the `blog` container:
+
+```bash
+docker compose down
+```
+
+The certificates should have been generated in `certbot/conf/live/yourdomainname.com/`.
+
+#### Renew SSL certification
+
+If you just want to renew existing certificates, use:
+
+```bash
+docker compose run --rm certbot renew
+```
+
+#### Deploy the website itself
+
 Create the blog directory, **it must be writable by users that will write to it: you, builder target, CI user...**
 ```sh
 mkdir build/blog

docker-compose.yml

@@ -20,6 +20,15 @@ services:
     restart: unless-stopped
     ports:
       - 80:80
+      - 443:443
     volumes:
+      - ./certbot/www:/var/www/certbot/:ro
+      - ./certbot/conf/:/etc/nginx/ssl/:ro
       - ./nginx.conf:/etc/nginx/nginx.conf:ro
       - ./build/blog:/blog:rw
+
+  certbot:
+    image: certbot/certbot:latest
+    volumes:
+      - ./certbot/www/:/var/www/certbot/:rw
+      - ./certbot/conf/:/etc/letsencrypt/:rw

nginx.conf

@@ -14,17 +14,41 @@ http {
 
 
     server {
-       listen 80;
-       listen [::]:80;
+        listen 80;
+        listen [::]:80;
 
-       server_name www.iscsc.fr iscsc.fr;
-       #server_name localhost;
+        server_name www.iscsc.fr iscsc.fr;
 
-       root /blog; #Absolute path to where your hugo site is
-       index index.html; # Hugo generates HTML
+        location /.well-known/acme-challenge/ {
+            root /var/www/certbot;
+        }
 
-       location / {
-               try_files $uri $uri/ =404;
-       }
+        location / {
+            return 301 https://iscsc.fr$request_uri;
+        }
     }
-}
+
+
+    server {
+        listen 443 default_server ssl http2;
+        listen [::]:443 ssl http2;
+
+        server_name www.iscsc.fr iscsc.fr;
+
+        ssl_certificate /etc/nginx/ssl/live/iscsc.fr/fullchain.pem;
+        ssl_certificate_key /etc/nginx/ssl/live/iscsc.fr/privkey.pem;
+
+        root /blog; #Absolute path to where your hugo site is
+        index index.html; # Hugo generates HTML
+
+        location / {
+            try_files $uri $uri/ =404;
+        }
+
+        # redirect server error pages to the static page /50x.html
+        error_page 500 502 503 504 /50x.html;
+        location = /50x.html {
+            root /usr/share/nginx/html;
+        }
+    }
+}