
Installation of a free Let's Encrypt SSL certificate with automatic renewal for the domain of the CRYSTAL v1.0 project.

28.02.2025


Before following these instructions, you must already have connected the domain to the project.


1. Changing the .env.prodDomain file in the frontend part to work via the 'https' protocol, and building the project for the domain.


Replace 'YourDomain' with your domain name and enter the command:

cd /var/www/crystal/frontend && rm -vr ./env/.env.prodDomain && echo VITE_API_BASE_URL=https://YourDomain/api > ./env/.env.prodDomain && npm run buildProdDomain

Example:

cd /var/www/crystal/frontend && rm -vr ./env/.env.prodDomain && echo VITE_API_BASE_URL=https://crysty.ru/api > ./env/.env.prodDomain && npm run buildProdDomain


2. Changing the .env.prodDomain file in the backend part of the project.


Enter the command:

cd /var/www/crystal/backend && nano env/.env.prodDomain

In the window that opens, change the value of the 'CORS_ORIGIN' variable from 'http://YourDomain' to 'https://YourDomain'.


Next, add the variable - 'COOKIE_SECURE_STATUS':

COOKIE_SECURE_STATUS=true

After adding the line, save and exit nano by pressing 'Ctrl + X', then 'Y', then 'Enter'.


* With the cookie's 'Secure' flag set to true, the browser sends the cookie only over HTTPS, so the entire request, including the authorization JWT carried in the cookie, is encrypted in transit. This protects the token from interception on open or untrusted networks such as public Wi-Fi, where an attacker can read unencrypted traffic, and from man-in-the-middle (MITM) attacks, in which an attacker positioned between the client and the server reads or alters data on a connection that is not protected by HTTPS.


Enter the command:

systemctl restart nginx && pm2 restart 0
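Before running the restart above it is worth confirming that the backend file really contains the two settings, because a stale 'http://' origin or a missing COOKIE_SECURE_STATUS silently leaves the JWT cookie sendable over plain HTTP. The POSIX shell script below is an added example written for this page, not part of the CRYSTAL project; it assumes only the variable names CORS_ORIGIN and COOKIE_SECURE_STATUS used above, runs against constructed sample files rather than the real one, and goes one step beyond the text by also rejecting a CORS origin that carries a path or trailing slash (a CORS origin is scheme://host[:port] only).

```shell
#!/bin/sh
# Added example for this page (not part of the CRYSTAL project): validate the
# backend env/.env.prodDomain before restarting nginx and pm2.
# Assumes only the variable names used in the instructions above:
# CORS_ORIGIN and COOKIE_SECURE_STATUS.

# Print the value of "$2=..." from env file $1 (last definition wins).
env_value() {
    grep -E "^$2=" "$1" | tail -n 1 | cut -d= -f2- | tr -d '\r'
}

# Check that the file points the API origin at HTTPS and marks cookies Secure.
# Prints every problem found and returns 1 if there was any, else 0.
check_prod_env() {
    file=$1
    rc=0
    origin=$(env_value "$file" CORS_ORIGIN)
    secure=$(env_value "$file" COOKIE_SECURE_STATUS)

    case "$origin" in
        "")          echo "CORS_ORIGIN is missing"; rc=1 ;;
        https://*/*) echo "CORS_ORIGIN must be an origin without a path or trailing slash: $origin"; rc=1 ;;
        https://*)   ;;   # correct: https scheme, host only
        *)           echo "CORS_ORIGIN must start with https://, got: $origin"; rc=1 ;;
    esac

    case "$secure" in
        true) ;;
        "")   echo "COOKIE_SECURE_STATUS is missing: the JWT cookie would still be sent over plain HTTP"; rc=1 ;;
        *)    echo "COOKIE_SECURE_STATUS must be 'true', got: $secure"; rc=1 ;;
    esac
    return $rc
}

# Write constructed sample files (not real project data) into directory $1.
write_samples() {
    printf 'CORS_ORIGIN=https://example.test\nCOOKIE_SECURE_STATUS=true\n' > "$1/good.env"
    printf 'CORS_ORIGIN=http://example.test\n' > "$1/stale.env"
    printf 'CORS_ORIGIN=https://example.test/\nCOOKIE_SECURE_STATUS=false\n' > "$1/wrong.env"
}

# Demo:  sh env_check.sh --demo   (on the server you would pass env/.env.prodDomain)
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    write_samples "$tmp"
    for f in good stale wrong; do
        if check_prod_env "$tmp/$f.env"; then
            echo "$f.env: OK"
        else
            echo "$f.env: FIX BEFORE RESTART"
        fi
    done
    rm -rf "$tmp"
fi
```

Run `check_prod_env env/.env.prodDomain` on the server and only continue with `systemctl restart nginx && pm2 restart 0` when it returns 0; the same two checks are what you would otherwise verify by hand in the browser's developer tools after the restart.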

3. Installing certbot.


Enter the command:

apt-get install certbot python3-certbot-nginx

4. Generating a Let's Encrypt SSL certificate.


Enter the command, replacing 'YourDomain' with your domain:

certbot --nginx -d YourDomain -d www.YourDomain

Example:

certbot --nginx -d crysty.ru -d www.crysty.ru


Next, enter your email address. Certbot then asks a few questions; read them and give the required consent.


* If the following error appears during generation:
An unexpected error occurred:
AttributeError: can't set attribute

run the command 'certbot --nginx -d YourDomain -d www.YourDomain' again.


When the certificate is ready, you will see a text like this in the console:

Successfully received certificate.


Nginx is reloaded with the new configuration.

Twice a day the certbot systemd timer checks the certificate and renews it automatically when its expiry approaches.

You can make sure that the timer is present by entering the command:

systemctl status certbot.timer

After entering the command, you should see a message like this:

● certbot.timer - Run certbot twice daily
     Loaded: loaded (/lib/systemd/system/certbot.timer; enabled; preset: enabled)
     Active: active (waiting) since Tue 2024-01-23 04:50:45 UTC; 1h 23min ago
    Trigger: Tue 2024-01-23 20:06:16 UTC; 13h left
   Triggers: ● certbot.service

Jan 23 04:50:45 crystal-vm-1 systemd[1]: Started certbot.timer - Run certbot twice daily.


5. Restarting the certbot timer after rebooting the VM.


Enter the command:

systemctl enable --now certbot.timer

Open the project site at your domain over 'https'; the SSL certificate should now be in use.


Note: For easier understanding and quick installation, these instructions are simplified. When running the command that checks the web server configuration:

nginx -t

a warning may appear:

[warn] 1672995#1672995: conflicting server name "www.YourDomain" on 0.0.0.0:443, ignored

This is not an error and does not affect the operation of the site. The server continues to function correctly, and the SSL certificate works and is renewed automatically.
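The timer status above only shows that certbot will run; it does not show whether the certificate it manages is actually valid or already due for renewal. The following shell functions are an added example for this page, not part of the CRYSTAL project or of certbot: they read the certificate certbot stores under /etc/letsencrypt/live/<domain>/fullchain.pem (certbot's default layout), report the days left, and flag when it is inside the 30-day window in which certbot renews by default. They assume a Linux host with openssl and GNU date; the demo uses a constructed self-signed certificate so it runs without a domain.

```shell
#!/bin/sh
# Added example for this page (not part of the CRYSTAL project or of certbot):
# report how long a certificate remains valid and whether it is inside the
# window in which certbot's timer is expected to renew it.
# Assumptions: Linux host with openssl and GNU date; certbot's default
# layout /etc/letsencrypt/live/<domain>/fullchain.pem.

RENEW_WINDOW_DAYS=30   # certbot renews when fewer than 30 days remain (default)

# Path where certbot keeps the current full chain for a domain.
live_cert_path() {
    echo "/etc/letsencrypt/live/$1/fullchain.pem"
}

# Whole days until the certificate in $1 expires (negative once expired).
cert_days_left() {
    end=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2-)
    end_epoch=$(date -u -d "$end" +%s)   # GNU date parses "Mar  1 12:00:00 2026 GMT"
    now_epoch=$(date -u +%s)
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

# Return 0 if the certificate in $1 stays valid for more than $2 days, else 1.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Human-readable report for one certificate file. Exit status 1 means the
# certificate is missing or already inside the renewal window, which is
# the case worth investigating (renewal should have happened by then).
report_cert() {
    file=$1
    if [ ! -r "$file" ]; then
        echo "no certificate at $file"
        return 1
    fi
    days=$(cert_days_left "$file")
    if cert_valid_for_days "$file" "$RENEW_WINDOW_DAYS"; then
        echo "$file: $days days left, renewal not yet due"
        return 0
    fi
    echo "$file: $days days left, inside the renewal window; check 'certbot renew --dry-run'"
    return 1
}

# Demo with a constructed self-signed certificate (not a real Let's Encrypt cert):
#   sh cert_check.sh --demo
# On the server:  report_cert "$(live_cert_path YourDomain)"
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 10 -subj /CN=example.test \
        -keyout "$tmp/privkey.pem" -out "$tmp/fullchain.pem" >/dev/null 2>&1
    report_cert "$tmp/fullchain.pem"      # 10-day cert: reported as inside the window
    rm -rf "$tmp"
fi
```

The report deliberately returns non-zero inside the window rather than only when expired, because a healthy certbot setup renews well before expiry; seeing a certificate with fewer than 30 days left means the timer ran but renewal failed, and `certbot renew --dry-run` exercises the full renewal path (including the nginx plugin) without touching the live certificate.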


6. Enabling HTTP/2 protocol support in Nginx.


HTTP/2 is a modern version of the HTTP protocol designed to address the limitations of HTTP/1.1 and improve the performance of web applications.


Key technical improvements:

  • Multiplexing: multiple requests and responses are transmitted simultaneously over a single TCP connection, without blocking.
  • Header Compression (HPACK): reduces data redundancy and speeds up data exchange.
  • Server Push: allows the server to pre-send resources such as styles, scripts, and images before the browser itself requests them. This reduces latency and speeds up page loading.
  • Binary format: simplifies parsing HTTP messages on the server and client side, which reduces overhead and speeds up data transfer.
  • Prioritization: critical resources (such as CSS or JavaScript) are transferred to the client with priority, speeding up page rendering.

In addition to improving performance, HTTP/2 improves site security: browsers support it only over TLS, it requires modern cryptographic algorithms, and it protects against a number of attacks that affect HTTP/1.1.


To enable support for the HTTP/2 protocol, run the commands below in sequence:

nano /etc/nginx/sites-available/crystal

In the window that opens, find every line of the form:

listen 443 ssl;

and replace them with:

listen 443 ssl http2;

After replacing them, save and exit nano by pressing 'Ctrl + X', then 'Y', then 'Enter'.


Next, enter the command:

systemctl restart nginx && curl -I --http2 https://YourDomain

The first line of the output should be 'HTTP/2 200', which confirms that the connection was negotiated over HTTP/2.
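Editing the site file by hand in nano works, but the same change can be applied and verified with a script that also leaves a backup to roll back to if `nginx -t` then fails. The block below is an added example for this page, not part of the CRYSTAL project; it assumes the site file path /etc/nginx/sites-available/crystal from the instructions and demonstrates the edit on a constructed sample config that carries the '# managed by Certbot' comments certbot --nginx adds to the lines it writes. It goes slightly beyond the text by also handling the IPv6 listen form and listen lines with extra parameters, and it is idempotent (lines that already contain http2 are left alone).

```shell
#!/bin/sh
# Added example for this page (not part of the CRYSTAL project): add the http2
# parameter to every TLS listen line of an nginx site file, keep a backup, and
# verify the result before the configuration is tested with "nginx -t".
# Assumes the site file path used in the instructions:
#   /etc/nginx/sites-available/crystal

# A listen line on port 443 with ssl, IPv4 ("listen 443 ssl;") or with a host
# prefix ("listen [::]:443 ssl ipv6only=on;"). Trailing comments are kept.
LISTEN_RE='^[[:space:]]*listen[[:space:]]+([^[:space:];]*:)?443[[:space:]]+ssl[^;]*;'

# Count the TLS listen lines in $1 that still lack http2 (0 means done).
count_missing_http2() {
    grep -E "$LISTEN_RE" "$1" | grep -vc 'http2' || true   # prints 0 on no match
}

# Rewrite those lines as "listen ... 443 ssl http2 ...;" keeping a .bak copy.
# Lines that already mention http2 are skipped, so re-running is harmless.
enable_http2() {
    file=$1
    cp "$file" "$file.bak"
    sed -E '/http2/!s/^([[:space:]]*listen[[:space:]]+([^[:space:];]*:)?443[[:space:]]+ssl)([^;]*);/\1 http2\3;/' \
        "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Constructed sample site file (not the project's real config) written to $1.
write_sample_site() {
    cat > "$1" <<'EOF'
server {
    server_name example.test www.example.test;
    root /var/www/crystal/frontend/dist;
    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/example.test/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.test/privkey.pem; # managed by Certbot
}
server {
    listen 80;
    server_name example.test www.example.test;
    return 301 https://$host$request_uri; # managed by Certbot
}
EOF
}

# Demo:  sh http2_enable.sh --demo
# On the server:  enable_http2 /etc/nginx/sites-available/crystal && nginx -t
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    write_sample_site "$tmp/crystal"
    echo "before: $(count_missing_http2 "$tmp/crystal") listen line(s) without http2"
    enable_http2 "$tmp/crystal"
    echo "after:  $(count_missing_http2 "$tmp/crystal") listen line(s) without http2"
    grep -n 'listen' "$tmp/crystal"
    rm -rf "$tmp"
fi
```

After running `enable_http2` on the real file, continue with `nginx -t && systemctl reload nginx` and then the `curl -I --http2` check from the step above; if `nginx -t` fails, restore the `.bak` copy. One version caveat: since nginx 1.25.1 the `http2` parameter of `listen` is deprecated in favour of a separate `http2 on;` directive inside the server block. Newer nginx still honours the parameter but logs a deprecation warning, while the packages in current Debian and Ubuntu LTS releases only understand the `listen` form shown here.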


You can make the site considerably more secure by adding some rules to the Nginx server, following these instructions.
