Step 3: Set Up SSL Certificates

Adding a Subdomain in Nginx

1. Create a New Server Block Configuration

Create a new configuration file for your subdomain:

bash
sudo nano /etc/nginx/sites-available/subdomain.your_domain

Add the following configuration:

nginx
server {
    listen 80;
    server_name subdomain.your_domain;
    root /var/www/subdomain.your_domain;
    index index.html index.htm index.nginx-debian.html;

    location / {
        try_files $uri $uri/ =404;
    }
}

2. Create the Document Root Directory

bash
sudo mkdir -p /var/www/subdomain.your_domain
sudo chown -R $USER:$USER /var/www/subdomain.your_domain
sudo chmod -R 755 /var/www/subdomain.your_domain

3. Create a Sample Page

bash
echo "<h1>Welcome to subdomain.your_domain!</h1>" | sudo tee /var/www/subdomain.your_domain/index.html

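# The same step for a concrete local host, ive.localhost
# (its document root and server block must already exist):
echo "<h1>Welcome to IVE domain!</h1>" | sudo tee /var/www/ive.localhost/index.html
sudo ln -s /etc/nginx/sites-available/ive.localhost /etc/nginx/sites-enabled/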

4. Enable the New Configuration

bash
sudo ln -s /etc/nginx/sites-available/subdomain.your_domain /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl reload nginx

SSL Certificates for Multiple Domains

Using Let's Encrypt

Install Certbot:

bash
sudo apt install certbot python3-certbot-nginx

Obtain an SSL certificate for your main domain and subdomain:

bash
sudo certbot --nginx -d your_domain -d www.your_domain -d subdomain.your_domain

To add SSL to an additional subdomain later:

bash
sudo certbot --nginx -d new.your_domain

Follow the prompts to complete the installation. Certbot will automatically configure SSL for your Nginx configurations.

Using Wildcard Certificates

For multiple subdomains, consider using a wildcard certificate:

bash
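# Quote the wildcard so the shell does not try to expand it as a glob
sudo certbot certonly --manual --preferred-challenges dns -d your_domain -d '*.your_domain'

# Concrete example:
sudo certbot certonly --manual --preferred-challenges dns -d hanapko.com -d '*.hanapko.com'

This requires DNS verification: Certbot prints a TXT record value that you publish at _acme-challenge.your_domain before it continues. The apex domain is listed separately because *.your_domain does not cover your_domain itself. After obtaining the wildcard certificate, update your Nginx configurations to use it: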

nginx
server {
    listen 443 ssl;
    server_name subdomain.your_domain;
    
    ssl_certificate /etc/letsencrypt/live/your_domain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/your_domain/privkey.pem;
    
    # Other SSL settings...
    
    root /var/www/subdomain.your_domain;
    index index.html index.htm;
    
    location / {
        try_files $uri $uri/ =404;
    }
}
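
The wildcard commands above request both your_domain and *.your_domain because a wildcard name covers exactly one label to the left of the domain. The script below is an added example, not part of the original tutorial: it reports which server_name values a certificate's names fail to cover. The function names are hypothetical, and cert_names assumes OpenSSL 1.1.1 or later for the -ext option.

```shell
#!/bin/sh
# Added example; all function names here are hypothetical helpers.

# name_matches HOST NAME: succeed if certificate NAME covers HOST.
# "*.domain" stands for exactly one left-most label, never zero or two.
name_matches() {
    _host=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    _pat=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    case "$_pat" in
        '*.'*)
            _suffix=${_pat#'*'}                 # e.g. ".your_domain"
            case "$_host" in
                *"$_suffix") _label=${_host%"$_suffix"} ;;
                *) return 1 ;;
            esac
            [ -n "$_label" ] || return 1        # the apex is not covered
            case "$_label" in *.*) return 1 ;; esac   # a.b.domain is not covered
            return 0 ;;
        *) [ "$_host" = "$_pat" ] ;;
    esac
}

# uncovered NAMES HOST...: print every HOST that none of the
# whitespace-separated certificate NAMES covers.
uncovered() {
    _names=$1; shift
    for _h in "$@"; do
        _ok=no
        set -f                                  # keep "*.domain" from globbing
        for _n in $_names; do
            name_matches "$_h" "$_n" && _ok=yes
        done
        set +f
        [ "$_ok" = yes ] || printf '%s\n' "$_h"
    done
}

# cert_names FILE: list the DNS names in the leaf certificate's subjectAltName
# (assumes OpenSSL 1.1.1+ for -ext; fullchain.pem has the leaf first).
cert_names() {
    openssl x509 -in "$1" -noout -ext subjectAltName |
        tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Typical use on the server, before reloading Nginx:
#   uncovered "$(cert_names /etc/letsencrypt/live/your_domain/fullchain.pem)" \
#       your_domain subdomain.your_domain
```

Empty output means every listed host is covered; any host printed needs its own -d entry or a different certificate.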

Renewing SSL Certificates

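Certbot automatically renews certificates. Certificates issued with --manual are the exception: they renew unattended only if an authentication hook (--manual-auth-hook) or a DNS plugin is configured. To test the renewal process, you can run: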

bash
sudo certbot renew --dry-run

Verifying SSL Configuration

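Confirm that the server completes a TLS 1.3 handshake and presents the expected certificate (root privileges are not needed for this check):

bash
openssl s_client -connect your_domain:443 -servername your_domain -tls1_3 </dev/null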

You can also use online tools like SSL Labs to verify your SSL configuration quality: https://www.ssllabs.com/ssltest/