In this post we explore how to add SSL support to a Hugo website by combining it with NGINX

Hugo + Nginx

0. checklist

  • Internet -> AT&T fiber at home with external IP 23.45.67.89
  • Domain name -> 1genomics.com
  • DNS server -> AWS Route 53, with a record mapping 1genomics.com to 23.45.67.89
  • Hosting machine -> A Pi4 board running Ubuntu, with the LAN IP 10.0.0.100 at home
  • Router -> Netgear that supports port forwarding

1. install hugo

sudo apt install hugo

2. create a new website

cd /home/ubuntu; hugo new site hugo-www

3. go to router settings, set “port forwarding”

external 80, internal 10.0.0.100:80
external 443, internal 10.0.0.100:443

4. install certbot

open a terminal and connect to the Pi4's Ubuntu

ssh ubuntu@10.0.0.100
sudo apt install certbot

5. start a temporary http server for certbot

cd /home/ubuntu/hugo-www
sudo python -m 'http.server' 80

6. generate the cert

Open another terminal

sudo apt install certbot
sudo certbot certonly --webroot

Please enter in your domain name(s): 1genomics.com
Input the webroot for 1genomics.com: /home/ubuntu/hugo-www

The output message should be like this:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/1genomics.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/1genomics.com/privkey.pem
   Your cert will expire on 2023-03-15. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

7. cleanup

Ctrl-C to terminate the python application “sudo python -m ‘http.server’ 80”

8. use NGINX to handle SSL

sudo apt install -y nginx
sudo mkdir -p /etc/nginx/ssl   # the directory does not exist on a fresh install
sudo cp /etc/letsencrypt/live/1genomics.com/fullchain.pem /etc/nginx/ssl/
sudo cp /etc/letsencrypt/live/1genomics.com/privkey.pem /etc/nginx/ssl/
sudo vim /etc/nginx/sites-available/www.1genomics.com

Should be like this:

server {
        listen 80;
        listen 443 ssl;
        server_name 1genomics.com www.1genomics.com;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_certificate /etc/nginx/ssl/fullchain.pem;
        ssl_certificate_key /etc/nginx/ssl/privkey.pem;
        root /home/ubuntu/hugo-www/public;
        index index.html index.htm;
        location / {
                try_files $uri $uri/ =404;
        }
}
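The config above enables TLSv1 and TLSv1.1, both of which have been deprecated for years, and it serves the site over plain HTTP on port 80 as well. The following script is an added example and not part of the original post: it lints a site file for the legacy ssl_protocols setting and prints a hardened server block for the same site, so the weak setting and its replacement can be compared side by side. Domain, paths and certificate locations are the post's own; the HTTP to HTTPS redirect and TLSv1.3 (which needs OpenSSL 1.1.1 or newer, as Ubuntu ships) are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: lint an nginx site file for the
# legacy ssl_protocols setting used in step 8 and print a hardened server
# block for the same site. Domain, paths and cert locations are the post's
# own; the HTTP->HTTPS redirect and TLSv1.3 are this example's assumptions.

# weak_tls_protocols FILE
# Prints every ssl_protocols line in FILE that still enables TLSv1 or TLSv1.1.
# Returns 0 when none are found, 1 when a legacy protocol is enabled.
weak_tls_protocols() {
    file="$1"
    # first grep isolates the directive; the second matches TLSv1 / TLSv1.1 as
    # whole tokens so that TLSv1.2 and TLSv1.3 do not trigger it
    found=$(grep -E '^[[:space:]]*ssl_protocols[[:space:]]' "$file" \
            | grep -E '(^|[[:space:]])TLSv1(\.1)?([[:space:];]|$)' || true)
    if [ -n "$found" ]; then
        printf 'legacy TLS enabled: %s\n' "$found"
        return 1
    fi
    return 0
}

# hardened_server_block
# Prints a replacement for the step 8 config: port 80 only redirects to HTTPS,
# and port 443 offers TLS 1.2 and 1.3 only.
hardened_server_block() {
    cat <<'EOF'
server {
        listen 80;
        server_name 1genomics.com www.1genomics.com;
        return 301 https://$host$request_uri;
}
server {
        listen 443 ssl;
        server_name 1genomics.com www.1genomics.com;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_certificate /etc/nginx/ssl/fullchain.pem;
        ssl_certificate_key /etc/nginx/ssl/privkey.pem;
        root /home/ubuntu/hugo-www/public;
        index index.html index.htm;
        location / {
                try_files $uri $uri/ =404;
        }
}
EOF
}

# Usage: sh check_nginx_tls.sh /etc/nginx/sites-available/www.1genomics.com
# When the given file still enables a legacy protocol, the hardened block is
# printed so it can be pasted in and validated with "sudo nginx -t".
if [ $# -eq 1 ]; then
    weak_tls_protocols "$1" || hardened_server_block
fi
```

After replacing the server block, run `sudo nginx -t` before the restart in step 11; nginx refuses to load a file with a syntax error, and the check reports it without taking the site down.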

9. enable the config

sudo ln -s /etc/nginx/sites-available/www.1genomics.com /etc/nginx/sites-enabled/

10. check the firewall

ubuntu@ubuntu:~/hugo-www$ sudo ufw app list
Available applications:
  Nginx Full
  Nginx HTTP
  Nginx HTTPS
  OpenSSH

11. restart NGINX

sudo systemctl restart nginx

12. generate the static content for NGINX to serve

cd /home/ubuntu/hugo-www; hugo

you should see the static files generated under '/home/ubuntu/hugo-www/public/'

13. open a web browser to validate

https://www.1genomics.com

14. refresh the cert every 3 months

sudo systemctl stop nginx

Repeat step 5 and step 6

sudo cp /etc/letsencrypt/live/1genomics.com/fullchain.pem /etc/nginx/ssl/
sudo cp /etc/letsencrypt/live/1genomics.com/privkey.pem /etc/nginx/ssl/
sudo systemctl start nginx
