Redirecting IP Traffic to HTTPS – NGINX Tricks Part 1

Lately I had a peculiar issue: I wanted to secure a web server running NGINX with HTTPS using Let’s Encrypt, but almost all traffic to said web server requests the web page using the IP address of the server, since the web server is only there to tell people about the primary service running on the server. (Yes, this is a public NTP server that’s part of the NTP Pool Project, if you had figured that out.)

As you might know, Let’s Encrypt needs to have a server name defined in the web server configuration to make autoconfiguration of the web server work, so that rules out the “direct IP” traffic. Also, I’m fairly certain that Let’s Encrypt won’t issue a certificate directly to an IP. This puts us in somewhat of a dilemma: we could serve the direct IP traffic over HTTP and the traffic that has the DNS name of the server in the HTTP request over HTTPS, but that’s not very elegant.

The solution I settled on is to do what certbot does for HTTP-to-HTTPS redirects. Basically, any traffic that arrives on port 80 addressed to the IP instead of a hostname gets redirected to HTTPS under the server's DNS name.

All you have to do is to insert the following server block above what certbot already put in the server configuration.

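server {
    # Requests whose Host header is the bare IP get a permanent redirect
    # to the HTTPS site under the server's DNS name, keeping path and query.
    if ($host = PUBLIC_IP) {
        return 301 https://server1.example.com$request_uri;
    }

    listen 80;
    listen [::]:80;

    # Replace PUBLIC_IP with the server's public IP address.
    server_name PUBLIC_IP;

    # Anything else that ends up in this block gets a 404.
    return 404;
}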

As you can see, every request that arrives on port 80 addressed to the public IP gets a 301 Moved Permanently pointing at the same URL under the server's DNS name, over HTTPS. This is coincidentally the best practice for upgrading incoming sessions from HTTP to HTTPS as well.
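To confirm the server block behaves as described, the following added example (not part of the original post) requests a page from the bare IP over plain HTTP and checks that the answer is a 301 to the HTTPS hostname with the request URI intact. The function names, the script name and the `/status?probe=1` test path are assumptions made for illustration; `server1.example.com` is the placeholder hostname from the configuration above.

```python
"""Added example: verify the IP-to-HTTPS redirect from a client's point of view."""
import http.client
import sys
from urllib.parse import urlsplit


def evaluate(status, location, expected_host, path):
    """Return a list of problems with a redirect response; empty means OK."""
    problems = []
    if status != 301:
        problems.append(f"expected 301, got {status}")
    if not location:
        problems.append("no Location header")
        return problems
    target = urlsplit(location)
    if target.scheme != "https":
        problems.append(f"redirect is not to HTTPS: {location}")
    if target.hostname != expected_host:
        problems.append(f"redirect host is {target.hostname}, not {expected_host}")
    # $request_uri keeps the original path and query string in the redirect.
    sent_back = target.path + (f"?{target.query}" if target.query else "")
    if sent_back != path:
        problems.append(f"request URI changed: {path} -> {sent_back}")
    return problems


def check_ip_redirect(ip, expected_host, path="/", port=80, timeout=5):
    """GET `path` from `ip` over plain HTTP and evaluate the answer.

    http.client derives the Host header from the connection target, so the
    request names the bare IP, like the traffic the server block handles.
    """
    conn = http.client.HTTPConnection(ip, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return evaluate(resp.status, resp.getheader("Location"), expected_host, path)
    finally:
        conn.close()


if __name__ == "__main__":
    # Hypothetical script name; pass the server's IP and its DNS name.
    if len(sys.argv) != 3:
        sys.exit("usage: check_redirect.py PUBLIC_IP EXPECTED_HOSTNAME")
    found = check_ip_redirect(sys.argv[1], sys.argv[2], "/status?probe=1")
    print("\n".join(found) if found else "redirect OK")
    sys.exit(1 if found else 0)
```

The exit status is non-zero when any check fails, so the script can run from a monitoring job after each certbot renewal or NGINX configuration change.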


