Nginx Config For Mattermost with SSL Certificate Generated By Certbot

Step-by-Step Guide to Configure NGINX with Mattermost and Certbot

This guide outlines the steps to configure NGINX as a reverse proxy for Mattermost, including SSL setup using Certbot. Follow these instructions carefully to ensure a secure and efficient configuration.

Step 1: Check Installed Versions

  1. Check NGINX Version:

    nginx -v
    
    • Expected output: nginx version: nginx/1.18.0 (Ubuntu)
  2. Check Mattermost Version:

    /opt/mattermost/bin/mattermost version
    
    • Expected output includes:
      • Version: 7.4.0
      • Build Number: 7.4.0
      • Build Date: Wed Oct 12 19:37:03 UTC 2024
      • Build Hash: 8cb6718a9bcc45186f62baed2304248d3cabaa50
      • Build Enterprise Ready: true
  3. Check Certbot Installation:

    apt-cache policy certbot | grep -i Installed
    
    • Expected output: Installed: 0.40.0-1ubuntu0.1

Step 2: Configure NGINX for Mattermost

  1. Open NGINX Configuration File:
    Edit the configuration file located at /etc/nginx/sites-enabled/mm.yourdomain.com.

  2. Define Upstream Server Block:
    Add the following upstream block to define the Mattermost backend:

    upstream backend {
        server 127.0.0.1:8065;
        keepalive 32;
    }
    
  3. Set Proxy Cache Path:
    Define the cache path for NGINX:

    proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=mattermost_cache:10m max_size=3g inactive=120m use_temp_path=off;
    
  4. Configure HTTP to HTTPS Redirection:
    Add the following server block to redirect HTTP traffic to HTTPS:

    server {
        listen 80;
        server_name mm.yourdomain.com;
        return 301 https://$server_name$request_uri;
    }
    
  5. Configure HTTPS Server Block:
    Add the HTTPS configuration:

    server {
        listen 443 ssl http2;
        server_name mm.yourdomain.com;
    
        http2_push_preload on;
    
        ssl_certificate /etc/letsencrypt/live/mm.yourdomain.com/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/mm.yourdomain.com/privkey.pem; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
        ssl_session_timeout 1d;
    
        ssl_protocols TLSv1.2 TLSv1.3;
        # TLS 1.3 0-RTT: faster resumption, but requests sent as early data can be replayed on
        # the wire. Keep this off unless the backend is told which requests were early data and
        # refuses to act on non-idempotent ones.
        ssl_early_data on;
    
        ssl_ciphers '{copy this data from /etc/letsencrypt/options-ssl-nginx.conf}';
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:50m;
    
        add_header Strict-Transport-Security max-age=15768000;
        ssl_stapling on;
        ssl_stapling_verify on;
    
        # $ssl_early_data is a built-in variable (no map directive needed): "1" when the
        # request arrived as 0-RTT early data, empty otherwise. nginx -t rejects any
        # variable that is neither built in nor defined by map/set.
        add_header X-Early-Data $ssl_early_data;
    
        location ~ /api/v[0-9]+/(users/)?websocket$ {
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            client_max_body_size 50M;
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            # Tell the backend which requests were 0-RTT early data so it can refuse replayable ones
            proxy_set_header Early-Data $ssl_early_data;
            proxy_set_header X-Frame-Options SAMEORIGIN;
            proxy_buffers 256 16k;
            proxy_buffer_size 16k;
            client_body_timeout 60;
            send_timeout 300;
            lingering_timeout 5;
            proxy_connect_timeout 90;
            proxy_send_timeout 300;
            proxy_read_timeout 90s;
            proxy_http_version 1.1;
            proxy_pass http://backend;
        }
    
        location / {
            client_max_body_size 50M;
            proxy_set_header Connection "";
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            # Tell the backend which requests were 0-RTT early data so it can refuse replayable ones
            proxy_set_header Early-Data $ssl_early_data;
            proxy_set_header X-Frame-Options SAMEORIGIN;
            proxy_buffers 256 16k;
            proxy_buffer_size 16k;
            proxy_read_timeout 600s;
            proxy_cache mattermost_cache;
            proxy_cache_revalidate on;
            proxy_cache_min_uses 2;
            proxy_cache_use_stale timeout;
            proxy_cache_lock on;
            proxy_http_version 1.1;
            proxy_pass http://backend;
        }
    }
    

Step 3: Test and Reload NGINX Configuration

  1. Test NGINX Configuration for Errors:
    nginx -t also opens the certificate and key files named in the HTTPS server block, so it reports an error until Certbot has issued them (Step 4).

    sudo nginx -t
    
  2. Reload NGINX to Apply Changes:

    sudo systemctl reload nginx
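The following pre-flight lint complements nginx -t for the kind of configuration written in Step 2. It is an added example, not part of this guide and not a tool shipped by nginx, Mattermost or Certbot. It parses only the nginx directive syntax a site file uses (';' ends a directive, '{ }' delimits a block, '#' starts a comment) and reports: references to a variable that is neither built in nor defined by a map or set directive (for example a custom $tls1_3_early_data with no map, which nginx -t rejects), legacy TLS versions in ssl_protocols, a plain-HTTP server block that does not redirect to HTTPS, an HTTPS server block without a Strict-Transport-Security header, and ssl_early_data on without the backend being told via the Early-Data header. The SAMPLE_CONFIG inside is a constructed, trimmed copy of the guide's config; FIXED_CONFIG is the same text with both of its findings addressed.

```python
"""Offline pre-flight lint for an nginx reverse-proxy config such as the Mattermost one in
Step 2 (added example; not part of the guide nor an nginx, Mattermost or Certbot tool).
';' ends a directive, '{ }' delimits a block and '#' starts a comment; that is all it parses."""
import re

# Built-in nginx variables (only those the guide's config uses).
BUILTIN_VARS = {"server_name", "request_uri", "scheme", "http_host", "remote_addr",
                "proxy_add_x_forwarded_for", "http_upgrade", "ssl_early_data"}

# Constructed sample: a trimmed copy of the guide's config.  Nothing defines
# $tls1_3_early_data here, which is exactly the kind of slip the lint should catch.
SAMPLE_CONFIG = r"""
upstream backend { server 127.0.0.1:8065; keepalive 32; }
server {
    listen 80;
    server_name mm.yourdomain.com;
    return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl http2;
    server_name mm.yourdomain.com;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_early_data on;
    add_header Strict-Transport-Security max-age=15768000;
    add_header X-Early-Data $tls1_3_early_data;
    location / {
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://backend;
    }
}
"""
# Same config with both findings addressed: a map defines the variable, backend is told about 0-RTT.
FIXED_CONFIG = (
    'map $ssl_early_data $tls1_3_early_data { "~." $ssl_early_data; default ""; }\n'
    + SAMPLE_CONFIG.replace("proxy_pass http://backend;",
                            "proxy_set_header Early-Data $ssl_early_data;\n"
                            "        proxy_pass http://backend;"))

# Tokens: comment, double- or single-quoted string, punctuation, bare word.
TOKEN_RE = re.compile(r'''#[^\n]*|"[^"]*"|'[^']*'|[{};]|[^\s{};"']+''')

def tokenize(text):
    return [t for t in TOKEN_RE.findall(text) if not t.startswith("#")]

def parse(tokens):
    """Build a tree of (name, args, children); children is None for simple directives."""
    stack, cur = [[]], []
    for tok in tokens:
        if tok == ";":
            stack[-1].append((cur[0], cur[1:], None)); cur = []
        elif tok == "{":
            node = (cur[0], cur[1:], [])
            stack[-1].append(node); stack.append(node[2]); cur = []
        elif tok == "}":
            stack.pop()
        else:
            cur.append(tok)
    return stack[0]

def walk(nodes):
    """Yield every (name, args) pair in the tree, depth first."""
    for name, args, children in nodes:
        yield name, args
        if children is not None:
            yield from walk(children)

def check_server(children):
    """Per-server checks: HTTPS redirect for plain HTTP; HSTS and 0-RTT handling for TLS."""
    directives = list(walk(children))
    def has(name, pred=lambda a: True):
        return any(n == name and pred(a) for n, a in directives)
    tag = "server " + next((a[0] for n, a in directives if n == "server_name" and a), "?")
    if not has("listen", lambda a: "ssl" in a):
        ok = has("return", lambda a: len(a) > 1 and a[0] in ("301", "308") and a[1].startswith("https://"))
        return [] if ok else [f"{tag}: plain-HTTP server block does not redirect to https://"]
    out = []
    if not has("add_header", lambda a: a and a[0].lower() == "strict-transport-security"):
        out.append(f"{tag}: no Strict-Transport-Security header")
    # Per the nginx docs, 0-RTT requests can be replayed; the backend can only refuse them if told.
    if has("ssl_early_data", lambda a: a == ["on"]) and \
            not has("proxy_set_header", lambda a: a and a[0].lower() == "early-data"):
        out.append(f"{tag}: ssl_early_data on but Early-Data is not forwarded to the backend "
                   "(0-RTT requests are replayable)")
    return out

def lint(text):
    """Return the list of findings; an empty list means every check passed."""
    nodes = parse(tokenize(text))
    findings, defined = [], set(BUILTIN_VARS)
    for name, args in walk(nodes):          # pass 1: variables created by map/set
        if name == "map" and len(args) >= 2:
            defined.add(args[1].lstrip("$"))
        elif name == "set" and args:
            defined.add(args[0].lstrip("$"))
    for name, args in walk(nodes):          # pass 2: directive-level checks
        for var in re.findall(r"\$([A-Za-z_][A-Za-z0-9_]*)", " ".join(args)):
            if var not in defined:
                findings.append(f"{name}: variable ${var} is not defined "
                                "(nginx -t rejects unknown variables)")
        if name == "ssl_protocols" and set(args) & {"SSLv3", "TLSv1", "TLSv1.1"}:
            findings.append("ssl_protocols: legacy protocol versions are still enabled")
    for name, args, children in nodes:      # pass 3: per-server checks
        if name == "server" and children is not None:
            findings.extend(check_server(children))
    return findings
```

Calling lint(SAMPLE_CONFIG) returns two findings (the undefined variable and the unforwarded Early-Data header) and lint(FIXED_CONFIG) returns an empty list. For a real deployment, read the site file (and any files it includes) and pass the text to lint() before running sudo nginx -t; the lint catches the configuration-level slips, while nginx -t remains the authority on syntax, certificate paths and everything else.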
    

Step 4: Setting Up SSL with Certbot

  1. Install Certbot (if not already installed):

    sudo apt install certbot python3-certbot-nginx
    
  2. Obtain SSL Certificate Using Certbot:
    Run the following command to automatically obtain and configure your SSL certificate:

    sudo certbot --nginx -d mm.yourdomain.com
    
  3. Verify Automatic Renewal of Certificates:
    Certbot sets up a cron job for automatic renewal, but you can manually test it with:

    sudo certbot renew --dry-run
    

Conclusion

By following these steps, you have successfully configured NGINX as a reverse proxy for Mattermost with SSL encryption using Certbot, ensuring secure communication between your server and clients. Always remember to keep your software up to date for optimal security and performance.