These instructions will allow you to secure HTTP traffic from your standalone infrastructure, using a reverse proxy with Nginx.
- Your standalone infrastructure is running with the docker configuration.
- You have downloaded the `nginx` files to your repository server.
- You have configured a domain name (or subdomain) to point to your server's IP address.
First we download the nginx files:

```
+--- conf.d
|   +--- standardnotes-files.conf
|   +--- standardnotes.conf
+--- mime.types
+--- nginx.conf
```
You can download the nginx files again with:

```shell
wget https://github.com/JuanRodenas/server-mariadb/raw/main/nginx.zip && unzip nginx.zip
```
We modify the `server_name` of the files in `nginx/conf.d`:

```
+--- standardnotes-files.conf
+--- standardnotes.conf
```

- Replace `fqdn.example.org` or `fqdn1.example.org` with your actual domain.
- Replace port 80 for the server and 3125 for the files with the ports you have specified in the docker compose, if you have changed them. Here is the docker-compose snippet, changed to 81 and 8080:

```yaml
ports:
  - 81:80
  - 8080:3125
```
There may be different ways to restart Nginx. With the docker configuration used here, recreate the containers with:

```shell
docker compose down && docker compose rm && sleep 2 && docker compose up -d
```
- Test your Nginx configuration with:

```shell
docker exec -u root -t -i stand_nginx /bin/bash
nginx -t
```
Useful nginx commands:

- `nginx -s reload`: Reloads the nginx configuration without interrupting the service.
- `nginx -t`: Checks the nginx configuration syntax.
- `nginx -T`: Checks the syntax and displays the current (fully resolved) nginx configuration.
In order to use HTTPS on your Standard Notes server, you have two options: serve it locally, or put it behind a reverse proxy. I will explain both options.

HTTPS on your standard note server locally:
- In order to use nginx and HTTPS locally, we must use the server IP and a certificate. I will explain with certbot (Let's Encrypt).

1.1 First we will use port 443 instead of port 80:

```yaml
ports:
  - 443:443
  - 3125:3125
```
1.2 Then we will modify the `server_name` to be able to redirect to our local IP. Change the IP of the example to your server IP.

- standardnotes.conf

```nginx
server_name 127.0.0.1;
```

- standardnotes-files.conf

```nginx
server_name 127.0.0.1;
```

If you use `server_name _;`, the block will match every request, whatever host name the client sends.

1.3 We will add the SSL settings to be able to use the certificates that we will create:
- We will modify the nginx file in the `conf.d` folder named `standardnotes.conf`. We replace the `listen 80` by 443:

```nginx
listen 443 ssl http2;
listen [::]:443 ssl http2;
```

- We will add the SSL configuration in the files in the `conf.d` folder to be able to use the certificates we will create in the next step:

```nginx
# SSL Certificates
ssl_certificate /etc/nginx/certs/fullchain.pem;
ssl_certificate_key /etc/nginx/certs/privkey.pem;
ssl_session_cache shared:le_nginx_SSL:1m;
ssl_session_timeout 1440m;
ssl_session_tickets off;
ssl_verify_client off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
```
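Before recreating the container it is worth running a pre-flight check over the two `conf.d` files, because the mistakes that break this setup are easy to make by hand: a `server_name` still set to the `fqdn.example.org` placeholder, a `listen 443` without `ssl`, a catch-all `server_name _;`, or an `ssl_protocols` line that still enables TLS 1.0/1.1. The script below is an added example, not part of the Standard Notes repository or its nginx files; it only knows the directives shown in the steps above, and the three sample server blocks it checks are constructed inline so it runs offline. `check_conf_dir` is a hypothetical helper for running the same check over a real `conf.d` directory.

```python
"""Pre-flight lint for the Standard Notes nginx server blocks (added example)."""
import re
from pathlib import Path

# Placeholder host names the instructions tell you to replace.
PLACEHOLDERS = ("fqdn.example.org", "fqdn1.example.org")
# Protocol versions the ssl_protocols line above enables; anything else is a finding.
ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}


def check_server_block(text: str) -> list:
    """Return human-readable findings for one nginx config file ([] means clean)."""
    findings = []
    # Drop comments so a commented-out placeholder does not trigger a finding.
    stripped = "\n".join(line.split("#", 1)[0] for line in text.splitlines())

    for placeholder in PLACEHOLDERS:
        if placeholder in stripped:
            findings.append(f"server_name still uses placeholder {placeholder}")

    server_names = re.findall(r"server_name\s+([^;]+);", stripped)
    if not server_names:
        findings.append("no server_name directive found")
    elif any(name.strip() == "_" for name in server_names):
        findings.append("server_name _ matches every request; use a specific host")

    listens = re.findall(r"listen\s+([^;]+);", stripped)
    if not listens:
        findings.append("no listen directive found")
    for entry in listens:
        # Port 443 without the ssl parameter serves plaintext HTTP on the HTTPS port.
        if "443" in entry and "ssl" not in entry.split():
            findings.append(f"listen {entry.strip()} uses port 443 without ssl")

    for entry in re.findall(r"ssl_protocols\s+([^;]+);", stripped):
        weak = set(entry.split()) - ALLOWED_PROTOCOLS
        if weak:
            findings.append(f"weak ssl_protocols enabled: {' '.join(sorted(weak))}")

    # If any listen uses ssl, nginx needs both the chain and the private key.
    if any("ssl" in entry.split() for entry in listens):
        for directive in ("ssl_certificate", "ssl_certificate_key"):
            if not re.search(rf"{directive}\s+[^;]+;", stripped):
                findings.append(f"{directive} missing although listen uses ssl")
    return findings


def check_conf_dir(conf_dir: str) -> dict:
    """Hypothetical helper: run check_server_block over every *.conf in conf.d."""
    return {path.name: check_server_block(path.read_text())
            for path in sorted(Path(conf_dir).glob("*.conf"))}


# Constructed sample: standardnotes.conf as shipped, before any editing.
UNEDITED = """
server {
    listen 80;
    listen [::]:80;
    server_name fqdn.example.org;
}
"""

# Constructed sample: the local HTTPS variant from steps 1.1 to 1.3.
HARDENED = """
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name 127.0.0.1;
    # SSL Certificates
    ssl_certificate /etc/nginx/certs/fullchain.pem;
    ssl_certificate_key /etc/nginx/certs/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
}
"""

# Constructed sample: a half-finished edit with three separate problems.
HALF_DONE = """
server {
    listen 443;
    server_name _;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
"""

if __name__ == "__main__":
    for label, conf in (("unedited", UNEDITED), ("hardened", HARDENED), ("half-done", HALF_DONE)):
        print(label, check_server_block(conf) or ["OK"])
```

Run it against your real files with `check_conf_dir("nginx/conf.d")` before the `docker compose up -d` step; an empty list for both files means the placeholders are gone and the TLS directives are in place. It does not replace `nginx -t`, which still has to validate the full syntax inside the container.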
- Setting up Certbot for HTTPS configuration: go to certbot to get and install your HTTPS certificate. Certbot should automatically update your Nginx configuration and create SSL certificates for you. If you have not used certbot before, I have a tutorial in my adguard home repository to create a certificate with certbot, in the following link:
- Once the certificates have been created, we will proceed to send the files in the docker compose to the container as in the example:

```yaml
volumes:
  - /etc/localtime:/etc/localtime:ro
  - /etc/timezone:/etc/timezone:ro
  - /path/to/data/nginx:/etc/nginx
  - /path/to/data/certs:/etc/nginx/certs
```

If you want to send the Let's Encrypt folder instead, change `/path/to/data/certs:` to `/etc/letsencrypt/live/yourdomain.com:`.
HTTPS on your standard note server with a reverse proxy:

- We can install a reverse proxy, such as Traefik. Traefik can use an ACME provider (such as Let's Encrypt) for automatic certificate generation. It will create the certificate and try to renew it automatically 30 days before it expires. One of the big benefits of using DNS challenges is that they let us use wildcard certificates; on the other hand, they can create a security risk, since they require granting Traefik rights to create and delete some DNS records.

If you install Traefik, compare the repository's sample configuration with your own configuration; they may not match.
- Then we will modify the `server_name` so that requests for our domain reach the right server block. Example:

- standardnotes.conf

```nginx
server_name fqdn.example.org;
```

- standardnotes-files.conf

```nginx
server_name fqdn1.example.org;
```
- When the service is up, it will depend on the reverse proxy you have selected. If you have chosen Traefik, simply download the file from the repository called `docker-compose.traefik.yml` and execute the following:

```shell
docker-compose -f docker-compose.yml -f docker-compose.traefik.yml up -d
docker-compose logs -f
```
After completing the above instructions, your Sync server should be HTTPS enabled!

In the account menu, choose `Advanced Options` and enter the address of your new server in `Sync Server Domain`.

Then, register for a new account or log into an existing account and begin using your new private, secure Standard Notes server!
When using Cloudflare in conjunction with Nginx you might encounter an issue about the missing `Accept-Ranges` header, which is required for file downloading. As a fix, add this to your Nginx configuration:

```nginx
proxy_cache off;
```