From dca6dd919cc172886fb465d51fb5cadf2a13323c Mon Sep 17 00:00:00 2001 From: Ken D'Ambrosio Date: Mon, 11 May 2026 12:24:06 +0000 Subject: Add HTTP vs HTTPS setup guide with Certbot instructions to INSTALL.md Co-Authored-By: Claude Sonnet 4.6 --- INSTALL.md | 67 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 67 insertions(+) (limited to 'INSTALL.md') diff --git a/INSTALL.md b/INSTALL.md index 2a8df29..dae3528 100644 --- a/INSTALL.md +++ b/INSTALL.md 
@@ -75,6 +75,73 @@ ruby /opt/albumen/scripts/update.rb 2024_Hawaii The script is safe to re-run; already-done work is skipped. +## Choosing HTTP (port 80) vs HTTPS (port 443) + +### Port 80 — HTTP + +The nginx config installed by `setup.sh` listens on port 80 and is ready to use +as-is. HTTP is fine when: + +- The server is only reachable on a private/home network, **and** +- You're not worried about traffic being intercepted on that network + +It is **not** appropriate for a server reachable from the public internet — +passwords and session cookies travel in the clear. + +### Port 443 — HTTPS with Let's Encrypt + +HTTPS encrypts all traffic between the browser and the server. It requires a +real domain name (not a bare IP address) that points to the server. +[Let's Encrypt](https://letsencrypt.org/) provides free, automatically-renewed +TLS certificates via the **Certbot** tool. + +**1. Install Certbot:** + +```bash +apt install -y certbot python3-certbot-nginx +``` + +**2. Obtain a certificate and auto-configure nginx:** + +```bash +certbot --nginx -d yourdomain.example.com +``` + +Certbot will: +- Prove ownership of the domain (Let's Encrypt contacts your server on port 80) +- Write a certificate to `/etc/letsencrypt/live/yourdomain.example.com/` +- Edit `/etc/nginx/sites-enabled/albumen` to add a port-443 listener, point it + at the certificate files, and add an HTTP→HTTPS redirect on port 80 +- Reload nginx automatically + +**3. Verify auto-renewal:** + +Certbot installs a systemd timer that renews certificates before they expire +(they last 90 days). Confirm it's active: + +```bash +systemctl status certbot.timer +``` + +You can also do a dry-run to make sure renewal would succeed: + +```bash +certbot renew --dry-run +``` + +That's it — no further configuration is needed. Certbot manages everything +from here. + +**Firewall note:** If the server has a firewall, make sure ports 80 and 443 are +both open. 
Port 80 must remain open even after switching to HTTPS because +Let's Encrypt uses it for renewal challenges. + +```bash +ufw allow 'Nginx Full' # if using ufw +``` + +--- + ## nginx: real client IPs (optional) If Albumen sits behind an upstream proxy that adds `X-Forwarded-For`, tell -- cgit v1.2.3
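Review bot: step 2 (`certbot --nginx -d yourdomain.example.com`) silently depends on the albumen server block already carrying a `server_name` that matches the domain; the nginx plugin chooses which block to modify by `server_name`, and the new text only says that `setup.sh` installs a port-80 config and that Certbot will edit `/etc/nginx/sites-enabled/albumen`, without saying that the config names the domain. Suggest adding a step before "1. Install Certbot" that tells the reader to set `server_name yourdomain.example.com;` in that file, run `nginx -t`, and reload nginx, otherwise Certbot may report no matching vhost or edit a different block. Two smaller points: the first `certbot` run is interactive (it prompts for a contact email and Let's Encrypt ToS acceptance), which the "That's it" wording does not prepare the reader for, so either mention the prompts or show `--agree-tos -m you@example.com` for unattended installs; and the firewall note could say explicitly that `ufw allow 'Nginx Full'` opens both 80 and 443, since the sentence before it lists the two ports separately.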