I installed Let’s Encrypt via these instructions, but it changed my root path from /var/www/html to /usr/share/nginx/html – is there any way to reverse this?
I modified my sites-available default server block to the following (and restarted it), but it didn’t help:
server {
listen 80 default_server;
listen [::]:80 default_server ipv6only=on;
# root /usr/share/nginx/html;
root /var/www/html;
index index.html index.htm;
# Make site accessible from http://localhost/
#server_name localhost;
server_name MYDOMAINHERE;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
# Uncomment to enable naxsi on this location
# include /etc/nginx/naxsi.rules
}
}
Any ideas?
This textbox defaults to using Markdown to format your answer.
You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!
Accepted Answer
Definitely not best practice, but in an effort to get things working, I gave up on trying to change the root and just moved everything to the /usr/share/nginx/html path.
Before anything, verify do you have above block enabled. You should have symlink from sites-available to sites-enabled for config file containing server block, to be in effect.
Following your previous question, problem could be in server block you added to nginx.conf.
Also, Server Block you provided is not configured for SSL and Let’s Encrypt.
I assume that Nginx follows rules from nginx.conf, which should have higher priority than rules in sites-available. Open that file again and try to find server block for you site. That Server Block should be setup to listen on port 443. Once you find it, add/change root directive to it, like you have in above provide file.
Restart nginx and try again.
You should have a server block that’s listening on port 443, which is the port that is used for SSL. If each server block is listening on port 80, then SSL will not work.
So the first thing to do would be to check /etc/nginx/sites-available to see if there are any other server blocks (configuration files) that contain a listen 443; directive.
The NGINX plugin for CertBot is still in alpha, so there’s a chance it may not work as expected, thus it’s often better to use certonly and manually make the chances to your configuration.
…
Ideally, all server blocks should be placed within the ./sites-available directory and symlinked to the ./sites-enabled directory instead of placing them directly in the nginx.conf file.
That being said, I’m not a big fan of symlinking files, so I change the include line in nginx.conf to use the ./sites-available directory instead of ./sites-enabled.
…
As far as configuration goes, the end result for a properly configured SSL-enabled server block will look something like this:
server {
listen 80;
listen [::]:80;
server_name domain.com www.domain.com;
return 301 https://$server_name$request_uri;
}
server
{
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name domain.com www.domain.com;
root /path/to/content;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
ssl on;
ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
#ssl_dhparam /etc/nginx/ssl/dhparam.pem;
ssl_ecdh_curve secp384r1;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_session_cache shared:SSL:50m;
ssl_stapling on;
ssl_stapling_verify on;
ssl_session_tickets off;
ssl_session_timeout 5m;
location /
{
try_files $uri $uri/ =404;
}
}
The above redirects all requests on port 80 to 443 (HTTP => HTTPS), defines a few security headers, and sets the path to your Let’s Encrypt (CertBot) certificate and private key.
In the above, you’d change instances of domain.com to your actual domain as well as:
root /path/to/content;
You’d replace /path/to/content with your actual storage path (where index.html, index.php, etc is).
…
This line:
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
… is commented out, thus inactive, as not all NGINX installations have this file generated by default. It takes a little bit of time to generate, though I recommend it as it’s part of a complete SSL setup.
To create the file, you can run:
mkdir -p /etc/nginx/ssl
then
openssl dhparam -out /etc/nginx/ssl/dhparam.pem 4096
It could take anywhere from 5-6 minutes up to 10-15 depends on CPU. While it’s generating, you’ll see a series of:
.......+....+...+........................+............+
```
That'll fill up the screen line over line. Once it's done, it'll return you to the prompt. You can then uncomment that line by removing the `#` and restart NGINX.
Become a contributor for community
Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.
DigitalOcean Documentation
Full documentation for every DigitalOcean product.
Resources for startups and SMBs
The Wave has everything you need to know about building a business, from raising funding to marketing your product.
The developer cloud
Scale up as you grow — whether you're running one virtual machine or ten thousand.
Get started for free
Sign up and get $200 in credit for your first 60 days with DigitalOcean.*
*This promotional offer applies to new accounts only.