Question

Postgres 12 on Ubuntu 20.04 SSL installation

I have a fully qualified domain name pointing to the ip of the droplet with Ubuntu 20.04 and Postgres 12 installed. I need to install SSL on the same. Any help is appreciated.


Hi All

Few call outs: The droplet has only Ubuntu 20.04 and Postgres 12 installed along with an app. It does not have apache or nginx (I have checked using nginx -v and apache2 -v). The idea is to only encrypt the traffic between the app and the pg database.



Hi @mishrashreya840, I had to start a new answer because we already reached too many replies.

@mishrashreya840 wrote
Can you point me to the relevant tutorial pls?

You can install Nginx on Ubuntu following this tutorial: https://www.digitalocean.com/community/tutorials/how-to-install-nginx-on-ubuntu-20-04

To configure Nginx as a reverse proxy, you can base it on step 7 of the tutorial below. Obviously, you need to modify the settings to fit your environment. https://www.digitalocean.com/community/tutorials/how-to-configure-nginx-as-a-web-server-and-reverse-proxy-for-apache-on-one-ubuntu-20-04-server

@mishrashreya840 wrote
Also, can installing nginx/apache interfere with the running application as that app does not require these running.

I do not know that. I could imagine conflicts between dependent packages, e.g. the app might require older versions than nginx, but it is rather not that likely. There may be a conflict in using TCP ports as well, but it is configurable, at least on the Nginx side. First, check what addresses and ports the applications listen on:

sudo netstat -tulpn

Look for your app in the result. Nginx is configured by default to listen on all addresses on TCP port 80.

Hi @communityservice, We reached too many replies, so I started a new answer.

@communityservice wrote
sudo netstat -tulpn | grep -e 6000 -e 6001 resulted in below
tcp 0 0 1.2.3.4:6000 0.0.0.0:* LISTEN 24317/./appname

It looks like before. First of all, you need to change the settings in your app configuration to make it listen on localhost (127.0.0.1), not on the public IP address (1.2.3.4 in the example). Otherwise, the configuration I sent you will not work: you will have two services listening on your public IP port 6000, the app and nginx.

@communityservice wrote
anything that I did wrong? Or was I supposed to add it to some other file? Or maybe creating sym link?

You can add new server blocks to your existing file as well as to a new file. In the first case you do not have to care about creating a symlink.

@communityservice wrote
nginx: [warn] the “ssl” directive is deprecated, use the “listen … ssl” directive instead in /etc/nginx/sites-enabled/domain.com:48

It is just a warning, but it would be good to fix it too. What is your directive in line 48 of the file /etc/nginx/sites-enabled/domain.com?

And remember to restart the nginx service after changing its configuration. First check if the syntax of the config files is OK, of course :)

sudo nginx -t

sudo systemctl restart nginx
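
An illustration of the two points in the answer above, added here as an example and not the configuration the answerer sent: a server block that terminates TLS and proxies to the app once it listens on 127.0.0.1:6000, using `listen … ssl` in place of the deprecated `ssl on;` directive. Port 443, the certificate paths (the usual certbot layout) and the proxy headers are assumptions; `domain.com` is the placeholder name used in the thread.

```nginx
# Added example, not the thread's original config.
#
# Deprecated form that produces the warning quoted above:
#     listen 443;
#     ssl on;
# Current form: put the "ssl" parameter on the listen directive itself.

server {
    listen 443 ssl;
    server_name domain.com;            # placeholder name from the thread

    # Assumed certificate locations (typical certbot layout); adjust to yours.
    ssl_certificate     /etc/letsencrypt/live/domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;

    # Only offer modern protocol versions.
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        # The app must be bound to 127.0.0.1:6000, not the public IP,
        # so that it is reachable only through nginx.
        proxy_pass http://127.0.0.1:6000;

        # Pass the original request details on to the app (assumed useful).
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

After reloading, `sudo netstat -tulpn` should show the app on 127.0.0.1:6000 and nginx on port 443.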

Hi @communityservice, I had to open a new answer again :) Sorry I left you without a response, but I dived into DO’s API and almost drowned :D :D :D

@communityservice/@unicornomy wrote
I have an app (public facing) on http://domain.com:6000 which has various sub URLs like http://domain.com:6000/subscribe/3423-23452345-fsd-a345-234 and http://domain.com:6000/unsubscribe/341234-2345-fasdf-1453245 etc. These URLs are also sent out to subscribers via email and when they are clicked by customers the insecure version (http) with port number open up which really does not look secure and neat. Thus I need to move them to https://domain.com/subscribe/3423-23452345-fsd-a345-234 and https://domain.com/unsubscribe/341234-2345-fasdf-1453245 with the action of both the URLs remaining unaffected. I feel this needs to be achieved out of server block setting of nginx, but unable to find a working solution for the same.

What is the website server for your app, working on port 6000? Can you provide the result of the command below, please?

sudo netstat -tulpn | grep 6000

Hello, @mishrashreya840

I would recommend that you check our existing tutorial on how to secure Apache with Let’s Encrypt:

https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-20-04

If you want to issue and install a LE certificate for your domain name just follow the steps in the article.

Hope that this helps! Regards, Alex

Edit - There’s a binary app that’s using the Postgres DB and is accessible on the domain:port for which I need SSL installed.