SSD Nodes: 1-Click Applications’ Primer Document

If you’re reading this article, there’s a big chance you’ve chosen one of our 1 Click Applications (aka 1-CAs), with an awesome application ready to be used as soon as your server is up and running. This article is your guide to understand how to use your 1-Click app, set up a domain name, and secure it.

Table of Contents

• Understanding 1-Click Applications
• Understanding Built-in Self-signed Certificates
• Adding a Domain Name
• Securing Your Application with Let’s Encrypt

Understanding 1-Click Applications

What Are 1-Click Applications?

SSD Nodes' 1-Click Applications (1-CAs) are pre-configured software packages that come ready to use on your server. Each application comes with:

• Latest stable version
• Pre-configured security settings
• Built-in self-signed SSL certificate
• Optimized server configurations
• An active HTTPS self-signed certificate.

Available Applications

• WordPress
• Zabbix
• phpMyAdmin
• Webmin
• Nextcloud
• LAMP Stack
• LEMP Stack
• Grafana
• And more...

Step 1: Understanding Built-in Self-signed Certificates

A self-signed certificate is a security certificate that's generated and signed by your server rather than a trusted certificate authority. While it provides the same encryption as commercial certificates, browsers don't automatically trust it. Here is how these certificates work:

When you first access your site, add https:// before your server's IP address or domain, like this:

https://your-server-ip

You’ll likely encounter a security warning in your browser, which is expected when using self-signed certificates. In browsers like Google Chrome and Firefox, click "Advanced" or "More information," then select "Proceed to [your-site]." This allows your site to load securely.

What the Warning Means

Don't worry, this security warning isn't a big deal. It indicates that your connection is encrypted, and the certificate is valid, but it’s not issued by an authority that browsers trust. This is actually safe for development and testing purposes, but not good for production applications. After accepting the certificate, you may notice a "Not secure" icon in the browser’s address bar, even though the connection remains encrypted.

Recommended Next Steps

For development and testing, continue using the self-signed certificate and ensure team members document the security warning in your development guides.

For production sites, it is important to upgrade to a trusted SSL certificate, such as Let's Encrypt certificate, which we’ll cover in this article.

For more:

• What are SSL Server Certificates
• Secure Your Site Using HTTPS

Step 2: Adding a Domain Name to Your Server

Before You Begin

• Purchase a domain name from a registrar (SSD Nodes, GoDaddy, Namecheap, etc.)
• Add an A record pointing to your server IP
• Access your SSD Nodes server via SSH

Our 1-click apps use either Apache or Nginx to serve web requests. The following sections will walk you through setting up your domain name for each server.

Adding a Domain Name for Your Apache-based App

Edit Apache’s default configuration file:

nano /etc/apache2/sites-enabled/000-default.conf

For the moment, you will see that the “servername” attribute is the IP address automatically assigned to you. As an example:

<VirtualHost *:80>
        Define servername 192.0.0.1
        ServerName ${SERVERNAME}
        RewriteEngine on
        RewriteRule ^/.*$ https://\${SERVERNAME}%{SCRIPT_FILENAME}?%{QUERY_STRING} [R=301]
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
<VirtualHost *:443>
        SSLEngine On
        SSLCertificateFile /etc/ssl/certs/apache-selfsigned.pem
        SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key
        ServerName ${SERVERNAME}
        DocumentRoot /var/www/html
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

Replace the existing IP with your domain name by replacing the yellow highlighted part below:

<VirtualHost *:80>
        Define servername www.example.com
        ServerName ${SERVERNAME}
        RewriteEngine on
        RewriteRule ^/.*$ https://\${SERVERNAME}%{SCRIPT_FILENAME}?%{QUERY_STRING} [R=301]
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
<VirtualHost *:443>
        SSLEngine On
        SSLCertificateFile /etc/ssl/certs/apache-selfsigned.pem
        SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key
        ServerName ${SERVERNAME}
        DocumentRoot /var/www/html
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

Enable the SSL and RewriteEngine modules on Apache:

sudo a2enmod ssl rewrite

Test for configuration errors:

sudo apache2ctl configtest

The below output means you can safely reload Apache, otherwise, you will get a specific description pointing out the error you have to fix.

Syntax OK

Restart Apache:

sudo systemctl restart apache2

Adding a Domain Name for Your Nginx-based App

 

Edit Nginx’s default configuration file:

nano /etc/nginx/sites-enabled/default

For the moment, you will see that the “server_name” attribute is your server's IP:

server {    
    listen 80;
    listen [::]:80;
    server_name 192.0.0.1;
    access_log off;
    location / {
        rewrite ^ https://$host$request_uri? permanent;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name 192.0.0.1;
    root /var/www/html;
    index index.php index.html index.htm index.nginx-debian.html;
    autoindex off;
    ssl_certificate /etc/ssl/certs/apache-selfsigned.pem;
    ssl_certificate_key /etc/ssl/private/apache-selfsigned.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;

    location ~ \.php$ {
         include snippets/fastcgi-php.conf;
         fastcgi_pass unix:/var/run/php/php-fpm.sock;
         fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
         include fastcgi_params;
    }
}

Replace the existing IP with your domain name:

server {
    listen 80;
    listen [::]:80;
    server_name www.example.com;
    access_log off;
    location / {
        rewrite ^ https://$host$request_uri? permanent;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name www.example.com;
    autoindex off;
    ssl_certificate /etc/ssl/certs/apache-selfsigned.pem;
    ssl_certificate_key /etc/ssl/private/apache-selfsigned.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;

    location ~ \.php$ {
         include snippets/fastcgi-php.conf;
         fastcgi_pass unix:/var/run/php/php-fpm.sock;
         fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
         include fastcgi_params;
    }
}

Restart Nginx:

sudo systemctl restart nginx

Setting up a Domain Name for NextCloud with Nginx

For NextCloud, you also need to add your domain name to your NextCloud’s trusted domain list. This is in addition to configuring it in your Nginx configuration file.

First open the NextCloud configuration file:

nano /var/www/nextcloud/config/config.php

Then modify the trusted_domains array to include your new domain name:

  'trusted_domains' => 
  array (
    0 => 'your_ip_address',
    1 => 'yourdomain.com',
  ),

Make sure you’ve added your domain name to your Nginx configuration, then restart it:

sudo systemctl restart nginx

Access your Domain Name

Open your browser, and type your website’s domain name with the HTTPS prefix:

https://www.example.com

With your domain set up, you can now upgrade your self-signed certificate to a valid Let's Encrypt certificate. This is especially useful if your application is production-ready.

Step 3: Upgrading Your Self-signed Certificate to a Valid Let's Encrypt Certificate

Although you can use many other valid Certificate Authority issuers to generate your certificate, Let's Encrypt is by far the most convenient.

To get a Let's Encrypt certificate, follow the instructions below.

Generate a Let's Encrypt Certificate with Certbot

First, install certbot:

sudo apt install -y certbot

This installs the Certbot tool, which automates the process of obtaining and renewing Let's Encrypt SSL certificates.

Then generate a certificate:

sudo certbot certonly --standalone

The --standalone option tells Certbot to use its own web server to verify domain ownership.

You will be asked to answer a few questions, input the following for each prompt:

1. (Your email)
2. (Y)
3. (N)
4. your_domain_name

These prompts are for:

1. Your email address (for important notifications about your certificate)
2. Agreeing to the Let's Encrypt terms of service
3. Declining to share your email with the Electronic Frontier Foundation
4. The domain name you want to secure with SSL

Then you will receive your Let's Encrypt certificate file and a private key:

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/your_domain.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/your_domain.com/privkey.pem
This certificate expires on 2024-11-25.

Installing your Let's Encrypt Certificate for the APACHE Web Server

• Edit Apache’s default configuration file

nano /etc/apache2/sites-enabled/000-default.conf

• Replace the key and the certificate paths to the new values (highlighted in yellow  in the below code).

<VirtualHost *:80>
        Define servername www.example.com
        ServerName ${SERVERNAME}
        RewriteEngine on
        RewriteRule ^/.*$ https://\${SERVERNAME}%{SCRIPT_FILENAME}?%{QUERY_STRING} [R=301]
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
<VirtualHost *:443>
        SSLEngine On
        SSLCertificateFile /etc/letsencrypt/live/www.example.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/www.example.com/privkey.pem
        ServerName ${SERVERNAME}
        DocumentRoot /var/www/html
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

• Restart Apache

sudo systemctl restart apache2

• Reload your browser and you will notice a secured padlock with a valid certificate message as follows. Below is an example from Google Chrome.

For more details, check out Secure Your Site Using HTTPS.

Installing your Let's Encrypt Certificate for the NGINX Web Server

• Edit Nginx’s default configuration file

nano /etc/nginx/sites-enabled/default

• Replace the key and the certificate paths to the new values (highlighted in yellow  in the below code). 

server {
   listen 80;
   listen [::]:80;
   server_name www.example.com;
   access_log off;
   location / {
         rewrite ^ https://$host$request_uri? permanent;
   }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name www.example.com;
    root /var/www/html;
    index index.php index.html index.htm index.nginx-debian.html;
    autoindex off;
    ssl_certificate /etc/letsencrypt/live/www.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.example.com/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;

    location ~ \.php$ {
         include snippets/fastcgi-php.conf;
         fastcgi_pass unix:/var/run/php/php-fpm.sock;
         fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
         include fastcgi_params;
    }
}

• Restart Nginx

sudo systemctl restart nginx

• Reload your browser and you will notice a secured padlock with a valid certificate message as follows:

Verifying your Certificate

In the above pop-up, click on “Certificate is secure” for more details on the CA certificate.

Your website is now a CA certified and you can securely welcome any online transactions, paid subscriptions like eCommerce websites, memberships or charity and online fundraising. For more details, check out Secure Your Site Using HTTPS.

(Grafana): Setting up Let's Encrypt for Grafana

Grafana uses custom configurations for its server, and to add a Let's Encrypt certificate to your Grafana 1-Click application, you'll need to  modify file permissions and the Grafana configuration file. This section will walk you through the process.

1) Set Up Grafana to Use your Let's Encrypt Certificate

Rename the existing self-signed certificate files:

mv /etc/grafana/grafana.key /etc/grafana/grafana_old.key
mv /etc/grafana/grafana.pem /etc/grafana/grafana_old.pem

This backs up the original self-signed certificates in case you need to revert changes.

Set up symlinks for the certificates you generated earlier:

sudo ln -s /etc/letsencrypt/live/your_domain.com/fullchain.pem /etc/grafana/grafana.pem
sudo ln -s /etc/letsencrypt/live/your_domain.com/privkey.pem /etc/grafana/grafana.key

These symlinks allow Grafana to use the Let's Encrypt certificates without modifying its configuration.

Adjust permissions:

sudo chgrp -R grafana /etc/letsencrypt/*
sudo chmod -R g+rx /etc/letsencrypt/*
sudo chown -R grafana /etc/letsencrypt/*
sudo chown grafana /etc/grafana/*
sudo chgrp -R grafana /etc/grafana/grafana.pem /etc/grafana/grafana.key
sudo chmod 400 /etc/grafana/grafana.pem /etc/grafana/grafana.key

This ensures that the Grafana service has the necessary permissions to read the certificate files.

Verify the permissions:

ls -l /etc/grafana/grafana.*

The output should be as follows:

-rw-r----- 1 grafana grafana 67167 May 27 17:11 /etc/grafana/grafana.ini
lrwxrwxrwx 1 root    grafana    50 May 28 11:27 /etc/grafana/grafana.key -> /etc/letsencrypt/live/your_domain.com/privkey.pem
lrwxrwxrwx 1 root    grafana    52 May 28 11:27 /etc/grafana/grafana.pem -> /etc/letsencrypt/live/your_domain.com/fullchain.pem

2) Configure Grafana

Next, open the Grafana config file:

nano /etc/grafana/grafana.ini

Then modify the domain parameter:
[server]


;domain = localhost

Uncomment the parameter and set up your domain:

[server]
domain = your_domain.com

This tells Grafana which domain name to use for HTTPS.

3) Restart Grafana

Finally, restart the Grafana service to apply the changes:

systemctl restart grafana-server
systemctl status grafana-server

The status command will show you if Grafana started successfully with the new configuration.

Grafana will now be served on port 3000 using HTTPS with your new Let's Encrypt certificate:

https://your_domain.com:3000/

Conclusion

That's it, you now have your 1-click application configured with an SSL/TLS certificate from a certificate authority, and a domain name for your 1-click applications.