
doc(nginx): update templates to be complete after ssl

Bryan Lee 1 년 전
부모
커밋
d12b8e6add
4개의 변경된 파일71개의 추가작업 그리고 9개의 파일을 삭제
  1. 4 1
      README.md
  2. 8 2
      nginx/templates/game_servers.nginx
  3. 40 4
      nginx/templates/services.nginx
  4. 19 2
      nginx/templates/web_client.nginx

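--- a/README.md
+++ b/README.md
@@ -34,7 +34,10 @@ The [`secrets/`](./secrets/) directory needs to be copied to all remote hosts wi
 
 ```bash
 # On the remote host
-mkdir -p {absolute_path_to_secrets}/secrets
+sudo mkdir -p {absolute_path_to_secrets}/secrets
+
+# Change the owner of the newly created directory
+sudo chown -R {remote_user} {absolute_path_to_secrets}
 
 # On the local host
 scp -r secrets/ {remote_user}@{remote_ip}:{absolute_path_to_secrets}/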

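--- a/nginx/templates/game_servers.nginx
+++ b/nginx/templates/game_servers.nginx
@@ -1,7 +1,8 @@
+# Game Servers
 server {
         # Forward WebSocket connection requests.
-        listen [::]:9000-9249;
-        listen 9000-9249;
+        listen [::]:9000-9249 ssl ipv6only=on; # managed by Certbot
+        listen 9000-9249 ssl; # managed by Certbot
         server_name {domain};
 
         location / {
@@ -20,4 +21,9 @@ server {
                 proxy_set_header        Upgrade $http_upgrade;
                 proxy_set_header        Connection "upgrade";
         }
+        
+        ssl_certificate /etc/letsencrypt/live/{domain}/fullchain.pem; # managed by Certbot
+        ssl_certificate_key /etc/letsencrypt/live/{domain}/privkey.pem; # managed by Certbot
+        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
 }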
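Review bot: `listen 9000-9249 ssl` and the `[::]` form above it keep a port range, which stock nginx's `listen` directive does not accept (it takes a single address:port), so the file presumably depends on a rendering step that expands the range into one `listen` per port; a comment above those lines such as `# port range is expanded to one listen per port by the template renderer` would explain why `nginx -t` on the raw template fails. The four Certbot lines appended at the end of the block are repeated verbatim in services.nginx and web_client.nginx; moving them into one snippet that each server block `include`s would keep future protocol or cipher changes in a single place. The server block spans both hunks, and the body of its `location /` lies outside the view.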

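--- a/nginx/templates/services.nginx
+++ b/nginx/templates/services.nginx
@@ -1,12 +1,48 @@
+# Services
 server {
         # Forward requests.
-        listen [::]:8000;
-        listen 8000;
-        listen [::]:8100;
-        listen 8100;
+        # authentication
+        listen [::]:8000 ssl ipv6only=on; # managed by Certbot
+        listen 8000 ssl; # managed by Certbot
         server_name {domain};
 
         location / {
                 proxy_pass              http://127.0.0.1:1$server_port;
         }
+
+        ssl_certificate /etc/letsencrypt/live/{domain}/fullchain.pem; # managed by Certbot
+        ssl_certificate_key /etc/letsencrypt/live/{domain}/privkey.pem; # managed by Certbot
+        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+}
+
+# Live Services
+server {
+        # Forward WebSocket connection requests.
+        # matchmaking
+        listen [::]:8100 ssl ipv6only=on; # managed by Certbot
+        listen 8100 ssl; # managed by Certbot
+        server_name {domain};
+
+        location / {
+                proxy_set_header        Host $host;
+                proxy_set_header        X-Real-IP $remote_addr;
+                proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+                proxy_set_header        X-Forwarded-Proto $scheme;
+
+                # Fix the "It appears that your reverse proxy set up is broken" error.
+                proxy_pass              http://127.0.0.1:1$server_port;
+                # Prevent dropped WebSocket connections.
+                proxy_read_timeout      1d;
+
+                # Forward the WebSocket upgrade request.
+                proxy_http_version      1.1;
+                proxy_set_header        Upgrade $http_upgrade;
+                proxy_set_header        Connection "upgrade";
+        }
+
+        ssl_certificate /etc/letsencrypt/live/{domain}/fullchain.pem; # managed by Certbot
+        ssl_certificate_key /etc/letsencrypt/live/{domain}/privkey.pem; # managed by Certbot
+        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
 }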
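Review bot: The authentication `server` block at the top of the file now terminates TLS but still proxies to `http://127.0.0.1:1$server_port` with no forwarding headers, so the backend on port 18000 sees a plain-HTTP request from 127.0.0.1 and has no way to tell that the client arrived over HTTPS — which is what it needs for `Secure` cookie flags, absolute redirect URLs and the real client address in its logs. The new Live Services block below already sets those headers, so the first `location /` should at least mirror `proxy_set_header X-Forwarded-Proto $scheme;` and `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`. The same gap exists in the web client's 443 block in web_client.nginx. Separately, the Live Services block repeats the WebSocket proxy body of game_servers.nginx line for line, which an included snippet would avoid.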

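--- a/nginx/templates/web_client.nginx
+++ b/nginx/templates/web_client.nginx
@@ -1,10 +1,27 @@
+# Web Client
 server {
         # Forward requests for the web client.
-        listen [::]:443;
-        listen 443;
+        listen [::]:443 ssl ipv6only=on; # managed by Certbot
+        listen 443 ssl; # managed by Certbot
         server_name {domain};
 
         location / {
                 proxy_pass              http://127.0.0.1:10443;
         }
+
+        ssl_certificate /etc/letsencrypt/live/{domain}/fullchain.pem; # managed by Certbot
+        ssl_certificate_key /etc/letsencrypt/live/{domain}/privkey.pem; # managed by Certbot
+        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+}
+
+server {
+        if ($host = {domain}) {
+                return 301 https://$host$request_uri;
+        } # managed by Certbot
+
+        listen 80 default_server;
+        listen [::]:80 default_server;
+        server_name {domain};
+        return 404; # managed by Certbot
 }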
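Review bot: The 443 block terminates TLS but sends no `Strict-Transport-Security` header, so every fresh visit can still start on the new port-80 redirect and be intercepted before the 301 is seen; since every listener in these templates is now `ssl`, adding `add_header Strict-Transport-Security "max-age=31536000" always;` inside the 443 `server` block closes that window (hold off on `includeSubDomains` and `preload` until it is confirmed that every host under {domain} is served over HTTPS). The new port-80 block with `if ($host = {domain})` followed by `return 404` is the standard Certbot redirect shape and does not need changes. Both `server` blocks are complete within the hunk.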