Hosting your own Killing Floor 2 Server - Part 4 - Configuring Let's Encrypt SSL certs for the WebUI

In part 4 we'll be installing certbot so that we can generate free and legitimate SSL certificates to protect our WebUI.

This portion of the guide is completely optional. You can skip this step entirely if you do not have a domain name or do not wish to set up SSL.

Important note: You must have a registered domain name to generate certificates with Let's Encrypt. Make sure that you set up a DNS entry that points to your Vultr VPS.

Video Guide

Instructions

  1. SSH into your server
ssh root@kf2.teachnixlab.com
  2. Install certbot and the Nginx web server. Make sure you are logged in as root and not the steam user.
add-apt-repository ppa:certbot/certbot
apt-get update
apt-get install -y python-certbot-nginx nginx
  3. Modify the Nginx config so we can generate our certificates
vi /etc/nginx/sites-available/default

Set the server name so our web server can pass the certbot challenge

server_name kf2.teachnixlab.com;

  4. Reload the Nginx server
systemctl reload nginx
  5. Generate the Let's Encrypt certificates

Change the domain and email to match yours

certbot --nginx certonly --agree-tos --no-eff-email --email lab@teachnix.com -d kf2.teachnixlab.com
  6. Remove the default site
rm /etc/nginx/sites-available/default
  7. Edit the main Nginx config file
vi /etc/nginx/nginx.conf
worker_processes  1;
error_log  /var/log/nginx-error.log;

events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    keepalive_timeout  65;

    # nginx may need to resolve domain names at run time
    resolver 8.8.8.8;

    # Load config files from the /etc/nginx/conf.d directory
    include /etc/nginx/conf.d/*.conf;
}
  8. Edit the kf2.conf file to set up the reverse proxy
vi /etc/nginx/conf.d/kf2.conf

This setup will automatically redirect http://kf2.teachnixlab.com to our SSL encrypted https://kf2.teachnixlab.com site. The reverse proxy will connect to the Killing Floor 2 WebUI running on port 8080.

Important: Change all occurrences of kf2.teachnixlab.com to your domain name.

server {
    listen 80;
    return 301 https://$host$request_uri;
}

server {

    # The ssl parameter on listen replaces the older "ssl on;" directive,
    # which is deprecated and removed in recent Nginx releases.
    listen 443 ssl;
    server_name kf2.teachnixlab.com;

    ssl_certificate           /etc/letsencrypt/live/kf2.teachnixlab.com/fullchain.pem;
    ssl_certificate_key       /etc/letsencrypt/live/kf2.teachnixlab.com/privkey.pem;

    ssl_session_cache  builtin:1000  shared:SSL:10m;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); remove them unless a legacy client needs them
    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;

    access_log            /var/log/nginx/kf2.access.log;

    location / {

      # Pass the original client address and scheme through to the WebUI
      proxy_set_header        Host $host;
      proxy_set_header        X-Real-IP $remote_addr;
      proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header        X-Forwarded-Proto $scheme;

      # The KF2 WebUI listens on localhost:8080 (plain HTTP)
      proxy_pass          http://localhost:8080;
      proxy_read_timeout  90;

      # Rewrite Location headers the WebUI sends back so they point at the HTTPS site
      proxy_redirect      http://localhost:8080 https://kf2.teachnixlab.com;
    }
}

Reload the Nginx server

systemctl reload nginx
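As an added check (an example script, not part of the guide), the script below lints a server block for the legacy settings in the configuration above and compares it with a hardened variant that uses `listen 443 ssl;`, TLS 1.2/1.3 only and an HSTS header. Both config texts are constructed copies embedded inline, and the hardened block assumes an Nginx and OpenSSL build that supports TLS 1.3.

```bash
#!/usr/bin/env bash
# Added example, not part of the original guide: lint an Nginx TLS server block
# for settings a reviewer would flag before exposing the WebUI. All input is a
# constructed copy of the guide's kf2.conf server block, so this runs offline.

# Constructed sample: the guide's 443 block with its legacy settings.
SAMPLE_CONF='server {
    listen 443;
    server_name kf2.teachnixlab.com;
    ssl on;
    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
}'

# Constructed hardened variant (assumes Nginx >= 1.15 and OpenSSL with TLS 1.3).
HARDENED_CONF='server {
    listen 443 ssl;
    server_name kf2.teachnixlab.com;
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000" always;
}'

# lint_tls_conf CONFIG_TEXT: print one finding per line, nothing if clean.
lint_tls_conf() {
    # Drop comments first so commented-out directives are not matched.
    stripped=$(printf '%s\n' "$1" | sed 's/#.*$//')
    if printf '%s\n' "$stripped" | grep -Eq '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;'; then
        echo "WARN: 'ssl on;' is deprecated (removed in newer Nginx); use 'listen 443 ssl;'"
    fi
    if printf '%s\n' "$stripped" | grep -Eq '^[[:space:]]*listen[[:space:]]+443[[:space:]]*;'; then
        echo "WARN: 'listen 443;' lacks the ssl parameter"
    fi
    # Check every protocol token on the ssl_protocols line individually.
    protocols=$(printf '%s\n' "$stripped" | sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]*\(.*\);.*/\1/p')
    for proto in $protocols; do
        case "$proto" in
            SSLv2|SSLv3|TLSv1|TLSv1.1) echo "WARN: legacy protocol enabled: $proto" ;;
        esac
    done
    if ! printf '%s\n' "$stripped" | grep -Eq '^[[:space:]]*add_header[[:space:]]+Strict-Transport-Security'; then
        echo "INFO: no Strict-Transport-Security header; browsers still try port 80 first"
    fi
    return 0
}

echo "== guide config =="
lint_tls_conf "$SAMPLE_CONF"
echo "== hardened config =="
lint_tls_conf "$HARDENED_CONF"   # prints nothing
```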
  9. Enable Nginx to start at boot and start the service
systemctl enable nginx.service
systemctl start nginx.service

Navigate to the WebUI and it should now be protected by Let's Encrypt.

http://kf2.teachnixlab.com (should redirect to https)
https://kf2.teachnixlab.com

  10. Test the renewal of the Let's Encrypt certs
certbot renew --dry-run

Certbot automatically installs a cronjob to /etc/cron.d/certbot that runs twice a day. This job will take care of renewing your certs and it will restart Nginx if the certs are renewed.

Proceed to Part 5 - Configuring the firewall using iptables