DNS Configuration, SSL Certificates, and HTTP Setup


Setting up a secure, production-ready web application requires proper DNS configuration and SSL certificates. This comprehensive guide walks through the essential steps to configure DNS, obtain SSL certificates, and set up HTTPS for your web application.

Understanding DNS and HTTPS

Before diving into the configuration, let's understand the key components:

1. Domain Registration and DNS Setup

Choosing a Domain Registrar

Popular domain registrars include:

Configuring DNS Records

After registering your domain, configure the following DNS records:

A Record:
Name: @
Type: A
Value: your-ec2-public-ip
TTL: 3600

CNAME Record:
Name: www
Type: CNAME
Value: yourdomain.com
TTL: 3600

Note: DNS propagation can take up to 48 hours, though it typically completes within a few hours.

2. Installing Certbot for SSL Certificates

Certbot is a free, open-source tool for obtaining Let's Encrypt SSL certificates:

sudo apt update
sudo apt install certbot python3-certbot-nginx -y

3. Obtaining SSL Certificates

Using Certbot with Nginx

Certbot can automatically configure SSL for Nginx:

sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com

Follow the prompts to:

  1. Enter your email address for renewal notifications
  2. Agree to the Terms of Service
  3. Choose whether to redirect HTTP to HTTPS (recommended)

Manual Configuration

If you prefer manual configuration, obtain certificates only:

sudo certbot certonly --nginx -d yourdomain.com -d www.yourdomain.com

4. Configuring Nginx for HTTPS

Update your Nginx configuration to use SSL:

# Port 80: send every request to HTTPS. $host is used rather than $server_name
# because $server_name always expands to the first name in the server_name list,
# which would silently redirect www.yourdomain.com visitors to the bare domain.
server {
    listen 80;
    server_name yourdomain.com www.yourdomain.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name yourdomain.com www.yourdomain.com;

    # Paths written by certbot; fullchain.pem includes the intermediate certificate.
    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    location / {
        # Hand the request to the application over its Unix socket; the
        # X-Forwarded-* headers tell the app the real client address and that
        # the original request arrived over TLS.
        proxy_pass http://unix:/home/ubuntu/your-app/app.sock;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

5. Setting Up Automatic Certificate Renewal

Let's Encrypt certificates expire after 90 days. On Ubuntu the certbot package installs a systemd timer that runs the renewal check for you; confirm it is active:

sudo systemctl status certbot.timer

Test the renewal process:

sudo certbot renew --dry-run

6. Security Best Practices

Enable HSTS

HTTP Strict Transport Security forces browsers to use HTTPS:

# Place this inside the 443 server block. Note that add_header directives in a
# location block replace, rather than extend, those inherited from the server block.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

Configure Security Headers

Add these headers to your Nginx configuration:

add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
# X-XSS-Protection is ignored by current browsers; it is harmless to keep, but a
# Content-Security-Policy header is what actually limits script injection today.
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;

7. Verifying Your Setup

After configuration, verify your setup:
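As an added example (not part of the original post), the following standard-library Python script checks the points this guide configures: a TLS 1.2+ handshake with chain verification, days left on the certificate (certbot renews within the 90-day lifetime), the HTTP to HTTPS redirect, and the HSTS and security headers from section 6. The host name, the header minimums in REQUIRED_HEADERS, and the sample values in the assertions are assumptions chosen to match the configuration above.

```python
import http.client
import ssl
import time

REQUIRED_HEADERS = {"strict-transport-security": "max-age=", "x-frame-options": "SAMEORIGIN",
                    "x-content-type-options": "nosniff", "referrer-policy": None}  # None: any value
MIN_HSTS_AGE = 31536000  # one year, as in the HSTS add_header line above (assumed minimum)


def audit_headers(headers):
    """Return a list of findings for a dict of response headers (names case-insensitive)."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, expected in REQUIRED_HEADERS.items():
        value = lower.get(name)
        if value is None:
            findings.append(f"missing {name}")
        elif expected and expected.lower() not in value.lower():
            findings.append(f"{name} is '{value}', expected '{expected}'")
    for directive in lower.get("strict-transport-security", "").lower().replace(" ", "").split(";"):
        if directive.startswith("max-age=") and int(directive[8:] or 0) < MIN_HSTS_AGE:
            findings.append("hsts max-age below one year")
    return findings


def days_until_expiry(not_after, now_seconds=None):
    """Days left given ssl.getpeercert()['notAfter'], e.g. 'Jun  1 12:00:00 2025 GMT'."""
    now_seconds = time.time() if now_seconds is None else now_seconds
    return int((ssl.cert_time_to_seconds(not_after) - now_seconds) // 86400)


def check_site(host):
    """Live check: TLS 1.2+ handshake, certificate lifetime, headers, HTTP->HTTPS redirect."""
    ctx = ssl.create_default_context()  # verifies the chain against the system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    conn = http.client.HTTPSConnection(host, 443, context=ctx, timeout=10)
    conn.connect()
    cert = conn.sock.getpeercert()  # read now: getresponse() may close the socket
    conn.request("GET", "/")
    resp = conn.getresponse()
    result = {"status": resp.status, "days_left": days_until_expiry(cert["notAfter"]),
              "findings": audit_headers(dict(resp.getheaders()))}
    conn.close()
    plain = http.client.HTTPConnection(host, 80, timeout=10)
    plain.request("GET", "/")
    location = plain.getresponse().getheader("Location") or ""
    plain.close()
    result["redirects_to_https"] = location.startswith("https://")
    return result
```

Run `check_site("yourdomain.com")` once DNS has propagated; an empty `findings` list, a positive `days_left`, and `redirects_to_https` set to True mean the configuration above is live.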

8. Troubleshooting Common Issues

DNS Not Resolving

Certificate Errors

Mixed Content Warnings

9. AWS Route 53 Integration

If using AWS, Route 53 provides additional benefits:

aws route53 create-hosted-zone --name yourdomain.com --caller-reference $(date +%s)
aws route53 change-resource-record-sets --hosted-zone-id YOUR_ZONE_ID --change-batch file://dns-records.json

Conclusion

You now have a secure, production-ready web application with:

Next Steps: Consider setting up monitoring, logging, and CDN integration for enhanced performance and security.