This is an example deployment of Rafiki on a Linux virtual machine using nginx as a reverse proxy. You must change the values in the examples to those appropriate for your environment.
Deploy the virtual machine:
# Install nginx together with certbot and its nginx plugin (used by the certificate steps below).
sudo apt update && sudo apt install nginx certbot python3-certbot-nginx
Generate the Let’s Encrypt certificates:
# Issue a certificate with the manual DNS-01 challenge; EMAIL and DOMAIN are placeholders to replace.
# Each nginx block below references its own /etc/letsencrypt/live/<hostname>/ directory, so this is
# repeated once per exposed hostname.
# NOTE(review): a certificate obtained with --manual only renews non-interactively when an auth hook
# is configured — confirm the cron step covers that, otherwise the scheduled renewal will stall.
certbot certonly --manual --preferred-challenges=dns --email EMAIL --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d DOMAIN
As Let’s Encrypt certificates are valid for 90 days, you must set up a cron process to renew the certificate on a regular schedule:
Next, update the DNS records to point to the static external IP address of the volumes:
| service   | URL              | example                |
| --------- | ---------------- | ---------------------- |
| admin     | admin.DOMAIN     | admin.myrafiki.com     |
| auth      | auth.DOMAIN      | auth.myrafiki.com      |
| connector | connector.DOMAIN | connector.myrafiki.com |
| ilp       | ilp.DOMAIN       | ilp.myrafiki.com       |
Create nginx configuration files for every exposed domain:
# --- admin.myrafiki.com: HTTPS reverse proxy ---
# NOTE(review): this fragment has lost its enclosing `server { ... }` and
# `location / { ... }` blocks and the `listen` directives; only the bare
# directives survive. Restore the structure from the generated file before use.
server_name admin.myrafiki.com ;
# Certificate and key issued by the certbot step above (one live/ directory per hostname).
ssl_certificate /etc/letsencrypt/live/admin.myrafiki.com/fullchain.pem ;
ssl_certificate_key /etc/letsencrypt/live/admin.myrafiki.com/privkey.pem ;
# Certbot-provided TLS settings and DH parameters, shared by every host on this machine.
include /etc/letsencrypt/options-ssl-nginx.conf ;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem ;
# Pass the original request scheme so the upstream knows the client arrived over TLS.
proxy_set_header X-Forwarded-Proto $scheme ;
# Upgrade/Connection are cleared, so WebSocket upgrades are not passed to the upstream.
proxy_set_header Upgrade "" ;
proxy_set_header Connection "" ;
# The upstream receives the configured server name, not the client-supplied Host header.
proxy_set_header Host $server_name ;
# Clearing Accept-Encoding asks the upstream for uncompressed responses.
proxy_set_header Accept-Encoding "" ;
proxy_cache_bypass $http_upgrade ;
proxy_pass_request_headers on ;
# NOTE(review): no X-Forwarded-For / X-Real-IP header is set, so the upstream's
# logs and any per-client rate limiting only see the loopback address — confirm
# this is intended.
# Upstream for the admin service, reachable only on the loopback interface.
proxy_pass http://localhost:4010 ;
# --- admin.myrafiki.com: plain-HTTP listener that redirects to HTTPS ---
server_name admin.myrafiki.com ;
if ( $host = admin.myrafiki.com) {
# NOTE(review): no space belongs between `https://` and `$host` in the redirect
# target; the closing `}` of this `if` block is also missing from the fragment.
return 301 https:// $host$request_uri ;
# --- auth.myrafiki.com: HTTPS reverse proxy ---
# NOTE(review): as with the other hosts, the enclosing `server { ... }` and
# `location / { ... }` blocks and the `listen` directives are missing from this
# fragment; restore them from the generated file before use.
server_name auth.myrafiki.com ;
# Per-hostname certificate and key from the certbot step above.
ssl_certificate /etc/letsencrypt/live/auth.myrafiki.com/fullchain.pem ;
ssl_certificate_key /etc/letsencrypt/live/auth.myrafiki.com/privkey.pem ;
# Certbot-provided TLS settings and DH parameters.
include /etc/letsencrypt/options-ssl-nginx.conf ;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem ;
# Original request scheme for the upstream.
proxy_set_header X-Forwarded-Proto $scheme ;
# WebSocket upgrade headers are cleared before forwarding.
proxy_set_header Upgrade "" ;
proxy_set_header Connection "" ;
# Forward the configured server name rather than the client-supplied Host header.
proxy_set_header Host $server_name ;
# Request uncompressed responses from the upstream.
proxy_set_header Accept-Encoding "" ;
proxy_cache_bypass $http_upgrade ;
proxy_pass_request_headers on ;
# NOTE(review): this is the same upstream port (3002) as the connector block
# below — confirm it is the intended port for the auth service and not a
# copy-paste slip.
proxy_pass http://localhost:3002 ;
# --- auth.myrafiki.com: plain-HTTP listener that redirects to HTTPS ---
server_name auth.myrafiki.com ;
if ( $host = auth.myrafiki.com) {
# NOTE(review): `https://` and `$host` should be adjacent; the `if` block's
# closing `}` is missing from the fragment.
return 301 https:// $host$request_uri ;
# --- connector.myrafiki.com: HTTPS reverse proxy ---
# NOTE(review): the enclosing `server { ... }` / `location / { ... }` blocks
# and `listen` directives are missing from this fragment; restore them from the
# generated file before use.
server_name connector.myrafiki.com ;
# Per-hostname certificate and key written by certbot.
ssl_certificate /etc/letsencrypt/live/connector.myrafiki.com/fullchain.pem ; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/connector.myrafiki.com/privkey.pem ; # managed by Certbot
# Certbot-provided TLS settings and DH parameters.
include /etc/letsencrypt/options-ssl-nginx.conf ;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem ;
# Original request scheme for the upstream.
proxy_set_header X-Forwarded-Proto $scheme ;
# WebSocket upgrade headers are cleared before forwarding.
proxy_set_header Upgrade "" ;
proxy_set_header Connection "" ;
# Forward the configured server name rather than the client-supplied Host header.
proxy_set_header Host $server_name ;
# Request uncompressed responses from the upstream.
proxy_set_header Accept-Encoding "" ;
proxy_cache_bypass $http_upgrade ;
proxy_pass_request_headers on ;
# NOTE(review): shares upstream port 3002 with the auth block above — confirm
# both services are really meant to be reached on the same port.
proxy_pass http://localhost:3002 ;
# --- connector.myrafiki.com: plain-HTTP listener that redirects to HTTPS ---
server_name connector.myrafiki.com ;
if ( $host = connector.myrafiki.com) {
# NOTE(review): `https://` and `$host` should be adjacent; the `if` block's
# closing `}` is missing from the fragment.
return 301 https:// $host$request_uri ;
# --- ilp.myrafiki.com: HTTPS reverse proxy ---
# NOTE(review): the enclosing `server { ... }` / `location / { ... }` blocks
# and `listen` directives are missing from this fragment; restore them from the
# generated file before use.
server_name ilp.myrafiki.com ;
# Per-hostname certificate and key from the certbot step above.
ssl_certificate /etc/letsencrypt/live/ilp.myrafiki.com/fullchain.pem ;
ssl_certificate_key /etc/letsencrypt/live/ilp.myrafiki.com/privkey.pem ;
# Certbot-provided TLS settings and DH parameters.
include /etc/letsencrypt/options-ssl-nginx.conf ;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem ;
# Original request scheme for the upstream.
proxy_set_header X-Forwarded-Proto $scheme ;
# WebSocket upgrade headers are cleared before forwarding.
proxy_set_header Upgrade "" ;
proxy_set_header Connection "" ;
# Forward the configured server name rather than the client-supplied Host header.
proxy_set_header Host $server_name ;
# Request uncompressed responses from the upstream.
proxy_set_header Accept-Encoding "" ;
proxy_cache_bypass $http_upgrade ;
proxy_pass_request_headers on ;
# NOTE(review): no X-Forwarded-For / X-Real-IP is forwarded, so the upstream
# only sees the loopback address as the client — confirm this is intended.
# Upstream for the ilp service on the loopback interface.
proxy_pass http://localhost:4000 ;
# --- ilp.myrafiki.com: plain-HTTP listener that redirects to HTTPS ---
server_name ilp.myrafiki.com ;
if ( $host = ilp.myrafiki.com) {
# NOTE(review): `https://` and `$host` should be adjacent; the `if` block's
# closing `}` is missing from the fragment.
return 301 https:// $host$request_uri ;