Hi everyone, I originally wrote my guide in [Swedish](https://www.sweclockers.com/forum/post/18019307),
but I wanted to translate it into English so that more people can benefit from it 🙂
I have for a long time been thinking about putting out a detailed guide
on how to generate a Let's Encrypt SSL certificate on Windows, how to fully secure nginx, and how to run it as a reverse proxy behind Cloudflare CDN.
I chose to release my guide because I want to share my knowledge and help others who have problems getting their nginx server working properly.
I know I had a hard time getting everything working when I first started 😋
What I found online was lots of people mixing Linux and Windows configs for nginx,
inaccurate information, outdated videos, and a lot of guides that just did not work as intended.
I promised myself that if I ever got everything working on Windows, with a flawless config that suited my needs,
I would create a detailed and fully working guide for everyone who wants to use Windows as the main OS for their site.
And since there are many people who prefer Windows as the OS for their web server, this guide will be the only guide you will ever need 🙂
*\*\* I had no idea there was a limit on Reddit of max 20 images in one post 😕 \*\**
*\*\* So some of the images were replaced with imgur links instead \*\**
*This guide consists of:*
\- **What software you should be using.**
\- **Complete configuration for nginx as a reverse proxy.**
\- **Complete configuration for SSL & automatic redirect to https://**
\- **How to generate a Let's Encrypt SSL certificate on Windows.**
\- **How to register a free domain & connect it to Cloudflare CDN.**
\- **And more** 😊
*If you already have these programs, good!*
*If you don't, download them.*

*Download* [7-Zip](https://www.7-zip.org/) - used for unpacking (select 64-bit).

*Download* [Notepad++](https://notepad-plus-plus.org/download/v7.6.3.html) - used for editing the configs (select 64-bit).

*Download* [nginx](https://nginx.org/en/download.html) <- select the **Legacy version**, **nginx/Windows-1.14.2**.

*Download* [Let's Encrypt client (PKISharp / win-acme)](https://github.com/PKISharp/win-acme/releases) *(a newer 2.x version is available; I prefer the 1.x release, whose executable is still called letsencrypt.exe, the name used later in this guide. The 2.x releases renamed it to wacs.exe.)*

*Download* [.NET Framework](https://dotnet.microsoft.com/download/thank-you/net472) 4.7.2 <- direct link (required by win-acme).

*Download* [NSSM](https://nssm.cc/release/nssm-2.24.zip) - you should get **nssm 2.24 (2014-08-31)** <- direct link.

*Download* [PHP](https://windows.php.net/download/) - here you can choose between a few builds, for example **Non Thread Safe** or **Thread Safe** *(what's the difference? simply google it* 🙂*)*. I chose **VC15 x64 Thread Safe (2019-Feb-06 02:14:58)**, i.e. PHP 7.3.2. Since this guide runs **php-cgi.exe** as a separate FastCGI process behind nginx, the **Non Thread Safe** build is the one PHP's own download page recommends for FastCGI; both work.

*Download* [VC CRT 14 (Visual Studio 2015)](https://www.microsoft.com/en-us/download/details.aspx?id=48145) if you haven't already. *(This is required for PHP 7.x to work. PHP's download page lists the Visual C++ Redistributable for Visual Studio 2017 as the requirement for VC15 builds, so install that one if php-cgi.exe refuses to start.)*

*\*\* Make sure your Windows is up to date and you have the latest updates! \*\**

*(The versions above are the ones that were current when this guide was written in February 2019. nginx 1.14 and PHP 7.3 no longer receive security fixes, so pick the current stable releases and expect line numbers quoted below to differ.)*

**Folders in C:**

Navigate to **C:\\** and create **4** folders: **nginx**, **Letsencrypt**, **php** & **www**.

*When done it should look like this:* [image](https://preview.redd.it/sn3sq08ur5g31.png?width=760&format=png&auto=webp&s=2248aadc082f4bceba64939780bd69b5e18bb571)

Unzip the contents of **nginx-1.14.2.zip** to **C:\\nginx**.

Unzip the contents of **php-7.3.2-Win32-VC15-x64.zip** to **C:\\php**.

We're going to use the **www** folder to host our site, instead of the **html** folder which is the default for nginx.

Navigate to **C:\\nginx\\conf**, open **nginx.conf** in Notepad++, go down to line **44** (the `root   html;` line inside `location /`) and change **html** to **www** \> save. Note that a relative `root www;` is resolved against the directory nginx runs from, so it points at **C:\\nginx\\www**, not at the **C:\\www** folder created above. If you want the site in **C:\\www**, write `root C:/www;` (forward slashes) instead, and use that folder consistently for the site files later in the guide.
Navigate back to **C:\\**.
Unzip the win-acme zip to **C:\\Letsencrypt**.
*It should look like this.*
From **nssm-2.24.zip**, copy **nssm.exe** to **C:\\Windows** so it is on the PATH.
*(If you have a 64-bit OS take it from the win64 folder, on a 32-bit OS from the win32 folder.)*
*It should look like this.*
We need to create 2 new Windows services, one for **nginx** and one for **php** (php-cgi.exe as a FastCGI listener), so that both start at boot and are restarted if they crash.
We do this with **nssm** from **cmd** (run as administrator).
*Type the following command in* ***cmd*** *for the nginx service, see the image below.*
*Type the following command in* ***cmd*** *for the php service, see the image below.*
*When done, it looks like this when the services are ready and working.*
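The exact commands are only in the images of the original post, so here is an added example (not the author's own command line) of how nssm 2.24 registers the two services. It assumes the folder layout used in this guide (**C:\nginx\nginx.exe**, **C:\php\php-cgi.exe**, **nssm.exe** in **C:\Windows**) and that you run it from an elevated PowerShell or cmd prompt; the FastCGI port 9000 is an assumption that must match the `fastcgi_pass` in your nginx config.

```powershell
# Added example: register nginx and php-cgi as Windows services with nssm 2.24.
# Assumptions: C:\nginx\nginx.exe, C:\php\php-cgi.exe, nssm.exe on the PATH, run as Administrator.

# nginx. AppDirectory matters: nginx/Windows resolves conf\nginx.conf and relative paths such
# as "root www;" against the directory it is started from, so the service must start in C:\nginx.
nssm install nginx C:\nginx\nginx.exe
nssm set nginx AppDirectory C:\nginx
nssm set nginx Description "nginx web server / reverse proxy"
nssm set nginx Start SERVICE_AUTO_START

# PHP: php-cgi as a FastCGI listener bound to loopback only (-b 127.0.0.1:9000), so the FastCGI
# port is never reachable from the LAN. nginx will talk to it with "fastcgi_pass 127.0.0.1:9000;".
nssm install php C:\php\php-cgi.exe -b 127.0.0.1:9000
nssm set php AppDirectory C:\php
nssm set php Description "PHP FastCGI (php-cgi -b 127.0.0.1:9000)"
nssm set php Start SERVICE_AUTO_START
# php-cgi exits by design after PHP_FCGI_MAX_REQUESTS (default 500) requests; nssm's default
# AppExit action (Restart) brings it straight back, which is the point of running it as a service.

# Redirect both services' stdout/stderr to files so a failed start is diagnosable.
nssm set nginx AppStdout C:\nginx\logs\service.log
nssm set nginx AppStderr C:\nginx\logs\service.log
nssm set php AppStdout C:\php\php-cgi.log
nssm set php AppStderr C:\php\php-cgi.log

nssm start nginx
nssm start php

# Verify: both should report SERVICE_RUNNING, and 0.0.0.0:80 plus 127.0.0.1:9000 should be LISTENING.
nssm status nginx
nssm status php
netstat -ano | findstr "LISTENING" | findstr ":80 :9000"
```

If `nssm status` reports `SERVICE_PAUSED` or the service keeps restarting, read the log file set via `AppStderr` first; the usual cause for nginx is a wrong `AppDirectory`, and for php-cgi a missing Visual C++ runtime.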
Navigate to **C:\\php** (where PHP was unzipped), copy **php.ini-development** and rename the copy to **php.ini**.
Windows will ask if you want to change the file extension; press yes.
Now open **php.ini** in Notepad++, go down to line **905** and remove the leading **;** as I have in the image below. *(Line numbers shift between PHP versions, so check that the line you uncomment is the one shown in the image rather than trusting the number alone.)*
*(Ignore the blue balls, I added them so you wouldn't miss where to change!)*
Save **php.ini** after making this change.
There is more you can do in **php.ini**, but nothing you need to do now.
Alternatively, you can use the **php.ini** file I uploaded to my GitHub
*(it's a little different from the standard one, but both work, up to you!)*
Now navigate to [http://127.0.0.1](http://127.0.0.1) in the browser (plain HTTP for now; nothing listens on 443 until the SSL config is in place later).
*When everything works, it will look like this.*
*(A public IP is required for the next part to work!)*
To open ports **80** & **443**, log into your router and go to the **port forwarding** section.
To find the router's address: *Control Panel > Network and Internet > Network and Sharing Center > Change adapter settings* **>**
*right-click your network* **>** *Status > Details* **>** *IPv4 Default Gateway*.
This is the address you enter to access your router interface.
In my home I have a 10.x network (the old "class A" private range), [10.0.0.1](http://10.0.0.1),
but most people have a 192.168.x network ("class C"), [192.168.0.1](http://192.168.0.1) or [192.168.1.1](http://192.168.1.1).
*You can also check with* ***cmd:*** *just type* **ipconfig** *in* ***cmd.***
Forward TCP **80** and **443** to the LAN IP of the Windows machine, and give that machine a static address or a DHCP reservation so the forward does not break when the lease changes. *Here you can see what my port config looks like.*
Opening the router is only half of it: Windows Firewall must also allow **nginx.exe** to accept inbound connections, otherwise the port test will fail even though the forward is correct.
To check if your ports are open:
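The port check itself is only in an image in the original post. As an added example (not the author's own steps), the block below opens Windows Firewall for **nginx.exe** and tests the ports; the public IP shown is an RFC 5737 documentation placeholder that you replace with your own, and the path **C:\nginx\nginx.exe** is the guide's layout.

```powershell
# Added example: let nginx through Windows Firewall and check that 80/443 are reachable.
# Assumptions: nginx at C:\nginx\nginx.exe, run as Administrator, replace $public with your own IP.

# Windows 8 / Server 2012 and newer (NetSecurity module). Scoping the rule to the program AND to
# TCP 80,443 is tighter than a blanket port rule: no other process gets to use the opening.
New-NetFirewallRule -DisplayName "nginx HTTP/HTTPS" -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort 80,443 -Program "C:\nginx\nginx.exe" -Profile Any

# Windows 7 / Server 2008 R2 have no NetSecurity module; the equivalent is:
# netsh advfirewall firewall add rule name="nginx HTTP/HTTPS" dir=in action=allow protocol=TCP localport=80,443 program="C:\nginx\nginx.exe"

# Local check first: if nginx is not listening, no router or firewall setting will help.
# (Test-NetConnection is also Windows 8+; on Windows 7 use "netstat -ano | findstr :80" instead.)
Test-NetConnection -ComputerName 127.0.0.1 -Port 80 | Select-Object ComputerName, RemotePort, TcpTestSucceeded

# External check. Run this from OUTSIDE your LAN (phone hotspot, a VPS): from inside, testing the
# public IP often fails because many consumer routers do not do hairpin NAT, which looks exactly
# like a broken port forward. 443 only succeeds once the SSL server block exists.
$public = "203.0.113.10"   # placeholder from the RFC 5737 documentation range, not a real host
foreach ($port in 80, 443) {
    $r = Test-NetConnection -ComputerName $public -Port $port -WarningAction SilentlyContinue
    "{0}:{1} open={2}" -f $public, $port, $r.TcpTestSucceeded
}
```

`TcpTestSucceeded = True` on 80 from an external network means the router forward, the Windows firewall rule and the nginx service are all correct at once; a `False` on 443 at this stage is expected until the HTTPS config from later in the guide is loaded.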
**Domain & SSL.**
Navigate to [dot.tk](http://www.dot.tk/en/index.html?lang=en) and create a domain;
dot.tk domains are completely free for 1-12 months 🙂
*(Freenom, which runs .tk, has since stopped taking new registrations for its free TLDs, so you may have to use another registrar; the Cloudflare steps below are the same for any domain.)*
I just created a temporary domain, [jasmyn.tk](https://jasmyn.tk).
It will go inactive after 30 days, as I only chose 1 month.
*Why jasmyn?* Just a random name \^\^ \~> [https://www.name-generator.org.uk/](https://www.name-generator.org.uk/) 😋😊
When you have picked your domain name, press next; at checkout, add your information as I have and click **Complete Order**.
Add your public IP, then click continue.
Navigate to [Cloudflare.com](https://dash.cloudflare.com/sign-up), create an account and log in.
Add your dot.tk domain: **Add site** \> select **Free** under **Select a plan** \> **Confirm plan**.
Click **DNS** after Cloudflare has completed its scan.
Enter your domain and your public IP as an **A record**, as I did in the picture below.
If you want [**www**](http://www)**.** as well, add it as a second **A record** in Cloudflare's **DNS**.
I chose not to use [**www**](http://www)**.** since it is a **subdomain** and I simply did not want it; most people just want their **apex** anyway 😊
Further down under **DNS**, where it says **Cloudflare Nameservers**,
copy both **NS** entries from Cloudflare, then return to [freenom.com](https://my.freenom.com/clientarea.php)
and navigate to *Services > My Domains > Manage Domain > Management Tools > Nameservers*
*and add the* **NS** *entries as I did in the picture below.*
Back in **Freenom** **|** *navigate to Services > My Domains > Manage Domain > Manage Freenom DNS* **|** and delete the **IP** record we added at the beginning.
When Cloudflare is done you will receive an email that looks like this.
There are lots of settings you should change in Cloudflare, but for now head over to **Crypto** \> and set **SSL** to **Full (strict)**.
**Full (strict)** means Cloudflare connects to your server over HTTPS *and* verifies the server's certificate, which is why the origin needs a valid, publicly trusted certificate of its own (the Let's Encrypt one generated below). The weaker **Flexible** mode would leave the Cloudflare-to-origin hop in plain HTTP, and **Full** without strict would accept any certificate, including a self-signed one, so neither protects that hop properly.
You can now close [freenom.com](https://freenom.com), as everything is managed from [cloudflare.com](https://cloudflare.com),
& in the image below you can see that visitors to [jasmyn.tk](https://jasmyn.tk) now get Cloudflare's edge certificate.
Keep in mind that proxying through Cloudflare only hides your IP from people who look up the DNS name; anyone who already knows the origin IP can still connect to nginx directly, so the nginx configuration (not Cloudflare) is what ultimately protects your applications.
If you feel like buying a real domain, then I recommend [one.com](https://www.one.com/);
their support is excellent & I currently have a domain from one.com.
But this guide is not an advertisement for one.com.
This guide is intended to help anyone who wishes to host a site with SSL and nginx on Windows.
If you already have a domain and want to point it from your web host to your server, I can help you out with that.
**Now to Let's Encrypt.**
*Why generate your own SSL certificate if we now have SSL from Cloudflare?*
Because Cloudflare's certificate only covers the hop between the browser and Cloudflare and never leaves Cloudflare. nginx needs its own certificate to serve HTTPS on port 443 at all, **Full (strict)** requires that certificate to be valid, and applications like Plex, Tautulli, Sonarr, etc. that you publish through the reverse proxy are reached over that same origin HTTPS.
So a reverse proxy cannot do SSL without its own certificate.
Navigate to **C:\\Letsencrypt** \> run **letsencrypt.exe** as **administrator**
and use the same options as I do in the image below, replacing my temporary domain with your **FQDN**.
If it asks for an email, enter one you actually read; Let's Encrypt sends expiry warnings to it.
It's up to you whether to set up renewal as a scheduled task, but I do recommend it: Let's Encrypt certificates are valid for 90 days, so without the task you must re-run the tool yourself before they expire.
*(This requires, however, that your Windows account has a password and is not a passwordless auto-login, because the scheduled task runs under that account.)*
**Important: if you want** [**www.mydomain.com**](https://www.mydomain.com) **to work, you need to add** [**www**](http://www)**. as an extra host name when generating the certificate, so that it appears in the certificate's SAN list. The A / CNAME record in Cloudflare alone is not enough; the certificate must name it as well.**
Once you have generated your SSL certificate from Let's Encrypt,
navigate as I did in the image below and verify that the files are there!
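"The files are there" is the minimum; before pointing nginx and Cloudflare Full (strict) at the certificate you also want to know that it names every host (apex and www), is not about to expire, and chains to a trusted root. The block below is an added example, not part of the original post; the certificate file name under **C:\Letsencrypt** is an assumption, so set `$certPem` to whichever PEM/CRT file your win-acme version wrote.

```powershell
# Added example: inspect the Let's Encrypt certificate nginx will serve.
# Assumptions: $fqdn is your domain (jasmyn.tk is the author's temporary one) and $certPem is the
# certificate file win-acme produced; the name below is a guess, adjust it to the real file.
$fqdn    = "jasmyn.tk"
$certPem = "C:\Letsencrypt\$fqdn-crt.pem"   # assumed location and name

# X509Certificate2 reads PEM (Base64) as well as DER files; for a full-chain file it loads the first (leaf) cert.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certPem

# Browsers match the host name against Subject Alternative Name (OID 2.5.29.17), not the Subject CN.
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
$sans = @()
if ($sanExt) {
    # Format($false) yields "DNS Name=jasmyn.tk, DNS Name=www.jasmyn.tk"; keep the part after "="
    $sans = ($sanExt.Format($false) -split ",\s*") | ForEach-Object { ($_ -split "=")[-1].Trim() }
}

"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"
"Expires : $($cert.NotAfter.ToString('u'))  ($([int]($cert.NotAfter - (Get-Date)).TotalDays) days left)"
"SANs    : $($sans -join ', ')"

# 1) Does it cover the apex and www? A missing www here is the mistake the guide warns about.
foreach ($name in $fqdn, "www.$fqdn") {
    if ($sans -contains $name) { "OK   covers $name" } else { "MISS $name is not in the SAN list" }
}

# 2) Is renewal overdue? Let's Encrypt certs last 90 days; warn with two weeks to go.
if ($cert.NotAfter -lt (Get-Date).AddDays(14)) { "WARN renew soon: expires $($cert.NotAfter)" }

# 3) Does it chain to a trusted root on this machine? Cloudflare Full (strict) makes the same demand.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if ($chain.Build($cert)) { "OK   chain builds to a trusted root" }
else { "FAIL chain: " + (($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; ') }
```

A `MISS www.<domain>` line means the certificate was requested for the apex only; re-run win-acme with both names rather than adding a DNS record, since DNS cannot fix a certificate that does not name the host.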
Now that we have gotten this far, we need to change the configs for **nginx**.
Go to [zidichy.github](https://github.com/Zidichy/Server).
Download all the **.conf** files: click the green button *(Clone or download)* **>** select **Download ZIP**.
When the zip is downloaded, unpack everything onto the desktop.
Move the **site-confs** & **proxy-confs** folders to **C:\\nginx\\conf**.
Move the **.conf** files from the **Server-master\\nginx** folder in the zip to the **C:\\nginx\\conf** folder as well.
Open **site-confs** \> **domain.conf** in Notepad++ and change where it says [domain.com](https://domain.com) to your domain.
Go to **conf** \> **strongSSL.conf**, edit it in Notepad++ and change where it says [domain.com](https://domain.com) to your **domain**.
You also need to comment out (**#**) the header lines that contain "**report**" in the string unless you register at [report-uri.com](https://report-uri.com); those directives tell browsers where to send CSP and similar violation reports, and they are useless, or point at someone else's account, until you have your own endpoint.
When done, test the config by running **nginx -t** in **cmd** from the **C:\\nginx** directory (nginx/Windows resolves **conf\\nginx.conf** relative to the directory it is run from), see the image below.
Then run **nssm restart nginx** so that **nginx** reloads all settings 🙂
*To start nginx via cmd, type* **nssm start nginx**
*To stop nginx via cmd, type* **nssm stop nginx**
*To start php via cmd, type* **nssm start php**
*To stop php via cmd, type* **nssm stop php**
*Same thing with restart for* **nginx** *&* **php**, *like so:*
**nssm restart nginx**
**nssm restart php**
So how does a reverse proxy work?
*I do believe Spaceinvader One put it best.*
*But for those of you who missed the video where he explained it, here is my explanation.*
A reverse proxy lets you reach applications on your LAN from the internet even though they sit behind your firewall, without opening one router port per application.
nginx receives the request, works out from the host name or path which application it is for, forwards it to that application's local address and port,
and returns the reply to you. We then force all of it through port **:443** (SSL **<\~>** HTTPS://),
which means that all traffic between the visitor and nginx is encrypted; port 80 exists only to redirect to 443.
Note that the hop from nginx to the application (for example to 127.0.0.1:32400 for Plex) is normally plain HTTP. That is fine when the application runs on the same machine, but if it runs on another host on your LAN that leg is unencrypted.
More info here: [https://www.cloudflare.com/learning/cdn/glossary/reverse-proxy/](https://www.cloudflare.com/learning/cdn/glossary/reverse-proxy/)
Navigate to **C:\\nginx\\conf\\proxy-confs\\** \> here you will find all my **.confs** for different services, such as **Plex**, **Sonarr**, **Tautulli**, etc.
You may need to open port **32400** on the router for **Plex** if something isn't working (Plex's own remote access uses that port directly rather than going through nginx).
If you want to run another application through the **reverse proxy** that is not in my **proxy-confs**, you need to create a **.conf** for it with a `location` block and a `proxy_pass` pointing at the application's local address and port.
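The author's real configs live in the GitHub repository linked above; the block below is an added example, not those files, showing the minimal shape of the layout this guide describes (HTTP-to-HTTPS redirect, TLS with the Let's Encrypt files, PHP via the php-cgi service, and one proxied application). It is written as a PowerShell script so it can be run on the Windows box and config-tested in one go. Assumptions: domain **jasmyn.tk**, site root **C:\www**, certificate files named **C:\Letsencrypt\<domain>-chain.pem** / **-key.pem** (rename to whatever win-acme produced), and Tautulli on **127.0.0.1:8181** with its "HTTP root" set to **/tautulli**.

```powershell
# Added example (not the author's GitHub configs): minimal site + proxy config for nginx/Windows.
# Assumptions: domain jasmyn.tk, site root C:\www, cert files under C:\Letsencrypt with the names
# below, Tautulli on 127.0.0.1:8181 with URL base /tautulli, php service on 127.0.0.1:9000.
$domain = "jasmyn.tk"
New-Item -ItemType Directory -Force C:\nginx\conf\site-confs, C:\nginx\conf\proxy-confs | Out-Null

# Single-quoted here-string: nginx variables such as $host must NOT be expanded by PowerShell.
$siteConf = @'
server {
    listen 80;
    server_name DOMAIN www.DOMAIN;
    # keep HTTP-01 validation reachable so win-acme can renew; everything else goes to HTTPS
    location ^~ /.well-known/acme-challenge/ { root C:/www; }
    location / { return 301 https://$host$request_uri; }
}

server {
    listen 443 ssl http2;
    server_name DOMAIN www.DOMAIN;

    ssl_certificate     C:/Letsencrypt/DOMAIN-chain.pem;   # assumed file names
    ssl_certificate_key C:/Letsencrypt/DOMAIN-key.pem;
    ssl_protocols TLSv1.2;                                  # the 1.14.2 Windows build predates TLS 1.3
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-Frame-Options SAMEORIGIN always;
    add_header Referrer-Policy strict-origin-when-cross-origin always;

    # With Cloudflare in front, $remote_addr is a Cloudflare edge IP. To log or rate-limit real
    # clients add one "set_real_ip_from <range>;" per range from https://www.cloudflare.com/ips/
    # followed by "real_ip_header CF-Connecting-IP;".

    root  C:/www;                     # absolute on purpose: a relative "root www;" means C:/nginx/www
    index index.php index.html;

    location ~ \.php$ {
        try_files $uri =404;          # never hand a non-existent path to php-cgi
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass 127.0.0.1:9000;  # the php service registered with nssm
    }

    include proxy-confs/*.conf;       # one location block per proxied application
}
'@

$proxyConf = @'
# Tautulli under /tautulli on the same host name (assumed port and URL base)
location /tautulli {
    proxy_pass http://127.0.0.1:8181;          # plain HTTP, but only over loopback
    proxy_set_header Host              $host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
}
'@

($siteConf -replace 'DOMAIN', $domain) | Set-Content -Encoding ASCII C:\nginx\conf\site-confs\domain.conf
$proxyConf | Set-Content -Encoding ASCII C:\nginx\conf\proxy-confs\tautulli.conf

# nginx.conf must contain "include site-confs/*.conf;" inside its http { } block for these files
# to be loaded (include paths are relative to C:\nginx\conf). Test from C:\nginx, because
# nginx/Windows resolves conf\nginx.conf from the directory it runs in, and only restart the
# service when the test passes, so a typo never takes the site down.
Set-Location C:\nginx
.\nginx.exe -t
if ($LASTEXITCODE -eq 0) { nssm restart nginx } else { Write-Warning "nginx -t failed; old config left running" }
```

Each additional application gets its own file in **proxy-confs** with the same four `proxy_set_header` lines; the `X-Forwarded-Proto` header is what lets an application that only speaks HTTP internally generate `https://` links, and `Host` is what the application uses to validate the request, so leave both in.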
*I am planning to create a video guide where I do everything in this guide.*
*This is to make it even easier for anyone who wants a secure* ***nginx*** *server with* ***SSL***, ***reverse proxy*** *&* ***CDN***!
Hope this guide helped someone.
This guide was fun to make & it took a while to create \^\^ a few hours, to be more precise 😋
Would love to hear what you guys think about my guide 🙂
What could I have done better?
Was something in the guide unclear?
**Q1:** Why create this for Windows and not Linux?
**A1:** Because there are already so many different guides out there on the net / YouTube for nginx on Linux;
besides, nginx works very well on Windows if you have everything set up correctly. Also, not everyone feels comfortable in a Linux environment.
And those who choose to stay in a Windows environment, but still want a very secure site, should be able to have that!
**Q2:** Why use Windows 7 instead of Windows 10 / Windows Server?
**A2:** Because Windows 7 is stable, simple to secure, resource-efficient, very similar to Windows Server 2008,
and more people have Windows 7 licenses than Windows Server licenses.
Other than that, older machines have guaranteed drivers for Windows 7, but maybe not for Windows 10.
Besides, this guide works perfectly on Windows 7, Windows Server and Windows 10 *(all versions)*.
**Q3:** Why so much security? Isn't standard SSL from LE enough?
**A3:** First, it's up to everyone to decide how much security they want.
But for me, I want as much as I can get; the more security the better.
Unfortunately, regular SSL alone is not enough nowadays, as I know how much damage you can do just by getting hold of the server's IP
and checking what kind of subdomains the domain has and what headers the web server allows.
Many sites lack, for example, protection against hammering login portals (brute forcing).
Having poor security on my web server is not something I want, as it is connected to a large amount of data I own.
**Q4:** Where's the VPN?
**A4:** This guide is meant to be free of cost; the only cost here is time, and a good VPN provider costs money.
*But I do have a VPN for my domain. I use AzireVPN.*
**Q5:** Where is Fail2Ban?
**A5:** Very hard to get working on Windows \^\^ and I now use **unRaid**, so I have f2b installed 🙂
But if you still want f2b for Windows, try wail2ban, which is a port of fail2ban for Windows!
When I still used Windows I had 2FA (two-factor authentication) on my site, & when logged in,
I had every user set to a different level. Organizr is very secure. 😋
**Q6:** Why put nginx in reverse proxy?
**A6:** Because of the high security it gives. Only opening 2 ports in the router (80 & 443) and sending everything through port 443, which is encrypted,
gives you and all the applications you want available outside your local LAN very high security,
and if you add error pages, HTTP authentication & Cloudflare CDN HTTP proxy, you are making it virtually impossible for
anyone without the correct authorization to access the applications you have connected to your site.
As far as I know it's not even possible 😉 This is what happens if you try.
In order to use HTTP authentication with my config you're required to run [Organizr](https://github.com/causefx/Organizr).
But it is possible to configure it so that Organizr uses e.g. WordPress or GRAV as the main template.
*(You can use HTTP authentication \*outside of Organizr, but you need to change the config and download other files.)*
So where is the HTTP authentication?
It is located in **C:\\nginx\\conf\\auth.conf** (with the other .conf files from the zip) and is linked to **errorV2.conf**, which in turn is linked to Organizr 🙂
To get it working, all you have to do is install Organizr 😋
And to do that, all you need to do is download the **.7z** file from Organizr's GitHub, unzip the contents and move them into the
folder nginx serves as its root (the **www** folder set in nginx.conf earlier), then start the installation process 😊
In the future I plan to create more guides, including a guide on how to fully secure your Windows OS when using it as a server for your site.
*So I don't forget:*
My config is set up in such a way that Google and other search engines can't index the site.
Bots & crawlers cannot index the site, so you have to change that if you want it available for SEO.
All headers in my config are configured for high security!
Meaning, among other things, that **Access-Control-Allow-Origin** is restricted to your own domain.
Scan reports from
[securityheaders.com](https://securityheaders.com) & [immuniweb.com/websec](https://immuniweb.com/websec)
*(This is what my nginx config scores when everything is ready!)*
*If anyone would like to improve on my Windows config, please do so; feel free to edit / fork it as much as you want.*
*But please inform others what improvements were made to the code and why, so that others can benefit as well :)*
*This guide was written & created by me,* [Zidichy](https://www.reddit.com/user/Zidichy) / [xTL](https://www.tenforums.com/members/xtl.html?tab=aboutme#aboutme)
*All configuration happened on my Windows 7 VM* 🙂
*But it was written on my primary system, Win10* 😋
*If you have any questions, feel free to send me a PM on any platform, or simply comment on Reddit :)*
\*\* Well, one last thing 😋😊 \*\*
I guess some (or all?) wonder why I show the IP that I use in my guide.
I do this because the IP belongs to AzireVPN.
It's just a random IP that I got from AzireVPN, so I don't mind showing it 🙂
This is something that many who create guides online avoid showing. I realize this + I understand why.
But I did not want to hide the IP, and I solved it like this instead 🙂
*Discord & other info.*
*The guide was written on February 8, 2019 but was not published until August 9, 2019.*
*\*\* Contents of the guide were slightly altered from the original \*\**