Install SSL/HTTPS certificate

Installing the NGINX reverse proxy with an SSL certificate for Umbrel / BTCPay Server

Prerequisites

  • A fully installed Umbrel node;

  • The BTCPayServer app is enabled;

  • You have a domain name configured for your website.

For this manual, I will use the following example values:

  • The home IP is 100.100.100.100;

  • The internal IP (of Umbrel) is 10.10.10.10;

  • The domain name is buidlbuidl.com;

  • The desired domain for BTCPay Server is pay.buidlbuidl.com.

Step 1: Pointing the domain name to your home IP address

Navigate to the control panel of your domain provider. Edit the DNS zone of your domain and add a new record:

DNS zone editor

Step 2: Verifying the DNS change from step 1

You can use this online tool to check if the DNS update has propagated throughout the internet.

Step 3: Adding a port forwarding to your local router

To accept payments and issue an SSL certificate to your domain, your Umbrel should be partially reachable from the internet. Therefore, we need to open up specific ports on your internet router. The specifics depend on the make and model of your internet router.

First, find the internal IP address of your Umbrel node over SSH.

In the output below, 10.10.10.10 is the internal IP address.

umbrel@umbrel:~ $ ip addr show wlan0
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether dc:a6:32:a4:91:8c brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.10/24 brd 192.168.121.255 scope global dynamic noprefixroute wlan0

Next, create two port forwardings in your internet router. The router in this illustration uses a mobile app.

Screenshot of (example) the router management interface

You need the following port forwardings:

  • Name: BTCPay NGINX HTTP; IP address: 10.10.10.10; Source port: 80; Destination port: 15080; Protocol: TCP

  • Name: BTCPay NGINX HTTPS; IP address: 10.10.10.10; Source port: 443; Destination port: 15443; Protocol: TCP

If you have multiple routers behind each other (NAT-connection), you will have to open the ports on both routers. Follow the steps below only if this applies to your situation.

Step 4: Installing NGINX & Certbot

Before installing, update your package repository list.

umbrel@umbrel:~ $ sudo apt update

Then, install the required components.

umbrel@umbrel:~ $ sudo apt install python3-acme python3-certbot python3-mock python3-openssl python3-pkg-resources python3-pyparsing python3-zope.interface python3-certbot-nginx nginx

The installation will fail; this is expected behavior. It is happening because Umbrel is already claiming port 80. Therefore, we need to change this in the configuration and finish the installation.

umbrel@umbrel:~ $ sudo sed -i 's/80 default_server/15080/g' /etc/nginx/sites-available/default

Then, finish the installation.

umbrel@umbrel:~ $ sudo apt install -f

After this, you should see a running NGINX welcome page on http://10.10.10.10:15080/

Step 5: Creating the BTCPay Server configuration for NGINX

Create a new configuration file:

umbrel@umbrel:~ $ sudo nano /etc/nginx/sites-available/btcpay

Paste in the following contents:

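# Buffers for responses read from the proxied BTCPay Server
proxy_buffer_size          128k;
proxy_buffers              4 256k;
proxy_busy_buffers_size    256k;
# Buffers for client request headers
client_header_buffer_size 500k;
large_client_header_buffers 4 500k;
# HTTP/2 header limits (obsolete since nginx 1.19.7, which uses large_client_header_buffers instead)
http2_max_field_size       500k;
http2_max_header_size      500k;

# Send "Connection: upgrade" upstream only when the client requested an upgrade (WebSocket)
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    server_name pay.buidlbuidl.com;

    location / {
        # Forward all requests to BTCPay Server on the local port
        proxy_pass http://127.0.0.1:3003;
        # Pass the original host, client IP and scheme to the backend
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }

    # Port 15080 is the destination of the router's port 80 forwarding
    listen 15080;
    listen [::]:15080;
}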

Save the file (CTRL+O) and exit the editor (CTRL+X).

Then, enable the configuration:

umbrel@umbrel:~ $ sudo ln -s /etc/nginx/sites-available/btcpay /etc/nginx/sites-enabled/

Test the validity of the configuration using:

umbrel@umbrel:~ $ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Then, reload the configuration.

umbrel@umbrel:~ $ sudo systemctl reload nginx.service

Step 6: Request a new SSL certificate from Let's Encrypt

Request a new certificate from Let's Encrypt.

umbrel@umbrel:/etc/nginx/sites-enabled $ sudo certbot --nginx -d pay.buidlbuidl.com -m you@example.com --agree-tos --tls-sni-01-port 15443 --http-01-port 15080

Note: Make sure to replace you@example.com and pay.buidlbuidl.com with your own email address and domain.

When Certbot asks you about redirecting, choose 1: No redirect.

Step 7: Manually add the HTTP-redirect

Open up the configuration file again:

umbrel@umbrel:~ $ sudo nano /etc/nginx/sites-available/btcpay

Then, at the end of the file, add this server block:

server {
    if ($host = pay.buidlbuidl.com) {
        return 301 https://$host$request_uri;
    }

    listen 15080;
    listen [::]:15080;

    server_name pay.buidlbuidl.com;
    return 404;
}

Then, validate & reload the configuration:

umbrel@umbrel:~ $ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
umbrel@umbrel:~ $ sudo systemctl reload nginx.service

Your BTCPay Server should now be accessible using SSL at: https://pay.buidlbuidl.com/.
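
The check below is an added example, not part of the original guide. nginx ignores a later server block that repeats a server_name on a listen address and port another block already claims (it logs a "conflicting server name" warning), so the Step 7 redirect only answers if the first block no longer listens on 15080. The sample config, including its "listen 15443 ssl" line, is constructed for illustration.

```bash
# List (port, server_name) pairs claimed by more than one nginx server block.
# Assumes one directive per line; compares by port only, not address:port.
find_conflicts() {
  awk '
    { sub(/[#].*/, "") }                                # drop comments
    /^[ \t]*server[ \t]*[{]/ && depth == 0 { in_srv = 1; blk++ }
    in_srv && $1 == "listen" {
      p = $2; sub(/;$/, "", p); sub(/.*:/, "", p)       # "[::]:15080;" -> "15080"
      ports[p] = 1
    }
    in_srv && $1 == "server_name" {
      for (i = 2; i <= NF; i++) { n = $i; sub(/;$/, "", n); if (n != "") names[n] = 1 }
    }
    {
      depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")      # track brace nesting
      if (in_srv && depth == 0) {                       # a server block just closed
        for (p in ports) for (n in names) {
          k = p " " n
          if (k in owner) print k " (server blocks " owner[k] " and " blk ")"
          else owner[k] = blk
        }
        split("", ports); split("", names); in_srv = 0
      }
    }
  ' "$@"
}

# Constructed sample: the Step 5 block, assuming Certbot added a TLS listener
# and left "listen 15080" in place, followed by the Step 7 redirect block.
sample_conf() {
  cat <<'EOF'
server {
    server_name pay.buidlbuidl.com;
    location / { proxy_pass http://127.0.0.1:3003; }
    listen 15080;
    listen [::]:15080;
    listen 15443 ssl; # assumed Certbot-added line
}
server {
    if ($host = pay.buidlbuidl.com) {
        return 301 https://$host$request_uri;
    }
    listen 15080;
    listen [::]:15080;
    server_name pay.buidlbuidl.com;
    return 404;
}
EOF
}
sample_conf | find_conflicts   # on the node: find_conflicts /etc/nginx/sites-enabled/*
```

Empty output means no server block shadows another; any line printed names the port and host where only the first block will answer.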

The Pay Button

BTCPay Server will now intelligently use the requesting domain and protocol to generate the example code, and you're off to accepting payments on your website.

Screenshot of the BTCPay Server widget
