poster-cockroachdb.jpg

https://www.cockroachlabs.com/docs/stable/install-cockroachdb.html

https://www.cockroachlabs.com/docs/stable/secure-a-cluster.html

https://github.com/denisgolius/cockroach-installer

https://www.digitalocean.com/community/tutorials/how-to-create-an-ssl-certificate-on-nginx-for-ubuntu-14-04

https://www.digitalocean.com/community/tutorials/how-to-set-up-password-authentication-with-nginx-on-ubuntu-14-04

My ufw rules block all requests from the Internet to port 7005, so the web UI is served on a subdomain through nginx:

cat /etc/systemd/system/cockroach.service

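[Unit]
Description=Cockroach db auto starter
# The node opens network listeners on start; order after networking.
After=network.target

[Install]
WantedBy=multi-user.target

[Service]
# Run the node as a dedicated unprivileged account instead of root.
# "cockroach" is a sample account name: create it and chown the --store
# and --certs-dir directories to it before enabling the unit.
User=cockroach
Group=cockroach
# Start and stop must use the same certs directory. The original unit had
# /opt/cocroach/certs on ExecStart and /opt/cockroach/certs on ExecStop,
# so one of the two commands was pointed at a path that does not exist;
# confirm the directory that actually holds the node certs on disk.
# The HTTP listener (7005) is meant to be reached only through nginx;
# binding it to loopback (see the listen-address flags of `cockroach start`
# for the installed version) is a stronger guarantee than the ufw rule alone.
ExecStart=/usr/local/bin/cockroach start --certs-dir=/opt/cockroach/certs --store=/var/data/cockroachdb/ --port=26257 --http-port=7005 --logtostderr=ERROR
ExecStop=/usr/local/bin/cockroach quit --certs-dir=/opt/cockroach/certs
SyslogIdentifier=cockroachdb
Restart=always
LimitNOFILE=35000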

# CockroachDB Admin UI on this host. Per the ufw note above, port 7005 is
# not reachable from the Internet, so this is only hit via the proxy below.
upstream cocroach {
    server localhost:7005;
}

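server {
    listen your_ip:443 ssl;
    server_name your_domain;

    # Certificate presented to browsers. These paths match the linked
    # DigitalOcean tutorial, which creates a self-signed pair; the original
    # "managed by Certbot" note on the cipher line did not apply to them.
    # A self-signed cert trains users to click through warnings, so prefer
    # a CA-issued certificate where possible.
    ssl_certificate /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;

    # TLS 1.0/1.1 are deprecated and have no AEAD suites; an admin UI has
    # no legacy clients to keep. Add TLSv1.3 once the installed
    # nginx/OpenSSL support it.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    # Forward-secret AEAD suites only. The original list also allowed 3DES
    # (DES-CBC3-SHA) and plain-RSA key exchange (no forward secrecy), and
    # DHE suites, which without ssl_dhparam rely on nginx's default DH
    # parameters. None of those are needed for this UI.
    ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:!DSS";

    location / {
        # Basic auth is the only access control in front of the Admin UI.
        # It is acceptable only because every request arrives over TLS (the
        # port-80 server redirects and never proxies). Generate the file with
        # a strong hash, e.g. `htpasswd -B`, rather than the crypt()/MD5
        # defaults.
        auth_basic "Restricted Content";
        auth_basic_user_file /etc/nginx/.htpasswd;

        # Proxy to the upstream declared above; the original repeated
        # https://localhost:7005 here and left the upstream unused.
        # NOTE: nginx does not verify the upstream certificate by default
        # (proxy_ssl_verify is off). On loopback the exposure is small; on
        # nginx >= 1.7 it can be enforced with proxy_ssl_verify on and
        # proxy_ssl_trusted_certificate pointing at the cluster CA cert.
        proxy_pass https://cocroach;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        proxy_redirect default;
        proxy_buffering off;
        client_max_body_size 50m;
        client_body_buffer_size 512k;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Let the upstream know the client connection was TLS.
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location = /favicon.ico {
        log_not_found off;
    }

    # Keep crawlers away from the admin interface. Defence in depth only;
    # auth_basic is what actually protects it.
    location = /robots.txt {
        add_header Content-Type text/plain;
        return 200 "User-agent: *\nDisallow: /\n";
    }

    # Deny any path component that starts with a dot before it reaches the
    # proxy.
    location ~ /\. { deny all; }

    access_log /var/log/nginx/cocroach-webui.access.log;
    error_log /var/log/nginx/cocroach-webui.error.log;
}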

# Plain-HTTP listener: serves nothing itself, only bounces to TLS so that
# basic-auth credentials never travel over port 80.
server {
    listen your_ip:80;
    server_name your_domain;
    return 301 https://$server_name$request_uri;
}