Step 1 – Installation of Nginx and its configuration
Update and upgrade the Ubuntu installation if not already done, then install Nginx.
sudo apt-get update && sudo apt-get upgrade -y
sudo apt-get install nginx
Enable Nginx so it starts at boot
sudo systemctl enable nginx
Allow HTTP and HTTPS traffic to Nginx through the firewall
sudo ufw allow 'Nginx Full'
Create a new Nginx configuration file for the published site
sudo touch /etc/nginx/sites-available/<conf-file-name>
Create a Symbolic link for the newly created Nginx configuration file
sudo ln -s /etc/nginx/sites-available/<conf-file-name> /etc/nginx/sites-enabled/
Remove the symbolic link to the default site configuration
sudo rm /etc/nginx/sites-enabled/default
Edit the main Nginx configuration file so that Nginx no longer reveals its version in response headers and error pages (server_tokens), for additional security
sudo vi /etc/nginx/nginx.conf
Uncomment the server_tokens line in the http block, changing
#server_tokens off;
to
server_tokens off;
Edit the new configuration file with the contents for the website
sudo vi /etc/nginx/sites-available/<conf-file-name>
server {
    root /var/www/html;
    # add index.php to the index list if it is a PHP site
    index index.html index.htm;
    server_name <site_name> www.<site_name>;
    location / {
        try_files $uri $uri/ =404;
    }
}
Verify that the configuration file has no errors
sudo nginx -t
Reload Nginx server to reflect the changes
sudo systemctl reload nginx
Remove the default Nginx welcome page
sudo rm /var/www/html/index.nginx-debian.html
Step 2 – Installing Certbot
First, we need to add the repository for Certbot
sudo add-apt-repository ppa:certbot/certbot
Next, install Certbot's Nginx plugin package using apt
sudo apt install python-certbot-nginx
Step 3 – Verification of configuration before acquiring certificate from Certbot
Verify that the Nginx config file has the server_name field set to your domain name.
Two things to note here are:
- The DNS record for the domain name points to the server's IP address.
- The domain name resolves and serves the page from this server.
sudo vi /etc/nginx/sites-available/<conf-file-name>
server {
    ...
    server_name <site_name> <site_name_with_www>;
    ...
}
Verify that Nginx is allowed through the firewall
sudo ufw status
Expected output:
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Nginx HTTP                 ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Nginx HTTP (v6)            ALLOW       Anywhere (v6)
Step 4 – Obtaining Certificate
sudo certbot --nginx -d ilostin.com -d www.ilostin.com
Follow the instructions on the screen. At the moment you will be prompted for two things before installation:
- Enter your email address, used to notify you about certificate expiry
- Agree to the terms of service
After the certificate is installed, you will be prompted to choose one of these two options for changes to your Nginx configuration file. I would prefer option 2, which redirects all incoming HTTP traffic to HTTPS.
Output:
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):
Step 5 – Verify Certbot Auto-Renewal and errors
Let’s Encrypt certificates are valid for 90 days. This is to encourage users to renew their certificates on an ongoing basis and remove any certificates that are no longer used. The
To check that renewal will run without errors, do a dry run with certbot
sudo certbot renew --dry-run
If no errors are found after this execution, you are all set and your site is served over HTTPS (SSL/TLS encrypted).
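As an added example that is not part of the original tutorial, the script below checks the settings made above: server_tokens off from Step 1, the ufw rule from Step 3 and Certbot's redirect option from Step 4. The check_* functions read the relevant text from stdin and return 0 when the expectation holds; audit_site (an assumed name) wires them to a live host with curl and ufw, and the SAMPLE_* strings are constructed input for an offline dry run.

```shell
# Added example, not part of the original tutorial. Each check_* function reads
# the relevant text from stdin and returns 0 when the expectation holds, 1
# otherwise. audit_site runs them against a live host; SAMPLE_* are constructed.

# Step 1: with server_tokens off, the Server header must not carry a version.
check_server_tokens() {
  ! grep -iqE '^server:[[:space:]]*nginx/[0-9]'
}

# Step 3: `ufw status` must be active and allow an Nginx profile (HTTP or Full).
check_ufw_nginx() {
  local out; out=$(cat)
  printf '%s\n' "$out" | grep -q '^Status: active' &&
    printf '%s\n' "$out" | grep -qE '^Nginx (HTTP|Full)[[:space:]]+ALLOW'
}

# Step 4: a plain-HTTP response must be a 301/308 whose Location is https://.
check_https_redirect() {
  local hdrs; hdrs=$(cat)
  printf '%s\n' "$hdrs" | grep -qE '^HTTP/[0-9.]+ (301|308)' &&
    printf '%s\n' "$hdrs" | grep -qiE '^location:[[:space:]]*https://'
}

# Run every check against a live host; needs network access and sudo for ufw.
audit_site() {
  local host=$1 rc=0
  sudo ufw status | check_ufw_nginx \
    || { echo "FAIL: ufw does not allow Nginx"; rc=1; }
  curl -sI "http://$host/" | check_https_redirect \
    || { echo "FAIL: port 80 does not redirect to HTTPS"; rc=1; }
  curl -sI "https://$host/" | check_server_tokens \
    || { echo "FAIL: Server header leaks the nginx version"; rc=1; }
  return $rc
}

# Constructed samples (CRLF line endings, as `curl -I` prints them).
SAMPLE_REDIRECT=$(printf 'HTTP/1.1 301 Moved Permanently\r\nServer: nginx\r\nLocation: https://<site_name>/\r\n')
SAMPLE_LEAKY=$(printf 'HTTP/1.1 200 OK\r\nServer: nginx/1.2.3 (Ubuntu)\r\n')
SAMPLE_UFW=$(printf 'Status: active\n\nTo Action From\n-- ------ ----\nOpenSSH ALLOW Anywhere\nNginx Full ALLOW Anywhere\n')

# Usage on a real host (placeholder domain): audit_site <site_name>
```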