Setting up NGINX for your website is a great way to improve performance, enhance security, and easily configure server settings.
In this tutorial, I'll guide you step by step through setting up NGINX for your website with a basic configuration, and through setting up SSL for secure HTTPS connections.
Step 1: Install NGINX
Before configuring NGINX, you need to ensure that it is installed on your server.
NGINX is typically available via package managers on most Linux distributions.
1.1: Install NGINX on Ubuntu/Debian-based systems
sudo apt update
sudo apt install nginx
1.2: Install NGINX on CentOS/RHEL-based systems
sudo yum install nginx
After installation, you can start the NGINX service and enable it to start on boot:
sudo systemctl start nginx
sudo systemctl enable nginx
Now, you can verify that NGINX is running by visiting your server’s IP address or domain name in the browser (e.g., http://your-server-ip/). You should see the default NGINX welcome page.
Step 2: Basic Configuration of NGINX for Your Website
Now, we’ll configure NGINX to serve your website applix.info.
Assuming your website's files are located in the /var/www/applix.info directory (you can adjust this based on where your actual website files are stored), here’s how you can configure NGINX:
2.1: Create a New Configuration File for Your Website
Navigate to the sites-available directory and create a new config file for your website.
sudo nano /etc/nginx/sites-available/applix.info
In this configuration file, you can define the server block for your site. Here's an example configuration:
server {
    listen 80;
    server_name applix.info www.applix.info;
    root /var/www/applix.info;
    index index.html index.htm index.php;
    # Log settings (Optional)
    access_log /var/log/nginx/applix_info_access.log;
    error_log /var/log/nginx/applix_info_error.log;
    location / {
        try_files $uri $uri/ =404;
    }
    # Additional settings for PHP (if you're using PHP)
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock; # Adjust PHP version if necessary
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
Explanation:
- listen 80;: The server listens on port 80 (HTTP).
- server_name applix.info www.applix.info;: This is the domain name for your website.
- root /var/www/applix.info;: The root directory where your website files are stored.
- index: Default files to load (e.g., index.html, index.php).
- location /: Defines how to handle requests to your site. In this case, it will check if the requested file exists, and if not, it will return a 404 error.
- If you're using PHP, there's a location block to process PHP files using PHP-FPM.
2.2: Enable the Configuration for Your Website
sudo ln -s /etc/nginx/sites-available/applix.info /etc/nginx/sites-enabled/
2.3: Test NGINX Configuration
Before restarting NGINX, you should test that your configuration file syntax is correct.
sudo nginx -t
If the test passes, you should see "syntax is ok" and "test is successful".
2.4: Restart NGINX
After successfully configuring your website, restart NGINX to apply the changes:
sudo systemctl restart nginx
Now, your website should be accessible by visiting http://applix.info in your browser.
Step 3: Set Up SSL with Let's Encrypt for HTTPS
It's essential to secure your website with SSL (HTTPS). We'll use Let's Encrypt to get a free SSL certificate and set it up with NGINX.
3.1: Install Certbot and NGINX Plugin
Certbot is a tool to automatically get and renew SSL certificates from Let's Encrypt. You need to install Certbot and its NGINX plugin.
For Ubuntu/Debian systems:
sudo apt install certbot python3-certbot-nginx
For CentOS/RHEL:
sudo yum install certbot python3-certbot-nginx
3.2: Obtain an SSL Certificate for Your Domain
Now, run the following command to obtain an SSL certificate for your website:
sudo certbot --nginx -d applix.info -d www.applix.info
Certbot will automatically configure NGINX to use SSL, and it will modify your NGINX configuration to include HTTPS.
3.3: Confirm SSL Installation
After Certbot completes the SSL installation, your website will be available over HTTPS. Test it by navigating to https://applix.info in a browser. You should see the SSL padlock indicating that the connection is secure.
3.4: Automatic SSL Certificate Renewal
Let’s Encrypt SSL certificates are only valid for 90 days. Certbot can automatically renew them for you.
To ensure automatic renewal, add a cron job to check and renew the certificate:
sudo crontab -e
Add the following line to run the Certbot renewal process twice a day:
0 0,12 * * * certbot renew --quiet
This cron job will ensure that your SSL certificate is automatically renewed without you having to manually intervene.
Step 4: Redirect HTTP to HTTPS
Certbot configures SSL automatically. If you also want to force all traffic to be redirected to HTTPS (which is a best practice), add the following block to your /etc/nginx/sites-available/applix.info file, before the HTTPS server block:
server {
    listen 80;
    server_name applix.info www.applix.info;
    return 301 https://$host$request_uri;
}
This will ensure that any request coming in over HTTP (port 80) is redirected to HTTPS (port 443).
Step 5: Secure NGINX Configuration
Once you have your SSL certificate set up, you may want to further harden your NGINX configuration to ensure better security. Here are some recommendations for improving the security of your NGINX server:
1. Disable SSLv3 and weak ciphers: In your NGINX SSL configuration (within the HTTPS server block), add the following:
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers on;
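2. HTTP Strict Transport Security (HSTS): Add the following header to your NGINX HTTPS server block to tell browsers to always use HTTPS for your site. Because of includeSubDomains, the policy also covers every subdomain, so each of them must be reachable over HTTPS before you enable it: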
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
3. Disable unwanted HTTP methods: To reject HTTP request methods your site does not need, such as DELETE, TRACE, and OPTIONS, allow only GET, POST, and HEAD:
if ($request_method !~ ^(GET|POST|HEAD)$ ) {
    return 444;
}
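4. Limit Request Rate: To help mitigate DoS attacks, consider adding rate limiting to your server. The zone is defined in the http block and only takes effect where a limit_req directive applies it:
limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s;  # http context
limit_req zone=one;  # server or location context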
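An added example (not part of the original tutorial) that statically checks a site file for the settings from Steps 4 and 5, including a limit_req_zone that no limit_req directive ever applies. The function name audit_nginx_conf, the finding names and both sample configs are constructed for illustration, and the check reads one file without following include lines.

```sh
# Added example (not from the page): audit one nginx site file; finding names are made up.
audit_nginx_conf() {
    conf=$(sed 's/#.*//' "$1")    # drop comments so disabled lines don't count
    has() { printf '%s\n' "$conf" | grep -Eq "$1"; }
    out=""
    # SSLv3, TLSv1 or TLSv1.1 still listed on an ssl_protocols line
    if printf '%s\n' "$conf" | grep -E '^[[:space:]]*ssl_protocols' |
        grep -Eq 'SSLv3|TLSv1(\.1)?([[:space:]]|;)'; then out="$out legacy-protocol"; fi
    # HTTPS listener with no HSTS header
    if has 'listen[^;]*443' && ! has 'add_header[[:space:]]+Strict-Transport-Security'
    then out="$out no-hsts"; fi
    # limit_req_zone declared but never applied with limit_req
    if has '^[[:space:]]*limit_req_zone[[:space:]]' && ! has '^[[:space:]]*limit_req[[:space:]]'
    then out="$out rate-zone-unused"; fi
    # Port 80 listener with no redirect to https
    if has 'listen[^;]*[[:space:]:]80[[:space:];]' && ! has 'return[[:space:]]+301[[:space:]]+https://'
    then out="$out no-https-redirect"; fi
    echo "${out# }"
}

# Constructed samples, trimmed to the directives being checked.
write_weak_sample() {
    cat > "$1" <<'EOF'
limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s;
server { listen 80; server_name applix.info; root /var/www/applix.info; }
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # add_header Strict-Transport-Security "max-age=31536000" always;
}
EOF
}
write_hardened_sample() {
    cat > "$1" <<'EOF'
limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s;
server { listen 80; server_name applix.info; return 301 https://$host$request_uri; }
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    limit_req zone=one;
}
EOF
}
d=$(mktemp -d)
write_weak_sample "$d/weak.conf"; write_hardened_sample "$d/ok.conf"
echo "weak:     $(audit_nginx_conf "$d/weak.conf")"
echo "hardened: $(audit_nginx_conf "$d/ok.conf")"
rm -rf "$d"
```

An empty result means none of the four checks fired; it complements `sudo nginx -t`, which validates syntax only.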
Conclusion
At this point, you’ve successfully configured NGINX to serve your website https://www.applix.info with both HTTP and HTTPS (SSL). You’ve also set up Let's Encrypt for free SSL certificates and made a few security enhancements to protect your server and your users.
Key Points:
- NGINX is a powerful, high-performance web server that can handle traffic efficiently.
- Configuring HTTP and HTTPS on your site is essential for both security and SEO.
- Using Let's Encrypt provides you with free SSL certificates.
- Proper security configurations like HSTS, disabling weak ciphers, and limiting HTTP methods can further protect your site.
Let me know if you need help with anything else! 😊 aungkyawnyunt2004@gmail.com
Happy coding. 😊