NodeBB

cuong

@cuong

  • Secure Nginx With Let's Encrypt
    cuong

    Securing your Nginx server with a free SSL certificate from Let's Encrypt is a great step to ensure your website traffic is encrypted and secure. We will use Certbot, the tool officially recommended by the Electronic Frontier Foundation (EFF), to automate the issuance and installation process.

    Here is a complete step-by-step guide. This guide assumes you are using Ubuntu or Debian, which are the most common distributions for this setup.

    Prerequisites

    Before you begin, ensure you have:

    1. An Nginx server installed and running.
    2. A registered domain name (e.g., example.com).
    3. DNS Records configured: Your domain's A record must point to your server's public IP address.
    4. Root or sudo access to your server.

    Step 1: Configure the Nginx Server Block

    Certbot is smart enough to find your Nginx configuration and automatically inject the SSL settings, but only if your server_name directive is set correctly.

    • Open your Nginx configuration file for your site. Depending on your OS, this is typically located in /etc/nginx/sites-available/example.com or /etc/nginx/conf.d/example.com.conf.

    • Ensure the server_name explicitly lists the domains you want certificates for.

    Here is a minimal example of what that server block should look like before Certbot touches it:

    server {
        listen 80;
        listen [::]:80;
        
        # Certbot looks for this line to know which file to update
        server_name example.com www.example.com; 
    
        root /var/www/yourdomain.com/html;
        index index.html index.htm;
    
        location / {
            try_files $uri $uri/ =404;
        }
    }
    
    • After verifying or making any changes, always test your Nginx config for syntax errors:
    sudo nginx -t
    
    • If the test is successful, reload Nginx to apply the changes:
    sudo systemctl reload nginx
    

    Step 2: Install Certbot

    I will walk you through the official installation method recommended by the Electronic Frontier Foundation (the creators of Let's Encrypt).

    They recommend using Snap to install Certbot. This method ensures you always have the latest, most secure version of Certbot, and it works universally across almost all modern Linux distributions (Ubuntu, Debian, etc.).

    1. Ensure Snap is installed and updated:
    sudo snap install core
    sudo snap refresh core
    
    2. Remove old versions of Certbot (if applicable).
      If you previously tried to install or had an older version of Certbot, you should remove it before going any further to prevent conflicts.
    sudo apt-get remove certbot
    
    3. Now, install the Certbot package itself using Snap. The --classic flag is required because Certbot needs broader system access to read and modify your Nginx configuration files.
    sudo snap install --classic certbot
    
    4. Next, create a symbolic link so you can easily run the certbot command from anywhere in your terminal:
    sudo ln -s /snap/bin/certbot /usr/bin/certbot
    

    Step 3: Allow HTTPS Through the Firewall

    If you have the Uncomplicated Firewall (ufw) enabled, you need to allow HTTPS traffic.

    Check the current status:

    sudo ufw status
    

    It will probably look like this, meaning that only HTTP traffic is allowed to the web server :

    Status: active
    
    To                         Action      From
    --                         ------      ----
    OpenSSH                    ALLOW       Anywhere                  
    Nginx HTTP                 ALLOW       Anywhere                  
    OpenSSH (v6)               ALLOW       Anywhere (v6)             
    Nginx HTTP (v6)            ALLOW       Anywhere (v6)
    

    Allow Nginx Full (which covers both HTTP on port 80 and HTTPS on port 443) and delete the redundant Nginx HTTP profile allowance :

    sudo ufw allow 'Nginx Full'
    sudo ufw delete allow 'Nginx HTTP'
    

    Your status should now look like this :

    sudo ufw status
    
    Status: active
    
    To                         Action      From
    --                         ------      ----
    OpenSSH                    ALLOW       Anywhere
    Nginx Full                 ALLOW       Anywhere
    OpenSSH (v6)               ALLOW       Anywhere (v6)
    Nginx Full (v6)            ALLOW       Anywhere (v6)
    

    Step 4: Obtain and Install the SSL Certificate

    Now, run certbot with the --nginx plugin. This will automatically obtain the certificate and modify your Nginx configuration to serve it.

    Run the following command, using -d to specify the domain names we’d like the certificate to be valid for, replacing those domain names with your own:

    sudo certbot --nginx -d example.com -d www.example.com
    

    During the setup, Certbot will ask you a few questions:

    • Enter an email address (used for urgent renewal and security notices).
    • Agree to the Terms of Service.
    • Choose whether or not you want to share your email with the Electronic Frontier Foundation (EFF).

    After going through the above process, you should see a message confirming that it was successful. This message will also indicate where your certificates are stored:

    IMPORTANT NOTES:
    Successfully received certificate.
    Certificate is saved at: /etc/letsencrypt/live/your_domain/fullchain.pem
    Key is saved at: /etc/letsencrypt/live/your_domain/privkey.pem
    This certificate expires on 2022-06-01.
    These files will be updated when the certificate renews.
    Certbot has set up a scheduled task to automatically renew this certificate in the background.
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    If you like Certbot, please consider supporting our work by:
    * Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
    * Donating to EFF: https://eff.org/donate-le
    

    Once completed, Certbot will download the certificate, apply it to your Nginx configuration, and automatically set up redirects so all HTTP traffic is forced to HTTPS. You can now visit https://example.com (replace with your own domain) in your browser and notice your browser’s security indicator. It should indicate that the site is properly secured, usually with the secure padlock icon.

    Step 5: Verify Certificate Auto-Renewal

    Let's Encrypt certificates are only valid for 90 days. Fortunately, the Certbot snap package automatically creates a systemd timer that runs twice a day to renew any certificate within 30 days of expiration.

    You can check the status of this background timer with :

    sudo systemctl status snap.certbot.renew.service
    

    and see the output :

    ○ snap.certbot.renew.service - Service for snap application certbot.renew
         Loaded: loaded (/etc/systemd/system/snap.certbot.renew.service; static)
         Active: inactive (dead)
    TriggeredBy: ● snap.certbot.renew.timer
    

    To guarantee that the automated renewal process will work when the time comes, you can safely simulate a renewal by running a dry run:

    sudo certbot renew --dry-run
    

    If you see no errors, you are all set! Certbot will handle the updates and seamlessly reload Nginx in the background before your certificates expire.

    VPS Tutorial
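
Step 1 of the Let's Encrypt tutorial above depends on server_name listing every domain passed to certbot with -d. The check below is an added example, not part of the original post; the function names and the sample config are constructed for illustration, and only exact names are compared (no wildcard or regex names).

```shell
#!/bin/sh
# Added example (not from the original post): before running
# `certbot --nginx -d ...`, confirm each domain is in a server_name directive.
# Only exact names are compared; wildcard and regex names are not expanded.

# Print every name from every server_name directive, one per line.
# Comments are dropped and a directive may span lines up to its ';'.
list_server_names() {
    sed 's/#.*//' "$1" | tr '\n' ' ' | tr ';' '\n' | awk '{
        for (i = 1; i <= NF; i++)
            if ($i == "server_name") {
                for (j = i + 1; j <= NF; j++) print $j
                break
            }
    }'
}

# Return 0 if every domain argument is listed in the file; otherwise
# name the missing ones on stderr and return 1.
check_certbot_domains() {
    conf=$1
    shift
    names=$(list_server_names "$conf")
    missing=0
    for d in "$@"; do
        if ! printf '%s\n' "$names" | grep -qxF -- "$d"; then
            echo "not in server_name: $d" >&2
            missing=1
        fi
    done
    return "$missing"
}

# Constructed sample config (hypothetical file, written to a temp path).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
server {
    listen 80;
    listen [::]:80;
    # server_name old.example.com;
    server_name example.com
                www.example.com;
    root /var/www/example.com/html;
}
EOF

check_certbot_domains "$SAMPLE" example.com www.example.com &&
    echo "server_name covers all requested domains"
check_certbot_domains "$SAMPLE" example.com api.example.com ||
    echo "fix server_name before running certbot"
```

On a real server, pass the site's file under /etc/nginx/sites-available/ as the first argument, followed by the same domains you intend to give to certbot.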

  • Configure Nginx for Multiple Domains
    cuong

    Configuring Nginx to host multiple domains on a single server is done using Server Blocks (similar to "Virtual Hosts" in Apache), which define separate configurations for each domain. Nginx looks at the requested domain name (the Host header) and routes the traffic to the corresponding directory.

    Here is a step-by-step guide to setting up two domains, which we will call domain1.com and domain2.com.

    Step 1: Create Document Root Directories

    First, you need to create a document root (the directory where the website files live) for each domain. It is standard practice to put these in the /var/www/ directory.

    Now, create two separate directories to store the website files for each domain:

    sudo mkdir -p /var/www/domain1.com
    sudo mkdir -p /var/www/domain2.com
    

    Next, assign ownership of the directories to your regular user account (so you can edit files without needing sudo every time):

    sudo chown -R $USER:$USER /var/www/domain1.com
    sudo chown -R $USER:$USER /var/www/domain2.com
    

    Ensure the permissions are correct so the web server can read the files:

    sudo chmod -R 755 /var/www
    

    Step 2: Create Sample Pages (Optional, for Testing)

    To test that everything is working later, create a simple index.html file in each directory.

    For domain1.com :

    nano /var/www/domain1.com/index.html
    

    Add this HTML:

    <html>
        <head><title>Welcome to Domain 1!</title></head>
        <body><h1>Success! The domain1.com server block is working!</h1></body>
    </html>
    

    For domain2.com :

    nano /var/www/domain2.com/index.html
    

    Add this HTML:

    <html>
        <head>
            <title>Welcome to Domain 2!</title>
        </head>
        <body>
            <h1>Success! The domain2.com server block is working!</h1>
        </body>
    </html>
    

    Step 3: Create the Server Block Configuration Files

    Nginx keeps configuration files for individual sites in /etc/nginx/sites-available/.

    Create the first configuration file for domain1.com :

    sudo nano /etc/nginx/sites-available/domain1.com
    

    Paste the following configuration block into the file. Be sure to replace domain1.com with your actual domain name:

    server {
        listen 80;
        listen [::]:80;
    
        # The directory where your website files are located
        root /var/www/domain1.com;
    
        # The default files to serve
        index index.html index.htm;
    
        # The domain names this server block will respond to
        server_name domain1.com www.domain1.com;
    
        location / {
            try_files $uri $uri/ =404;
        }
    }
    

    Save and close the file.

    Now, create the second configuration file for domain2.com :

    sudo nano /etc/nginx/sites-available/domain2.com
    

    Add a similar configuration, making sure to update the root path and the server_name directives to match the second domain :

    server {
        listen 80;
        listen [::]:80;
    
        # The directory where your website files are located
        root /var/www/domain2.com;
    
        # The default files to serve
        index index.html index.htm;
    
        # The domain names this server block will respond to
        server_name domain2.com www.domain2.com;
    
        location / {
            try_files $uri $uri/ =404;
        }
    }
    

    Save and close the file.

    Step 4: Enable the Server Blocks

    To enable these configurations, you need to create a symbolic link (symlink) from the files in sites-available to the sites-enabled directory. Nginx reads the sites-enabled directory during startup.

    sudo ln -s /etc/nginx/sites-available/domain1.com /etc/nginx/sites-enabled/
    sudo ln -s /etc/nginx/sites-available/domain2.com /etc/nginx/sites-enabled/
    

    Note: To avoid the hash bucket memory problem that can arise from adding multiple server names, open the main Nginx configuration file:

    sudo nano /etc/nginx/nginx.conf
    

    Find the server_names_hash_bucket_size directive and uncomment it (remove the # symbol):

    server_names_hash_bucket_size 64;
    

    Save and close the file.

    Step 5: Test and Restart Nginx

    Before restarting the web server, it is highly recommended to test your configuration files to make sure there are no syntax errors.

    sudo nginx -t
    

    If the test is successful, you will see output confirming that syntax is ok and test is successful. If you see errors, double-check your configuration files for missing semicolons or typos.

    Finally, restart Nginx to apply the changes:

    sudo systemctl restart nginx
    

    Step 6: Configure DNS Records

    Before you can see respective sample pages for domain1.com and domain2.com, ensure your DNS A-records for both domains are pointed to your server's public IP address.

    You should now be able to visit http://domain1.com and http://domain2.com in your browser and see your respective sample pages.

    Would you like me to walk you through how to secure these new domains with free SSL/HTTPS certificates using Let's Encrypt (Certbot)?

    VPS Tutorial

  • Install Nginx on Ubuntu Tutorial
    cuong

    This tutorial provides a step-by-step guide to installing and configuring the Nginx web server on Ubuntu. Nginx is a high-performance web server known for its stability, rich feature set, and low resource consumption.

    Prerequisites
    To follow this guide, you will need:

    • An Ubuntu server (version 22.04 or later is recommended).
    • A non-root user with sudo privileges configured on your server.
    • A basic understanding of the Linux command line.

    Step 1: Installing Nginx

    Nginx is available in Ubuntu’s default software repositories. This means you can use the apt package management system to install it.

    First, update your local package index to ensure you have the latest metadata:

    sudo apt update
    

    Next, install the Nginx package:

    sudo apt install nginx
    

    After the installation is complete, Nginx will start automatically. You can verify the installed version by typing:

    nginx -v
    

    Step 2: Adjusting the Firewall

    Before you can access your web server, you must adjust your firewall settings to allow external access to the default web ports. Nginx registers itself with ufw (Uncomplicated Firewall) upon installation.

    List the available application profiles:

    sudo ufw app list
    

    You will see several Nginx profiles:

    • Nginx Full : Opens port 80 (HTTP) and port 443 (HTTPS).
    • Nginx HTTP : Opens only port 80.
    • Nginx HTTPS : Opens only port 443.

    For a fresh installation without an SSL certificate, enable the HTTP profile:

    sudo ufw allow 'Nginx HTTP'
    

    Verify the status of the firewall:

    sudo ufw status
    

    Step 3: Checking your Web Server

    At the end of the installation process, Ubuntu starts Nginx automatically. You can verify that the service is active and running using systemd:

    systemctl status nginx
    

    To confirm the server is accessible over the network, visit your server’s IP address in your web browser. If you don't know your server's public IP, you can find it via the command line:

    curl -4 icanhazip.com
    

    Type the IP address you receive into your web browser:
    http://your_server_ip

    You should see the default "Welcome to nginx!" landing page, which confirms the software is running correctly.

    Step 4: Managing the Nginx Process

    Now that the web server is up and running, here are some basic management commands:

    • Stop Nginx : sudo systemctl stop nginx
    • Start Nginx : sudo systemctl start nginx
    • Restart Nginx : sudo systemctl restart nginx
    • Reload Nginx (apply config changes without dropping connections) : sudo systemctl reload nginx
    • Disable Nginx from starting at server boot : sudo systemctl disable nginx
    • Enable Nginx to start at server boot (default behavior) : sudo systemctl enable nginx

    Step 5: Setting Up Server Blocks (Recommended)

    Server blocks allow you to host more than one domain from a single Nginx server. While the default configuration serves content from /var/www/html, it is better practice to create a separate directory structure for each site.

    1. Create the directory for your domain:
    Leave the default /var/www/html directory intact and create a new directory for your domain:

    sudo mkdir -p /var/www/your_domain/html
    

    2. Assign ownership of the directory:

    sudo chown -R $USER:$USER /var/www/your_domain/html
    

    3. Ensure correct permissions:

    sudo chmod -R 755 /var/www/your_domain
    

    4. Create a sample index.html page:
    Open a new file using your preferred text editor (like nano) :

    nano /var/www/your_domain/html/index.html
    

    Paste the following HTML into the file, then save and exit:

    <html>
        <head>
            <title>Welcome to your_domain!</title>
        </head>
        <body>
            <h1>Success! The your_domain server block is working!</h1>
        </body>
    </html>
    

    5. Create a new server block configuration file:

    sudo nano /etc/nginx/sites-available/your_domain
    

    Paste the following configuration, ensuring you update the server_name to match your domain:

    server {
        listen 80;
        listen [::]:80;
    
        root /var/www/your_domain/html;
        index index.html index.htm;
    
        server_name your_domain www.your_domain;
    
        location / {
            try_files $uri $uri/ =404;
        }
    }
    

    Save and exit the file.

    6. Enable the new server block:

    Create a symbolic link from your file to the sites-enabled directory:

    sudo ln -s /etc/nginx/sites-available/your_domain /etc/nginx/sites-enabled/
    

    7. Resolve potential hash bucket memory issues:

    Open the main Nginx configuration file:

    sudo nano /etc/nginx/nginx.conf
    

    Find the server_names_hash_bucket_size directive and remove the # symbol to uncomment it. Save and exit.

    8. Test and Restart Nginx:

    Test your configuration files for syntax errors:

    sudo nginx -t
    

    If the test is successful, restart Nginx to apply your changes:

    sudo systemctl restart nginx
    

    Nginx should now be serving your new domain name. You can test this by navigating to http://your_domain, where you should see the success page you created in step 4.

    VPS Tutorial
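
The chmod -R 755 step in the two server-block tutorials above also sets the execute bit on every regular file under the web root, although Nginx only needs to read files and traverse directories. The script below is an added example, not part of the original posts; the function names and demo paths are hypothetical. It applies 755 to directories and 644 to files, and lists anything that is world-writable or an executable file.

```shell
#!/bin/sh
# Added example (not from the original posts): web-root permissions that let
# Nginx read content without marking every file executable.

# Directories: 755 (owner writes, everyone may traverse).
# Regular files: 644 (owner writes, everyone may read, nobody executes).
harden_docroot() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Print entries that are world-writable, plus regular files with any
# execute bit set. Symlinks are skipped: their own mode is always 777.
audit_docroot() {
    find "$1" ! -type l \( -perm -0002 -o \
        -type f \( -perm -0100 -o -perm -0010 -o -perm -0001 \) \) -print
}

# Constructed demo tree in a temp directory (paths are hypothetical).
DEMO=$(mktemp -d)
mkdir -p "$DEMO/your_domain/html/uploads"
echo '<h1>Success!</h1>' > "$DEMO/your_domain/html/index.html"
chmod -R 755 "$DEMO"                          # the tutorial's command
chmod 777 "$DEMO/your_domain/html/uploads"    # constructed misconfiguration

echo "findings before:"
audit_docroot "$DEMO"
harden_docroot "$DEMO"
echo "findings after:"
audit_docroot "$DEMO"
rm -rf "$DEMO"
```

Run audit_docroot against /var/www first to see what would change; a directory that the application must write to needs its own owner or group rather than a world-writable mode.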