WebsitesWeb ServersNginxSetting up Nginx

Getting Started with Nginx

Install Nginx

apt install nginx

Generating SSL/TLS Certificates

Downloading Certbot

To begin, we will install certbot, a simple script that automatically renews our certificates and allows much easier creation of them. The command below is for Ubuntu distributions, but you can always check Certbot’s official site for installation instructions. We have also included a command below to install certbot’s Apache plugin so you won’t have to stop your webserver.

apt update
apt install -y certbot python3-certbot-nginx

Completing the HTTP Challenge

  1. Make sure you have port 80 open on your firewall
  2. Request a certificate from Let’s Encrypt, you should replace example.com with the domain you would like to generate a certificate for.
certbot certonly --nginx -d example.com

Automatically Renewing SSL/TLS certificates

  1. Install crontab:
apt install cron
  1. Create a crontab rule for the automatic renewal:
(crontab -l ; echo "0 23 * * * certbot renew --quiet --deploy-hook \"systemctl restart nginx\"")| crontab -

Webserver Configuration

Remove the default configuration:

rm /etc/nginx/sites-enabled/default
  1. Create a new Nginx site configuration like website.conf in /etc/nginx/sites-available using a text editor like nano or vim.
  2. Paste the text below into the file, replacing <domain> with your domain:
website.conf
server_tokens off;
 
server {
  listen 80;
  server_name <domain>;
  return 301 https://$server_name$request_uri;
}
 
server {
  listen 443 ssl http2;
  server_name <domain>;
 
  root /var/www/html;
  index index.html;
 
  # allow larger file uploads and longer script runtimes
  client_max_body_size 100m;
  client_body_timeout 120s;
 
  sendfile off;
 
  # SSL Configuration - Replace the example <domain> with your domain
  ssl_certificate /etc/letsencrypt/live/<domain>/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/<domain>/privkey.pem;
  ssl_session_cache shared:SSL:10m;
  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
  ssl_prefer_server_ciphers on;
 
  # See https://hstspreload.org/ before uncommenting the line below.
  # add_header Strict-Transport-Security "max-age=15768000; preload;";
  add_header X-Content-Type-Options nosniff;
  add_header X-XSS-Protection "1; mode=block";
  add_header X-Robots-Tag none;
  add_header Content-Security-Policy "frame-ancestors 'self'";
  add_header X-Frame-Options DENY;
  add_header Referrer-Policy same-origin;
}

Link Config and Restart Nginx

Enable your new Nginx website configuration and restart Nginx:

ln -s /etc/nginx/sites-available/website.conf /etc/nginx/sites-enabled/website.conf
systemctl restart nginx
Reverse ProxyAlternate Data Streams