DW
January 30, 2023
Updated March 23, 2023

Configuring Nginx security


Introduction

To configure Nginx security, we are going to use a certification authority (CA) to install free TLS/SSL certificates, thus providing encryption for HTTPS on web servers.

In this instruction we will look at how to use Certbot to obtain a free SSL certificate for an Nginx web server on Debian 10 and how to configure automatic renewal of certificates.

Preparation

Complete the following steps before starting the main task:

  • Start a server with Ubuntu or Debian and configure it with our instruction. Set permissions for the new user and set up a firewall.
  • Register the domain name. In our instruction we are going to use serverspace.tm as our domain name.
  • Install and configure Nginx using instructions.

Installing Certbot

The Certbot documentation recommends installing the package via snap. First make sure that the snapd core is installed and up to date:

snap install core && snap refresh core

Then install the certbot package via snap:

snap install --classic certbot

After installation, create a symbolic link so that certbot can be executed from the /usr/bin/ directory:

ln -s /snap/bin/certbot /usr/bin/certbot

After successful installation of certbot, we can move on to the Nginx configuration.

Nginx configuration

Certbot searches for the server_name string in the Nginx configuration files and automatically configures SSL:

cp /etc/nginx/sites-available/default /etc/nginx/sites-available/serverspace.tm
vim /etc/nginx/sites-available/serverspace.tm
...
server_name serverspace.tm www.serverspace.tm;
...

Save and exit with:
:wq!
After changing the files, check the configuration with:

nginx -t

If you receive the following error message while testing the configuration:
nginx: [emerg] socket() [::]:80 failed (97: Address family not supported by protocol)
then comment out the line listen [::]:80; in the configuration file in /etc/nginx/sites-available/.
After making sure that the configuration files are correct, restart nginx:

service nginx restart

Allow HTTPS via ufw

The ufw firewall must be configured according to the instructions and must allow full access to Nginx:

ufw allow 'Nginx Full'

Delete the old 'Nginx HTTP' rule:

ufw delete allow 'Nginx HTTP'

Check the firewall status via:

ufw status

Next, run certbot to obtain a certificate.

SSL certificates

Run the following command to obtain a certificate for our domain:

certbot --nginx -d serverspace.tm -d www.serverspace.tm

During the process you will need to enter an email address. At the end, certbot prints the paths to the certificates and their expiration date.
Once everything is configured and the certificates are received, web requests will be redirected to https:// automatically.

Autoupdate Certbot

Let's test the renewal process by running certbot in dry-run mode:

certbot renew --dry-run

If the command ran successfully, then certbot is running without errors.
If automatic renewal fails, a message will be sent to the email address that was specified when the certificates were configured.
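
A local check that complements the renewal email described above, as an added example that is not part of the original instruction: the hypothetical helper expiring_certs reads the text printed by certbot certificates and lists every certificate that is invalid or has fewer than the given number of days left. The sample output and the names old.example and dead.example are constructed.

```shell
#!/bin/sh
# Added example (not from the original article): report certificates that
# are invalid or close to expiry, from the text `certbot certificates` prints.

# expiring_certs LIMIT_DAYS  (reads `certbot certificates` output on stdin)
# Prints "<certificate name>: <status>" for each certificate that is not
# valid for at least LIMIT_DAYS more days; prints nothing if all are fine.
expiring_certs() {
    awk -v limit="$1" '
        /Certificate Name:/ { name = $3 }
        /Expiry Date:/ {
            ok = 0
            # "(VALID: N days)" is the only status that can pass the check;
            # "(VALID: N hour(s))" and "(INVALID: ...)" are always reported.
            if (match($0, /\(VALID: [0-9]+ day/)) {
                days = substr($0, RSTART + 8, RLENGTH - 12) + 0
                ok = (days >= limit + 0)
            }
            if (!ok && match($0, /\(.*\)/))
                print name ": " substr($0, RSTART + 1, RLENGTH - 2)
        }'
}

# Constructed sample in the layout `certbot certificates` prints.
sample_output() {
    cat <<'EOF'
Found the following certs:
  Certificate Name: serverspace.tm
    Domains: serverspace.tm www.serverspace.tm
    Expiry Date: 2023-04-30 10:00:00+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/serverspace.tm/fullchain.pem
  Certificate Name: old.example
    Domains: old.example
    Expiry Date: 2023-02-10 10:00:00+00:00 (VALID: 11 days)
  Certificate Name: dead.example
    Domains: dead.example
    Expiry Date: 2023-01-01 10:00:00+00:00 (INVALID: EXPIRED)
EOF
}

# On a real server: certbot certificates 2>/dev/null | expiring_certs 30
sample_output | expiring_certs 30
```

Run from cron or a monitoring agent, an empty result means every certificate has at least the requested number of days left.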

Conclusion

In our instruction we looked through:

    • Setting up a domain configuration for Nginx;
    • Installing certbot from the snap package manager;
    • Installation of certificates;
    • Running the certbot renewal test.