Install Let’s Encrypt on Debian

Let’s Encrypt is a Certificate Authority (CA) that issues free, valid SSL certificates. The Certbot client fetches a certificate and deploys it on your server. In this tutorial, you are going to learn how to install Let’s Encrypt SSL on Debian 9.

Before we begin

A Let’s Encrypt certificate can only be requested from the server the domain points to. Let’s Encrypt checks that the domain points to the current server and, if the check succeeds, issues the certificate.

Prerequisites

1. Before you start to install Let’s Encrypt SSL on Debian 9 using the Certbot client, you must have a non-root user account on your server with sudo privileges.

2. Make sure your domain is pointing to the current server.

1. Install Certbot Client

To install the Certbot client, add the PPA to the server, update the package manager index, and then install the client.

Add the PPA by typing the following in the terminal

sudo add-apt-repository ppa:certbot/certbot

Update the package manager index by typing the following

sudo apt update

Now install the Certbot client by executing the following command

sudo apt install python-certbot-nginx

Confirm the installation by typing

certbot --version

2. Setting Up Firewall

If you have enabled the UFW firewall, you need to adjust its settings to allow HTTPS traffic.

To check the current status, type the following command

sudo ufw status

Output
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere                  
Nginx HTTP                 ALLOW       Anywhere                  
OpenSSH (v6)               ALLOW       Anywhere (v6)             
Nginx HTTP (v6)            ALLOW       Anywhere (v6)

Now, to let HTTPS traffic in, add the ‘Nginx Full’ rule and delete the ‘Nginx HTTP’ rule, which becomes redundant.

sudo ufw allow 'Nginx Full'
sudo ufw delete allow 'Nginx HTTP'

Now the status should be:

Output
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere                  
Nginx Full                 ALLOW       Anywhere                  
OpenSSH (v6)               ALLOW       Anywhere (v6)             
Nginx Full (v6)            ALLOW       Anywhere (v6)

3. Setting up Let’s Encrypt SSL on Nginx

Let’s Encrypt performs strong domain validation to confirm ownership of the domain. After successful verification, it issues the certificate. In the command below, replace example.com with your domain name

sudo certbot --nginx -d example.com -d www.example.com

If you are installing a certificate for the first time, Certbot will ask you to enter an email address and agree to the terms and conditions.

After the above step, Certbot will ask you to configure HTTPS settings.

Output
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter](press 'c' to cancel):

Select your choice and continue to the next step. We recommend choosing the Redirect option if you don’t want to modify the configuration file manually.

5. Autorenewal For SSL Certificates

Let’s Encrypt certificates are short-lived and expire after 90 days, so you have to renew them before they expire by running the following command.

sudo certbot renew

You can automate this process by adding a cron job. Enter the following command to open the crontab

sudo crontab -e

Add the following line to the end of the file. It runs the command twice a day and renews the certificate if it is about to expire. A crontab opened with crontab -e has no user column, so the line starts directly with the command; the test on /run/systemd/system makes the job a no-op on hosts running systemd, where the packaged certbot.timer unit is expected to run the renewal instead.

0 */12 * * * test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew

4. Installing Let’s Encrypt Wildcard Certificates

Let’s Encrypt now supports wildcard certificates through the new ACMEv2 protocol. With a wildcard certificate such as *.example.com, you can use one certificate for multiple sub-domains like site1.example.com, site2.example.com, site3.example.com, etc. To install the wildcard certificate, type the following command. The domain is quoted so that the shell does not expand the asterisk.

sudo certbot certonly --manual -d '*.example.com' --agree-tos --no-bootstrap --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory

NOTE: The command output will show a message asking you to add a TXT record. Make the DNS change for your domain by adding the TXT record with the value given in the output of the above command.

Conclusion

You have learned how to install Let’s Encrypt SSL on Debian 9 by using Certbot. If you have any queries regarding this please don’t forget to comment below.

Secure Nginx with Let’s Encrypt SSL on CentOS 7

Let’s Encrypt is a Certificate Authority (CA) that issues free, valid SSL certificates. The Certbot client fetches a certificate and deploys it on your server. In this tutorial, you are going to learn how to secure Nginx with Let’s Encrypt SSL on CentOS.

Before we begin

A Let’s Encrypt certificate can only be requested from the server the domain points to. Let’s Encrypt checks that the domain points to the current server and, if the check succeeds, issues the certificate.

Prerequisites

1. Before you start to secure Nginx with Let’s Encrypt SSL on CentOS 7 using the Certbot client, you must have a non-root user account on your server with sudo privileges.
2. Make sure your domain is pointing to the current server.

1. Install Certbot Client

To install the Certbot client you need to add the EPEL repository. To do so, type:

sudo yum install epel-release

Now install the Certbot client by executing the following command

sudo yum install httpd mod_ssl python-certbot-nginx

Confirm the installation by typing

certbot --version

2. Setup Firewall

If you are not running a firewall, skip this step.

You need to make sure ports 80 and 443 are open in your firewall. To open the ports in firewalld, use the following commands.

sudo firewall-cmd --add-service=http
sudo firewall-cmd --add-service=https
sudo firewall-cmd --runtime-to-permanent

If your system is running iptables, you can run the following basic commands to allow traffic on port 80 and port 443.

sudo iptables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPT
sudo iptables -I INPUT -p tcp -m tcp --dport 443 -j ACCEPT

3. Setting up Let’s Encrypt SSL on Nginx

Let’s Encrypt performs strong domain validation to confirm ownership of the domain. After successful verification, it issues the certificate. In the command below, replace example.com with your domain name

sudo certbot --nginx -d example.com -d www.example.com

If you are installing a certificate for the first time, Certbot will ask you to enter an email address and agree to the terms and conditions.

After the above step, Certbot will ask you to configure HTTPS settings.

Output
Please choose whether HTTPS access is required or optional.
-------------------------------------------------------------------------------
1: Easy - Allow both HTTP and HTTPS access to these sites
2: Secure - Make all requests redirect to secure HTTPS access
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter](press 'c' to cancel):

Select your choice and continue to the next step. We recommend choosing the Secure option if you don’t want to change the configuration file manually.

NOTE: All generated files are stored inside the /etc/letsencrypt/live directory.

Generate Strong Diffie-Hellman Parameters

The Diffie–Hellman (DH) key exchange method is used to exchange cryptographic keys securely over an unsecured communication channel. Generate strong DH parameters with the following command, which creates the dhparam.pem file.

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

Now you need to edit the Nginx configuration file

sudo nano /etc/nginx/nginx.conf

Paste the following line inside the server block.

/etc/nginx/nginx.conf
ssl_dhparam /etc/ssl/certs/dhparam.pem;

Now check that the syntax is OK. To do so, type:

sudo nginx -t

If there is no syntax problem, reload the Nginx configuration

sudo systemctl reload nginx

4. Autorenewal For SSL Certificates

Let’s Encrypt certificates are short-lived and expire after 90 days, so you have to renew them before they expire by running the following command.

sudo certbot renew

You can automate this process by adding a cron job. Enter the following command to open the crontab

sudo crontab -e

Add the following line to the end of the file. It runs the command twice a day and renews the certificate if it is about to expire.

0 */12 * * * /usr/bin/certbot renew >> /var/log/le-renew.log

Conclusion

You have learned how to secure Nginx with Let’s Encrypt SSL on CentOS 7 by using Certbot. If you have any queries regarding this please don’t forget to comment below.

Install Let’s Encrypt on Ubuntu

Let’s Encrypt is a Certificate Authority (CA) that issues free, valid SSL certificates. The Certbot client fetches a certificate and deploys it on your server. In this tutorial, you are going to learn how to install Let’s Encrypt SSL on Ubuntu 18.04.

Before we begin

A Let’s Encrypt certificate can only be requested from the server the domain points to. Let’s Encrypt checks that the domain points to the current server and, if the check succeeds, issues the certificate.

Prerequisites

1. Before you start to install Let’s Encrypt SSL on Ubuntu 18.04 using the Certbot client, you must have a non-root user account on your server with sudo privileges.

2. Make sure your domain is pointing to the current server.

1. Install Certbot Client

To install the Certbot client, add the PPA to the server, update the package manager index, and then install the client.

Add the PPA by typing the following in the terminal

sudo add-apt-repository ppa:certbot/certbot

Update the package manager index by typing the following

sudo apt update

Now install the Certbot client by executing the following command

sudo apt install python-certbot-nginx

Confirm the installation by typing

certbot --version

2. Setting Up Firewall

If you have enabled the UFW firewall, you need to adjust its settings to allow HTTPS traffic.

To check the current status, type the following command

sudo ufw status

Output
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere                  
Nginx HTTP                 ALLOW       Anywhere                  
OpenSSH (v6)               ALLOW       Anywhere (v6)             
Nginx HTTP (v6)            ALLOW       Anywhere (v6)

Now, to let HTTPS traffic in, add the ‘Nginx Full’ rule and delete the ‘Nginx HTTP’ rule, which becomes redundant.

sudo ufw allow 'Nginx Full'
sudo ufw delete allow 'Nginx HTTP'

Now the status should be:

Output
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere                  
Nginx Full                 ALLOW       Anywhere                  
OpenSSH (v6)               ALLOW       Anywhere (v6)             
Nginx Full (v6)            ALLOW       Anywhere (v6)

3. Setting up Let’s Encrypt SSL on Nginx

Let’s Encrypt performs strong domain validation to confirm ownership of the domain. After successful verification, it issues the certificate. In the command below, replace example.com with your domain name

sudo certbot --nginx -d example.com -d www.example.com

If you are installing a certificate for the first time, Certbot will ask you to enter an email address and agree to the terms and conditions.

After the above step, Certbot will ask you to configure HTTPS settings.

Output
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter](press 'c' to cancel):

Select your choice and continue to the next step. We recommend choosing the Redirect option if you don’t want to modify the configuration file manually.

5. Autorenewal For SSL Certificates

Let’s Encrypt certificates are short-lived and expire after 90 days, so you have to renew them before they expire by running the following command.

sudo certbot renew

You can automate this process by adding a cron job. Enter the following command to open the crontab

sudo crontab -e

Add the following line to the end of the file. It runs the command twice a day and renews the certificate if it is about to expire. A crontab opened with crontab -e has no user column, so the line starts directly with the command; the test on /run/systemd/system makes the job a no-op on hosts running systemd, where the packaged certbot.timer unit is expected to run the renewal instead.

0 */12 * * * test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew
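
A scheduled renewal job like this one (and those in the Debian and CentOS sections) can stop working without anyone noticing, so the check below lists every certificate under a Certbot live directory that has fewer days left than automatic renewal should ever allow. It is an added example, not part of the original tutorial; the function names, the script name check-certs.sh, the 20-day alert threshold and the self-signed sample certificates are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of the tutorial: flag certificates that are closer to
# expiry than they should ever get while automatic renewal is working.

# cert_expires_within FILE DAYS
# Returns 0 if FILE expires within DAYS days. An unreadable or unparsable file
# also returns 0, so a broken lineage is reported rather than skipped.
cert_expires_within() {
    # "-checkend N" exits non-zero when the certificate expires within N seconds
    ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# stale_certs LIVE_DIR DAYS
# Prints the name of every lineage under LIVE_DIR whose cert.pem expires within
# DAYS days; returns 1 if at least one was found, 0 otherwise.
stale_certs() {
    live_dir=$1
    days=$2
    found=0
    for cert in "$live_dir"/*/cert.pem; do
        # Skip an unmatched glob, but keep dangling symlinks so they are flagged
        [ -e "$cert" ] || [ -L "$cert" ] || continue
        if cert_expires_within "$cert" "$days"; then
            basename "$(dirname "$cert")"
            found=1
        fi
    done
    return "$found"
}

# make_sample_cert DIR NAME DAYS
# Constructed test input: a self-signed certificate laid out like a Certbot
# lineage (DIR/NAME/cert.pem) that is valid for DAYS days.
make_sample_cert() {
    mkdir -p "$1/$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days "$3" -subj "/CN=$2" \
        -keyout "$1/$2/privkey.pem" -out "$1/$2/cert.pem" >/dev/null 2>&1
}

# Run as root (the live directory is not world-readable), for example daily:
#   check-certs.sh /etc/letsencrypt/live 20
# Certbot renews when fewer than 30 days remain (its default), so anything
# under 20 days (an assumed alert threshold) means renewal has been failing.
if [ "$#" -ge 1 ]; then
    if ! stale_certs "$1" "${2:-20}"; then
        echo "renewal overdue for the certificates listed above" >&2
        exit 1
    fi
fi
```

A non-zero exit status can be wired to whatever alerting the host already has, such as cron mail.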

4. Installing Let’s Encrypt Wildcard Certificates

Let’s Encrypt now supports wildcard certificates through the new ACMEv2 protocol. With a wildcard certificate such as *.example.com, you can use one certificate for multiple sub-domains like site1.example.com, site2.example.com, site3.example.com, etc. To install the wildcard certificate, type the following command. The domain is quoted so that the shell does not expand the asterisk.

sudo certbot certonly --manual -d '*.example.com' --agree-tos --no-bootstrap --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory

NOTE: The command output will show a message asking you to add a TXT record. Make the DNS change for your domain by adding the TXT record with the value given in the output of the above command.
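
Before letting Certbot continue past the TXT prompt (here and in the Debian wildcard section), it helps to confirm that the record is actually being served, since a validation attempt against a record that has not propagated fails. The script below is an added example, not part of the original tutorial; it assumes dig is installed, and the function names, the script name wait-txt.sh, the resolver addresses and the polling intervals are illustrative choices.

```shell
#!/bin/sh
# Added example, not part of the tutorial: wait until the DNS-01 TXT record
# requested by Certbot is visible on every resolver that is queried.

# challenge_name DOMAIN
# Prints the record name the CA looks up; a leading "*." label is dropped,
# so *.example.com and example.com both map to _acme-challenge.example.com.
challenge_name() {
    printf '_acme-challenge.%s\n' "${1#\*.}"
}

# txt_values NAME RESOLVER
# Prints the TXT strings RESOLVER returns for NAME, one per line, unquoted.
txt_values() {
    dig +short TXT "$1" "@$2" | tr -d '"'
}

# txt_published DOMAIN TOKEN RESOLVER...
# Returns 0 only if every resolver serves TOKEN for the challenge record,
# 1 if any resolver does not, 2 if no resolver was given.
txt_published() {
    name=$(challenge_name "$1")
    token=$2
    shift 2
    [ "$#" -gt 0 ] || return 2
    for resolver in "$@"; do
        # -F -x: exact whole-line match; "--" because tokens may start with "-"
        txt_values "$name" "$resolver" | grep -Fxq -- "$token" || return 1
    done
    return 0
}

# wait_for_txt DOMAIN TOKEN TRIES DELAY RESOLVER...
# Polls up to TRIES times, DELAY seconds apart; returns 0 once published.
wait_for_txt() {
    domain=$1
    token=$2
    tries=$3
    delay=$4
    shift 4
    while [ "$tries" -gt 0 ]; do
        txt_published "$domain" "$token" "$@" && return 0
        tries=$((tries - 1))
        if [ "$tries" -gt 0 ]; then sleep "$delay"; fi
    done
    return 1
}

# Usage (the value comes from the Certbot prompt; resolvers are assumptions):
#   wait-txt.sh '*.example.com' VALUE_FROM_CERTBOT_OUTPUT
if [ "$#" -ge 2 ]; then
    wait_for_txt "$1" "$2" 30 10 1.1.1.1 8.8.8.8 || {
        echo "TXT record not visible yet; do not continue in Certbot" >&2
        exit 1
    }
fi
```

Passing the domain's authoritative name servers instead of public resolvers gives the closest match to what the CA will see.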

Conclusion

You have learned how to install Let’s Encrypt SSL on Ubuntu 18.04 by using certbot. If you have any queries regarding this please don’t forget to comment below.

Install Nginx on CentOS 7

Nginx is a free, open-source, high-performance web server. It is used as a standalone web server or as a reverse proxy server for Apache (or other web servers). This tutorial outlines how to install Nginx on CentOS 7.

Prerequisites

Before you start installing Nginx on CentOS 7, you must have a non-root user account on your server with sudo privileges.

1. Install Nginx

First, you will need to update system software packages to the latest version. Then you can install Nginx.

Update system software packages by typing

sudo yum -y update

Nginx packages for CentOS are provided through the EPEL repository. Enter the following command to install the EPEL repository.

sudo yum install epel-release

Now install Nginx by typing

sudo yum install nginx

If you are installing packages from the EPEL repository for the first time, you may be prompted to import the EPEL GPG key. Type ==y== and hit ==Enter== to continue.

After the installation completes, enable and start the Nginx server by typing the following commands

sudo systemctl enable nginx
sudo systemctl start nginx

Check the status of Nginx server by typing

sudo systemctl status nginx

The output should be:

● nginx.service - The nginx HTTP and reverse proxy server
      Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; vendor preset: disabled)
      Active: active (running) since Mon 2018-10-24 18:45:48 UTC; 2s ago
      Process: 1677 ExecStart=/usr/sbin/nginx (code=exited, status=0/SUCCESS)
      Process: 1675 ExecStartPre=/usr/sbin/nginx -t (code=exited, status=0/SUCCESS)
      Process: 1673 ExecStartPre=/usr/bin/rm -f /run/nginx.pid (code=exited, status=0/SUCCESS)
    Main PID: 1680 (nginx)
      CGroup: /system.slice/nginx.service
          ├─1680 nginx: master process /usr/sbin/nginx
          └─1681 nginx: worker process

2. Managing Firewall

If your server is protected by a firewall, you will need to open the ==HTTP== and ==HTTPS== ports

Open HTTP port by typing

sudo firewall-cmd --permanent --zone=public --add-service=http

Open HTTPS port by typing

sudo firewall-cmd --permanent --zone=public --add-service=https

Now reload the firewall configuration by typing

sudo firewall-cmd --reload

Now verify installation of Nginx by visiting the following URL

http://YOUR_SERVER_IP_ADDRESS

3. Managing Nginx Web Server Operations

You can manage Nginx web server operations by using the following commands.

If you have made changes to the configuration file and want to reload it, use the following command

sudo systemctl reload nginx

To start the Nginx server, enter the following command

sudo systemctl start nginx

To stop the Nginx server, enter the following command

sudo systemctl stop nginx

To restart the Nginx server, use the following command

sudo systemctl restart nginx

Check the status of the Nginx server by typing

sudo systemctl status nginx

If you want to stop Nginx from starting automatically at boot, type the following.

sudo systemctl disable nginx

To enable the service to start automatically at boot, use the following command

sudo systemctl enable nginx

4. Nginx Important Files and Directories

* Root directory for Nginx files is ==/etc/nginx==.
* Nginx main configuration file is available at ==/etc/nginx/nginx.conf==.
* Virtual host (server block) configuration files should be added in ==/etc/nginx/conf.d==.
* The default server document root directory for web files is located at ==/usr/share/nginx/html==.
* Nginx log files both ==access.log== and ==error.log== are located inside ==/var/log/nginx/== directory.

Conclusion

You have learned successfully how to install Nginx on CentOS 7. If you have any queries please don’t forget to comment below.

Installing Nginx On Debian 9

Nginx is one of the best free, open-source, high-performance web servers available today. It is used as a reverse proxy web server for Apache and other web servers. Nginx can handle a larger number of connections than Apache while consuming little memory, so it can be used for high-traffic websites. In this tutorial, you are going to learn how to install Nginx on Debian 9.

Prerequisites

Before you start to install Nginx on Debian 9, you must have a non-root user account on your server with sudo privileges.

1. Install Nginx on Debian

First update the package manager index, then install Nginx.

Update package manager index by typing

sudo apt update

Now install Nginx by typing

sudo apt install nginx

The Nginx web server starts automatically after the installation completes. To check the status of the Nginx server and confirm the installation, type the following in the terminal

sudo systemctl status nginx

The output should be:

● nginx.service - A high performance web server and a reverse proxy server
    Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
    Active: active (running) since Sat 2018-10-22 11:44:12 CDT; 4min 10s ago
    Docs: man:nginx(8)
    Process: 6412 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
    Process: 6409 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
    Main PID: 6413 (nginx)
    CGroup: /system.slice/nginx.service
    ├─6413 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
    ├─6414 nginx: worker process
    └─6415 nginx: worker process

2. Managing Nginx web server

You can manage your Nginx web server easily with a few useful **systemctl** commands.

Make sure Nginx starts on system reboot by typing

sudo systemctl enable nginx

If you want to disable automatic startup on system reboot, enter the following command

sudo systemctl disable nginx

To check the status of Nginx, enter the following command

sudo systemctl status nginx

You can start the server by typing

sudo systemctl start nginx

You can stop the Nginx server using the following command

sudo systemctl stop nginx

If you want to restart the Nginx server, type the following command

sudo systemctl restart nginx

3. Set up Nginx configuration file

Now create a directory inside /var/www named example.com (you can also use your domain name)

sudo mkdir -p /var/www/example.com

Now remove the default configuration file provided. Delete the default Nginx configuration file by typing

sudo rm -f /etc/nginx/sites-enabled/default

Configuration files for websites are stored inside the /etc/nginx/sites-available directory, so create a configuration file named example.com.conf inside this directory. Then enter the following code inside the file, replacing example.com with your domain name.

/etc/nginx/sites-available/example.com.conf
    server {
        listen         80 default_server;
        listen         [::]:80 default_server;
        server_name    example.com www.example.com;
        root           /var/www/example.com;
        index          index.html;

        location / {
          try_files $uri $uri/ =404;
        }
        
    }

Create a symbolic link to the above configuration file inside the /etc/nginx/sites-enabled/ directory by entering

sudo ln -s /etc/nginx/sites-available/example.com.conf /etc/nginx/sites-enabled/

Now reload the Nginx configuration, since you have made changes in the Nginx configuration directory. Type the following command to reload Nginx

sudo nginx -s reload

You can verify that the configuration is valid by typing the following

sudo nginx -t

Create an index.html file inside the /var/www/example.com directory and enter the following code inside the file

<html>
    <head>
        <title>Index Page</title>
    </head>
    <body>
        <h1>Success!</h1>
    </body>
</html>

Now visit http://example.com, replacing example.com with your domain name. You should see the output: ==Success!==

Conclusion

You have successfully learned how to install Nginx on Debian 9. If you have any queries regarding this please don’t forget to comment below.