Published: 2020-06-14

Config Nginx to serve over https using certbot on Ubuntu

How to install and configure Nginx and certbot to serve your static files and act as a reverse proxy on Ubuntu. Nginx is a high-performance load balancer, web server and reverse proxy. Certbot uses free Let's Encrypt certificates and auto-renews them.

As in the last tutorial, I am working on Ubuntu 20.04 LTS. Make sure you have sudo rights on your machine. If you are starting from scratch on a fresh Ubuntu installation, click here for basic setup before starting with this guide. Jump in.

Install Nginx

  • update your package list: sudo apt update
  • install nginx: sudo apt install nginx
    • confirm by typing "-y" and pressing enter if you are willing to install

Now we have to configure the firewall in order to allow nginx to communicate with the outside:

  • sudo ufw app list gives you a list of available firewall configurations for your server
  • sudo ufw allow 'Nginx Full' to allow traffic at port 80 (HTTP) and 443 (HTTPS)

Enter your server's IP address in the web browser of your choice and you should see the answer from Nginx!

Configuring Nginx

Hosting static content

It's common practice to store your website's static data in "/srv/www/example.com". For a brief example, just store a file named index.html with the content "hi" in the path mentioned before.

In order to serve the files at that location add the following config to "/etc/nginx/sites-available/example.com" using sudo nano /etc/nginx/sites-available/example.com.

server {
        listen 80;
        listen [::]:80;

        root /srv/www/example.com;
        index index.html;

        server_name example.com www.example.com;

        location / {
                try_files $uri $uri/ =404;
        }

        location ~ /\. {
            deny all;
        }
}

The second "location" block denies access to hidden files (any path with a component that starts with a dot).

Now create a link in the folder "/etc/nginx/sites-enabled" executing sudo ln -s /etc/nginx/sites-available/example.com /etc/nginx/sites-enabled/.

When serving multiple server names from one Nginx instance you should also open the main config with sudo nano /etc/nginx/nginx.conf and uncomment the line "server_names_hash_bucket_size".

Check if your Nginx config is correct: sudo nginx -t.

Let's restart Nginx to apply our modifications: sudo systemctl restart nginx.

Now type your url in the browser "example.com".

For static file hosting it can also be worth activating gzip compression in order to reduce the network traffic. If you want to enable gzip compression, add the following lines to the server section of your Nginx config file.

gzip on;
# text/html is always compressed once gzip is on, so it is not listed again
gzip_types text/css;

You can add further MIME types you want to be compressed to the "gzip_types" property.

More on the linux filesystem hierarchy.

Reverse proxy config

A minimalistic reverse proxy config can look like this:

server {
        listen 80;
        listen [::]:80;

        server_name www.example.com;

        location / {
            proxy_pass http://localhost:3000;
        }
}

Redirect non-www to www

Add this to your config file and remove "example.com" from the "server_name" in the already existing server config.

server {
    listen 80;
    listen [::]:80;

    server_name example.com;
    return 301 https://www.$server_name$request_uri;
}

Your config should now look like this:

server {
        listen 80;
        listen [::]:80;

        root /srv/www/example.com;
        index index.html;

        server_name www.example.com;

        location / {
                try_files $uri $uri/ =404;
        }

        location ~ /\. {
            deny all;
        }
}

server {
    listen 80;
    listen [::]:80;

    server_name example.com;
    return 301 https://www.$server_name$request_uri;
}

An advanced config example

https://www.nginx.com/resources/wiki/start/topics/examples/full/

HTTPS using certbot

Install certbot

From the official documentation:

sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot

Create a certificate

From the nicely hidden official page:

Install the Nginx plugin for certbot: sudo apt install python-certbot-nginx.

Run sudo certbot --nginx and follow the instructions in order to install a certificate.
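Once certbot has rewritten the site file, it is worth re-checking the two properties this guide sets up by hand: plain HTTP should only redirect, and dotfiles should stay denied. The script below is an added example, not part of the original post or of nginx/certbot. The function name audit_site and the sample config are constructed for illustration, and the check is a line-based heuristic that assumes one directive per line.

```sh
#!/bin/sh
# Added example, not from the original post. audit_site reads one nginx site
# file on stdin and prints a finding per server block; exit status 1 if any.
# Line-based heuristic (assumes one directive per line), not a full parser.
audit_site() {
  awk '
    /^[ \t]*#/ { next }                                   # skip comment lines
    depth == 0 && /^[ \t]*server[ \t]*[{]/ {              # a server block opens
      inserver = 1; name = "?"; http = root = content = redirect = dotdeny = 0
    }
    /server_name[ \t]/                    { name = $2; sub(/;$/, "", name) }
    /listen[ \t]+(\[::\]:)?80[ ;]/        { http = 1 }    # plain-HTTP listener
    /^[ \t]*root[ \t]/                    { root = content = 1 }
    /proxy_pass[ \t]/                     { content = 1 }
    /return[ \t]+30[1278][ \t]+https:/    { redirect = 1 }
    /location[ \t]+~[ \t]+\/\\\./         { indot = 1 }   # location ~ /\.
    indot && /deny[ \t]+all/              { dotdeny = 1 }
    {
      line = $0
      opened = gsub(/[{]/, "{", line); closed = gsub(/[}]/, "}", line)
      depth += opened - closed
      if (closed) indot = 0
      if (inserver && closed && depth == 0) {             # server block ended
        if (http && content && !redirect) { print name ": content served over plain HTTP"; bad++ }
        if (root && !dotdeny) { print name ": static root without a dotfile deny rule"; bad++ }
        inserver = 0
      }
    }
    END { exit (bad > 0) }
  '
}

# Constructed sample: this guide's final config as it stands before certbot runs.
SAMPLE='server {
    listen 80;
    listen [::]:80;
    root /srv/www/example.com;
    server_name www.example.com;
    location / { try_files $uri $uri/ =404; }
    location ~ /\. { deny all; }
}
server {
    listen 80;
    server_name example.com;
    return 301 https://www.$server_name$request_uri;
}'
printf '%s\n' "$SAMPLE" | audit_site || echo "(findings listed above)"
```

On a server, run it as audit_site < /etc/nginx/sites-available/example.com after sudo nginx -t passes.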

List of commands

Nginx

  • install nginx sudo apt install nginx
  • sudo ufw allow 'Nginx Full' to allow traffic at port 80 (HTTP) and 443 (HTTPS)
  • check config file sudo nginx -t
  • restart nginx sudo systemctl restart nginx

Git

  • install git sudo apt install git
