Encryption: How to Secure NGINX web server on Ubuntu 16.04

What is Let’s Encrypt

Let’s Encrypt is a free certificate authority operated by the Internet Security Research Group (ISRG). It provides an easy and automatic way to get a free SSL/TLS certificate – a necessary step to enable encryption and HTTPS traffic on a web server. Most of the steps in obtaining and installing certificates can be automated using a tool called Certbot.

Certbot needs shell access to the server: in other words, it can be used whenever it is possible to connect to the server via SSH.

In this tutorial we will see how to use certbot to get a free SSL certificate and use it with Nginx on an Ubuntu 16.04 server.

Install Certbot

The first step is to install certbot, a software client that automates almost the whole process. The Certbot developers maintain their own Ubuntu repository (a PPA), which carries a newer version than the stock Ubuntu repositories.

Add the Certbot repository:

# add-apt-repository ppa:certbot/certbot

Next, update the APT source list:

# apt-get update

At this point, it is possible to install certbot with the following apt command:

# apt-get install certbot

Certbot is now installed and ready to use.

Get Certificate

Certbot has several plugins for obtaining SSL certificates. In this tutorial Certbot is used only to obtain the certificate (the certonly mode used below); installing it and configuring the web server is left to the admin.

We will use a plugin called Webroot to get the SSL certificate.

This plugin is recommended when you can modify the content served by the web server. There is no need to stop the web server during the certificate issuance process.

Configure NGINX

Webroot works by creating temporary files for each domain in a directory named .well-known, placed within the web root directory. In our case, the web root directory is /var/www/html. Make sure this directory is reachable by Let’s Encrypt for validation. To do so, edit the NGINX configuration: with a text editor, open the file /etc/nginx/sites-available/default:

# $EDITOR /etc/nginx/sites-available/default

Inside the server block of this file, add the following location:

location ~ /.well-known {
    allow all;
}

Save, exit and check the NGINX configuration:

# nginx -t

If there are no errors, it should output:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Restart NGINX:

# systemctl restart nginx

Get Certificate with Certbot

The next step is to get a new certificate using Certbot with the Webroot plugin. In this tutorial, we will secure (as an example) the www.example.com domain. It is necessary to specify each domain to be secured with a certificate. Run the following command:

# certbot certonly --webroot --webroot-path=/var/www/html -d www.example.com

During the process, Certbot will ask for a valid email address for notification purposes. It will also ask whether to share that address with the EFF; this is optional. After you agree to the Terms of Service, it will obtain the new certificate.

In the end, the /etc/letsencrypt/archive directory will contain the following files:

chain.pem: Let’s Encrypt chain certificates.
cert.pem: domain certificate.
fullchain.pem: a combination of cert.pem and chain.pem.
privkey.pem: certificate’s private key.

Certbot will also create a symbolic link to the latest certificate file in /etc/letsencrypt/live/domain_name/. This is the path we will use in the server configuration.

Configure SSL/TLS on NGINX

The next step is server configuration. Create a new snippet in /etc/nginx/snippets/. A snippet is a part of a configuration file that can be included in a virtual host configuration file. So, create a new file:

# $EDITOR /etc/nginx/snippets/secure-example.conf

This file holds the two directives that tell NGINX where the certificate and its private key are. Paste the following content:

ssl_certificate /etc/letsencrypt/live/domain_name/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/domain_name/privkey.pem;

In our case, domain_name will be example.com.

Edit NGINX Configuration

Edit the default Virtual Hosts file:

# $EDITOR /etc/nginx/sites-available/default

The HTTP server block redirects every request to HTTPS, and a second server block terminates TLS using the snippet created above:

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name www.example.com;
    return 301 https://$server_name$request_uri;
}

server {
    # SSL configuration
    #
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    include snippets/secure-example.conf;
    #
    # Note: You must disable gzip for SSL traffic.
    # See: https://bugs.debian.org/773332
    …

This will enable encryption on NGINX.

Save, exit and check the NGINX configuration file:

# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Restart NGINX:

# systemctl restart nginx
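Before trusting the new virtual host, it is worth checking the files NGINX was just pointed at: that privkey.pem really belongs to fullchain.pem, that the certificate is not about to expire (Let’s Encrypt certificates are valid for 90 days), and that it covers the server_name you configured. The script below is an added example, not part of the original tutorial or of Certbot; it assumes a POSIX shell, GNU userland (grep -o) and the openssl CLI. To run offline it builds a constructed self-signed pair in a temporary directory shaped like a live directory; on the real server point check_live_dir at /etc/letsencrypt/live/www.example.com/ (Certbot names the live directory after the first domain given with -d).

```shell
#!/bin/sh
# Post-issuance checks for the files referenced by ssl_certificate and
# ssl_certificate_key. Added example, not from the tutorial or from Certbot.
# Assumes POSIX sh, GNU grep (-o) and the openssl CLI.
set -eu

# 0 when the public key embedded in the certificate equals the public key
# derived from the private key, i.e. the two NGINX directives agree.
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# 0 when the certificate is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# 0 when $2 is listed as a DNS subjectAltName; a name missing here is
# exactly what browsers report as a hostname mismatch.
cert_covers_name() {
    openssl x509 -in "$1" -noout -text \
        | grep -o 'DNS:[^, ]*' | sed 's/^DNS://' | grep -qxF "$2"
}

# Run every check against one live directory the way NGINX reads it:
# ssl_certificate -> fullchain.pem (leaf first), ssl_certificate_key -> privkey.pem.
# Returns 0 only if all checks pass; $3 is the minimum remaining validity in days.
check_live_dir() {
    dir="$1"; name="$2"; min_days="${3:-14}"; rc=0
    if cert_key_match "$dir/fullchain.pem" "$dir/privkey.pem"; then
        echo "ok   privkey.pem matches fullchain.pem"
    else
        echo "FAIL privkey.pem does not match fullchain.pem"; rc=1
    fi
    if cert_valid_for_days "$dir/fullchain.pem" "$min_days"; then
        echo "ok   certificate valid for at least $min_days day(s)"
    else
        echo "FAIL certificate expires within $min_days day(s)"; rc=1
    fi
    if cert_covers_name "$dir/fullchain.pem" "$name"; then
        echo "ok   certificate covers $name"
    else
        echo "FAIL certificate does not cover $name"; rc=1
    fi
    return "$rc"
}

# --- Constructed input: a throwaway self-signed pair laid out like a live dir ---
LIVE_DIR=$(mktemp -d)
trap 'rm -rf "$LIVE_DIR"' EXIT
cat > "$LIVE_DIR/san.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = www.example.com
[v3]
subjectAltName = DNS:www.example.com, DNS:example.com
EOF
# Valid for one day only, so the expiry check has something to report.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$LIVE_DIR/san.cnf" \
    -keyout "$LIVE_DIR/privkey.pem" -out "$LIVE_DIR/cert.pem" 2>/dev/null
# Self-signed, so there is no chain: fullchain.pem is just the leaf.
cp "$LIVE_DIR/cert.pem" "$LIVE_DIR/fullchain.pem"
# An unrelated key, used to show what a mismatch looks like.
openssl genrsa -out "$LIVE_DIR/unrelated.pem" 2048 2>/dev/null

check_live_dir "$LIVE_DIR" www.example.com 0
# On the server: check_live_dir /etc/letsencrypt/live/www.example.com www.example.com
```

The checks read fullchain.pem rather than cert.pem because that is the file NGINX serves; openssl x509 parses only the first certificate in the file, which is the leaf. Running check_live_dir from cron with a threshold such as 14 days gives an early warning when automatic renewal has silently stopped working.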

Conclusion

Following all the steps above, at this point we have a secure NGINX based web server, with encryption provided by Certbot and Let’s Encrypt. This is just a basic configuration, of course, and it’s possible to use a lot of NGINX’s configuration parameters to personalize everything, but that depends on the specific web server requirements.
