Nginx

How to use SSL on an Nginx Web Server

HTTP, the Hypertext Transfer Protocol, is how a web browser fetches resources from a server over the Internet, and servers have delivered content to millions of users over plain HTTP for decades. Plain HTTP, however, sends everything in the clear: anyone on the path between browser and server can read the traffic, alter it, or impersonate the site, which is what makes it attractive for cybercrime, censorship, and surveillance. HTTPS, which is HTTP carried over TLS, addresses this by encrypting the connection, detecting tampering, and letting the browser verify that it is talking to the genuine server through a certificate issued by a trusted certificate authority. Initially it was limited to sites where security was essential, but with the push by Google and the arrival of free certificate authorities, HTTPS became the norm. Search engines favour HTTPS sites, and mainstream browsers now label plain-HTTP pages as "Not secure". This guide shows how to set up HTTPS on an Nginx web server. Note that the protocol in use today is TLS; "SSL" is the older name that has stuck in tool and directive names, so the two terms are used interchangeably below.

Update the Server

It is recommended to bring the server's packages up to date before touching the TLS configuration. The following two commands refresh the package index and upgrade the installed packages on an Ubuntu server.

$ sudo apt-get update

$ sudo apt-get dist-upgrade

Certbot is installed as a snap in the steps below, so also make sure the snapd service and its core snap are current. snapd has shipped with Ubuntu since 16.04.

$ sudo snap install core

$ sudo snap refresh core

If snapd is not present on the server for some reason, install it with the following command.

$ sudo apt install snapd

Configure the DNS Records

DNS records live on the domain's authoritative name servers and map a domain name to its IP address. Obtaining a certificate for an Nginx server requires a domain name that already resolves to the server's public IP address: Let's Encrypt validates control of the name by connecting to whatever that name resolves to, so issuance fails if the record is missing or points elsewhere. After pointing the domain at the server in DNS, the same name has to be set in the Nginx server block so the site answers for it.

Navigate to the control panel of the domain registrar (or whichever DNS provider hosts the zone) and find the DNS records section. The following screenshot shows how a typical DNS record entry looks. Enter the server's public IP address in the Answer (or Value) textbox, choose an A record from the Type drop-down, and in the Host (or Name) textbox either leave the field empty (some panels use @) for the bare domain or type the subdomain, for example www. The server's addresses can be listed with the hostname -I command, but on cloud virtual machines this often shows only a private address behind NAT; the address in the A record must be the public one, so confirm it against the provider's console or an external IP lookup. A DNS change can also take up to the record's TTL before the new address is returned everywhere.

Access the server with an SSH client such as PuTTY (or an SFTP-capable editor such as Notepad++ with the NppFTP plugin) and open /etc/nginx/sites-available/default. Set the server_name directive to the name entered in the Host field, for example server_name subdomain.example.com; or, if there is no subdomain, server_name example.com;. Several names can be listed on one line separated by spaces, such as server_name example.com www.example.com;. Then check the configuration with sudo nginx -t and apply it with sudo systemctl reload nginx.
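Before running Certbot it is worth confirming that the A record really points at this server and that port 80 answers for the domain, since those are exactly the two things Let's Encrypt's HTTP validation depends on. The script below is an added example, not part of the original article; it assumes dig (from the dnsutils package) and curl are installed, queries the public resolver 1.1.1.1 so a stale local cache does not hide a wrong record, and uses https://api.ipify.org as an arbitrary choice of public-IP lookup service that can be swapped for your provider's metadata endpoint.

```shell
#!/bin/sh
# Added example (not from the original article): pre-flight checks to run
# before "certbot --nginx". Certbot's HTTP-01 challenge only succeeds when
# the domain's A record already points at this server and port 80 reaches
# Nginx, so verify both instead of discovering it from a failed issuance.
# Assumptions: "dig" and "curl" are installed; the public IP is taken from
# https://api.ipify.org, an arbitrary lookup service chosen for this example.

# Return success when EXPECTED_IP appears in the whitespace-separated list
# RESOLVED_IPS. Kept free of network calls so it can be unit-tested.
a_record_matches() {
    resolved="$1"
    expected="$2"
    for ip in $resolved; do
        [ "$ip" = "$expected" ] && return 0
    done
    return 1
}

# Keep only IPv4 addresses from "dig +short" output, which also prints CNAME
# targets (names ending in a dot) when the record is an alias, and AAAA
# records if they were requested.
filter_ipv4() {
    grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}$'
}

# Resolve the A record through a public resolver rather than the local cache,
# so /etc/hosts entries or split-horizon DNS cannot mask a bad record.
resolve_a() {
    dig +short A "$1" @1.1.1.1 | filter_ipv4 | tr '\n' ' '
}

public_ip() {
    curl -4 -fsS --max-time 5 https://api.ipify.org
}

preflight() {
    domain="$1"
    ip=$(public_ip) || { echo "could not determine public IP" >&2; return 1; }
    resolved=$(resolve_a "$domain")
    if ! a_record_matches "$resolved" "$ip"; then
        echo "A record for $domain is '${resolved:-<none>}', expected $ip" >&2
        return 1
    fi
    # HTTP-01 validation arrives on port 80 with the domain in the Host header.
    # Any HTTP status proves Nginx is reachable; curl prints 000 when the TCP
    # connection itself fails, which is the case we want to catch.
    code=$(curl -sS --max-time 5 -o /dev/null -w '%{http_code}' \
           -H "Host: $domain" "http://$ip/.well-known/acme-challenge/probe") || true
    case "$code" in
        000|"") echo "port 80 on $ip is not reachable for $domain" >&2; return 1 ;;
    esac
    echo "ok: $domain -> $ip, port 80 answered with HTTP $code"
}

# Usage: sh preflight.sh example.com
if [ -n "${1:-}" ]; then preflight "$1"; fi
```

A non-zero exit from preflight means Certbot would fail the challenge too; fix the DNS record or the firewall first rather than retrying issuance, since Let's Encrypt rate-limits failed validations.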

Install the SSL/TLS

There are several ways to install a certificate on an Nginx web server. The easiest is Certbot, an ACME client that obtains a certificate from Let's Encrypt free of charge and edits the Nginx configuration for you. The one catch is that Let's Encrypt certificates are valid for 90 days rather than the year or more offered by paid certificates, so they must be renewed more often; since Certbot automates renewal, this rarely matters in practice. Let's Encrypt issues only domain-validated (DV) certificates: it verifies that the requester controls the domain name, not the identity of the organization behind it. This does not weaken the encryption or the authentication of the TLS connection in any way. Organization-validated (OV) and extended-validation (EV) certificates from commercial CAs add a vetted organization name to the certificate, which some businesses require for policy or compliance reasons, but modern browsers no longer show a distinct indicator for them. For a general-purpose website, and for most commercial sites, a DV certificate is sufficient.

Type the following command on the SSH client to install the Certbot in the Ubuntu server.

$ sudo snap install --classic certbot

Type the following command to create a symbolic link from /snap/bin/certbot to /usr/bin/certbot, so the full path does not have to be typed when calling the Certbot binary.

$ sudo ln -s /snap/bin/certbot /usr/bin/certbot

Finally, run Certbot with its Nginx plugin. It reads the server_name values from the Nginx configuration, asks a few questions (a contact e-mail address for expiry notices, acceptance of the Let's Encrypt terms, and which of the names to issue the certificate for), obtains the certificate, and writes the ssl_certificate, ssl_certificate_key and TLS settings into the server block. It also offers to redirect HTTP to HTTPS, which should be accepted. Before this step the site must be reachable on port 80 under its domain name, because that is how Let's Encrypt validates control of it; if the Configure the DNS Records section was followed, this should not be a problem.

$ sudo certbot --nginx

Test that renewal works. The snap package installs a systemd timer (snap.certbot.renew.timer) that runs certbot renew twice a day and renews any certificate that is within 30 days of expiry, so Certbot does not have to be run by hand again. It is still recommended to run a dry run once: it performs the whole renewal against Let's Encrypt's staging environment without replacing the live certificate, so a broken challenge path shows up now rather than in three months.

$ sudo certbot renew --dry-run

Type the domain name in a web browser and check that the site loads. If the padlock icon appears beside the address and no error or warning is shown, the certificate is installed correctly. Also try the plain http:// URL: it should redirect to https://. For a more thorough check, an external scanner such as Qualys SSL Labs reports the certificate chain, protocol versions, and cipher suites the server actually offers.

Advanced Nginx SSL Configuration

The advanced configuration tightens the TLS settings and controls which browsers can still connect. The settings Certbot writes by default (through the included options-ssl-nginx.conf) are already reasonable for a general-purpose website, so this section is optional.

Navigate to the following website.

https://ssl-config.mozilla.org/

Select the Nginx in the Server Software option.

Select one of the Mozilla Configuration profiles. The profile decides which browsers can connect. Modern allows only TLS 1.3 and the newest cipher suites, which gives the strongest settings but locks out older browsers and operating systems. Old still accepts TLS 1.0 and 1.1 and legacy ciphers, so almost any client can connect, at the cost of weaker security. Intermediate (TLS 1.2 and 1.3) is the recommended balance and is what most sites should use.

Enter the Nginx version and the OpenSSL version in the Environment section; the generator uses them to emit only directives and ciphers that the installed build supports. Both are printed by the nginx -V command (the OpenSSL version appears in the "built with" line).

Enable HTTP Strict Transport Security and OCSP Stapling. HSTS tells browsers to use only HTTPS for the site for the max-age period (the generator uses two years). Enable it only once every page, and every subdomain if includeSubDomains is set, works over HTTPS: browsers remember the policy for the whole period and refuse to fall back to plain HTTP, so a broken HTTPS setup locks users out. Do not submit the site to the HSTS preload list until it has run with HSTS for a while. OCSP stapling has Nginx fetch the certificate's revocation status itself and send it in the TLS handshake, saving clients a separate lookup; it requires the resolver and ssl_trusted_certificate directives the generator emits, the latter pointing at the chain.pem file Certbot stores next to the certificate.

Copy the configuration generated by the tool and paste it into the Nginx site file, replacing the server block Certbot edited. The tool does not know your site, so a few lines must be filled in by hand: set server_name again, point ssl_certificate and ssl_certificate_key at /etc/letsencrypt/live/<domain>/fullchain.pem and privkey.pem, and ssl_trusted_certificate at chain.pem in the same directory. Remove the include /etc/letsencrypt/options-ssl-nginx.conf line Certbot added, since the generator's output sets the same directives and Nginx rejects a directive that appears twice in one block, and keep only one ssl_dhparam line (Certbot's /etc/letsencrypt/ssl-dhparams.pem can serve). Run sudo nginx -t to validate the file, then apply it with sudo systemctl reload nginx, which keeps serving existing connections while the new configuration loads.
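The following script is an added example, not code from the original article or from the Mozilla generator. It writes a complete site file for one domain in the shape the generator's intermediate profile produces, with the Let's Encrypt paths already filled in, the HTTP-to-HTTPS redirect, HSTS and OCSP stapling, and then only reloads Nginx if nginx -t passes. Assumptions: the Ubuntu sites-available/sites-enabled layout; the DHE suites from the intermediate list are omitted so no ssl_dhparam file is needed; resolver 127.0.0.53 is the systemd-resolved stub found on Ubuntu; and the default site is disabled because this file replaces it (drop that line if default still hosts something else). Regenerate the cipher list from https://ssl-config.mozilla.org/ for current values.

```shell
#!/bin/sh
# Added example (not from the original article): render a hardened TLS site
# configuration for DOMAIN, pointing at the files Certbot placed under
# /etc/letsencrypt/live/<domain>/, validate it, then reload Nginx.
# Assumptions: Ubuntu layout (sites-available/sites-enabled), no DHE suites
# (so no ssl_dhparam), systemd-resolved at 127.0.0.53 for OCSP lookups.

# Print the configuration to stdout; kept separate from the install step so
# the output can be inspected or tested without root.
render_site_config() {
    domain="$1"
    cat <<EOF
# Port 80 only serves ACME challenges and redirects everything else.
server {
    listen 80;
    listen [::]:80;
    server_name ${domain};

    location /.well-known/acme-challenge/ {
        root /var/www/html;
    }
    location / {
        return 301 https://\$host\$request_uri;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name ${domain};
    root /var/www/html;

    ssl_certificate     /etc/letsencrypt/live/${domain}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/${domain}/privkey.pem;
    ssl_session_timeout 1d;
    ssl_session_cache   shared:MozSSL:10m;
    ssl_session_tickets off;

    # Intermediate profile: TLS 1.2 and 1.3, AEAD suites with forward secrecy.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;

    # HSTS for two years including subdomains. Browsers cache this, so only
    # enable it once every host under the domain already works over HTTPS.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;

    # OCSP stapling: Nginx fetches revocation status and sends it in the
    # handshake. chain.pem is the issuer chain Certbot stores with the cert.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/${domain}/chain.pem;
    resolver 127.0.0.53 valid=300s;
    resolver_timeout 5s;
}
EOF
}

# Write the file, enable it, and reload only if the syntax check passes, so
# a typo never takes the running server down.
install_site_config() {
    domain="$1"
    target="/etc/nginx/sites-available/${domain}"
    render_site_config "$domain" > "$target"
    ln -sf "$target" "/etc/nginx/sites-enabled/${domain}"
    # The default site carries Certbot's edits for the same server_name;
    # leaving both enabled makes Nginx warn about a conflicting server name.
    rm -f /etc/nginx/sites-enabled/default
    if nginx -t; then
        systemctl reload nginx
    else
        echo "nginx -t failed; $target written but Nginx not reloaded" >&2
        return 1
    fi
}

# Usage: sudo sh tls-site.sh example.com
if [ -n "${1:-}" ]; then install_site_config "$1"; fi
```

Because Certbot's renewal hook reloads Nginx after replacing the files under /etc/letsencrypt/live/, the paths above keep working across renewals without further edits.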

Conclusion

Thanks to Certbot and Let's Encrypt, installing a certificate on an Nginx web server is now straightforward: Certbot handles obtaining, installing, and renewing it. Once the basic setup works, the TLS settings can be tuned with the Mozilla SSL Configuration Generator, which balances security against browser compatibility. Whatever profile is chosen, re-test the site afterwards and leave the automated renewal in place.

About the author

Nucuta

NUCUTA is a technology blog where various topics about computer hardware, software, mobile phones, gadgets and many other are covered, including but not limited to tutorials, reviews, and topics in business management, finance, accounting, self improvement and technology news.