NGINX & Let’s Encrypt: The Complete Guide

Updated: January 20, 2024 By: Guest Contributor

NGINX is a powerful, high-performance web server that has become increasingly popular due to its scalability and flexibility. Integrating NGINX with Let’s Encrypt, a free Certificate Authority, allows you to secure your web applications with HTTPS. This complete guide walks you through the process step by step.

Why Use NGINX with Let’s Encrypt?

Before diving into the setup, it’s important to understand why securing your web server with Let’s Encrypt is advantageous:

  • Security: Encrypting traffic between your server and clients protects sensitive data from eavesdropping.
  • Trust: A TLS certificate from Let’s Encrypt provides validation that your site is authentic and not a phishing replica.
  • SEO: Google rewards HTTPS-enabled sites with a ranking boost, potentially increasing your site’s visibility.
  • Performance: NGINX, known for its high performance, works seamlessly with TLS, ensuring minimal overhead.

Prerequisites

To follow this guide effectively, ensure you have:

  • A server with NGINX installed.
  • A registered domain name pointing to your server’s IP address.
  • SSH access to your server.
  • Basic knowledge of NGINX configuration and the terminal.

Step-by-Step Instructions

Step 1: Install Certbot

Certbot is the recommended tool for obtaining Let’s Encrypt certificates. It automates the certificate issuance and renewal process. Install Certbot and its NGINX plugin using the following commands:

sudo apt update
sudo apt install certbot python3-certbot-nginx

Step 2: Obtain Your SSL/TLS Certificate

Run Certbot with the NGINX plugin to obtain and install your certificate:

sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com 

Replace yourdomain.com and www.yourdomain.com with your registered domain names. Certbot will modify your NGINX configuration files to include the certificate and set up HTTPS.

Step 3: Test HTTPS Configuration

Navigate to https://yourdomain.com to confirm the SSL/TLS certificate is active. Additionally, use SSL Labs’ SSL Test to thoroughly check your setup for security flaws.

Step 4: Automatic Certificate Renewal

Let’s Encrypt’s certificates are valid for 90 days, after which they require renewal. Certbot sets up automatic renewal for you; verify that the renewal process works with a dry run:

sudo certbot renew --dry-run 

This command simulates renewal without making any changes, ensuring your renewal process works. The actual renewal is handled by a periodic job set up by Certbot.

Step 5: Adjust Your NGINX Configuration

Customize your NGINX configuration to further enhance security:

server {
    listen 443 ssl http2;
    server_name yourdomain.com www.yourdomain.com;

    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;

    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
    ssl_session_tickets off;

    # TLS 1.2 cipher suites; TLS 1.3 suites are negotiated independently of this list
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers off;

    # OCSP stapling; NGINX also needs a resolver directive to look up the OCSP responder
    ssl_stapling on;
    ssl_stapling_verify on;

    # Security-related response headers (uncomment the ones you want to send)
    # Before enabling Strict-Transport-Security, read up on HSTS first: once a browser has seen
    # this header with a long max-age, it will refuse plain HTTP for your site for that duration.
    # add_header Strict-Transport-Security 'max-age=63072000' always;
    # add_header X-Content-Type-Options nosniff always;
    # add_header X-Frame-Options SAMEORIGIN always;
    # add_header X-XSS-Protection '1; mode=block' always;
    # add_header Referrer-Policy no-referrer-when-downgrade always;
    # The CSP value contains spaces and semicolons, so it must be quoted as a single argument
    # add_header Content-Security-Policy "default-src 'self' https:; upgrade-insecure-requests" always;

    location / {
        # Your application configuration
    }
}

Ensure you examine and understand each line of the configuration, adapting it to meet your site’s specific needs and security requirements.
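As an added example (not part of the original guide), the following Python script parses a server block like the one in Step 5 and flags the settings a reviewer checks first: no explicit ssl_protocols, a weak cipher in ssl_ciphers, stapling without a resolver, session tickets left on, cert.pem used instead of fullchain.pem, and a missing Strict-Transport-Security header. The embedded sample configuration is constructed and deliberately contains each of those mistakes.

```python
# Constructed sample modelled on the Step 5 server block, with HSTS still commented
# out, no ssl_protocols line, cert.pem instead of fullchain.pem and one weak cipher.
SAMPLE_CONFIG = """server {
    listen 443 ssl http2;
    ssl_certificate /etc/letsencrypt/live/yourdomain.com/cert.pem;
    ssl_session_tickets off;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:RC4-SHA';
    ssl_stapling on;
    # add_header Strict-Transport-Security 'max-age=63072000' always;
    add_header X-Content-Type-Options nosniff always;
}
"""
WEAK_CIPHER_TOKENS = ("RC4", "DES", "MD5", "NULL", "EXPORT")
OLD_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")

def parse_directives(config):
    """Return (name, args) pairs for active directives; comments and braces are skipped."""
    directives = []
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()          # text after '#' is a comment
        if not line or line == "}" or line.endswith("{"):
            continue                                 # block openers/closers, not directives
        name, _, args = line.rstrip(";").partition(" ")
        directives.append((name, args.strip()))
    return directives

def audit(config):
    """Return human-readable findings; an empty list means every check passed."""
    pairs = parse_directives(config)
    names = {n for n, _ in pairs}
    values = dict(pairs)                             # last occurrence of a directive wins
    findings = []
    if "ssl_protocols" not in names:
        findings.append("ssl_protocols not set: relying on the NGINX default")
    elif any(p in values["ssl_protocols"].split() for p in OLD_PROTOCOLS):
        findings.append("ssl_protocols enables a legacy protocol version")
    if any(t in values.get("ssl_ciphers", "").upper() for t in WEAK_CIPHER_TOKENS):
        findings.append("ssl_ciphers contains a weak or broken cipher")
    if values.get("ssl_stapling") == "on" and "resolver" not in names:
        findings.append("ssl_stapling on without a resolver directive")
    if values.get("ssl_session_tickets", "on") != "off":
        findings.append("ssl_session_tickets should be off to preserve forward secrecy")
    if values.get("ssl_certificate", "").endswith("/cert.pem"):
        findings.append("ssl_certificate uses cert.pem; use fullchain.pem so the chain is sent")
    headers = {a.split()[0] for n, a in pairs if n == "add_header" and a}
    if "Strict-Transport-Security" not in headers:
        findings.append("Strict-Transport-Security header not sent")
    return findings
```

Run `audit()` on the text of your own server block (for example the contents of the file Certbot edited under /etc/nginx/) and fix each finding it prints before re-running the SSL Labs test.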

Conclusion

This guide provided a comprehensive walkthrough of securing NGINX with a Let’s Encrypt SSL/TLS certificate. As security threats evolve, continue to check for updates to NGINX, Certbot, and best practices for HTTPS configuration. For further reading, consider exploring resources on HTTP/2, server hardening, and NGINX tuning for performance optimizations.