Securing NGINX using Let’s Encrypt on Ubuntu 18.04

It’s nice to be back. In this event loop on {{ PLP }}, we are going to secure our NGINX web server on our existing Ubuntu 18.04 LTS machine with a certificate from Let’s Encrypt, a free, automated certificate authority run by the non-profit Internet Security Research Group (ISRG), whose goal is to get every website onto HTTPS.

Today, I will guide you through setting up a free Let’s Encrypt certificate on your NGINX web server and configuring TLS so that the site can earn an A+ rating on SSL Labs. Keep in mind that the rating comes from the server configuration, not from the certificate itself: Let’s Encrypt supplies the certificate, and the TLS settings and HSTS header in Step 3 do the rest. I will also show how to adjust our Cloudflare settings a bit. Remember that we previously put the ipaskil site behind Cloudflare as the default protection for our web server; it brings a lot of benefits, such as auto-minifying JavaScript, CSS and HTML, plus serving the site from its CDN distributed around the globe.

This discussion will be significant for each of us as developers: it removes a recurring overhead (buying certificates and renewing them by hand) and gives our future and existing projects encrypted transport at no cost, so stay with me until the end of this topic.

A quick glance back: in previous discussions we covered Django Memcached with Django-Cache-Memoize, which caches the results of expensive functions, and Django queries as well.

Introduction

The most essential part of web security, and the challenge many of us face, is how to obtain a free SSL/TLS certificate, install it on our NGINX web server, and have it renew automatically before it expires (Let’s Encrypt certificates are valid for only 90 days, so manual renewal is not an option).

In the meantime, Cloudflare’s Flexible SSL mode (the one that works without a certificate on your server) only encrypts one leg of the path: the connection between your user’s browser and Cloudflare’s edge is encrypted, but the connection from Cloudflare’s network back to your web server (the origin) is plain HTTP.

Although you see https://yourdomain.com in the browser, under the hood the traffic is not encrypted end to end, and anyone on the path between Cloudflare and your origin can read or modify it.

With a Let’s Encrypt certificate installed on the origin, both legs can be encrypted: the browser talks TLS to Cloudflare, and Cloudflare talks TLS to your web server and verifies its certificate (Cloudflare’s Full (strict) mode, which we switch to in Step 4). That, combined with the TLS settings in Step 3, is what earns the A+ rating.

So, prepare yourself once again and stay focused, because this will be exciting and fun learning with {{ PLP }}.

Getting Started

I will be using our existing NGINX web server, with root privilege (sudo) on our Ubuntu 18.04 LTS server, to install Let’s Encrypt’s client, Certbot.

Please back up your NGINX configuration folder (/etc/nginx) before you install Certbot: if you let it configure NGINX for you, it inserts a few lines into the server block of each domain you select in your existing configuration.

In this discussion you will learn how to use Let’s Encrypt to obtain a certificate and reach an A+ TLS rating for your web server at no cost at all. You can check the gist for more configuration options, but here I give you the simplest possible configuration.

Step 1. Install the Certbot for NGINX

Make sure you have enough privilege (sudo) to install the following packages on your web server. These commands add the Certbot PPA, which was the recommended source for Ubuntu 18.04 when this was written; Certbot has since retired that PPA in favour of its snap package, so on a newer system follow Certbot’s current install instructions instead of the add-apt-repository line for the PPA.

sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot python-certbot-nginx

After the installation, the first Certbot run creates the /etc/letsencrypt directory, which holds your ACME account key, the certificates (under live/, as symlinks into archive/) and the per-certificate renewal settings (under renewal/). Later we only need to modify a few things there. Now run Certbot with its NGINX plugin:

sudo certbot --nginx

It will ask you to agree to the terms of service, enter an email address for the Let’s Encrypt account (used for account and security notices), choose which of the domains found in your NGINX server blocks the certificate should cover, and finally whether to redirect HTTP to HTTPS, which is the recommended choice. Behind the scenes Certbot proves control of the domain with the HTTP-01 challenge, so the domain must resolve to this server and port 80 must be reachable from the internet at the time you run it.

Step 2: Certbot Auto Renewal

The certbot package installs a systemd timer (certbot.timer) that runs certbot renew twice a day; renew only does work when a certificate has fewer than 30 days left, so the timer is what keeps the 90-day certificate alive. You can test that renewal would succeed, without touching your real certificates, with a dry run:

sudo certbot renew --dry-run

Next, check your existing Certbot certificates by executing the command below.

sudo certbot certificates

So, at this point, we have a working certificate for your NGINX web server. Let’s have a look at what Certbot did to your NGINX config at /etc/nginx/sites-available/ipaskil.com.

...
listen 80; # managed by Certbot
listen [::]:443 ssl http2;
listen 443 ssl http2;
gzip off;
ssl_certificate /etc/letsencrypt/live/ipaskil.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/ipaskil.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
...

The lines marked # managed by Certbot were inserted by Certbot itself; the rest of the block is your original configuration. Note that fullchain.pem (the certificate plus the intermediate) is what NGINX must serve, not cert.pem alone, otherwise clients cannot build the chain.

Step 3: Letsencrypt Options

In addition, you can double-check the TLS options that the include line above pulls in from /etc/letsencrypt/options-ssl-nginx.conf. The add_header lines at the end are not part of Certbot’s default file; they are extra hardening added by hand. Certbot only overwrites this file while its contents still match one of Certbot’s own versions, so once you edit it your copy stays and keeping it current is up to you.

ssl_session_cache shared:le_nginx_SSL:1m;
ssl_session_timeout 1d;
ssl_session_tickets off;

ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "omitted...";
ssl_ecdh_curve secp384r1;

ssl_stapling on;
ssl_stapling_verify on;

add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload;";
# Commented out: this strict policy blocks images, JS, CSS and other static files served from any other origin. Re-enable it once the allowed sources match what your site actually loads.
# add_header Content-Security-Policy "default-src 'none'; frame-ancestors 'none'; script-src 'self'; img-src 'self'; style-src 'self'; base-uri 'self'; form-action 'self';";
add_header Referrer-Policy "no-referrer, strict-origin-when-cross-origin";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";

As you can see, I commented out the Content-Security-Policy line. That policy (default-src 'none', with scripts, images and styles allowed from 'self' only) blocks anything loaded from another origin, such as a CDN, third-party scripts or web fonts, so the site renders broken until the policy is tailored to it. Commenting it out is the quick fix; the better fix is to list the origins your site really uses and keep the header. Of course, it’s up to you. Two caveats while you tune these headers: in NGINX, a location block that sets any add_header of its own does not inherit the add_header lines from the enclosing block, so HSTS and the other headers here silently disappear on those locations unless you repeat them; and the preload flag in the HSTS header signals that you intend to submit the domain to the browser preload list, after which every subdomain must serve HTTPS and getting removed is slow, so keep it only if you mean it.

# add_header Content-Security-Policy "default-src 'none'; frame-ancestors 'none'; script-src 'self'; img-src 'self'; style-src 'self'; base-uri 'self'; form-action 'self';";

We’re almost done. Check the configuration first with sudo nginx -t, since a syntax error at this point would take the site down on reload, then reload NGINX so the lines Certbot inserted take effect.

sudo nginx -s reload

At this point, open your domain in the browser and confirm that it is served over HTTPS with the new certificate. Then run your domain through the SSL Labs server test: the A+ comes from the combination of a valid chain, no legacy protocols, strong ciphers and a long-lived HSTS header, so if any of those is off the report will tell you which one.
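Putting Steps 1 to 3 together, here is an added example (my own, not code from the original post or from Certbot) that runs the same procedure non-interactively for one vhost, audits the rendered TLS options for the settings that cost points on SSL Labs, and only then reloads NGINX and checks renewal. The domain, email and the --apply flag are placeholders of this example; the two sample configs inside the script are constructed fixtures so the audit can be tried offline, and the cipher list is left out as it is above.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post or from Certbot. Runs the
# Step 1-3 procedure non-interactively for one vhost and audits the rendered TLS
# options before NGINX is reloaded. Assumes Ubuntu 18.04 with the PPA packages
# above; DOMAIN, EMAIL and the --apply flag are placeholders of this example.
set -u

install_certbot() {                 # Step 1, with -y so nothing prompts
  sudo apt-get update
  sudo apt-get install -y software-properties-common
  sudo add-apt-repository -y universe
  sudo add-apt-repository -y ppa:certbot/certbot
  sudo apt-get update
  sudo apt-get install -y certbot python-certbot-nginx
}

# issue_cert DOMAIN EMAIL: the questions `certbot --nginx` asks, answered as flags.
# --redirect is the HTTP->HTTPS choice; --keep-until-expiring makes re-runs a no-op.
issue_cert() {
  sudo certbot --nginx --non-interactive --agree-tos --email "$2" \
    --domains "$1" --redirect --keep-until-expiring
}

# audit_tls_conf FILE: prints one line per finding; exit status = number of
# findings (0 = clean). Commented-out directives, like the CSP line, are ignored.
audit_tls_conf() {
  local active n=0
  active=$(grep -vE '^[[:space:]]*#' "$1")
  has() { printf '%s\n' "$active" | grep -qE "$1"; }
  # legacy protocol names as whole tokens: SSLv3, TLSv1, TLSv1.1 (TLSv1.2/1.3 pass)
  if has '^[[:space:]]*ssl_protocols.*(SSLv3|TLSv1(\.1)?)([[:space:];]|$)'; then
    echo "FAIL ssl_protocols enables SSLv3/TLSv1/TLSv1.1"; n=$((n + 1)); fi
  if ! has '^[[:space:]]*ssl_session_tickets[[:space:]]+off'; then
    echo "FAIL ssl_session_tickets is not off (the ticket key only changes on restart)"; n=$((n + 1)); fi
  if ! has '^[[:space:]]*ssl_stapling[[:space:]]+on'; then
    echo "FAIL ssl_stapling is off (clients must fetch OCSP themselves)"; n=$((n + 1)); fi
  if ! has 'Strict-Transport-Security'; then
    echo "FAIL no HSTS header (needed for the A+ grade)"; n=$((n + 1)); fi
  return "$n"
}

# write_sample_conf FILE strong|weak: constructed fixtures (not real server files)
# so the audit can be exercised offline. "strong" mirrors the options file above.
write_sample_conf() {
  if [ "$2" = strong ]; then
    cat >"$1" <<'EOF'
ssl_session_cache shared:le_nginx_SSL:1m;
ssl_session_timeout 1d;
ssl_session_tickets off;
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload";
# add_header Content-Security-Policy "default-src 'none'; script-src 'self'";
EOF
  else
    cat >"$1" <<'EOF'
ssl_session_tickets on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
# ssl_stapling on;
# add_header Strict-Transport-Security "max-age=15768000";
EOF
  fi
}

reload_if_valid() { sudo nginx -t && sudo nginx -s reload; }   # never reload a broken config

check_renewal() {                   # Step 2: the package's certbot.timer does the real renewals
  sudo certbot renew --dry-run
  systemctl list-timers certbot.timer --no-pager
}

if [ "${1:-}" = "--apply" ]; then   # ./le-nginx.sh --apply ipaskil.com you@example.com
  install_certbot
  issue_cert "${2:?domain}" "${3:?email}"
  audit_tls_conf /etc/letsencrypt/options-ssl-nginx.conf || echo "$? finding(s); fix before reloading"
  reload_if_valid
  check_renewal
else                                # no arguments: demo the audit on the weak fixture
  tmp=$(mktemp); write_sample_conf "$tmp" weak
  audit_tls_conf "$tmp" || echo "weak sample: $? finding(s)"
  rm -f "$tmp"
fi
```

Run it with no arguments to see the audit report on the weak fixture (four findings); with --apply DOMAIN EMAIL it performs the install, issuance, audit, config test, reload and renewal check in that order, and stops before the reload if nginx -t fails. The audit is deliberately a grep over the active directives: it catches the four mistakes that most often cost the A+ (legacy protocols, unrotated session tickets, no OCSP stapling, no HSTS), not every possible misconfiguration, so still run the SSL Labs test afterwards.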

Step 4: Cloudflare Configuration (Optional)

Moreover, if your site is not on Cloudflare, you can skip this part. Otherwise, log in to your Cloudflare account, select your domain and change the SSL mode to Full (strict), since the origin now has a publicly trusted certificate from Let’s Encrypt. In Full (strict) mode Cloudflare connects to your origin over HTTPS and refuses the connection if the origin certificate is invalid or expired, which is exactly why the auto-renewal from Step 2 matters.

Head over to the SSL/TLS tab and select the Full (strict) SSL mode. Next, click the “Edge Certificates” tab and turn these two options ON.

Always Use HTTPS
Redirect all requests with scheme “http” to “https”. This applies to all http requests to the zone.

Automatic HTTPS Rewrites
Automatic HTTPS Rewrites helps fix mixed content by changing “http” to “https” for all resources or links on your web site that can be served with HTTPS.

That’s it, there you have it: a working, auto-renewing certificate, and with the TLS settings above the site should score an A+.

In the next event loop on {{ PLP }}.

Congratulations! You now have a Let’s Encrypt certificate with auto-renewal configured on your NGINX web server, and the traffic between your users and your site is encrypted end to end. Keep in mind that this protects the transport only; it does not fix vulnerabilities in the application itself.

Besides, Let’s Encrypt is generously securing our sites, and our users’ data as well, free of charge.

For those who were not able to launch your site with a certificate, had a hard time following this tutorial, or need more clarification, don’t worry: leave a comment below and I’m happy to help you succeed.

That’s all, have fun learning with {{ PLP }}.

This site exists to help Filipino students learn the Python programming language with Django and enhance their ability to develop robust web-based applications, through practical, direct-to-the-point, step-by-step tutorials with real information that I provide for you. Leave a comment below or email me at [email protected], thank you!