Installing Nginx and Certbot

The first step will be installing nginx. There are several ways to go about this, so I'll run through them from easiest to hardest.

The easiest way to install nginx will be to use the official packages. This can be done with apt install nginx on Ubuntu and Debian or dnf install nginx on Fedora. However, official repositories are normally a few versions behind. While this isn't necessarily bad, some people (myself included) like using the newest version for some features that won't be touched on in this guide.

The easiest way to install the latest version of nginx will be to use packages I build and maintain. However, this only works on Ubuntu 18+. To get started, first add my GPG key to apt and then add the package repository I maintain to your apt sources. The easiest way to do this is to run curl -sSL https://packages.galenguyer.com/bootstrap.sh | sh, though if you're hesitant to pipe from curl to bash, you can download and run the script normally. Finally, install the package you want. Five are provided, with various feature sets. Mainline packages are the latest version of nginx, whereas stable packages use the nginx stable branch, which is slightly behind mainline. Packages with "quiche" in the name have experimental HTTP/3 support enabled, which I don't reccomend unless you're familiar with nginx and ready to debug it. I would suggest installing the edgeinx-mainline package for the best mix of features and stability. This can be done by simply running apt install edgeinx-mainline. Any time you update your system with apt update or upgrade, it will update this package if a newer version is found as well.

The last way to install nginx is build it from source yourself. If you want to do this, I reccomend using this script, which was originally written by Seednode. You can edit it to change the version of nginx you install and change what features are installed as well. It will also set up default config files and a systemd service for you. I last tested it on Ubuntu 18.04, but it should work on all modern versions of Debian, Ubuntu, and Fedora. Be warned, it will take a long time to run if you don't have a relatively powerful CPU.

The final thing you'll want to install is certbot-auto. I've found it the easiest way to interact with Let'sEncrypt for certificates. You can install it by running the following commands:

sudo curl -sSL https://dl.eff.org/certbot-auto -o /usr/local/bin/certbot-auto
sudo chmod a+x /usr/local/bin/certbot-auto

Configuring Nginx for plain HTTP

Now that nginx is installed, let's complete the basic setup. Before doing this, make sure you have a domain set up that resolves to the public IP address of your server.

To configure nginx, enter the /etc/nginx directory on your server. You'll need root permissions to edit or create any files here. It will be populated with a few basic config files as well as default versions for all of them, which you can choose to keep or remove with rm *default

First, create two directories in which to store your configuration files using the following command:

# mkdir -p /etc/nginx/{sites,ssl}

Now that those directories exist, modify your nginx.conf file to include any configuration files we put in the /etc/nginx/sites directory. An example configuration file is available here: nginx.conf.

Next, create the file /etc/nginx/ssl/params.conf, where you'll configure HTTPS. You won't use these yet, but we'll get back to them. An example file with comments is available here: ssl/params.conf.

You'll also want to generate a dhparam.pem file. Here is a good explanation of what they're used for, though understanding that isn't required. Use the following command to generate the file:

# touch /etc/nginx/ssl/dhparam.pem && openssl dhparam --out /etc/nginx/ssl/dhparam.pem 4096

Now that your basic HTTPS configuration is done, let's tell nginx to listen for requests over HTTP for your website and serve files. This will also let us set up HTTPS.

In the /etc/nginx/sites directory, create a file ending with .conf. The actual name isn't important, but I find it useful to follow the pattern of [domain].conf, so I know which file controls which site. An example plain HTTP configuration file can be found here: sites/example.com.nohttps.conf, but you won't need more than the following four lines. Whichever configuration you go with, make sure to update the server_name and root options.

# /etc/nginx/sites/example.com.conf

server {
    listen 80;
    listen [::]:80;
    server_name example.com;
    root /var/www/example.com;
}

Now that all your configuration files are in place, run sudo nginx -t to test your configuration. If there are any errors, it will tell you, otherwise, you're good to apply the configuration! To do that, simply run sudo systemctl restart nginx, and you should be able to navigate to your website and see any pages you have!

Setting up HTTPS with LetsEncrypt

Now that you can access your website, it's time to get a certificate for HTTPS. Use the following command, making sure to update the -w and -d options appropriately:

# certbot-auto certonly --webroot -w /var/www/example.com/ -d example.com -d www.example.com --rsa-key-size 4096

Once this completes, you will have the certificates in /etc/letsencrypt/live/example.com. You'll have to renew them using the same command or certbot-auto renew every 90 days.

Finally, modify your configuration to use the certificate you just generated. You can use the example file at the following link, making sure to change from example.com to your domain! sites/example.com.conf

Once you've modified the configuration file, test it with sudo nginx -t again, and if everything is good, apply it with sudo systemctl reload nginx. Now, when you visit your site, it should redirect you to the HTTPS version. Just repeat this process to add any more domains!

A couple notes

All example configuration files can be found at https://git.galenguyer.com/chef/nginx-demo/

You might have noticed some blocks for php in the example config files. If you want to use PHP, install it (the command for Ubuntu is sudo apt install php7.2-fpm) and uncomment the lines as shown in this config file. You may need to change the socket path. If you are missing any of the other php config files, you can find in this git repo.