Introduction
This week I fumbled through configuring my new site with NGINX and a secure SSL setup using Let's Encrypt. I did a lot of research and development before getting it deployed and running successfully on an Ubuntu server.
Step-1: Create the web root (replace your_domain with the domain the certificate will be issued for, and use the same name in every step so the file created here matches the symlink in Step-3):
mkdir /var/www/your_domain
Step-2: Create a text file
/etc/nginx/sites-available/your_domain.conf
containing:
server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;
    server_name your_domain www.your_domain;
    root /var/www/your_domain;
    index index.html;

    location / {
        try_files $uri $uri/ =404;
    }
}
Step-3: Disable the default site, enable yours, test the configuration and restart Nginx:
sudo rm /etc/nginx/sites-enabled/default
sudo ln -s /etc/nginx/sites-available/your_domain.conf /etc/nginx/sites-enabled/your_domain.conf
sudo nginx -t
sudo systemctl stop nginx
sudo systemctl start nginx
Step-4: Check that Nginx is running:
sudo systemctl status nginx
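Steps 1 to 4 above, as an added shell script that is not part of the original post. It renders the same server block for a domain passed as an argument, enables it, and then runs the configuration test; it reloads Nginx instead of the stop/start pair above, which is my choice, not the author's. It assumes the Debian/Ubuntu sites-available/sites-enabled layout and accepts an alternative base directory as a second argument so the rendering can be checked without touching /etc/nginx.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): parameterised version of
# Steps 1-4. Usage: sudo ./enable-site.sh example.com
# Dry run into a scratch directory: ./enable-site.sh example.com /tmp/nginx-test
set -eu

# Render the HTTP server block for DOMAIN (arg 1) into FILE (arg 2)
# with document root ROOT (arg 3). Mirrors the block shown in Step-2.
render_site_conf() {
  domain="$1"; file="$2"; root="$3"
  cat > "$file" <<EOF
server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;
    server_name ${domain} www.${domain};
    root ${root};
    index index.html;

    location / {
        try_files \$uri \$uri/ =404;
    }
}
EOF
}

# Create the web root and the site file, drop the distro default site,
# symlink the new site into sites-enabled, then test and reload nginx.
# NGINX_DIR defaults to /etc/nginx (assumed Debian/Ubuntu layout).
enable_site() {
  domain="$1"; nginx_dir="${2:-/etc/nginx}"
  avail="$nginx_dir/sites-available/$domain.conf"
  enabled="$nginx_dir/sites-enabled/$domain.conf"
  mkdir -p "$nginx_dir/sites-available" "$nginx_dir/sites-enabled"
  if [ "$nginx_dir" = /etc/nginx ]; then
    mkdir -p "/var/www/$domain"
  fi
  render_site_conf "$domain" "$avail" "/var/www/$domain"
  rm -f "$nginx_dir/sites-enabled/default"
  ln -sfn "$avail" "$enabled"
  # Only touch the running service when operating on the real config tree.
  if [ "$nginx_dir" = /etc/nginx ] && command -v nginx >/dev/null 2>&1; then
    nginx -t && systemctl reload nginx
  fi
}

if [ -n "${1:-}" ]; then
  enable_site "$1" "${2:-/etc/nginx}"
fi
```

`nginx -t` runs before the reload so a typo in the rendered block fails the script instead of taking the site down; the dry-run directory lets you inspect the generated file with `cat` before running it for real.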
Step-5: Install certbot
A one-liner to install certbot is
curl -o- https://raw.githubusercontent.com/vinyll/certbot-install/master/install.sh | bash
This is a third-party script, so read it before piping it into a shell; the certbot package from the Ubuntu repositories is the alternative if you prefer not to.
Step-6: Set up the certificates and convert the virtual hosts to HTTPS:
sudo certbot --nginx
It will ask for:
an email address
agreeing to its Terms of Service
which domains to use HTTPS for (it detects the list using server_name lines in your Nginx config)
whether to redirect HTTP to HTTPS (recommended) or not
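Once certbot has issued the certificate, the thing worth checking regularly is how close it is to expiry, since Let's Encrypt certificates are short-lived and depend on the renewal job working. The script below is an added example, not part of the original post. It assumes the Let's Encrypt live path layout /etc/letsencrypt/live/<domain>/fullchain.pem and openssl on PATH; the 30-day threshold is my choice.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): report the certificate's
# subject and expiry and warn when renewal is due.
# Usage: ./check-cert.sh example.com   (reads /etc/letsencrypt/live/example.com/)
set -eu

# Exit 0 if CERT (arg 1) is still valid for at least DAYS (arg 2, default 30)
# more days, 1 otherwise. openssl's -checkend takes seconds.
cert_valid_for_days() {
  cert="$1"; days="${2:-30}"
  openssl x509 -noout -checkend "$((days * 86400))" -in "$cert" >/dev/null
}

# Print the subject and notAfter date of CERT (arg 1).
cert_summary() {
  openssl x509 -noout -subject -enddate -in "$1"
}

# Check the live certificate for DOMAIN (arg 1); assumed Let's Encrypt layout.
check_domain() {
  domain="$1"
  cert="/etc/letsencrypt/live/$domain/fullchain.pem"
  cert_summary "$cert"
  if cert_valid_for_days "$cert" 30; then
    echo "OK: $domain has more than 30 days of validity left"
  else
    echo "WARN: $domain expires within 30 days; test renewal with: sudo certbot renew --dry-run"
  fi
}

if [ -n "${1:-}" ]; then
  check_domain "$1"
fi
```

`certbot renew --dry-run` exercises the whole renewal path against the staging environment without replacing the live certificate, so it is the right thing to run when this check warns.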
SSL
Now let's edit the shared SSL settings at /etc/letsencrypt/options-ssl-nginx.conf. Be aware that certbot manages this file and checks its hash: once it has been modified, certbot will not overwrite it with updated defaults, so putting these directives in the site's own server block instead is the alternative.
The settings below restrict the protocol and cipher set and add the usual security headers. The Content-Security-Policy here is deliberately liberal: script-src * 'unsafe-inline' 'unsafe-eval' allows scripts from any origin as well as inline script, so it offers almost no protection against injected script; tighten it once you know which origins the site actually loads from.
ssl_session_cache shared:le_nginx_SSL:1m;
ssl_session_timeout 1d;
ssl_session_tickets off;
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload;";
add_header Content-Security-Policy "default-src 'self'; connect-src *; font-src *; frame-src *; img-src * data:; media-src *; object-src *; script-src * 'unsafe-inline' 'unsafe-eval'; style-src * 'unsafe-inline';";
add_header Referrer-Policy "no-referrer, strict-origin-when-cross-origin";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
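A small lint for the settings above, added here as an example and not part of the original post: it reads an nginx configuration fragment and prints one line per weak or missing setting. The thresholds are my assumptions for this example (TLS 1.2 or newer only, session tickets off, an HSTS header, a CSP whose script-src contains no wildcard or unsafe keywords, and X-Content-Type-Options), not rules from certbot or nginx.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): lint the TLS and header
# directives in an nginx config fragment.
# Usage: ./audit-tls.sh /etc/letsencrypt/options-ssl-nginx.conf
# set -f disables globbing so a bare * from a CSP can be iterated safely.
set -euf

findings=0
finding() { echo "FINDING: $1"; findings=$((findings + 1)); }

# Print findings for FILE (arg 1); exit 0 when clean, 1 otherwise.
audit_tls_conf() {
  file="$1"
  findings=0

  # Legacy protocol versions: take the ssl_protocols line and check each token.
  protos=$(sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]*\(.*\);.*/\1/p' "$file")
  for p in $protos; do
    case "$p" in
      SSLv2|SSLv3|TLSv1|TLSv1.1) finding "ssl_protocols enables legacy $p" ;;
    esac
  done

  # Session tickets reuse one long-lived key unless rotated; the post turns them off.
  if ! grep -Eq '^[[:space:]]*ssl_session_tickets[[:space:]]+off[[:space:]]*;' "$file"; then
    finding "ssl_session_tickets is not off"
  fi

  if ! grep -q 'add_header[[:space:]]*Strict-Transport-Security' "$file"; then
    finding "no Strict-Transport-Security header"
  fi

  # CSP: pull the quoted value, isolate script-src (falling back to default-src)
  # and flag tokens that make the policy ineffective against injected script.
  csp=$(sed -n 's/.*add_header[[:space:]]*Content-Security-Policy[[:space:]]*"\([^"]*\)".*/\1/p' "$file")
  if [ -z "$csp" ]; then
    finding "no Content-Security-Policy header"
  else
    script_src=$(printf '%s\n' "$csp" | tr ';' '\n' | sed -n 's/^[[:space:]]*script-src[[:space:]]*//p')
    if [ -z "$script_src" ]; then
      script_src=$(printf '%s\n' "$csp" | tr ';' '\n' | sed -n 's/^[[:space:]]*default-src[[:space:]]*//p')
    fi
    for tok in $script_src; do
      case "$tok" in
        '*'|"'unsafe-inline'"|"'unsafe-eval'") finding "CSP script-src permits $tok, which defeats the policy" ;;
      esac
    done
  fi

  if ! grep -q 'add_header[[:space:]]*X-Content-Type-Options[[:space:]]*nosniff' "$file"; then
    finding "no X-Content-Type-Options: nosniff header"
  fi

  [ "$findings" -eq 0 ]
}

if [ -n "${1:-}" ]; then
  audit_tls_conf "$1"
fi
```

Run against the block above it reports the three CSP tokens and nothing else; the exit status makes it usable as a pre-deploy check alongside `nginx -t`.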
Now configure Nginx to enable gzip compression; the following snippet can be added to the configuration file to enable it. Compression is fine for a static site like this one; if the site ever reflects user-controlled input into responses that also carry secrets such as session or CSRF tokens, compressing those responses over TLS exposes them to the BREACH side channel, so leave such responses uncompressed.
gzip on;
gzip_disable "msie6";
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types application/javascript application/rss+xml application/vnd.ms-fontobject application/x-font application/x-font-opentype application/x-font-otf application/x-font-truetype application/x-font-ttf application/x-javascript application/xhtml+xml application/xml font/opentype font/otf font/ttf image/svg+xml image/x-icon text/css text/javascript text/plain text/xml;
References:
1. https://gist.github.com/cecilemuller/a26737699a7e70a7093d4dc115915de8