How to Secure Nginx with Let's Encrypt on Debian 10

Maneesh kushwaha
3 min read · May 30, 2020


We hope this post helps you find out how to secure Nginx with Let's Encrypt on Debian 10.

Let's Encrypt is a free, automated, and open certificate authority developed by the Internet Security Research Group (ISRG) that provides free SSL certificates.

Certificates issued by Let's Encrypt are trusted by all major browsers and are valid for 90 days from the issue date.

This tutorial shows how to install a free Let's Encrypt SSL certificate on Debian 10 (Buster) running Nginx as a web server. We'll also show how to configure Nginx to use the SSL certificate and enable HTTP/2.

Prerequisites #

Ensure the following prerequisites are met before continuing with this guide:

  • You are logged in as root or as a user with sudo privileges.
  • The domain for which you want to obtain the SSL certificate must point to your public server IP. We'll use example.com.
  • Nginx is installed.

Installing Certbot #

We'll use the certbot tool to obtain and renew the certificates.

Certbot is a fully-featured and easy-to-use tool that automates the tasks of obtaining and renewing Let's Encrypt SSL certificates and configuring web servers to use them.

The certbot package is included in the default Debian repositories. Run the following commands to install certbot:

sudo apt update
sudo apt install certbot

Generating a DH (Diffie-Hellman) Group #

Diffie-Hellman key exchange (DH) is a method of securely exchanging cryptographic keys over an unsecured communication channel.

We're going to generate a new set of 2048-bit DH parameters to strengthen the security:

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

You can also increase the size up to 4096 bits, but the generation may take more than 30 minutes depending on the system entropy.

Obtaining a Let's Encrypt SSL certificate #

To obtain an SSL certificate for the domain, we're going to use the Webroot plugin. It works by creating a temporary file for validating the requested domain in the ${webroot-path}/.well-known/acme-challenge directory. The Let's Encrypt server makes HTTP requests to the temporary file to validate that the requested domain resolves to the server where certbot runs.

We're going to map all HTTP requests for .well-known/acme-challenge to a single directory, /var/lib/letsencrypt.

Run the following commands to create the directory and make it writable for the Nginx server:

sudo mkdir -p /var/lib/letsencrypt/.well-known
sudo chgrp www-data /var/lib/letsencrypt
sudo chmod g+s /var/lib/letsencrypt

To avoid duplicating code, we’ll create two snippets that will be included in all Nginx server block files.

Open your text editor and create the first snippet, letsencrypt.conf:

sudo nano /etc/nginx/snippets/letsencrypt.conf

/etc/nginx/snippets/letsencrypt.conf

location ^~ /.well-known/acme-challenge/ {
  allow all;
  root /var/lib/letsencrypt/;
  default_type "text/plain";
  try_files $uri =404;
}
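Before asking Let's Encrypt for a certificate, it is worth confirming that the challenge directory is really reachable through Nginx the way the CA will fetch it. The pre-flight check below is an added example written for this tutorial, not part of the original post or of certbot: it drops a random token into the webroot, requests it over plain HTTP at /.well-known/acme-challenge/<token>, and compares the bytes. The path /var/lib/letsencrypt and the domain example.com are the tutorial's values; resolve_root, webroot_preflight and run_offline_demo are names chosen here.

```python
import os
import secrets
import tempfile
import urllib.request

CHALLENGE_PATH = "/.well-known/acme-challenge/"

def resolve_root(root, uri):
    # Models nginx's `root` directive: the full URI is appended to the root, so
    # /.well-known/acme-challenge/TOKEN under root /var/lib/letsencrypt/
    # becomes /var/lib/letsencrypt/.well-known/acme-challenge/TOKEN.
    return os.path.join(root, uri.lstrip("/"))

def http_fetch(url):
    # Fetch like the CA does: plain HTTP, no special headers. None on any failure.
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.read().decode()
    except Exception:
        return None

def webroot_preflight(webroot, base_url, fetch=http_fetch):
    # Write a random token into the challenge directory (needs write access,
    # e.g. run as root), fetch it through the web server, compare, clean up.
    token = secrets.token_urlsafe(32)
    chal_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(chal_dir, exist_ok=True)
    path = os.path.join(chal_dir, token)
    with open(path, "w") as fh:
        fh.write(token)
    try:
        body = fetch(base_url.rstrip("/") + CHALLENGE_PATH + token)
    finally:
        os.remove(path)
    return body == token

def run_offline_demo(serve=True):
    # Stand-in for a running nginx so the check can be exercised without a
    # server: the fetcher applies the `root` mapping on a temporary webroot.
    # serve=False imitates a server that never includes letsencrypt.conf (404).
    with tempfile.TemporaryDirectory() as webroot:
        def fs_fetch(url):
            uri = url.split("://", 1)[1].split("/", 1)[1]  # drop scheme and host
            target = resolve_root(webroot, "/" + uri)
            return open(target).read() if os.path.isfile(target) else None
        fetch = fs_fetch if serve else (lambda url: None)
        return webroot_preflight(webroot, "http://example.com", fetch=fetch)

if __name__ == "__main__":
    # Real check against the running server, using the tutorial's paths.
    print("webroot ok:", webroot_preflight("/var/lib/letsencrypt", "http://example.com"))
```

A False result means certbot's HTTP-01 validation would also fail, so fix the server block (or the directory permissions) before running it.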

The second snippet, ssl.conf, includes the ciphers recommended by Mozilla, enables OCSP stapling and HTTP Strict Transport Security (HSTS), and enforces a few security-focused HTTP headers.

sudo nano /etc/nginx/snippets/ssl.conf

/etc/nginx/snippets/ssl.conf

ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 30s;
add_header Strict-Transport-Security "max-age=63072000" always;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
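Snippets like ssl.conf tend to drift on long-lived hosts, so a small audit that reads the directives back and flags the settings this tutorial cares about is a useful check. The script below is an added example, not part of the original post or of Nginx: GOOD_SSL_CONF is a constructed copy of the snippet above, WEAK_SSL_CONF a constructed legacy variant, and the 180-day HSTS floor is an assumption chosen here (the tutorial itself uses two years).

```python
import re

# Constructed copy of the directives from this tutorial's ssl.conf (baseline).
GOOD_SSL_CONF = """
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security "max-age=63072000" always;
add_header X-Content-Type-Options nosniff;
"""

# Constructed weaker variant of the kind still found on older hosts.
WEAK_SSL_CONF = """
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_session_tickets on;  # resumption keys never rotate without a restart
ssl_stapling off;
add_header Strict-Transport-Security "max-age=300";
"""

HSTS_MIN_AGE = 15552000  # assumed floor: 180 days in seconds

def parse_directives(conf):
    # Collect (name, arguments) pairs; nginx directives end with ';'.
    out = []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.endswith(";"):
            name, _, args = line[:-1].partition(" ")
            out.append((name, args.strip()))
    return out

def audit_ssl_conf(conf):
    d = parse_directives(conf)
    get = lambda name: [args for key, args in d if key == name]
    findings = []
    protos = " ".join(get("ssl_protocols")).split()
    if any(p in protos for p in ("SSLv3", "TLSv1", "TLSv1.1")):
        findings.append("legacy protocol enabled: " + " ".join(protos))
    if get("ssl_session_tickets") != ["off"]:
        findings.append("ssl_session_tickets should be off")
    if get("ssl_stapling") != ["on"] or get("ssl_stapling_verify") != ["on"]:
        findings.append("OCSP stapling not enabled and verified")
    if not get("ssl_dhparam"):
        findings.append("no ssl_dhparam; the DHE-* suites in the cipher list need it")
    hsts = [a for a in get("add_header") if a.startswith("Strict-Transport-Security")]
    m = re.search(r"max-age=(\d+)", hsts[0]) if hsts else None
    if not m or int(m.group(1)) < HSTS_MIN_AGE or "always" not in hsts[0]:
        findings.append("HSTS missing, max-age below floor, or without 'always'")
    return findings
```

Run it over the contents of /etc/nginx/snippets/ssl.conf after `nginx -t` passes; an empty list means the snippet still matches the tutorial's hardening.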

Once done, open the domain server block file and include the letsencrypt.conf snippet as shown below:

sudo nano /etc/nginx/sites-available/example.com.conf

/etc/nginx/sites-available/example.com.conf

server {
  listen 80;
  server_name example.com www.example.com;
  include snippets/letsencrypt.conf;
}

Create a symbolic link to the sites-enabled directory to enable the domain server block:

sudo ln -s /etc/nginx/sites-available/example.com.conf /etc/nginx/sites-enabled/

Restart the Nginx service for the changes to take effect:

sudo systemctl restart nginx

You’re now ready to obtain the SSL certificate files by running the following command:

sudo certbot certonly --agree-tos --email admin@example.com --webroot -w /var/lib/letsencrypt/ -d example.com -d www.example.com

If the SSL certificate is successfully obtained, the following message will be printed on your terminal:

Read the full article:

https://www.mstvlife.com/how-to-secure-nginx-with-lets-encrypt-on-debian-10/
