How to Install Nginx with Let’s Encrypt TLS/SSL on Debian 11 Bullseye

NGINX is an open-source, free HTTP server software. In addition to its HTTP server capabilities, NGINX can also function as a proxy server for e-mail (IMAP, POP3, and SMTP) and a reverse proxy and load balancer for HTTP, TCP, and UDP servers. The goal behind NGINX was to create the fastest web server around, and maintaining that excellence is still a central goal of the Nginx project. NGINX consistently beats Apache and other servers in benchmarks measuring web server performance and is now the most popular used web server according to W3Tech.

In the following tutorial, you will learn how to install Nginx on Debian 11 Bullseye using the default Debian repository or the alternative repository by Ondřej Surý with a free TLS/SSL certificate from Let’s Encrypt.

Prerequisites

  • Recommended OS: Debian 11 Bullseye
  • User account: A user account with sudo privilages or root access (su command).

Updating Operating System

Update your Debian 11 Bullseye operating system to make sure all existing packages are up to date:

sudo apt update && sudo apt upgrade

Root or Sudo Access

By default, when you create your account at startup with Debian compared to other distributions, it does not automatically receive sudoers status. You must either have access to the root password to use the su command or visit our tutorial on How to Add a User to Sudoers on Debian.

Install Nginx

Method 1. Install Nginx Stable from Debian Repository

The first method is to install Nginx from Debian’s default repositories, and these versions are proven to be stable and secure. If you need to run a primary web server or reverse proxy, installing the Debian repository packages is often recommended.

To install Nginx, run the following command.

sudo apt install nginx

Example output:

How to Install Nginx with Let's Encrypt TLS/SSL on Debian 11 Bullseye

Type “Y,” then press the “ENTER KEY” to proceed with the installation.

Next, verify the version build and if the installation was successful.

sudo nginx -v

Example output:

nginx version: nginx/1.18.0

Method 2. Install Latest Nginx Stable or Mainline from Ondřej Surý Repository

Alternatively, instead of installing the default Nginx stable build from the Debian 11 repository, you can install either Nginx Stable or Mainline using the repository from Ondřej Surý, the PHP maintainer for Debian.

To import mainline repository:

curl -sSL https://packages.sury.org/nginx-mainline/README.txt | sudo bash -x

To import stable repository:

curl -sSL https://packages.sury.org/nginx/README.txt | sudo bash -x

Update your repository to reflect the new change:

sudo apt update

Now that you have installed the Nginx repository and updated the repository list, install Nginx with the following:

sudo apt install nginx-core nginx-common nginx nginx-full

Example output:

How to Install Nginx with Let's Encrypt TLS/SSL on Debian 11 Bullseye

Type “Y,” then press the “ENTER KEY” to proceed and complete the installation.

Now check to ensure the latest Nginx from the Ondřej Surý repository was installed using the apt-cache policy command. Note, the tutorial example installed Nginx Mainline:

apt-cache policy nginx

Example output for Nginx Mainline:

How to Install Nginx with Let's Encrypt TLS/SSL on Debian 11 Bullseye

Note that you may be prompted to keep or replace your existing /etc/nginx/nginx.conf configuration file during the installation. It is recommended to keep your current configuration file by pressing (n). A copy will be made regardless of the maintainer’s version, and you can also check this in the future.

You will notice additional modules will be available in this version, most notably brotli support. To install brotli, follow the steps below.

Open your nginx.conf configuration file:

nano /etc/nginx/nginx.conf

Now add the additional lines before in the HTTP{} section:

brotli on;
brotli_comp_level 6;
brotli_static on;
brotli_types application/atom+xml application/javascript application/json application/rss+xml
   application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype
   application/x-font-ttf application/x-javascript application/xhtml+xml application/xml
   font/eot font/opentype font/otf font/truetype image/svg+xml image/vnd.microsoft.icon
   image/x-icon image/x-win-bitmap text/css text/javascript text/plain text/xml;

The brotli_comp_level can be set between 1 (lowest) and 11 (highest). Typically, most servers sit in the middle, but if your server is a monster, set to 11 and monitor CPU usage levels.

Next, test to make sure the changes are working correctly before making it live:

sudo nginx -t

If the changes are working correctly, you should see the following:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Now make the changes live by restarting your server:

sudo systemctl restart nginx
systemctl status nginx

Example output:

How to Install Nginx with Let's Encrypt TLS/SSL on Debian 11 Bullseye

Optional. UFW Configuration

By default, UFW is not installed on Debian 11 Bullseye, unlike other distributions such as Ubuntu. However, if you use UFW or want a clearer view of running a firewall, use the information below to configure UFW for Nginx.

To install UFW, use the following command.

sudo apt install ufw -y

Next, enable UFW with the following command.

sudo ufw enable

By default, all incoming connections are now blocked, and all outgoing is allowed.

Next, find out what applications you have installed by entering the following.

sudo ufw app list

Example output (Note a large list will appear of other applications as well):

 Available applications:
   Nginx Full
   Nginx HTTP
   Nginx HTTPS

Next, you can enable Nginx in HTTP (Port 80), HTTPS (Port 443), or Full, including all options.

HTTP (Port 80):

sudo ufw allow 'Nginx HTTP'

HTTP (Port 443):

sudo ufw allow 'Nginx HTTPS'

HTTP & HTTPS (Full):

sudo ufw allow 'Nginx FULL'

In the tutorial, “Nginx (Full)” was enabled.

Example output:

 Rules updated
 Rules updated (v6)

Confirm the firewall rules are active with the following command.

sudo ufw status

You will see the rules listed in the output.

 Status: active
 To                         Action      From
 --                         ------      ----
 Nginx Full                 ALLOW       Anywhere                  
 Nginx Full (v6)          ALLOW       Anywhere (v6) 

After UFW is configured, check to make sure you can see the Nginx landing page in your Internet Browser.

http://your_server_ip

If all is working well, you should land on the following page:

How to Install Nginx with Let's Encrypt TLS/SSL on Debian 11 Bullseye

Configure Nginx Server

You will need to have the server’s IP address ready for set up. The easiest way to do this is with the following.

Find Server IP Address

You will need to have the server’s IP address ready for set up. The easiest way to do this is with the following.

curl -4 icanhazip.com

Example output:

XXX.XXX.XXX.XXX IP address

Set Up Site Source Directory

Nginx server blocks (similar to virtual hosts in Apache) can encapsulate configuration details and host more than one domain from a single server. In the tutorial, you will set up a domain called example.com, but you should replace this with your domain name.

When you install Nginx, it is created with a pre-installed www directory. The location is found at /var/www/html/.

First, create the directory, for example.com, as follows, using the “-p” flag to make any necessary parent directories:

sudo mkdir -p /var/www/example.com/html

Second, you will need to assign the owner of the directory.

sudo chown -R $USER:$USER /var/www/your_domain/html

Third, assign the directory’s permissions, so the owner read, write, and execute the files while granting only read and execute permissions to groups and others. You can input the following command:

sudo chmod -R 755 /var/www/your_domain

Set up Test HTML page

Fourth, create a test page that you will use to confirm your Nginx server is operational.

nano /var/www/your_domain/html/index.html

Inside the nano editor and new file you have created. Enter the following.

<html>
 <head>
  <title>Welcome to your_domain!</title>
 </head>
 <body>
   <h1>Success!  The your_domain server block is working!</h1>
 </body>
</html>

Save the file CTRL+O, then exit CTRL+X.

Create Nginx Server Block

Now, you will create the server block for your website. We will create a new server block as follows.

sudo nano /etc/nginx/sites-available/your_domain.conf

You can paste the following example code into the block. This is just an HTTP-only example for basic testing.

server {
 listen 80;
 listen [::]:80;

 root /var/www/your_domain/html;

  index index.html index.htm index.nginx-debian.html;
  server_name your_domain www.your_domain;

 location / {
  try_files $uri $uri/ =404;
 }
}

The example shows your server is listening for two server names, “your_domain” on port 80.

You will need to change the root directory to the name/location of the root directory you create.

Enabled Nginx Server Block

To enable Nginx server blocks, you must link the configuration files from sites-available to sites-enabled in your Nginx directory. This can be done with the ln -s command as follows.

sudo ln -s /etc/nginx/sites-available/your_domain.conf /etc/nginx/sites-enabled/

Final Configuration & Test run

In the final stage, you will need to open your default nginx.conf file.

sudo nano /etc/nginx/nginx.conf

And uncomment the following line.

server_names_hash_bucket_size 64;

The server name’s hash bucket size is changed as sometimes problems arise from adding additional servers.

Next, test your Nginx to make sure it’s working before properly restarting.

sudo nginx -t

The output should be if no errors in the syntax:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

If you have the following ok output, restart the Nginx server for the changes to take place.

sudo systemctl restart nginx

Now open your Internet Browser and type in the server domain name. You should see your server block is live.

Secure Nginx with Let’s Encrypt SSL Free Certificate

Ideally, you would want to run your Nginx on HTTPS using an SSL certificate. The best way to do this is to use Let’s Encrypt, a free, automated, and open certificate authority run by the nonprofit Internet Security Research Group (ISRG).

First, install the certbot package as follows:

sudo apt install python3-certbot-nginx -y

Once installed, run the following command to start the creation of your certificate:

sudo certbot --nginx --agree-tos --redirect --hsts --staple-ocsp --email you@example.com -d www.example.com

This is the ideal setup that includes force HTTPS 301 redirects, Strict-Transport-Security header, and OCSP Stapling. Just make sure to adjust the e-mail and domain name to your requirements.

Now your URL will be HTTPS://www.example.com instead of HTTP://www.example.com.

Note, if you use the old HTTP URL, it will automatically redirect to HTTPS.

How to Access Nginx Server Logs

Nginx Logs Directory

By default, all NGINX access/error logs, unless you have changed them, are located in the log directory, which the following command can view.

First, navigate to the logs directory and list files:

cd /var/log/nginx && ls -l

You should find the following access and error files:

Access Log:

/var/log/nginx/access.log

Error Log:

/var/log/nginx/error.log

To view logs in real-time in your terminal using the sudo tail -f /location/of/log path command.

Example:

sudo tail -f /var/log/nginx/access.log

Another option is to print the last X amount of lines. For example, X is replaced with 30 to print 30 lines by adding the -n 30 flag.

sudo tail -f /var/log/nginx/access.log -n 30

These are just some examples of reading logs.

How to Configure Nginx Log Rotate

Nginx automatically installs log rotation and configure it to default which is to rotate daily. You can change these settings by accessing the file as shown below.

sudo nano /etc/nginx/logrotate.d/nginx

Next, you will see the same if not similar file structure. You can modify the contents here. Mostly you can change how many logs to keep or go from daily to weekly. This should be left on default unless you have specific log requirement needs for software like fail2ban monitoring or similar.

/var/log/nginx/*.log {
  daily
  missingok
  rotate 14
  compress
  delaycompress
  notifempty
  create 0640 www-data adm
  sharedscripts
  prerotate
  if [ -d /etc/logrotate.d/httpd-prerotate ]; then \
  run-parts /etc/logrotate.d/httpd-prerotate; \
  fi \
  endscript
  postrotate
  invoke-rc.d nginx rotate >/dev/null 2>&1
  endscript
}

The main settings you will probably want to change is the following:

  • Daily – This can be changed to Weekly, Monthly. This shouild be kept at daily, or else going through the log file will be difficult.
  • Rotate 14 – This is how many logs to keep and remove, so at max there is only 14 logs, if you only want to keep 7 days worth of logs change this to 7.

Its recommended not to touch any other settings unless you know what you are doing.

How to Update Nginx

Nginx will be updated by default when a new version hits the repositories. Before upgrading, it’s always advised to back up your Nginx directory or, at the very least, the nginx.conf file. You can do either with the following command.

Back up nginx.conf (Highly Recommended):

sudo cp /etc/nginx/nginx.conf /etc/nginx/nginx-backup.conf

Back up your entire Nginx folder if you prefer:

sudo cp /etc/nginx/ /etc/nginx-bkup

Next, run the standard update command.

sudo apt update

If an upgrade is available, run the upgrade.

sudo apt upgrade 

You may be prompted this during an upgrade or installation, but manually doing this beforehand is pretty essential. For large Nginx configurations of multiple sites, backing up to something like Github or Gitlab would be even more beneficial.

Comments and Conclusion

In the tutorial, you have learned to install and set up basic Nginx configuration on your domain on Debian 11 Bullseye and create a free SSL certificate using Let’s Encrypt. Overall, Nginx is the most used and popular web application software now, with every month and year surpassing taking more market share from Apache.

Some new contenders are starting to pop up, such as Openlitespeed but given these other web applications, for now, focus on specific things like WordPress. Nginx will be the go-to web application for some time.



Follow LinuxCapable.com!

Like to get automatic updates? Follow us on one of our social media accounts!