How to Install Nginx with Let’s Encrypt TLS/SSL on Linux Mint 20

NGINX is open-source software for web serving, reverse proxying, caching, load balancing, media streaming, and more. Linux Mint is a community-driven Linux distribution based on Ubuntu (based on Debian), bundled with various free and open-source applications. These two can host and operate well together, given both are excellent in their respective fields.

What is Linux Mint?

Linux Mint aims to produce a modern, elegant and comfortable operating system that is powerful and easy to use. Linux Mint is one of the most popular desktop Linux distributions and is used by millions of people.

Some of the reasons for the success of Linux Mint are:

  • It works out of the box, with full multimedia support and is extremely easy to use.
  • It’s both free of cost and open source.
  • It’s community-driven. Users are encouraged to send feedback to the project so that their ideas can be used to improve Linux Mint.
  • Based on Debian and Ubuntu, it provides about 30,000 packages and one of the best software managers.
  • It’s safe and reliable. Thanks to a conservative approach to software updates, a unique Update Manager, and its Linux architecture robustness, Linux Mint requires very little maintenance (no regressions, no antivirus, no anti-spyware…etc.).

What is Nginx?

Nginx is an open-source, free HTTP server software. In addition to its HTTP server capabilities, NGINX can also function as a proxy server for email (IMAP, POP3, and SMTP) and a reverse proxy and load balancer for HTTP, TCP, and UDP servers. The goal behind NGINX was to create the fastest web server around, and maintaining that excellence is still a central goal of the project. NGINX consistently beats Apache and other servers in benchmarks measuring web server performance. However, since the original release of NGINX, websites have expanded from simple HTML pages to dynamic, multifaceted content. NGINX has grown along with it and now supports all the components of the modern Web, including WebSocket, HTTP/2, gRPC, and streaming of multiple video formats (HDS, HLS, RTMP, and others).

Advantages of Nginx:

  • Installations and configurations are simple and easy. …
  • Fastest and the best for serving static files. …
  • Dynamic content transformed into static content. …
  • When compared to Apache, 4 times more concurrent connections are handled. …
  • Compatibility with commonly-used web apps. …
  • Load Balancing Support.

In the following guide, you will be shown how to install Nginx on Linux Mint 20.

Prerequisites

Update Operating System

Update your Linux Mint operating system to make sure all existing packages are up to date:

sudo apt update && sudo apt upgrade -y

The tutorial will be using the sudo command and assuming you have sudo status. To verify sudo status on your account:

sudo whoami

Example output showing sudo status:

[joshua@linuxmint ~]$ sudo whoami
root

If you have not set up a sudo user account and would like to, visit our tutorial on How to Add a User to Sudoers on Linux Mint.

To use the root account, use the following command with the root password to log in.

su

Install Nginx

Method 1. Install Nginx Stable from Default Repository

The first method is to install Nginx from Linux Mint’s default repositories, and these versions are proven to be stable and secure. If you need to run a primary web server or reverse proxy, installing the default repository packages is often recommended.

To install Nginx, run the following command.

sudo apt install nginx

Type “Y,” then press the “ENTER KEY” to proceed with the installation.

Next, verify the version build and if the installation was successful.

sudo nginx -v

Example output:

nginx version: nginx/1.18.0

Method 2. Install Latest Nginx Stable or Mainline from Ondřej Surý PPA

Alternatively, instead of installing the default Nginx stable build from Ubuntu 20.04’s repository, you can install either Nginx Stable or Mainline using the PPA from Ondřej Surý, the PHP maintainer for Debian.

Add one of the following PPAs with the matching command:

Install latest Nginx (STABLE):

sudo add-apt-repository ppa:ondrej/nginx-stable -y && sudo apt update

Install latest Nginx (MAINLINE):

sudo add-apt-repository ppa:ondrej/nginx-mainline -y && sudo apt update

Now that you have installed the PPA and updated the repository list, install Nginx with the following:

sudo apt install nginx-core nginx-common nginx nginx-full

Type “Y,” then press the “ENTER KEY” to proceed with the installation.

Next, verify the version build and if the installation was successful.

sudo nginx -v

Example output (From Mainline):

nginx version: nginx/1.21.3

Now check to ensure the latest Nginx from the Ondřej Surý repository was installed using the apt-cache policy command. Note, the tutorial example installed Nginx Mainline:

apt-cache policy nginx

Note that you may be prompted to keep or replace your existing /etc/nginx/nginx.conf configuration file during the installation if you had Nginx installed previously. It is recommended to keep your current configuration file by pressing (n). A copy of the maintainer’s version will be made regardless, and you can check it later.

You will notice additional modules will be available in this version, most notably brotli support. To enable brotli, follow the steps below.

Open your nginx.conf configuration file:

sudo nano /etc/nginx/nginx.conf

Now add the following lines inside the http {} section:

brotli on;
brotli_comp_level 6;
brotli_static on;
brotli_types application/atom+xml application/javascript application/json application/rss+xml
   application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype
   application/x-font-ttf application/x-javascript application/xhtml+xml application/xml
   font/eot font/opentype font/otf font/truetype image/svg+xml image/vnd.microsoft.icon
   image/x-icon image/x-win-bitmap text/css text/javascript text/plain text/xml;

The brotli_comp_level can be set between 1 (lowest) and 11 (highest). Typically, most servers sit in the middle, but if your server is a monster, set to 11 and monitor CPU usage levels.

Next, test to make sure the changes are working correctly before making it live:

sudo nginx -t

If the changes are working correctly, you should see the following:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Now make the changes live by restarting your server:

sudo systemctl restart nginx
sudo systemctl status nginx

UFW Configuration

By default, UFW is installed on Linux Mint. If you use UFW or want a clearer view of running a firewall, use the information below to configure UFW for Nginx.

If UFW is not installed, re-install the firewall using the following command:

sudo apt install ufw -y

Next, enable UFW with the following command.

sudo ufw enable

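By default, all incoming connections are now blocked, and all outgoing connections are allowed. If you manage this machine over SSH, add an allow rule for SSH as well, or new SSH connections will be rejected.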

Next, find out what applications you have installed by entering the following.

sudo ufw app list

Example output (Note an extensive list will appear of other applications as well):

 Available applications:
   Nginx Full
   Nginx HTTP
   Nginx HTTPS

Next, you can enable Nginx in HTTP (Port 80), HTTPS (Port 443), or Full, including all options.

HTTP (Port 80):

sudo ufw allow 'Nginx HTTP'

HTTPS (Port 443):

sudo ufw allow 'Nginx HTTPS'

HTTP & HTTPS (Full):

sudo ufw allow 'Nginx Full'

In the tutorial, “Nginx Full” was enabled.

Example output:

 Rules updated
 Rules updated (v6)

Confirm the firewall rules are active with the following command.

sudo ufw status

You will see the rules listed in the output.

 Status: active
 To                         Action      From
 --                         ------      ----
 Nginx Full                 ALLOW       Anywhere
 Nginx Full (v6)            ALLOW       Anywhere (v6)

After UFW is configured, check to make sure you can see the Nginx landing page in your Internet Browser.

http://your_server_ip

If all is working well, you should land on the default Nginx welcome page.

Configure Nginx Server

Find Server IP Address

You will need to have the server’s IP address ready for set up. The easiest way to do this is with the following.

curl -4 icanhazip.com

Example output:

XXX.XXX.XXX.XXX IP address

If an error arises, you most likely need to install the curl package on your system. Run this command:

sudo apt install curl -y

Set Up Site Source Directory

Nginx server blocks (similar to virtual hosts in Apache) can encapsulate configuration details and host more than one domain from a single server. In the tutorial, the domain is written as your_domain in the commands below; replace this with your own domain name.

Nginx is installed with a default web root directory, located at /var/www/html/.

First, create the directory for your_domain as follows, using the “-p” flag to make any necessary parent directories:

sudo mkdir -p /var/www/your_domain/html

Second, you will need to assign the owner of the directory.

sudo chown -R $USER:$USER /var/www/your_domain/html

Third, assign the directory’s permissions so the owner can read, write, and execute the files while granting only read and execute permissions to groups and others. You can input the following command:

sudo chmod -R 755 /var/www/your_domain

Set up Test HTML page

Fourth, create a test page that you will use to confirm your Nginx server is operational.

nano /var/www/your_domain/html/index.html

Inside the nano editor, in the new file you have created, enter the following.

<html>
 <head>
  <title>Welcome to your_domain!</title>
 </head>
 <body>
   <h1>Success!  The your_domain server block is working thanks to Linuxcapable.com!</h1>
 </body>
</html>

Save the file CTRL+O, then exit CTRL+X.

Create Nginx Server Block

Now, you will create the server block for your website. We will create a new server block as follows.

sudo nano /etc/nginx/sites-available/your_domain.conf

You can paste the following example configuration into the file. This is just an HTTP-only example for basic testing.

server {
  listen 80;
  listen [::]:80;

  root /var/www/your_domain/html;

  index index.html index.htm index.nginx-debian.html;
  server_name your_domain www.your_domain;

  location / {
    try_files $uri $uri/ =404;
  }
}

The example shows your server listening on port 80 for two server names, “your_domain” and “www.your_domain”.

You will need to change the root directive to the location of the root directory you created.

Enable Nginx Server Block

You must link the configuration files from sites-available to sites-enabled in your Nginx directory to enable Nginx server blocks. This can be done with the ln -s command as follows.

sudo ln -s /etc/nginx/sites-available/your_domain.conf /etc/nginx/sites-enabled/

Final Configuration & Test run

In the final stage, you will need to open your default nginx.conf file.

sudo nano /etc/nginx/nginx.conf

And uncomment the following line.

server_names_hash_bucket_size 64;

The server name’s hash bucket size is changed as sometimes problems arise from adding additional servers.

Next, test your Nginx to make sure it’s working before properly restarting.

sudo nginx -t

If there are no errors in the syntax, the output should be:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

If you see the ok output above, restart the Nginx server for the changes to take effect.

sudo systemctl restart nginx

Now open your Internet Browser and type in the server domain name. You should see your server block is live.

Secure Nginx with Let’s Encrypt SSL Free Certificate

Ideally, you would want to run your Nginx on HTTPS using an SSL certificate. The best way to do this is to use Let’s Encrypt, a free, automated, and open certificate authority run by the nonprofit Internet Security Research Group (ISRG).

First, install the certbot package as follows:

sudo apt install python3-certbot-nginx -y

Once installed, run the following command to start the creation of your certificate:

sudo certbot --nginx --agree-tos --redirect --hsts --staple-ocsp --email you@example.com -d www.example.com

This is the ideal setup that includes force HTTPS 301 redirects, Strict-Transport-Security header, and OCSP Stapling. Just make sure to adjust the e-mail and domain name to your requirements.

Now your URL will be https://www.example.com instead of http://www.example.com.

Note, if you use the old HTTP URL, it will automatically redirect to HTTPS.
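
To confirm that the three certbot options actually took effect, the following script checks the redirect, the HSTS header and the stapled OCSP response. It is an added example, not part of the original tutorial; the function names and the sample headers are constructed for illustration, and www.example.com stands in for your domain.

```shell
#!/bin/sh
# Added example: confirm that --redirect, --hsts and --staple-ocsp took effect.
# Each check reads tool output on stdin, so it also works on saved captures.

# --redirect: the plain-HTTP answer must be a 301 pointing at an https:// URL.
check_redirect() {
  awk 'NR == 1 && $2 == "301" { code = 1 }
       tolower($1) == "location:" && tolower($2) ~ /^https:\/\// { loc = 1 }
       END { exit !(code && loc) }'
}

# --hsts: the HTTPS answer must carry Strict-Transport-Security, max-age > 0.
check_hsts() {
  awk 'tolower($1) == "strict-transport-security:" &&
       match(tolower($0), /max-age=[0-9]+/) {
         age = substr($0, RSTART + 8, RLENGTH - 8) + 0
       }
       END { exit !(age > 0) }'
}

# --staple-ocsp: "openssl s_client -status" prints this line only when the
# server stapled an OCSP response into the handshake.
check_stapling() {
  grep -q 'OCSP Response Status: successful'
}

# Run all three checks against a live host (needs curl and openssl).
verify_site() {
  host=$1; rc=0
  curl -sI "http://$host/" | check_redirect ||
    { echo "FAIL: http://$host/ is not 301-redirected to HTTPS"; rc=1; }
  curl -sI "https://$host/" | check_hsts ||
    { echo "FAIL: no usable Strict-Transport-Security header"; rc=1; }
  openssl s_client -connect "$host:443" -servername "$host" -status \
    </dev/null 2>/dev/null | check_stapling ||
    { echo "FAIL: no stapled OCSP response"; rc=1; }
  return "$rc"
}

# Constructed sample headers (not captured from a real server).
sample_http()  { printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://www.example.com/\r\n'; }
sample_https() { printf 'HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000\r\n'; }

if [ "$#" -eq 1 ]; then
  verify_site "$1"                 # live check, e.g. sh verify.sh www.example.com
else
  sample_http  | check_redirect && echo "redirect check: ok"
  sample_https | check_hsts     && echo "hsts check: ok"
fi
```

Nginx fetches the OCSP response lazily, so the first handshake after a restart can lack a staple; repeat the check before treating it as a failure.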

Optionally, you can set a cron job to renew the certificates automatically. Certbot offers a script that does this automatically, and you can first test to make sure everything is working by performing a dry run.

sudo certbot renew --dry-run

If everything is working, open your crontab window by using the following terminal command.

sudo crontab -e

Next, specify the time when it should auto-renew. This should be checked daily at a minimum; if the certificate does not yet need to be renewed, the script will not update the certificate. If you need help with finding a good time to set, use the free crontab.guru tool.

00 00 */1 * * /usr/bin/certbot renew

Save (CTRL+O) then exit (CTRL+X), and the cronjob will be automatically enabled.

How to Access Nginx Server Logs

Nginx Logs Directory

By default, all NGINX access and error logs, unless you have changed their location, are stored in the log directory, which you can view with the following command.

First, navigate to the logs directory and list files:

cd /var/log/nginx && ls -l

You should find the following access and error files:

Access Log:

/var/log/nginx/access.log

Error Log:

/var/log/nginx/error.log

To view logs in real time in your terminal, use the sudo tail -f /location/of/log command.

Example:

sudo tail -f /var/log/nginx/access.log

Another option is to print the last X lines. For example, replace X with 30 to print 30 lines by adding the -n 30 flag.

sudo tail -f /var/log/nginx/access.log -n 30

These are just some examples of reading logs.
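
Beyond tail, a short script can summarise the access log by status code and list the clients producing the most 4xx errors. This is an added example, not part of the original tutorial; it assumes the default "combined" log format, and the function names and sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise an Nginx access log in the default "combined" format.
# Fields are split on the double quote, so the status stays in the same place
# even when the request line is malformed (nginx escapes quotes in it as \x22).

# Print "count status" for every status code, most frequent first.
status_summary() {
  awk -F'"' '{ split($3, f, " "); n[f[1]]++ }
             END { for (s in n) print n[s], s }' "$@" | sort -k1,1nr -k2,2
}

# noisy_clients MIN [FILE]: print "count ip" for clients with >= MIN 4xx responses.
noisy_clients() {
  min=$1; shift
  awk -F'"' -v min="$min" '
    { split($1, pre, " "); split($3, f, " ")
      if (f[1] ~ /^4[0-9][0-9]$/) hits[pre[1]]++ }
    END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }' "$@" |
    sort -k1,1nr -k2,2
}

# Constructed sample log (documentation addresses, not real traffic).
sample_log() {
  cat <<'EOF'
198.51.100.7 - - [10/Oct/2021:13:55:36 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2021:13:55:40 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "curl/7.68.0"
203.0.113.9 - - [10/Oct/2021:13:55:41 +0000] "GET /.env HTTP/1.1" 404 162 "-" "curl/7.68.0"
203.0.113.9 - - [10/Oct/2021:13:55:42 +0000] "\x16\x03\x01" 400 166 "-" "-"
198.51.100.7 - - [10/Oct/2021:13:55:50 +0000] "GET /missing.css HTTP/1.1" 404 162 "http://your_domain/" "Mozilla/5.0"
EOF
}

if [ "$#" -ge 1 ]; then            # e.g. sudo sh logsummary.sh /var/log/nginx/access.log
  status_summary "$1"
  noisy_clients 3 "$1"
else                               # no file given: run on the constructed sample
  sample_log | status_summary
  sample_log | noisy_clients 3
fi
```

The fourth sample line is a request with no method or path; counting whitespace-separated fields would read its referer as the status code, which is why the script splits on quotes instead.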

How to Configure Nginx Log Rotate

Nginx automatically installs log rotation and configures it with the default, which is to rotate daily. You can change these settings by accessing the file as shown below.

sudo nano /etc/logrotate.d/nginx

Next, you will see the same or a similar file structure. You can modify the contents here. Mostly you can change how many logs to keep or go from daily to weekly. This should be left on default unless you have specific log requirements for software like fail2ban monitoring or similar.

/var/log/nginx/*.log {
  daily
  missingok
  rotate 14
  compress
  delaycompress
  notifempty
  create 0640 www-data adm
  sharedscripts
  prerotate
    if [ -d /etc/logrotate.d/httpd-prerotate ]; then \
      run-parts /etc/logrotate.d/httpd-prerotate; \
    fi \
  endscript
  postrotate
    invoke-rc.d nginx rotate >/dev/null 2>&1
  endscript
}

The main settings you will probably want to change are the following:

  • Daily – This can be changed to Weekly or Monthly. This should be kept at daily, or else going through the log file will be difficult.
  • Rotate 14 – This is how many logs to keep before older ones are removed, so at most there are only 14 logs. If you only want to keep 7 days’ worth of logs, change this to 7.

It’s recommended not to touch any other settings unless you know what you are doing.

How to Update Nginx

Nginx will be updated by default when a new version hits the repositories. Before upgrading, it’s always advised to back up your Nginx directory or, at the very least, the nginx.conf file. You can do either with the following command.

Back up nginx.conf (Highly Recommended):

sudo cp /etc/nginx/nginx.conf /etc/nginx/nginx-backup.conf

Back up your entire Nginx folder if you prefer:

sudo cp -r /etc/nginx/ /etc/nginx-bkup

Next, run the standard update command.

sudo apt update

If an upgrade is available, run the upgrade.

sudo apt upgrade

You may be prompted about your configuration files during an upgrade or installation, but manually backing up beforehand is pretty essential. For large Nginx configurations of multiple sites, backing up to something like GitHub or GitLab would be even more beneficial.

Comments and Conclusion

In the tutorial, you have learned to install and set up a basic Nginx configuration on your domain on Linux Mint and create a free SSL certificate using Let’s Encrypt. Overall, Nginx is the most used and popular web application software now, taking more market share from Apache with every month and year.

Some new contenders are starting to pop up, such as OpenLiteSpeed, but for now these other web applications focus on specific things like WordPress. Nginx will be the go-to web application for some time.


