How to Install Nginx with Let’s Encrypt TLS/SSL on Ubuntu 20.04

NGINX is an open-source, free HTTP server software. In addition to its HTTP server capabilities, NGINX can also function as a proxy server for e-mail (IMAP, POP3, and SMTP) and a reverse proxy and load balancer for HTTP, TCP, and UDP servers. The goal behind NGINX was to create the fastest web server around, and maintaining that excellence is still a central goal of the Nginx project. NGINX consistently beats Apache and other servers in benchmarks measuring web server performance and is now the most popular used web server according to W3Tech.

In the following tutorial, you will learn to install Nginx on Ubuntu 20.04 LTS using the default Ubuntu repository or the alternative PPA by Ondřej Surý with a free TLS/SSL certificate from Let’s Encrypt.

Advertisement

Prerequisites

  • Recommended OS: Ubuntu 20.04 or higher
  • User account: A user account with sudo or root access.

Updating Operating System

Update your Ubuntu operating system to make sure all existing packages are up to date:

sudo apt update && sudo apt upgrade

Root or Sudo Access

By default, the account created with Ubuntu was giving sudo status. Still, suppose you need to provide additional accounts sudo/root access. In that case, you must either have access to the root password to use the su command or visit our tutorial on How to Add a User to Sudoers on Ubuntu.

Install Nginx

Method 1. Install Nginx Stable from Ubuntu Repository

The first method is to install Nginx from Ubuntu’s default repositories, and these versions are proven to be stable and secure. If you need to run a primary web server or reverse proxy, installing the Ubuntu repository packages is often recommended.

To install Nginx, run the following command.

sudo apt install nginx

Example output:

How to Install Nginx with Let’s Encrypt TLS/SSL on Ubuntu 20.04

Type “Y,” then press the “ENTER KEY” to proceed with the installation.

Next, verify the version build and if the installation was successful.

sudo nginx -v

Example output:

nginx version: nginx/1.18.0

Method 2. Install Latest Nginx Stable or Mainline from Ondřej Surý PPA

Alternatively, instead of installing the default Nginx stable build from the Ubuntu 20.04’s repository, you can install either Nginx Stable or Mainline using the PPA from Ondřej Surý the PHP maintainer for Debian.

Install one of the following PPA’s with the following command:

Install latest Nginx (STABLE):

sudo add-apt-repository ppa:ondrej/nginx-stable -y && sudo apt update

Install latest Nginx (MAINLINE):

sudo add-apt-repository ppa:ondrej/nginx-mainline -y && sudo apt update

Now that you have installed the PPA and updated the repository list, install Nginx with the following:

sudo apt install nginx-core nginx-common nginx nginx-full

Example output:

How to Install Nginx with Let’s Encrypt TLS/SSL on Ubuntu 20.04

Type “Y,” then press the “ENTER KEY” to proceed with the installation.

Next, verify the version build and if the installation was successful.

sudo nginx -v

Example output (From Mainline):

nginx version: nginx/1.18.0

Now check to ensure the latest Nginx from the Ondřej Surý repository was installed using the apt-cache policy command. Note, the tutorial example installed Nginx Mainline:

apt-cache policy nginx

Example output for Nginx Mainline:

How to Install Nginx with Let’s Encrypt TLS/SSL on Ubuntu 20.04

Note that you may be prompted to keep or replace your existing /etc/nginx/nginx.conf configuration file during the installation if you had Nginx installed previously. It is recommended to keep your current configuration file by pressing (n). A copy will be made regardless of the maintainer’s version, and you can also check this in the future.

You will notice additional modules will be available in this version, most notably brotli support. To install brotli, follow the steps below.

Open your nginx.conf configuration file:

nano /etc/nginx/nginx.conf

Now add the additional lines before in the HTTP{} section:

brotli on;
brotli_comp_level 6;
brotli_static on;
brotli_types application/atom+xml application/javascript application/json application/rss+xml
   application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype
   application/x-font-ttf application/x-javascript application/xhtml+xml application/xml
   font/eot font/opentype font/otf font/truetype image/svg+xml image/vnd.microsoft.icon
   image/x-icon image/x-win-bitmap text/css text/javascript text/plain text/xml;

The brotli_comp_level can be set between 1 (lowest) and 11 (highest). Typically, most servers sit in the middle, but if your server is a monster, set to 11 and monitor CPU usage levels.

Next, test to make sure the changes are working correctly before making it live:

sudo nginx -t

If the changes are working correctly, you should see the following:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Now make the changes live by restarting your server:

sudo systemctl restart nginx
sudo systemctl status nginx

Example output:

How to Install Nginx with Let’s Encrypt TLS/SSL on Ubuntu 20.04
Advertisement

UFW Configuration

By default, UFW is installed on Ubuntu 20.04. If you use UFW or want a clearer view of running a firewall, use the information below to configure UFW for Nginx.

If UFW is not installed, re-install the firewall using the following command:

sudo apt install ufw -y

Next, enable UFW with the following command.

sudo ufw enable

By default, all incoming connections are now blocked, and all outgoing is allowed.

Next, find out what applications you have installed by entering the following.

sudo ufw app list

Example output (Note an extensive list will appear of other applications as well):

 Available applications:
   Nginx Full
   Nginx HTTP
   Nginx HTTPS

Next, you can enable Nginx in HTTP (Port 80), HTTPS (Port 443), or Full, including all options.

HTTP (Port 80):

sudo ufw allow 'Nginx HTTP'

HTTP (Port 443):

sudo ufw allow 'Nginx HTTPS'

HTTP & HTTPS (Full):

sudo ufw allow 'Nginx FULL'

In the tutorial, “Nginx (Full)” was enabled.

Example output:

 Rules updated
 Rules updated (v6)

Confirm the firewall rules are active with the following command.

sudo ufw status

You will see the rules listed in the output.

 Status: active
 To                         Action      From
 --                         ------      ----
 Nginx Full                 ALLOW       Anywhere                  
 Nginx Full (v6)          ALLOW       Anywhere (v6) 

After UFW is configured, check to make sure you can see the Nginx landing page in your Internet Browser.

http://your_server_ip

If all is working well, you should land on the following page:

How to Install Nginx with Let’s Encrypt TLS/SSL on Ubuntu 20.04
Advertisement

Configure Nginx Server

You will need to have the server’s IP address ready for set up. The easiest way to do this is with the following.

Find Server IP Address

You will need to have the server’s IP address ready for set up. The easiest way to do this is with the following.

curl -4 icanhazip.com

Example output:

XXX.XXX.XXX.XXX IP address

If an error arises, more than likely you need to install the curl package on your system. Quickly run this command:

sudo apt install curl -y

Set Up Site Source Directory

Nginx server blocks (similar to virtual hosts in Apache) can encapsulate configuration details and host more than one domain from a single server. In the tutorial, you will set up a domain called example.com, but you should replace this with your domain name.

When you install Nginx, it is created with a pre-installed www directory. The location is found at /var/www/html/.

First, create the directory, for example.com, as follows, using the “-p” flag to make any necessary parent directories:

sudo mkdir -p /var/www/example.com/html

Second, you will need to assign the owner of the directory.

sudo chown -R $USER:$USER /var/www/your_domain/html

Third, assign the directory’s permissions, so the owner read, write, and execute the files while granting only read and execute permissions to groups and others. You can input the following command:

sudo chmod -R 755 /var/www/your_domain

Set up Test HTML page

Fourth, create a test page that you will use to confirm your Nginx server is operational.

nano /var/www/your_domain/html/index.html

Inside the nano editor and new file you have created. Enter the following.

<html>
 <head>
  <title>Welcome to your_domain!</title>
 </head>
 <body>
   <h1>Success!  The your_domain server block is working!</h1>
 </body>
</html>

Save the file CTRL+O, then exit CTRL+X.

Create Nginx Server Block

Now, you will create the server block for your website. We will create a new server block as follows.

sudo nano /etc/nginx/sites-available/your_domain.conf

You can paste the following example code into the block. This is just an HTTP-only example for basic testing.

server {
 listen 80;
 listen [::]:80;

 root /var/www/your_domain/html;

  index index.html index.htm index.nginx-debian.html;
  server_name your_domain www.your_domain;

 location / {
  try_files $uri $uri/ =404;
 }
}

The example shows your server is listening for two server names, “your_domain” on port 80.

You will need to change the root directory to the name/location of the root directory you create.

Enable Nginx Server Block

To enable Nginx server blocks, you must link the configuration files from sites-available to sites-enabled in your Nginx directory. This can be done with the ln -s command as follows.

sudo ln -s /etc/nginx/sites-available/your_domain.conf /etc/nginx/sites-enabled/

Final Configuration & Test run

In the final stage, you will need to open your default nginx.conf file.

sudo nano /etc/nginx/nginx.conf

And uncomment the following line.

server_names_hash_bucket_size 64;

The server name’s hash bucket size is changed as sometimes problems arise from adding additional servers.

Next, test your Nginx to make sure it’s working before properly restarting.

sudo nginx -t

The output should be if no errors in the syntax:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

If you have the following ok output, restart the Nginx server for the changes to take place.

sudo systemctl restart nginx

Now open your Internet Browser and type in the server domain name. You should see your server block is live.

How to Install Nginx with Let’s Encrypt TLS/SSL on Ubuntu 20.04

Secure Nginx with Let’s Encrypt SSL Free Certificate

Ideally, you would want to run your Nginx on HTTPS using an SSL certificate. The best way to do this is to use Let’s Encrypt, a free, automated, and open certificate authority run by the nonprofit Internet Security Research Group (ISRG).

First, install the certbot package as follows:

sudo apt install python3-certbot-nginx -y

Once installed, run the following command to start the creation of your certificate:

sudo certbot --nginx --agree-tos --redirect --hsts --staple-ocsp --email you@example.com -d www.example.com

This is the ideal setup that includes force HTTPS 301 redirects, Strict-Transport-Security header, and OCSP Stapling. Just make sure to adjust the e-mail and domain name to your requirements.

Now your URL will be HTTPS://www.example.com instead of HTTP://www.example.com.

Note, if you use the old HTTP URL, it will automatically redirect to HTTPS.

How to Access Nginx Server Logs

Nginx Logs Directory

By default, all NGINX access/error logs, unless you have changed them, are located in the log directory, which the following command can view.

First, navigate to the logs directory and list files:

cd /var/log/nginx && ls -l

You should find the following access and error files:

Access Log:

/var/log/nginx/access.log

Error Log:

/var/log/nginx/error.log

To view logs in real-time in your terminal using the sudo tail -f /location/of/log path command.

Example:

sudo tail -f /var/log/nginx/access.log

Another option is to print the last X amount of lines. For example, X is replaced with 30 to print 30 lines by adding the -n 30 flags.

sudo tail -f /var/log/nginx/access.log -n 30

These are just some examples of reading logs.

How to Configure Nginx Log Rotate

Nginx automatically installs log rotation and configure it to default which is to rotate daily. You can change these settings by accessing the file as shown below.

sudo nano /etc/nginx/logrotate.d/nginx

Next, you will see the same if not similar file structure. You can modify the contents here. Mostly you can change how many logs to keep or go from daily to weekly. This should be left on default unless you have specific log requirement needs for software like fail2ban monitoring or similar.

/var/log/nginx/*.log {
  daily
  missingok
  rotate 14
  compress
  delaycompress
  notifempty
  create 0640 www-data adm
  sharedscripts
  prerotate
  if [ -d /etc/logrotate.d/httpd-prerotate ]; then \
  run-parts /etc/logrotate.d/httpd-prerotate; \
  fi \
  endscript
  postrotate
  invoke-rc.d nginx rotate >/dev/null 2>&1
  endscript
}

The main settings you will probably want to change is the following:

  • Daily – This can be changed to Weekly, Monthly. This shouild be kept at daily, or else going through the log file will be difficult.
  • Rotate 14 – This is how many logs to keep and remove, so at max there is only 14 logs, if you only want to keep 7 days worth of logs change this to 7.

Its recommended not to touch any other settings unless you know what you are doing.

How to Update Nginx

Nginx will be updated by default when a new version hits the repositories. Before upgrading, it’s always advised to back up your Nginx directory or, at the very least, the nginx.conf file. You can do either with the following command.

Back up nginx.conf (Highly Recommended):

sudo cp /etc/nginx/nginx.conf /etc/nginx/nginx-backup.conf

Back up your entire Nginx folder if you prefer:

sudo cp /etc/nginx/ /etc/nginx-bkup

Next, run the standard update command.

sudo apt update

If an upgrade is available, run the upgrade.

sudo apt upgrade 

You may be prompted this during an upgrade or installation, but manually doing this beforehand is pretty essential. For large Nginx configurations of multiple sites, backing up to something like Github or Gitlab would be even more beneficial.

Comments and Conclusion

In the tutorial, you have learned to install and set up a basic Nginx configuration on your domain on Ubuntu 20.04 LTS and create a free SSL certificate using Let’s Encrypt. Overall, Nginx is the most used and popular web application software now, with every month and year surpassing taking more market share from Apache.

Some new contenders are starting to pop up, such as Openlitespeed but given these other web applications, for now, focus on specific things like WordPress. Nginx will be the go-to web application for some time.

Subscribe
Notify of
0 Comments
Inline Feedbacks
View all comments
adplus-dvertising
0
Would love your thoughts, please comment.x
()
x