How to Configure Nginx SSL/TLS with Let’s Encrypt and Security Hardening

Learning how to configure Nginx SSL/TLS with Let’s Encrypt and security hardening is essential for any web administrator who wants to secure their websites effectively. This comprehensive tutorial will walk you through the entire process of setting up SSL certificates using Let’s Encrypt’s free service and implementing advanced security measures to protect your Nginx web server.

SSL/TLS encryption has become a mandatory requirement for modern websites. Search engines like Google prioritize HTTPS sites in their rankings, and browsers now display security warnings for unencrypted connections. Let’s Encrypt revolutionized SSL certificate management by providing free, automated certificates that renew automatically.

In this guide, you’ll learn to install and configure Certbot, obtain SSL certificates for your domains, configure Nginx with proper SSL settings, and implement security hardening measures including HTTP Strict Transport Security (HSTS), security headers, and cipher suite optimization. By the end of this tutorial, your Nginx server will have enterprise-grade security configurations that protect against common web vulnerabilities and attacks.

Prerequisites and Requirements for Nginx SSL/TLS Configuration

Before you begin this tutorial on configuring Nginx SSL/TLS with Let’s Encrypt and security hardening, ensure you meet these requirements:

You need an Ubuntu 20.04 or 22.04 server with root or sudo access. Your server should have Nginx already installed and running. If you haven’t installed Nginx yet, run these commands:

sudo apt update
sudo apt install nginx -y
sudo systemctl start nginx
sudo systemctl enable nginx

Your domain name must point to your server’s IP address through DNS A records. Let’s Encrypt validates domain ownership by making HTTP requests to your server, so proper DNS configuration is crucial. You can verify this by running nslookup yourdomain.com from your local machine.

Ports 80 and 443 must be open in your firewall. If you’re using UFW, configure it with these commands:

sudo ufw allow 'Nginx Full'
sudo ufw reload

You should have basic knowledge of Nginx configuration files and Linux command line operations. This tutorial assumes you understand how to edit files using nano or vim and navigate the Linux filesystem.

The estimated completion time for this tutorial is 30-45 minutes, depending on your familiarity with these tools and the number of domains you’re securing.

Step-by-Step Guide to Configure Nginx SSL/TLS with Let’s Encrypt


Step 1: Install Certbot and Nginx Plugin

First, install Certbot, the official Let’s Encrypt client, along with the Nginx plugin:

sudo apt update
sudo apt install certbot python3-certbot-nginx -y

The python3-certbot-nginx package provides automatic Nginx configuration capabilities. This plugin can modify your Nginx configuration files automatically to include SSL settings.

Step 2: Configure Basic Nginx Server Block

Before obtaining SSL certificates, create a basic server block for your domain. Create a new configuration file:

sudo nano /etc/nginx/sites-available/yourdomain.com

Add this basic configuration:

server {
    listen 80;
    server_name yourdomain.com www.yourdomain.com;
    root /var/www/yourdomain.com;
    index index.html index.php;

    location / {
        try_files $uri $uri/ =404;
    }
}

Enable the site and test the configuration:

sudo ln -s /etc/nginx/sites-available/yourdomain.com /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl reload nginx

Step 3: Obtain SSL Certificates with Certbot

Now obtain your SSL certificate using Certbot. The Nginx plugin will automatically configure SSL settings:

sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com

Certbot will ask for your email address and agreement to terms of service. Choose option 2 to redirect all HTTP traffic to HTTPS when prompted. This command performs several actions automatically:

– Validates domain ownership
– Downloads SSL certificates
– Modifies your Nginx configuration
– Sets up automatic HTTP to HTTPS redirection

Step 4: Verify SSL Certificate Installation

Check that your SSL certificate is working correctly:

sudo certbot certificates

This command displays information about installed certificates, including expiration dates and covered domains. You can also test your site by visiting https://yourdomain.com in a web browser.

Step 5: Configure Automatic Certificate Renewal

Let’s Encrypt certificates expire every 90 days. On Ubuntu the certbot package already installs a systemd timer (certbot.timer) that runs certbot renew twice a day; check it with systemctl list-timers certbot.timer and add a cron entry only if that timer is absent or disabled, so renewal is not scheduled twice. To set up automatic renewal using cron:

sudo crontab -e

Add this line to check for renewal twice daily:

0 0,12 * * * /usr/bin/certbot renew --quiet

Test the renewal process manually:

sudo certbot renew --dry-run

Step 6: Create SSL Configuration Snippet

Create a reusable SSL configuration snippet for consistent security settings across all sites. According to Nginx’s official HTTPS documentation, this approach improves maintainability:

sudo nano /etc/nginx/snippets/ssl-params.conf

Add these security-focused SSL parameters. Only TLS 1.2 and 1.3 are enabled, and the TLS 1.2 list is restricted to AEAD suites with forward secrecy (with OpenSSL, ssl_ciphers does not affect the TLS 1.3 suites). ECDSA variants are listed beside the RSA ones so the configuration keeps working whichever key type Certbot issues. Note that cipher names ending in GCM-SHA512, which appear in many guides, do not exist in OpenSSL and are silently ignored, so they are left out here:

# SSL Configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers off;
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;

# OCSP Stapling
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;

Two caveats on stapling: ssl_stapling_verify only works when nginx can build the issuer chain, so the server block must also set ssl_trusted_certificate (Certbot’s chain.pem), and Let’s Encrypt has announced that it is retiring its OCSP service in favour of CRLs, so stapling has no effect once your certificates no longer carry an OCSP URL. After reloading, look for OCSP or stapling warnings in /var/log/nginx/error.log.

Advanced Security Hardening for Nginx SSL/TLS Configuration

Step 7: Implement Security Headers

Create a security headers snippet to protect against common web vulnerabilities:

sudo nano /etc/nginx/snippets/security-headers.conf

Add comprehensive security headers:

# Security Headers
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;

Three things to check before deploying this snippet. First, nginx applies add_header directives from only one configuration level: a location block that sets its own add_header (a Cache-Control header on static files, say) inherits none of these, so either include this snippet in that location as well or keep every add_header at the server level. Second, the preload directive commits you to the HSTS preload list, which is very slow to leave; submit the domain only once every subdomain serves HTTPS. Third, 'unsafe-inline' in script-src removes most of the XSS protection CSP is meant to provide; treat it as a starting point for sites with inline scripts and replace it with nonces or hashes as the application allows.

Step 8: Update Nginx Server Configuration

Modify your site’s configuration to include the security snippets:

sudo nano /etc/nginx/sites-available/yourdomain.com

Update the HTTPS server block to include your security configurations. Certbot’s plugin inserted an include of /etc/letsencrypt/options-ssl-nginx.conf (plus an ssl_dhparam line) into this block; remove that include, because it sets the same ssl_* directives as ssl-params.conf and nginx -t fails on duplicate directives in one block. Keep the separate port 80 server block that Certbot rewrote to redirect to HTTPS:

server {
    listen 443 ssl http2;
    server_name yourdomain.com www.yourdomain.com;
    root /var/www/yourdomain.com;
    index index.html index.php;

    # SSL Certificate Configuration
    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
    # Issuer chain so ssl_stapling_verify can validate stapled OCSP responses
    ssl_trusted_certificate /etc/letsencrypt/live/yourdomain.com/chain.pem;

    # Include SSL and Security Configuration
    include /etc/nginx/snippets/ssl-params.conf;
    include /etc/nginx/snippets/security-headers.conf;

    location / {
        try_files $uri $uri/ =404;
    }

    # Security: Hide Nginx version
    server_tokens off;
}
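Because a location block with its own add_header silently drops the headers from Step 7, it is worth scanning a site configuration for that mistake before reloading. The checker below is an added example written for this tutorial, not part of nginx or Certbot; it assumes one directive per line and uses a constructed server block as input.

```python
SNIPPET = "/etc/nginx/snippets/security-headers.conf"  # path used in this tutorial


def find_header_shadowing(config_text, snippet=SNIPPET):
    """Return 'location ...' prefixes whose own add_header lines hide the
    inherited security headers. nginx takes add_header from the current
    level only, as soon as that level has any add_header at all, so a
    location that sets just Cache-Control loses HSTS, CSP and the rest
    unless it also includes the snippet or repeats HSTS itself.
    Simple brace scanner: assumes '{' ends a block-opening line and '}'
    sits on its own line."""
    findings, stack = [], []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        if line.endswith("{"):                   # block open
            stack.append({"name": line[:-1].strip(), "adds": False, "safe": False})
        elif line == "}":                        # block close: evaluate it
            blk = stack.pop()
            if blk["name"].startswith("location") and blk["adds"] and not blk["safe"]:
                findings.append(blk["name"])
        elif stack:
            blk = stack[-1]
            if line.startswith("add_header"):
                blk["adds"] = True
                if "Strict-Transport-Security" in line:
                    blk["safe"] = True
            elif line.startswith("include") and snippet in line:
                blk["adds"] = blk["safe"] = True   # snippet re-adds the full set
    return findings


# Constructed sample, not a real site: /static/ is the classic mistake
SAMPLE_SERVER = """
server {
    listen 443 ssl http2;
    server_name yourdomain.com;
    include /etc/nginx/snippets/ssl-params.conf;
    include /etc/nginx/snippets/security-headers.conf;
    location / {
        try_files $uri $uri/ =404;
    }
    location /static/ {
        add_header Cache-Control "public, max-age=86400";
    }
    location /api/ {
        add_header Cache-Control "no-store";
        include /etc/nginx/snippets/security-headers.conf;
    }
}
"""

if __name__ == "__main__":
    print(find_header_shadowing(SAMPLE_SERVER))
```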

Step 9: Configure Rate Limiting

Implement rate limiting to protect against brute force attacks and DDoS attempts. The zones below key on $binary_remote_addr; if nginx sits behind a load balancer or CDN, that is the proxy’s address, so configure the real_ip module to recover the client IP first, or every visitor shares one bucket. Add this to your main Nginx configuration:

sudo nano /etc/nginx/nginx.conf

Add these lines in the http block:

# Rate Limiting Configuration
limit_req_zone $binary_remote_addr zone=login:10m rate=1r/s;
limit_req_zone $binary_remote_addr zone=general:10m rate=10r/s;

Then apply rate limiting in your server block. A limit_req inside a location replaces the server-level one rather than adding to it, so the login paths are governed only by the login zone. Rejected requests receive a 503 unless you set limit_req_status to another code:

# Apply rate limiting
limit_req zone=general burst=20 nodelay;

# Stricter limits for login pages
location ~ ^/(wp-login|login|admin) {
    limit_req zone=login burst=5 nodelay;
    try_files $uri $uri/ =404;
}
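The burst and nodelay parameters are easy to misread, so here is an added Python model of the accounting nginx’s limit_req module performs (an illustration written for this tutorial, not nginx’s code), run against constructed arrival times for the two zones above.

```python
def simulate_limit_req(arrivals_ms, rate_rps, burst, nodelay=True):
    """Model nginx limit_req accounting for one client key.

    arrivals_ms: request arrival times in milliseconds, non-decreasing.
    Returns one tuple per request: ("accepted", delay_ms) or ("rejected", None).
    nginx keeps an 'excess' counter in thousandths of a request: each request
    adds 1000 and the counter drains by rate_rps * elapsed_ms. The first request
    for a new key starts the bucket at 0, so burst=5 admits 1 + 5 back-to-back
    requests; a rejected request leaves the bucket state unchanged.
    """
    results, excess, last_ms = [], None, 0
    burst_units = burst * 1000
    for now in arrivals_ms:
        if excess is None:                       # new key: bucket created empty
            excess, last_ms = 0, now
            results.append(("accepted", 0))
            continue
        elapsed = max(now - last_ms, 0)
        candidate = max(excess - rate_rps * elapsed, 0) + 1000
        if candidate > burst_units:
            results.append(("rejected", None))   # 503 by default
            continue
        excess, last_ms = candidate, now
        delay = 0 if nodelay else int(candidate / rate_rps)  # ms the request waits
        results.append(("accepted", delay))
    return results


def summarize(arrivals_ms, rate_rps, burst, nodelay=True):
    """Return (accepted, rejected) counts for the given limit_req parameters."""
    outcomes = simulate_limit_req(arrivals_ms, rate_rps, burst, nodelay)
    accepted = sum(1 for outcome, _ in outcomes if outcome == "accepted")
    return accepted, len(outcomes) - accepted


if __name__ == "__main__":
    # Constructed scenarios using this tutorial's zones, not captured traffic
    print("login   rate=1r/s  burst=5 :", summarize([0] * 7 + [1000], 1, 5))
    print("general rate=10r/s burst=20:", summarize([0] * 25, 10, 20))
```

Without nodelay the same requests are all accepted but held back, which the delay_ms value shows: at rate=1r/s each extra request in the burst waits one second longer than the previous one.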

Step 10: Test and Validate Configuration

Test your Nginx configuration for syntax errors:

sudo nginx -t

If the test passes, reload Nginx to apply all changes:

sudo systemctl reload nginx

Verify your SSL configuration using online tools. Visit SSL Labs SSL Test and enter your domain to receive a comprehensive security assessment. A properly configured server should achieve an A+ rating. You can also confirm the headers locally with curl -sI https://yourdomain.com and check that Strict-Transport-Security appears on every path, not just the home page.

Troubleshooting Common SSL Configuration Issues
