Easy method to protect your Nginx server on CentOS

Published October 29, 2023

Here’s an easy method to protect your Nginx server on CentOS using Let’s Encrypt SSL.

As a website administrator, you understand the importance of prioritizing security and implementing encrypted HTTPS on your web server. This not only safeguards your website but also directly influences its ranking on search engines after SSL implementation. The process of installing and obtaining a certificate on the Nginx server is made incredibly convenient through full automation. In order to secure Nginx on CentOS with Let’s Encrypt SSL, there are a few essential and optional steps that you will discover in this informative article.

NGINX Server


NGINX is a lightweight, open-source, reliable, high-performance HTTP server and reverse proxy that has surpassed IIS and Apache in popularity. Nginx is renowned for its dependability, efficiency, rich feature set, simple configuration and low resource usage. Although most people keep the default options, those defaults are not safe enough, and additional adjustments are required to harden the web server.

What Is Let’s Encrypt and How Does It Work?

Let’s Encrypt is a Certificate Authority (CA) that lets you obtain and install TLS/SSL certificates at no cost. It was created by the Internet Security Research Group (ISRG), and its certificates are trusted by the vast majority of web browsers.


To protect your website users’ privacy and improve your site’s standing with search engines, you should use SSL, which stands for Secure Socket Layer.

Secure Socket Layer

Without SSL, a third party who can intercept traffic between your web server and its users can read the sensitive information they exchange.

With SSL, that information is encrypted in transit, so only you and your visitors can read it, and both parties gain security and peace of mind.

Adding a layer of security with an SSL certificate is the first and most important step in hardening your Nginx server.

An SSL certificate is a digital certificate that uses cryptography to encrypt the data in transit between your web server and the web browser.

Prerequisites to Harden Nginx on CentOS

To install and secure Nginx on CentOS, you need a working Linux VPS running the CentOS operating system.

The VPS should have a non-root user with sudo privileges.

You should also have a DNS record for your domain that points to your server’s public IP.

Secure Nginx on CentOS with SSL

Step 1. Install Certbot on CentOS

First, install Certbot so you can use Let’s Encrypt and obtain an SSL certificate. Certbot automates obtaining and renewing Let’s Encrypt SSL certificates and configuring your web server.


It is a good idea to install the Certbot package from the EPEL repository. To do this, run the following command:

sudo yum install epel-release

Running the above command enables the repository, which makes the certbot-nginx package available. Type the command below to install the Certbot Let’s Encrypt client:

sudo yum install certbot-nginx

Step 2. Install/Start Nginx in CentOS

If Nginx is already installed on your server, skip this step. If not, you can install it now, since the EPEL repository was enabled in the previous step. To install Nginx, run:

sudo yum install nginx

Then, use the command below to start Nginx on Linux CentOS:

sudo systemctl start nginx

By using the following command, you can also configure Nginx to launch automatically after the server boots up:

sudo systemctl enable nginx

Step 3. Setup Firewall

Incoming and outgoing connections must be able to reach your server through firewalld, the firewall software included with CentOS, so configure it rather than disabling it.

To allow HTTPS access to your machine, firewalld must be set up. If a firewall is enabled, check that ports 80 and 443 accept incoming traffic. If you are running firewalld, type the following to open these ports:

sudo firewall-cmd --add-service=http

sudo firewall-cmd --add-service=https

sudo firewall-cmd --runtime-to-permanent

If you have an iptables firewall running, run the command below to add HTTP and HTTPS access:

sudo iptables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPT

sudo iptables -I INPUT -p tcp -m tcp --dport 443 -j ACCEPT

Checking the firewall is an optional step in securing Nginx on CentOS, but it is recommended. Either way, you are now ready to run Certbot and fetch your certificates.

Step 4. Obtain a Certificate

This step covers obtaining a certificate. Certbot offers several ways to get SSL certificates through different plugins. The Nginx plugin edits Nginx’s configuration as needed and reloads it:

sudo certbot --nginx -d example.com -d www.example.com

When running certbot with the --nginx plugin, the -d option specifies the names the certificate should be valid for.


If you are running certbot for the first time, you will be asked to enter your email address and accept the terms of service. Certbot then connects to the Let’s Encrypt server and runs a challenge to confirm that you control the domain you are requesting a certificate for. After adjusting the configuration, it reloads Nginx so the changes take effect.


Certbot saves your certificates under /etc/letsencrypt/live/ and concludes with a message letting you know the procedure was successful:

Output:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/your_domain/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/your_domain/privkey.pem
   Your certificate will expire on 2024-01-01. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again with the "certonly" option. To non-interactively
   renew *all* of your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
   Donating to EFF: https://eff.org/donate-le

Your certificates are now downloaded, installed and loaded. Reload your webpage using the https:// protocol and examine your browser’s security indicator. It should display a green lock icon, which typically denotes that the website is adequately secured.

Step 5. Setup Auto-Renewal

Let’s Encrypt certificates are valid for 90 days, so you must set up a regularly run command that checks for certificates nearing expiry and renews them automatically. You can use cron to run the renewal check daily:

sudo crontab -e

This opens the crontab, the file that tells cron what to run and when, in your default text editor; it is initially empty. Add the line below, then save and close the file:

0 5 * * * /usr/bin/certbot renew --quiet

The 0 5 * * * part of the line means “run the following command at 5:00 am, every day”. You can pick any time. The certbot renew command examines all installed certificates and renews any that expire in fewer than 30 days. The --quiet flag tells Certbot not to print output or wait for user interaction.


Now cron will run this command every day. When a certificate’s expiration date is thirty days or less away, it will be renewed automatically and Nginx reloaded.
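As an added example (not part of the original article), the following POSIX shell check reads the live certificate’s expiry with openssl and applies the same 30-day renewal rule Certbot uses, so you can confirm the cron job above is doing its work. It assumes the /etc/letsencrypt/live path reported by Certbot, the placeholder your_domain, and GNU date for parsing the notAfter string.

```shell
#!/bin/sh
# Added example, not from the article: verify the Let's Encrypt certificate
# installed by Certbot and report whether the 30-day renewal window is open.

# Convert an openssl notAfter string ("Jan  1 00:00:00 2024 GMT") into whole
# days remaining relative to NOW_EPOCH (seconds since the epoch). GNU date.
days_left() {
    not_after="$1"
    now_epoch="$2"
    end_epoch=$(date -u -d "$not_after" +%s) || return 1
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

# Certbot renews a certificate when fewer than 30 days remain; mirror that.
needs_renewal() {
    [ "$1" -lt 30 ]
}

# Extract the notAfter date from a PEM certificate file via openssl.
cert_not_after() {
    openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# Check the live certificate for a domain at the path Certbot reported.
check_cert() {
    domain="${1:-your_domain}"   # placeholder: substitute your real domain
    cert="/etc/letsencrypt/live/$domain/fullchain.pem"
    [ -r "$cert" ] || { echo "no readable certificate at $cert"; return 1; }
    left=$(days_left "$(cert_not_after "$cert")" "$(date -u +%s)") || return 1
    if needs_renewal "$left"; then
        echo "$domain: $left days left, renewal due (run: sudo certbot renew)"
    else
        echo "$domain: $left days left, renewal not yet due"
    fi
}

# Run the live check only when a domain is given, so sourcing this file for
# its functions has no side effects.
if [ $# -gt 0 ]; then
    check_cert "$1"
fi
```

Run it as root (the private-key directory is not world-readable) with your domain as the argument; a result of "renewal due" that persists for more than a day means the cron entry is not firing.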


Nginx should now be secured with SSL on CentOS, and you should be able to access your site over HTTPS.
