Here’s an easy method to protect your Nginx server on CentOS using Let’s Encrypt SSL.
As a website administrator, you know that serving your site over encrypted HTTPS is a baseline security requirement: it protects your users' traffic from eavesdropping and tampering, and search engines treat HTTPS as a ranking signal. On Nginx, obtaining and installing a certificate is almost fully automated. This article walks through the essential steps (and a few optional ones) needed to secure Nginx on CentOS with a Let's Encrypt SSL certificate.
Nginx is a lightweight, open-source, high-performance HTTP server and reverse proxy that has overtaken Apache and IIS in popularity. It is known for its reliability, efficiency, rich feature set, simple configuration, and low resource usage. Most installations run with the default configuration, but the defaults are not hardened: at a minimum you need to add TLS and adjust a few settings to strengthen the web server.
What Is Let's Encrypt and How Does It Work?
Let's Encrypt is a free, automated Certificate Authority (CA) operated by the Internet Security Research Group (ISRG). It issues TLS/SSL certificates at no cost, and those certificates are trusted by all major web browsers. There is no manual application: you prove control of your domain through the ACME protocol. A client such as Certbot asks Let's Encrypt for a challenge, answers it (for the HTTP-01 challenge, by serving a token on port 80 of the domain), and receives a certificate that is valid for 90 days.
To protect your users' privacy, and to avoid the "Not secure" warning browsers show for plain HTTP and the search-ranking disadvantage that comes with it, you need to serve your site over SSL/TLS.
Secure Sockets Layer
SSL (Secure Sockets Layer) is the original name of the protocol. Every version of SSL proper is now broken and disabled in modern software; what is actually negotiated today is its successor, TLS (Transport Layer Security). The term "SSL certificate" has stuck, and this article uses it in that everyday sense.
Without TLS, anyone on the network path (a compromised Wi-Fi hotspot, an ISP, a malicious proxy) can read and modify the data exchanged between your web server and your users, including session cookies and form submissions.
With TLS, that traffic is encrypted and integrity-protected, so it can be read only by your server and the visitor's browser, and the certificate lets the browser verify that it is talking to your server rather than an impostor.
Adding a certificate is therefore the first and most important step in securing your Nginx server.
An SSL/TLS certificate is a digital document that binds your domain name to a public key. The browser uses it to authenticate the server and to set up the encrypted session between itself and your web server.
Prerequisites to Harden Nginx on CentOS
To install and secure Nginx on CentOS you need a Linux VPS (or any server) running CentOS.
The server should have a non-root user with sudo privileges; all commands below assume that user.
You also need a registered domain name with a DNS A (or AAAA) record pointing at the server's public IP. This is not optional: Let's Encrypt validates the domain by connecting to it, so the name must resolve to this server before you run Certbot.
Secure Nginx on CentOS with SSL
Step 1. Install Certbot on CentOS
First, install Certbot, the Let's Encrypt client that automates obtaining and renewing certificates and can configure your web server for you.
Certbot is not in the base CentOS repositories; it is provided by EPEL (Extra Packages for Enterprise Linux). Enable that repository first:
sudo yum install epel-release
With EPEL enabled, install Certbot together with its Nginx plugin. The plugin package is called certbot-nginx here; on some EPEL releases it is named python2-certbot-nginx or python3-certbot-nginx instead, so run yum search certbot if the name below is not found:
sudo yum install certbot-nginx
Step 2. Install/Start Nginx in CentOS
If Nginx is already installed on your server, skip this step. If not, install it now; on CentOS 7 the nginx package also comes from the EPEL repository you enabled in the previous step:
sudo yum install nginx
Then, use the command below to start Nginx on Linux CentOS:
sudo systemctl start nginx
To have Nginx start automatically at boot, enable its service as well (this also needs root, so use sudo):
sudo systemctl enable nginx
Step 3. Setup Firewall
Do not disable firewalld to make this work. The firewall should stay on; you only need to allow inbound HTTP (port 80) and HTTPS (port 443). Port 80 must remain reachable from the internet even if you intend to serve HTTPS only, because Let's Encrypt's HTTP-01 validation and every later renewal connect to it.
If firewalld is running, open both services and make the change permanent:
sudo firewall-cmd --add-service=http
sudo firewall-cmd --add-service=https
sudo firewall-cmd --runtime-to-permanent
If you use iptables directly instead of firewalld, insert rules that accept HTTP and HTTPS:
sudo iptables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPT
sudo iptables -I INPUT -p tcp -m tcp --dport 443 -j ACCEPT
These iptables rules live in memory only and are lost at reboot; persist them with sudo service iptables save (from the iptables-services package) or your distribution's equivalent. Whichever firewall you use, verify from another machine that ports 80 and 443 are reachable, for example with curl -I http://your_domain. You are now ready to run Certbot and fetch your certificates.
Step 4. Obtain a Certificate
Certbot can obtain certificates through several plugins. The Nginx plugin obtains the certificate, edits your Nginx configuration to use it, and reloads Nginx. It locates the server block to edit by its server_name, so make sure your Nginx configuration already contains a server block whose server_name lists the domain(s) you are requesting. Then run:
sudo certbot --nginx -d example.com -d www.example.com
With the --nginx plugin, each -d option names a hostname the certificate should be valid for. Every name you list must resolve to this server, because Let's Encrypt validates each one separately.
The first time you run Certbot it asks for an email address (used for expiry and security notices) and for acceptance of the terms of service. Certbot then contacts the Let's Encrypt servers, which issue an HTTP-01 challenge: they connect to each domain on port 80 and expect to find a token that Certbot serves through Nginx, proving that you control the domain. Once validation succeeds, Certbot writes the certificate paths into the server block and reloads Nginx so the change takes effect.
The certificate and private key are stored under /etc/letsencrypt/live/your_domain/ (your_domain stands for the name you requested), and Certbot finishes with a message similar to this:
Output
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/your_domain/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/your_domain/privkey.pem
Your certificate will expire on 2024-01-01. To obtain a new or
tweaked version of this certificate in the future, simply run
certbot again with the "certonly" option. To non-interactively
renew *all* of your certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Your certificate is now downloaded, installed, and loaded. Reload your site in a browser using the https:// scheme and check the padlock in the address bar; from the shell, curl -I https://your_domain should return a response without certificate errors. Note the file layout: fullchain.pem (your certificate plus the intermediate chain) is what Nginx serves, and privkey.pem is the private key. Certbot creates the key readable only by root; leave those permissions alone and never copy the key anywhere less protected.
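To show what a hardened HTTPS virtual host looks like once the certificate from this step is in place, here is an illustrative server block. It is an added example, not Certbot's own output: Certbot's nginx plugin instead edits your existing server block, adds the two ssl_certificate directives, and pulls its protocol and cipher settings in with include /etc/letsencrypt/options-ssl-nginx.conf. The domain example.com and the document root are assumptions; substitute your own.

```nginx
# /etc/nginx/conf.d/example.com.conf  (illustrative; example.com and the
# document root are assumptions, not values from the article)

# Plain-HTTP listener: its only job is to send clients to HTTPS.
# Let's Encrypt follows this redirect during HTTP-01 validation, so renewals
# keep working as long as port 80 stays open.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com www.example.com;

    # Paths printed by Certbot in Step 4
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Refuse SSLv3 / TLS 1.0 / TLS 1.1; offer only AEAD ciphers with forward secrecy
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;

    # Session resumption through the server-side cache; tickets off because
    # Nginx does not rotate the ticket key, and a leaked key would expose
    # every session that used it
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # HSTS: browsers will refuse plain HTTP for this host for two years.
    # Enable only once every subdomain you serve is available over HTTPS.
    add_header Strict-Transport-Security "max-age=63072000" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;

    # Do not advertise the Nginx version in headers and error pages
    server_tokens off;

    root  /usr/share/nginx/html;
    index index.html;
}
```

After editing, run sudo nginx -t to validate the syntax and sudo systemctl reload nginx to apply it. If you keep Certbot's include line alongside your own ssl_protocols and ssl_ciphers directives, make sure the two do not conflict; the simplest approach is to use one or the other, not both. You can confirm the old protocols are gone with openssl s_client -connect example.com:443 -servername example.com -tls1_1, which should fail to negotiate.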
Step 5. Setup Auto-Renewal
Let's Encrypt certificates are valid for only 90 days, so renewal must be automated. First confirm that renewal actually works on this server with sudo certbot renew --dry-run, which performs the whole validation without issuing a certificate. Also check sudo systemctl list-timers --all: if your Certbot package already installed a renewal timer, enable that instead of adding a duplicate cron job. Otherwise, a daily cron job is the usual solution. Open root's crontab:
sudo crontab -e
This opens root's crontab, the file that tells cron which commands to run and when. If it has never been edited, it will be empty. Add the following line, then save and close the editor:
0 5 * * * /usr/bin/certbot renew --quiet
The 0 5 * * * part means "at 05:00 every day". Any time will do; Certbot's documentation suggests running the check twice a day at a non-round minute to spread load on Let's Encrypt's servers. certbot renew examines every certificate Certbot manages and renews those that expire within 30 days; --quiet suppresses all output except errors, which is what you want for an unattended job.
From now on cron runs this command daily, and any certificate within 30 days of expiry is renewed automatically. Because the certificate was installed with the --nginx plugin, Certbot also reloads Nginx after a successful renewal so the new certificate is actually served. If you obtain certificates with certonly instead, add --deploy-hook "systemctl reload nginx" to the renew command, since nothing else will reload Nginx.
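A cron job running with --quiet fails silently if, for example, port 80 is closed later or the DNS record changes, and you only notice when the certificate expires. The script below is an added example, not part of the original article: it checks the certificate Nginx actually presents for each hostname you pass and reports when it is within a threshold of expiry, so it can act as a second line of defence from cron or a monitoring system. It assumes bash on CentOS with the GNU date and openssl command-line tools; the hostnames and the WARN_DAYS threshold are inputs you supply.

```shell
#!/bin/bash
# check_tls_expiry.sh (added example): report how many days remain on the
# certificate that each given host actually serves on port 443.
# Assumed environment: bash, GNU date (as shipped on CentOS), openssl CLI.
# Usage: WARN_DAYS=14 ./check_tls_expiry.sh example.com www.example.com

WARN_DAYS="${WARN_DAYS:-14}"   # warn when fewer than this many days remain

# days_until_expiry NOTAFTER
# NOTAFTER is the date as printed by "openssl x509 -enddate", for example
# "Jan  1 00:00:00 2099 GMT". Prints whole days from now until that moment
# (negative if already expired). Relies on GNU date's free-form parsing;
# returns 1 if the string cannot be parsed.
days_until_expiry() {
    expiry_epoch=$(date -u -d "$1" +%s) || return 1
    now_epoch=$(date -u +%s)
    echo $(( (expiry_epoch - now_epoch) / 86400 ))
}

# classify DAYS WARN_DAYS -> prints EXPIRED, WARN or OK
classify() {
    if [ "$1" -lt 0 ]; then
        echo EXPIRED
    elif [ "$1" -lt "$2" ]; then
        echo WARN
    else
        echo OK
    fi
}

# served_not_after HOST [PORT]
# Connect with SNI (as a browser would) and print the leaf certificate's
# notAfter field without the "notAfter=" prefix. Prints nothing on failure.
served_not_after() {
    openssl s_client -servername "$1" -connect "$1:${2:-443}" </dev/null 2>/dev/null \
        | openssl x509 -noout -enddate 2>/dev/null \
        | sed 's/^notAfter=//'
}

# check_host HOST -> prints one status line; returns 0 only if status is OK
check_host() {
    not_after=$(served_not_after "$1")
    if [ -z "$not_after" ]; then
        echo "$1: ERROR could not fetch certificate"
        return 2
    fi
    days=$(days_until_expiry "$not_after") || {
        echo "$1: ERROR unparseable date '$not_after'"
        return 2
    }
    status=$(classify "$days" "$WARN_DAYS")
    echo "$1: $status ($days days left, expires $not_after)"
    [ "$status" = OK ]
}

# Check every hostname given on the command line. The script's exit status
# is non-zero if any host is not OK, so cron mail or a monitor picks it up.
rc=0
for host in "$@"; do
    check_host "$host" || rc=1
done
[ "$rc" -eq 0 ]
```

Run it for each name on the certificate (both example.com and www.example.com, since a renewal that silently dropped a name would otherwise go unnoticed), and wire its exit status into whatever alerting you already have; checking the certificate that is served, rather than the file on disk, also catches the case where renewal succeeded but Nginx was never reloaded.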
Nginx on CentOS is now secured with a Let's Encrypt certificate: your site is reachable over HTTPS, HTTP visitors are protected by the certificate you installed, and renewal is taken care of.