NGINX with Let’s Encrypt

This guide is for CentOS 7 using NGINX to serve static files or act as a reverse proxy.

Add the DNS A record and/or AAAA record for your domain before starting.

Add NGINX repository (optional)

You will most likely get a more up-to-date version from the NGINX repositories than the Linux distribution repositories usually provide.

https://www.nginx.com/resources/wiki/start/topics/tutorials/install/

Install NGINX

sudo yum install nginx

Enable NGINX to start on boot

sudo systemctl enable nginx

Start NGINX

sudo systemctl start nginx

Open firewall ports

Ports 80 and 443 need to be open to let HTTP and HTTPS traffic in.

Here is an iptables example.
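As an added example that is not part of the original post, here is a small script that opens TCP 80 and 443 with iptables on CentOS 7. It assumes the iptables-services package is in use (an assumption; CentOS 7 ships firewalld by default, but the post talks about iptables). Without --apply it only prints the commands it would run, so it can be reviewed first.

```shell
#!/bin/sh
# Added example (not from the original post): open TCP 80 and 443 for NGINX
# with iptables. Assumes iptables-services rather than firewalld (assumption).
# Usage:  sh open-web-ports.sh            # dry run, prints the commands
#         sudo sh open-web-ports.sh --apply

DRY_RUN=1
if [ "${1:-}" = "--apply" ]; then DRY_RUN=0; fi

# Print the command in dry-run mode, execute it otherwise.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# True when the ACCEPT rule for port $1 already exists (so the script is
# idempotent); always false in dry-run mode.
rule_present() {
  [ "$DRY_RUN" = 1 ] && return 1
  iptables -C INPUT -p tcp --dport "$1" -m conntrack --ctstate NEW -j ACCEPT 2>/dev/null
}

open_web_ports() {
  for port in 80 443; do
    # Insert at the top of INPUT so the rule precedes the distribution's final
    # REJECT rule. Only NEW connections need it; established flows are already
    # accepted by the default ruleset.
    rule_present "$port" || run iptables -I INPUT -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
  done
  # Persist the running rule set to /etc/sysconfig/iptables (iptables-services).
  run service iptables save
}

open_web_ports
```

Run it once without --apply and read the three printed commands; if they are what you expect, run it again with --apply as root.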

Configure NGINX

Disable the default conf by renaming it, so it no longer matches the *.conf include pattern.

sudo mv /etc/nginx/conf.d/default.conf /etc/nginx/conf.d/defaultconf

Create your own conf, replacing DOMAIN with your domain name.

sudo cp -av /etc/nginx/conf.d/defaultconf /etc/nginx/conf.d/DOMAIN.conf

Generate dhparams.pem

sudo mkdir /etc/nginx/ssl
sudo openssl dhparam -out /etc/nginx/ssl/dhparams.pem 2048

Edit the new conf

sudo vi /etc/nginx/conf.d/DOMAIN.conf

Example DOMAIN.conf

server_tokens off;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";

server {
    listen 80 default_server;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name DOMAIN;

    ssl_dhparam /etc/nginx/ssl/dhparams.pem;

    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    # https://mozilla.github.io/server-side-tls/ssl-config-generator/
    # modern configuration. tweak to your needs.
    ssl_protocols TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
    ssl_prefer_server_ciphers on;

    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    add_header Strict-Transport-Security max-age=15768000;

    # add_header directives are inherited from the http level only by blocks that
    # define none of their own. This server sets HSTS, so the three headers from
    # the top of the file must be repeated here or HTTPS responses will lack them.
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";

    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;

    # verify chain of trust of OCSP response using Root CA and Intermediate certs
    #ssl_trusted_certificate /etc/letsencrypt/live/DOMAIN/fullchain.pem;

    resolver 1.1.1.1;

    access_log /var/log/nginx/DOMAIN.access.log;

    location / {
        root /var/www/DOMAIN/public;
        index index.html index.htm;
    }
}

Notice that the configuration file does not yet contain the certificate file directives (ssl_certificate and ssl_certificate_key), because those files do not exist yet!

Use https://mozilla.github.io/server-side-tls/ssl-config-generator/ to generate an up-to-date configuration.

Be sure you know what HSTS does before deciding whether to use it: once a browser has seen the header, it refuses plain-HTTP connections to the domain for the whole max-age period, so an expired or broken certificate locks visitors out instead of showing a warning.

Create the public folder (if using NGINX to serve static files)

sudo mkdir -p /var/www/DOMAIN/public

Test the NGINX configuration

sudo nginx -t

Install Certbot

https://certbot.eff.org/

I am using python2-certbot-nginx with this guide. EPEL needs to be installed for that.

https://fedoraproject.org/wiki/EPEL#How_can_I_use_these_extra_packages.3F

sudo yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
sudo yum install python2-certbot-nginx

Request certificates

sudo certbot --nginx

Enable ssl_trusted_certificate

Remove the comment from the ssl_trusted_certificate line and check that the path is correct.

sudo vi /etc/nginx/conf.d/DOMAIN.conf

Reload NGINX

sudo nginx -t
sudo systemctl reload nginx
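The "enable ssl_trusted_certificate and reload" step above can be scripted so that a wrong path is caught before NGINX is reloaded. This is an added example, not from the original post: it uncomments the directive, checks that every certificate file the conf references is readable, then runs nginx -t and reloads, stopping at the first failure. The conf file path is taken from the command line, and the certificate paths are read from the file, so nothing about the Let's Encrypt directory layout is assumed.

```shell
#!/bin/sh
# Added example (not from the original post): enable ssl_trusted_certificate,
# verify the referenced files, test and reload NGINX.
# Usage (as root):  sh enable-trusted-cert.sh /etc/nginx/conf.d/DOMAIN.conf

# Activate a commented-out "#ssl_trusted_certificate ..." line, keeping the
# indentation. A DOMAIN.conf.bak copy is kept; it does not match the *.conf
# include pattern, so NGINX ignores it.
enable_trusted_cert() {
  sed -i.bak 's/^\([[:space:]]*\)#ssl_trusted_certificate/\1ssl_trusted_certificate/' "$1"
}

# Print the file path of every active ssl_certificate, ssl_certificate_key and
# ssl_trusted_certificate directive. Commented lines start with "#" and so do
# not match the first-field test.
cert_paths() {
  awk '$1 ~ /^ssl_(certificate|certificate_key|trusted_certificate)$/ { sub(/;$/, "", $2); print $2 }' "$1"
}

# Return 1 and name every referenced file that is missing or unreadable.
# Catching this here gives a clearer message than nginx -t's "cannot load
# certificate" error.
check_cert_files() {
  missing=0
  for p in $(cert_paths "$1"); do
    [ -r "$p" ] || { echo "missing or unreadable: $p"; missing=1; }
  done
  return $missing
}

# The whole step, in the order the post does it by hand.
apply_and_reload() {
  enable_trusted_cert "$1" && check_cert_files "$1" && nginx -t && systemctl reload nginx
}

if [ -n "${1:-}" ]; then apply_and_reload "$1"; fi
```

Because check_cert_files runs as root, a readable-by-root check is enough: NGINX reads its certificates and keys during startup and reload before dropping privileges.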

Check certificate and configuration quality

You can now check the certificate and the NGINX configuration with

https://www.ssllabs.com/ssltest/

https://securityheaders.com/
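The two online checkers above need the site to be public. As an added example that is not part of the original post, here is a script that does the header part of that check locally: it reads an HTTP response and reports a missing or weak Strict-Transport-Security header, missing X-Frame-Options, X-Content-Type-Options or X-XSS-Protection, and a Server header that still reveals the NGINX version (meaning server_tokens off did not take effect). Only POSIX sh, sed, grep, curl and openssl are assumed; the two sample responses at the bottom are constructed, and the live helpers need network access.

```shell
#!/bin/sh
# Added example (not from the original post): check that the headers set in
# DOMAIN.conf actually reach the client.
# Usage:  sh check-headers.sh            # runs the two built-in samples
#         sh check-headers.sh DOMAIN     # fetches https://DOMAIN/ and checks it

# Value of header $1 (lowercase name) from the lowercased response in $HDRS.
header_value() {
  printf '%s\n' "$HDRS" | sed -n "s/^$1:[[:space:]]*//p" | head -n 1
}

# Reads response headers on stdin, prints one line per finding, returns 1 if any.
check_headers() {
  HDRS=$(tr -d '\r' | tr '[:upper:]' '[:lower:]')
  rc=0
  hsts=$(header_value strict-transport-security)
  case "$hsts" in
    *max-age=*)
      age=$(printf '%s' "$hsts" | sed 's/.*max-age=\([0-9]*\).*/\1/')
      # 15768000 seconds is the six months the config above uses.
      if [ "${age:-0}" -lt 15768000 ]; then
        echo "WEAK: strict-transport-security max-age=$age is below 15768000"; rc=1
      fi ;;
    *) echo "MISSING: strict-transport-security"; rc=1 ;;
  esac
  for h in x-frame-options x-content-type-options x-xss-protection; do
    [ -n "$(header_value "$h")" ] || { echo "MISSING: $h"; rc=1; }
  done
  # With server_tokens off NGINX sends just "nginx"; a version means it is still on.
  case "$(header_value server)" in
    nginx/*) echo "LEAK: Server header reveals the nginx version"; rc=1 ;;
  esac
  return $rc
}

# Live helpers (network required):
#   fetch_headers DOMAIN | check_headers
#   show_ocsp_stapling DOMAIN      # prints the OCSP response status line(s)
fetch_headers() { curl -sSI "https://$1/"; }
show_ocsp_stapling() {
  printf 'Q\n' | openssl s_client -connect "$1:443" -servername "$1" -status 2>/dev/null \
    | grep -i 'ocsp response'
}

# Constructed sample: what the HTTPS server block sends when the three add_header
# lines exist only at the http level (NGINX does not inherit add_header into a
# block that sets its own, as the HSTS line does) and server_tokens is still on.
SAMPLE_BAD='HTTP/1.1 200 OK
Server: nginx/1.14.0
Strict-Transport-Security: max-age=15768000
Content-Type: text/html'

# Constructed sample: the response once the headers are repeated in the server block.
SAMPLE_GOOD='HTTP/1.1 200 OK
Server: nginx
Strict-Transport-Security: max-age=15768000
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Type: text/html'

if [ -n "${1:-}" ]; then
  fetch_headers "$1" | check_headers
else
  echo "-- bad sample:";  printf '%s\n' "$SAMPLE_BAD"  | check_headers || true
  echo "-- good sample:"; printf '%s\n' "$SAMPLE_GOOD" | check_headers && echo "no findings"
fi
```

Run it against the bad sample to see the add_header inheritance problem reported as three MISSING lines plus the version leak; against your own domain it should print nothing and exit 0.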
