Linux Security

How to Secure Nginx with Letsencrypt on Rocky Linux/Alma Linux 9

Let’s Encrypt is a certificate authority (CA) that provides free certificates for Transport Layer Security (TLS) encryption. It simplifies the process of creation, validation, signing, installation, and renewal of certificates by providing a software client—Certbot.

It was developed by the Internet Security Research Group (ISRG) and trusted by all major browsers. It is used to automate the process of certificate creation, validation, signing, implementation, and renewal of certificates for secure websites.

The certificate is valid for only 90 days, so you will need to renew it manually or or set up the auto renewal system,

Let’s encrypt supports automated certification issuance for Apache, Nginx, Plex, and HAproxy. We will cover nginx in this guide.

Related Content

Prerequisites:

  • A Rocky Linux 9 server with internet access and public IP
  • A valid domain name with DNS pointed to the server
  • Root access to the server

Step 1 – Logging in to the server

Log in to the server using ssh user@server -p port:

ssh rocky@10.2.10.10

Step 2 – Ensure the OS packages are up to date

Update all of your packages to their latest available versions.

sudo dnf update -y

Step 3 – Install and enable Nginx

Install Nginx

sudo dnf install -y nginx

Start and enable nginx

systemctl start nginx
systemctl enable nginx

Step 4 – Create Nginx Configurations

For this lets create an nginx configurations. Save this in the file /etc/nginx/conf.d/site1.citizix.com.conf:

server {
    listen 80;
    server_tokens off;
    client_max_body_size 10M;
    server_name site1.citizix.com;

    access_log /var/log/nginx/site1.citizix.com/access.log;
    error_log /var/log/nginx/site1.citizix.com/error.log;
    ignore_invalid_headers off;

    ## Deny illegal Host headers
    if ($host !~* ^(site1.citizix.com)$ ) {
        return 444;
    }

    root /var/www/site1.citizix.com;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header   Host $host;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Host $server_name;
        proxy_set_header   X-Real-IP $remote_addr;
        proxy_set_header   X-Scheme $scheme;
        proxy_connect_timeout 60s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;
    }
}

Step 5 – Install the Certbot Client

The Certbot is a command-line tool used to simplifies the process for obtaining and renewing Let’s Encrypt SSL certificates for your website.

We will use snapd to install the required packages. You’ll need to install snapd and make sure you follow any instructions to enable classic snap support.

To install snapd in Rocky Linux 9, use the following command:

sudo dnf install epel-release
sudo dnf install snapd

Once installed, the systemd unit that manages the main snap communication socket needs to be enabled:

$ sudo systemctl enable --now snapd.socket

To enable classic snap support, enter the following to create a symbolic link between /var/lib/snapd/snap and /snap:

$ sudo ln -s /var/lib/snapd/snap /snap

Either log out and back in again or restart your system to ensure snap’s paths are updated correctly.

If you have any Certbot packages installed using an OS package manager, you should remove them before installing the Certbot snap to ensure that when you run the command certbot the snap is used rather than the installation from your OS package manager.

  1. Run this command on the command line on the machine to install Certbot.
sudo snap install --classic certbot

Execute the following instruction on the command line on the machine to ensure that the certbot command can be run.

sudo ln -s /snap/bin/certbot /usr/bin/certbot

Step 6 – Enable services on firewall

If using firewalld enable http and https in firewall:

sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https

Then reload to apply the configurations

sudo firewall-cmd --reload

You can verify with this command:

sudo firewall-cmd --permanent --list-all

Step 7 – Obtaining a Certificate

Stop nginx:

sudo systemctl stop nginx

Run this command to get a certificate and have Certbot edit your nginx configuration automatically to serve it, turning on HTTPS access in a single step.

sudo certbot --nginx

If you’re feeling more conservative and would like to make the changes to your nginx configuration by hand, run this command.

sudo certbot certonly --nginx

This is the command I run in my system:

sudo certbot certonly --nginx --non-interactive --agree-tos --email admin@citizix.com -d site1.citizix.com

Output

# sudo certbot --nginx --non-interactive --agree-tos --email admin@citizix.com -d site1.citizix.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Account registered.
Requesting a certificate for site1.citizix.com
Performing the following challenges:
http-01 challenge for site1.citizix.com
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/conf.d/site1.citizix.com.conf
Redirecting all traffic on port 80 to ssl in /etc/nginx/conf.d/site1.citizix.com.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled
https://site1.citizix.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/site1.citizix.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/site1.citizix.com/privkey.pem
   Your certificate will expire on 2021-11-05. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again with the "certonly" option. To non-interactively
   renew *all* of your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Start nginx:

sudo systemctl start nginx

Updated Nginx config to redirect all traffic to https:

server {
    server_tokens off;
    client_max_body_size 10M;
    server_name site1.citizix.com;

    access_log /var/log/nginx/site1.citizix.com/access.log;
    error_log /var/log/nginx/site1.citizix.com/error.log;
    ignore_invalid_headers off;

    ## Deny illegal Host headers
    if ($host !~* ^(site1.citizix.com)$ ) {
        return 444;
    }

    root /var/www/site1.citizix.com;

    location / {
        proxy_pass http://127.0.0.1:8096;
        proxy_set_header   Host $host;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Host $server_name;
        proxy_set_header   X-Real-IP $remote_addr;
        proxy_set_header   X-Scheme $scheme;
        proxy_connect_timeout 60s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/site1.citizix.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/site1.citizix.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
    if ($host = site1.citizix.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    server_name site1.citizix.com;
    return 404; # managed by Certbot
}

Conclusion

In this guide we learnt how to secure an Nginx virtual host with Letsencrypt ssl.

comments powered by Disqus
© 2020 - 2024 Citizix, Inc.
Citizix Ltd
Built with Hugo
Theme Stack designed by Jimmy