Simple Way to Secure Nginx on CentOS with Let’s Encrypt SSL
As a website administrator, you are cognizant of the significance of ensuring security and implementing encrypted HTTPS on your web server. This has a direct impact on the ranking of your website in search engines following the implementation of SSL. Installing and obtaining a certificate is fully automated on the Nginx server. Secure Nginx on CentOS with Let’s Encrypt SSL requires some essential and optional steps that you will learn in this article.
Nginx is a reverse proxy and a lightweight, open-source, reliable, high-performance HTTP server. IIS and Apache are surpassed by this web server in terms of popularity. Nginx is renowned for its dependability, efficiency, wealth of features, simple configuration, and sparse resource usage. Although most people prefer the default options, they are not safe enough, and additional adjustments are required to strengthen the web server.
What is Let’s Encrypt and How it Works?
Let’s Encrypt is a free, automated, and new Certificate Authority (CA) that allows you to obtain and install free TLS/SSL certificates. Developed by the Internet Security Research Group (ISRG), Let’s Encrypt issues certificates that are trusted by most browsers.
To protect website users’ privacy and raise your website’s search engine position, you must use SSL (short for Secure Socket Layer). Without SSL, third parties who are transmitting data can observe the data and information transmitted between your web server and the users of your site. With SSL, this information is encrypted and is only visible to you and your visitors, making both parties safer.
Adding a layer of security using an SSL certificate is the first and most important step in enhancing the security of your Nginx server. A digital certificate known as an SSL certificate uses cryptography to encrypt the data transit between your web server and the web browser. Additionally, an SSL certificate compels your website to use the secure HTTPS protocol rather than HTTP, which sends traffic in plain text.
Prerequisites to Harden Nginx on CentOS
To install and secure Nginx on CentOS, you will need to have an already running Linux VPS with the CentOS operating system installed with a non-root user with sudo privileges.
Also, a domain record that points to your server’s public IP is recommended.
Quick Guide to Secure Nginx on CentOS with SSL
Using Let’s Encrypt, you can configure an SSL certificate on your server free of charge to have a secure website. Let’s go through the steps of this guide to Secure Nginx on CentOS. Certbot software client plays the main role of securing processes and automating required steps.
Step 1. Install Certbot on CentOS
First, you must install Certbot to be able to use Let’s Encrypt and obtain an SSL certification. Certbot allows you to automate the tasks to obtain and renew Let’s Encrypt SSL certificates and configure your web server.
It is a good idea to install the Certbot package from the EPEL repository. To do this, run the following command:
sudo yum install epel-release
Running the above command enables the repository, and you are ready to obtain the certbot-nginx
package. Simply type the command below to install the Certbot Let’s Encrypt client and use it:
sudo yum install certbot-nginx
Step 2. Install/Start Nginx in CentOS
If the Nginx is already installed on your server, you skip this step. If not, you can do this after enabling the EPEL repository you did in the previous step. To install Nginx, run:
sudo yum install nginx
Then, use the command below to start Nginx on Linux CentOS:
sudo systemctl start nginx
By using the following command, you can also configure Nginx to launch automatically after the server boots up:
$ systemctl enable nginx
Step 4. Setup Firewall
You might know that the firewall software firewalld is included with it. If you want to ensure that no connections are blocked coming from or going to your server, you can choose to disable this. Firewalld must be set up to enable HTTPS access to your server if you want to use it on your machine.
Check to see if ports 80 and 443 are accessible to incoming traffic if you have a firewall enabled. You can continue if your computer does not have a firewall running. If your computer is running a firewalld, you can open these ports by typing:
sudo firewall-cmd --add-service=http
sudo firewall-cmd --add-service=https
sudo firewall-cmd --runtime-to-permanent
If you have an iptables firewall running, run the command below to add HTTP and HTTPS access:
sudo iptables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPT
sudo iptables -I INPUT -p tcp -m tcp --dport 443 -j ACCEPT
This is an optional step to Secure Nginx on CentOS, but you are recommended to check the nginx firewall. However, you are ready to run Certbot and fetch your certificates.
Step 4. Obtain a Certificate
In this step, obtaining a certificate will be discussed. Through different plugins, Certbot offers several options to get SSL certificates. The Nginx plugin will handle reloading the configuration and changing Nginx’s configuration as needed:
sudo certbot --nginx -d example.com -d www.example.com
The names you consider the certificate to be valid for are specified using the -d
option when running certbot
with the --nginx
plugin.
You will be asked to enter your email address and accept the terms of service if you are running certbot
for the first time. As soon as you’ve done so, certbot
connect to the Let’s Encrypt server and launch a challenge to confirm that you are the owner of the domain you want to seek a certificate. Nginx will reload after the configuration has been adjusted to take effect.
Your certificates will be placed there, and certbot
will conclude with a message letting you know the procedure was successful:
<span style="color: #808080;">Output</span>
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/<span style="color: #008000;">your_domain</span>/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/<span style="color: #008000;">your_domain</span>/privkey.pem
Your certificate will expire on 2024-01-01. To obtain a new or
tweaked version of this certificate in the future, simply run
certbot again with the "certonly" option. To non-interactively
renew *all* of your certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
You have downloaded, set up, and loaded your certificates. Examine your browser’s security indicator after reloading your webpage with the https://
protocol. It should display a green lock icon, which typically denotes that the website is adequately secured.
Step 5. Setup Auto-Renewal
Since Let’s Encrypt’s certificates are valid for 90 days, you must set up a regularly run command to keep track of expired certificate renewals and renew them automatically. To run periodic jobs, you can use cron and run the renewal check daily:
sudo crontab -e
It tells cron what to do after opening and editing a file called crontab. Your text editor will launch the default crontab, now an empty text file. Copy the next line, then save and close it:
crontab
. . .
0 5 * * * /usr/bin/certbot renew --quiet
The phrase “run the following command at 5:00 am, every day” is denoted by the 0 5 * * *
part of the line. You can pick at any time. The Certbot renew
command will examine all installed certificates and update any that have an expiration date of fewer than 30 days. Certbot is instructed not to output data or wait for user interaction by the command --quiet
.
Now, cron
will execute this command each day. When a certificate’s expiration date is thirty days or less away, it will be automatically renewed and reloaded.
Secure Nginx with SSL on CentOS must have been successfully done by now, and you must be able to access your site using HTTPS. Ubuntu server administrators also proceed with similar steps to Secure Nginx using Let’s Encrypt SSL on Ubuntu.
Conclusion
In this article, you learned How to Secure Nginx using SSL on CentOS. As you review, Let’s Encrypt provides setting up a free SSL certificate on your server. First, you learned how to use the Cerbot Let’s Encrypt client to obtain a free SSL certification. Updating the firewall is recommended after installing and enabling Nginx on your server. Then, you got ready to obtain a certificate which made you so close to securing Nginx on your CentOS server. Renewing your SSL certificate automatically was the final required step.
If you follow the above steps properly you can smoothly install certbot on CentOS and secure Nginx without any errors but do not hesitate to contact us if you encounter any problems. Our technical support team will try their best to solve your problems.