Secure Nginx on CentOS with Let’s Encrypt SSL
Secure Nginx on CentOS by installing Nginx, enabling HTTPS with Let’s Encrypt SSL certificates, and setting up automatic renewal for continuous security. This quick guide ensures encrypted, safe connections for your web server.
What is Let’s Encrypt and How it Works?
Let’s Encrypt is a free, automated, and new Certificate Authority (CA) that allows you to obtain and install free TLS/SSL certificates. Developed by the Internet Security Research Group (ISRG), Let’s Encrypt issues certificates that are trusted by most browsers.
To protect your visitors’ privacy and improve your site’s search engine ranking, you should serve it over SSL (short for Secure Sockets Layer; the protocol in use today is its successor, TLS). Without SSL, any third party on the path between your web server and your visitors can read the data exchanged between them. With SSL, that traffic is encrypted and readable only by your server and the visitor’s browser, which protects both parties.
Adding an SSL certificate is the first and most important step in hardening your Nginx server. An SSL certificate is a digital certificate that uses cryptography to encrypt data in transit between your web server and the web browser. It also lets your website use the secure HTTPS protocol instead of plain HTTP, which sends all traffic in clear text.
Prerequisites to Harden Nginx on CentOS
To install and secure Nginx on CentOS, you will need to have an already running Linux VPS with the CentOS operating system installed with a non-root user with sudo privileges.
Also, a domain record that points to your server’s public IP is recommended.
Quick Guide to Secure Nginx on CentOS with SSL
Using Let’s Encrypt, you can configure an SSL certificate on your server free of charge and serve your website securely. The steps below walk through securing Nginx on CentOS. The Certbot client does most of the work: it obtains the certificate and automates the steps required to install and renew it.
Step 1. Install Certbot on CentOS
First, you must install Certbot in order to use Let’s Encrypt and obtain an SSL certificate. Certbot automates obtaining and renewing Let’s Encrypt SSL certificates and can configure your web server to use them.
It is a good idea to install the Certbot package from the EPEL repository. To do this, run the following command:
sudo yum install epel-release
Running the above command enables the repository, and you are ready to obtain the certbot-nginx package. Type the command below to install the Certbot Let’s Encrypt client together with its Nginx plugin:
sudo yum install certbot-nginx
Step 2. Install/Start Nginx in CentOS
If Nginx is already installed on your server, skip this step. If not, you can install it now, since the EPEL repository was enabled in the previous step. To install Nginx, run:
sudo yum install nginx
Then, use the command below to start Nginx on Linux CentOS:
sudo systemctl start nginx
By using the following command, you can also configure Nginx to launch automatically after the server boots up:
sudo systemctl enable nginx
Step 3. Setup Firewall
CentOS ships with the firewalld firewall software. If you want to be sure that no connections to or from your server are blocked, you could disable it, but if you keep firewalld running (as you should), it must be configured to allow HTTPS access to your server.
If a firewall is enabled, check that ports 80 and 443 accept incoming traffic. If your server is not running a firewall, you can continue. If your server is running firewalld, open these ports by typing:
sudo firewall-cmd --add-service=http
sudo firewall-cmd --add-service=https
sudo firewall-cmd --runtime-to-permanent
If you have an iptables firewall running, run the command below to add HTTP and HTTPS access:
sudo iptables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPT
sudo iptables -I INPUT -p tcp -m tcp --dport 443 -j ACCEPT
This step is optional when securing Nginx on CentOS, but you are recommended to check that the firewall allows Nginx traffic. Either way, you are now ready to run Certbot and fetch your certificates.
Step 4. Obtain a Certificate
In this step, obtaining a certificate will be discussed. Through different plugins, Certbot offers several options to get SSL certificates. The Nginx plugin will handle reloading the configuration and changing Nginx’s configuration as needed:
sudo certbot --nginx -d example.com -d www.example.com
The names the certificate should be valid for are specified with the -d option when running certbot with the --nginx plugin.
If you are running certbot for the first time, you will be asked to enter your email address and accept the terms of service. As soon as you have done so, certbot connects to the Let’s Encrypt server and runs a challenge to confirm that you control the domain you are requesting a certificate for. Once the Nginx configuration has been adjusted, Nginx is reloaded so the change takes effect.
Your certificates are placed under /etc/letsencrypt/live/, and certbot concludes with a message letting you know the procedure was successful:
Output
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/your_domain/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/your_domain/privkey.pem
   Your certificate will expire on 2024-01-01. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again with the "certonly" option. To non-interactively
   renew *all* of your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
   Donating to EFF: https://eff.org/donate-le
You have downloaded, set up, and loaded your certificates. Reload your webpage using the https:// protocol and examine your browser’s security indicator. It should display a green lock icon, which typically denotes that the website is adequately secured.
Step 5. Setup Auto-Renewal
Since Let’s Encrypt certificates are valid for only 90 days, you must set up a regularly scheduled command that checks for certificates approaching expiry and renews them automatically. You can use cron for such periodic jobs and run the renewal check daily:
sudo crontab -e
This opens the crontab, the file that tells cron what to run and when. Your text editor will open the default crontab, which is an empty file at this point. Copy in the following line, then save and close it:
crontab
. . .
0 5 * * * /usr/bin/certbot renew --quiet
The 0 5 * * * part of the line means “run the following command at 5:00 am, every day”. You can pick any time you like. The certbot renew command examines all installed certificates and renews any that expire in fewer than 30 days. The --quiet flag tells Certbot not to print output or wait for user interaction.
From now on, cron will execute this command each day. When a certificate’s expiration date is thirty days or less away, it will be renewed automatically and Nginx reloaded.
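The cron job above only helps if the certificate it relies on is actually where Certbot put it and is not already past renewal. The following script is an added example, not part of the original guide: it reads a certificate’s expiry the way an administrator would before trusting the renewal job, computes the days remaining, and classifies it against Certbot’s 30-day renewal window. It assumes Certbot’s default layout under /etc/letsencrypt/live/ and GNU date/openssl, as on CentOS.

```shell
#!/bin/sh
# Added example (not from the original guide): a pre-flight check for the
# daily "certbot renew" cron job. Assumes Certbot's default live directory
# and GNU date (for "date -d"), both standard on CentOS.

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"   # Certbot default; override via env
RENEW_THRESHOLD_DAYS=30                         # "certbot renew" acts below 30 days

# days_left NOT_AFTER [NOW_EPOCH]
# NOT_AFTER is the date as printed by "openssl x509 -enddate", for example
# "Jan  1 00:00:00 2024 GMT". Prints whole days remaining (negative = expired).
# NOW_EPOCH is optional and exists so the check can be tested offline.
days_left() {
    not_after=$1
    now=${2:-$(date +%s)}
    end=$(date -u -d "$not_after" +%s) || return 1
    echo $(( (end - now) / 86400 ))
}

# renewal_status DAYS -> prints "expired", "renew-due" or "ok"
renewal_status() {
    if [ "$1" -lt 0 ]; then
        echo expired
    elif [ "$1" -lt "$RENEW_THRESHOLD_DAYS" ]; then
        echo renew-due
    else
        echo ok
    fi
}

# check_domain DOMAIN: reads the live fullchain.pem Certbot wrote for DOMAIN
# and reports its status. Returns 1 if expired, 2 if no certificate is found.
check_domain() {
    cert="$LIVE_DIR/$1/fullchain.pem"
    [ -r "$cert" ] || { echo "$1: no certificate at $cert" >&2; return 2; }
    not_after=$(openssl x509 -in "$cert" -noout -enddate | sed 's/^notAfter=//')
    days=$(days_left "$not_after") || return 2
    status=$(renewal_status "$days")
    echo "$1: expires in $days days ($status)"
    [ "$status" != expired ]
}

# Typical use on the server (hypothetical domain):
#   check_domain example.com && sudo certbot renew --dry-run
```

Running `certbot renew --dry-run` after the check exercises the same renewal path the cron job will take, so a broken Nginx config or firewall rule shows up before a certificate actually expires.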
By now you have secured Nginx with SSL on CentOS and should be able to access your site over HTTPS. Ubuntu server administrators follow similar steps to secure Nginx with Let’s Encrypt SSL on Ubuntu.
Conclusion
Securing Nginx on CentOS involves a combination of system hardening, proper configuration, and ongoing monitoring. Following the above steps ensures that your Nginx web server is well protected against common threats. From installing SSL certificates to limiting request sizes and enabling Fail2Ban, each measure contributes to a safer environment for your website and users.
For beginners, taking these steps builds a strong foundation in Linux server security and Nginx management. Always stay informed about security best practices and updates to maintain a secure web presence.
By implementing these guidelines, you will effectively secure Nginx on CentOS, providing a reliable and safe platform for your web applications.
FAQ
1. How do I install Nginx on a CentOS server?
Enable the EPEL repository with "sudo yum install epel-release", then install Nginx using "sudo yum install nginx" and start it with "sudo systemctl start nginx".
2. What is Let's Encrypt and how does it help secure Nginx on CentOS?
Let's Encrypt is a free SSL certificate provider that enables HTTPS to encrypt website traffic, securing your Nginx server.
3. How can I install Certbot to use Let's Encrypt on CentOS?
Install Certbot from the EPEL repo with "sudo yum install certbot-nginx", which automates obtaining and renewing SSL certificates.
4. What steps should I follow to obtain an SSL certificate with Certbot on Nginx?
Run "sudo certbot --nginx -d yourdomain.com"; Certbot will verify your domain and configure HTTPS automatically.
5. How do I configure the firewall to allow HTTPS traffic on CentOS?
Open the HTTP and HTTPS ports using "sudo firewall-cmd --add-service=http" and "sudo firewall-cmd --add-service=https", then save the changes with "sudo firewall-cmd --runtime-to-permanent".
6. Why is setting up auto-renewal for SSL certificates important and how is it done?
Let's Encrypt certificates last 90 days. Auto-renewal via a cron job ensures your certificate remains valid without manual renewal.
7. How can I verify that Nginx is securely configured with SSL on CentOS?
Visit your site with "https://" and look for a padlock icon in the browser address bar indicating secure SSL encryption.
8. Can I secure multiple domains on Nginx using Let's Encrypt on CentOS?
Yes, specify multiple domains with repeated -d options, for example, "sudo certbot --nginx -d example.com -d www.example.com".
9. What prerequisites are needed before securing Nginx on CentOS with SSL?
You need a CentOS server with Nginx installed, sudo privileges, and a domain pointing to your server's IP address.