Install NGINX and configure SSL

Install NGINX
# Use apt-get to retrieve nginx
sudo apt-get install nginx

# You may need to install software-properties-common first (it provides add-apt-repository for extra package sources)
sudo apt-get install software-properties-common

# start the server
sudo service nginx start

# command to reload the configuration without dropping open connections
# sudo nginx -s reload

# Check that nginx is successfully installed
nginx -v
Add a new website

We will create a new web root directory under /var/www and change the web directory's ownership to a non-root user that has permissions to the web root directory (avoid using the root user). Copy the static web content to the new web root directory.

# Create site directory under Nginx web root
sudo mkdir -p /var/www/example.com/html

# hand the site directory to the non-root user who will manage it (user_name is a placeholder)
sudo chown -R user_name:user_name /var/www/example.com

# switch to that user
su - user_name

# Change the permission of the directory (owner and group: read/write/execute)
chmod -R ug+rwx /var/www/example.com
# Or, from the sudo account: owner read/write/execute, everyone else read/execute
sudo chmod -R 755 /var/www/example.com
Configure server block

By default NGINX installs with a default server block that is configured to serve files from /var/www/html. The default configuration file for NGINX is located at /etc/nginx/sites-available/default. The default configuration file is the fallback configuration and is not intended to be modified.

To direct HTTP web traffic to the new website, we will create a new NGINX server configuration block. Similar to virtual hosts in Apache, server blocks enable Nginx to host multiple domains, each with its own host-specific configuration.

# list the default and all custom configuration files
ls /etc/nginx/sites-available/

# back up the default (and any custom) configuration files before editing
sudo cp /etc/nginx/sites-available/default /etc/nginx/sites-available/default.save

# copy the default config as the starting point for the new site
sudo cp /etc/nginx/sites-available/default /etc/nginx/sites-available/example.com

# modify the copied config
sudo nano /etc/nginx/sites-available/example.com

Example: Server block for a static site:

# Edit config file
sudo nano /etc/nginx/sites-available/example.com

# root is the directory the site is served from; this server block handles port 80 traffic
server {
	listen 80;
	listen [::]:80;
	root /var/www/example.com/html;
	server_name example.com www.example.com;
	location / {
		try_files $uri $uri/ =404;
	}
}

Example: Server block for a reverse proxy:

# Edit config file
sudo nano /etc/nginx/sites-available/example.com

# the first block redirects all plain-HTTP traffic to https;
# the second terminates TLS and proxies to the application on localhost:5000.
# Certbot adds the ssl_certificate / ssl_certificate_key lines later;
# until they exist, nginx -t rejects a "listen ... ssl" block.
server {
        listen 80;
        listen [::]:80;
        server_name example.com www.example.com;
        return 301 https://$host$request_uri;
}
server {
        listen 443 ssl default_server;
        listen [::]:443 ssl default_server;
        server_name example.com www.example.com;
        location / {
                proxy_pass http://localhost:5000;
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection keep-alive;
                proxy_set_header Host $http_host;
                proxy_cache_bypass $http_upgrade;
        }
}

Note that default_server can be set only once per listening address and port (for example once for port 80 and once for port 443) across the whole configuration, whereas server_name lets each block name whichever hostnames it should serve.

Enable server block and restart NGINX

After setting up the server block file, we need to enable it. To do this, create a symbolic link to it in the sites-enabled directory and restart Nginx.

# Use the following command to check default_server is set only once per listen socket
grep -R default_server /etc/nginx/sites-available/

# verify the configuration syntax before enabling it
sudo nginx -t

# create symbolic link
sudo ln -s /etc/nginx/sites-available/example.com /etc/nginx/sites-enabled/

# restart server
sudo systemctl restart nginx
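The grep above only counts lines, while nginx cares about sockets. The following POSIX shell check is an added example and not part of the original post: it normalizes each listen ... default_server directive to its socket and reports any socket claimed twice, using a constructed temporary directory with two sample site files in place of /etc/nginx/sites-available.

```shell
# Added example (not from the original post): a stricter version of the
# grep above. nginx allows "default_server" once per listen socket, not once
# per file, so this normalizes each "listen ... default_server" line to its
# socket and reports any socket claimed twice across a directory.
# Limitation: only the common spellings (80, *:80, 0.0.0.0:80, [::]:80)
# are merged; commented-out lines are ignored.

# Print one normalized socket per "listen ... default_server" directive.
list_default_sockets() {
    cat "$1"/* 2>/dev/null \
      | sed -n 's/^[[:space:]]*listen[[:space:]]\{1,\}\([^; ]*\).*default_server.*/\1/p' \
      | sed 's/^\*://; s/^0\.0\.0\.0://'
}

# Print each socket that carries default_server more than once.
duplicate_default_sockets() {
    list_default_sockets "$1" | sort | uniq -d
}

# Return 0 when the directory is safe to enable, 1 on a conflict.
check_default_server() {
    dupes=$(duplicate_default_sockets "$1")
    [ -z "$dupes" ] && return 0
    printf 'default_server claimed more than once on: %s\n' "$dupes" >&2
    return 1
}

# Constructed sample: the mistake of copying "default" to a new site file
# and leaving its default_server flags in place.
make_sample() {
    d=$(mktemp -d)
    cat > "$d/default" <<'EOF'
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
}
EOF
    cat > "$d/example.com" <<'EOF'
server {
    listen *:80 default_server;
    listen [::]:80 default_server;
    server_name example.com www.example.com;
}
EOF
    printf '%s\n' "$d"
}

# check_default_server "$(make_sample)"   # returns 1 and names 80 and [::]:80
```

Point it at /etc/nginx/sites-enabled before the symlink step; a non-zero exit means nginx would ignore one of the conflicting blocks with only a warning.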
Install Certbot, configure HTTPS

This post covers how to install certificates and configure HTTPS on the NGINX web server. We will use Let's Encrypt to obtain a trusted certificate issued by a Certificate Authority (CA), using Let's Encrypt's client tool, Certbot.

In brief, Certbot is an application installed on the server associated with the domain. It proves control of the domain to Let's Encrypt's servers by answering a challenge, signing its requests with an account key pair; the issued certificate binds the domain name to the server's public key, whose private key never leaves the server. Once the domain is verified, the generated certificate is associated with the domain.

sudo certbot --nginx -m your-email@ex.com --agree-tos --no-eff-email --redirect --expand -d example.com,www.example.com

Start Certbot with the command above and follow the prompts. The tool verifies the domain by communicating with the Let's Encrypt server and running a challenge that proves you control the domain you are requesting a certificate for. When successful, Certbot asks you to confirm the HTTPS settings, writes the certificate files, and updates the Nginx config automatically.

Reverse Proxy

When the domain is served by an Nginx reverse proxy, you may need to temporarily redirect its HTTP traffic to a static Nginx web root so that Certbot's challenge gets a valid response. Update the default config to match the domain hostname and serve the request from /var/www/html. (Undo this once the domain is verified.)

# open config
sudo nano /etc/nginx/sites-enabled/default

server {
        listen 80 default_server;
        listen [::]:80 default_server;

        root /var/www/html;
        ...
        # Temporarily added to set up Certbot, which only needs a valid response for the domain
        server_name example.com www.example.com;
        #server_name _;

        location / {
                # First attempt to serve request as file, then
                # as directory, then fall back to displaying a 404.
                try_files $uri $uri/ =404;
        }
    ...
}

Source – Using Certbot with an Nginx server instance