How To Set Up HTTPS For A Website On Ubuntu

Prerequisites:
You must set up the following first:
Context:
Steps:
  1. Get an SSL certificate.
You can get a free SSL certificate from Let's Encrypt by following these steps:
  • SSH into your server.
ssh alex@bluedroplet.yourdomain.com
  • Install the Certbot client.
sudo apt-get install letsencrypt -y
  • Get an SSL certificate for your site using the letsencrypt command.
sudo letsencrypt certonly --webroot -w ~/sites/yourdomain.com/public -d yourdomain.com
- The -w flag should point to your site’s public directory.
- The -d flag is the domain you’re requesting the certificate for.
- You should be prompted to enter your email address, which will be used for expiration notices.
- You'll see the following message on success, showing the certificate location.


  2. Install the SSL certificate.
  • Edit the site’s Nginx configuration file.
sudo nano /etc/nginx/sites-available/yourdomain.com
Remove the following directives from the existing server block.
listen 80;
listen [::]:80;
Add the following directives within the server block, replacing /etc/letsencrypt/live/yourdomain.com with the path you received when obtaining the certificate. The http2 parameter enables HTTP/2 support.
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
  • Ensure there are no syntax errors.
sudo nginx -t
  • Reload the configuration if there are no errors.
sudo service nginx reload
  • Visit your site in a browser.
  - Go to the HTTP address http://yourdomain.com; you should receive an empty response.
  - Go to the HTTPS address https://yourdomain.com; you should see the site content and a padlock icon in the address bar.
  - If the site times out, make sure port 443 is open on your server firewall. See the firewall details in this article.

  3. Redirect HTTP traffic to HTTPS.
  • Edit the site’s Nginx configuration file.
sudo nano /etc/nginx/sites-available/yourdomain.com
Add a new server block below the existing one, as shown here.
server {
     …
     listen 443 ssl http2;
     listen [::]:443 ssl http2;
     server_name yourdomain.com;
     …
}

server {
    listen 80;
    listen [::]:80;
    server_name yourdomain.com;
    return 301 https://$server_name$request_uri;
}
  • Ensure there are no syntax errors.
sudo nginx -t
  • Reload the configuration if there are no errors.
sudo service nginx reload
  • Visit your site via HTTP; it will be redirected to the HTTPS address.

  4. Automate SSL certificate renewal.
Certificates from Let’s Encrypt expire after 90 days. You can set up an auto-renewal cron job on your server.
Edit the cron task file.
sudo crontab -e
Add the following command to the end of the file.
0 0,12 * * * letsencrypt renew >/dev/null 2>&1
This will attempt to renew certificates twice daily. Certificates which are not due to expire in the next 30 days will be skipped.

  5. Improve SSL security and performance.
  • Edit the main Nginx configuration file.
sudo nano /etc/nginx/nginx.conf
Inside the http block, add the directives shown below.
http {
   …

   ssl_prefer_server_ciphers on;  
   ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
   ssl_session_cache shared:SSL:10m;
   ssl_session_timeout 10m;


   # IMPORTANT: Remove includeSubdomains below if you have a subdomain that does not support HTTPS.
   add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
 
   …
}
Note:
- With this configuration SSL session parameters are cached, so returning clients only need to perform a full handshake every 10 minutes.
- Adding the Strict-Transport-Security header to the server response ensures that browsers enforce HTTPS for all future connections, even if the user attempts a plain HTTP connection.
  • Build a stronger DHE (Ephemeral Diffie-Hellman) parameter file in the same folder as the SSL certificates.
sudo openssl dhparam -out /etc/letsencrypt/live/yourdomain.com/dhparam.pem 2048
Note: By default, Nginx uses a 1028-bit DHE parameter, which is considered weak. Nginx only uses the generated file if the server block references it with the ssl_dhparam directive.
  • Ensure there are no syntax errors.
sudo nginx -t
  • Reload the configuration if there are no errors.
sudo service nginx reload
  • Visit your website to test.
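As an added end-to-end check, not part of the original post: this Python script (standard library only) verifies the three things the steps above set up, the HTTP-to-HTTPS redirect, the HSTS header, and the certificate's remaining lifetime against the 30-day renewal window. The host name and the audit() helper are assumptions; the check functions themselves work on captured status codes and headers.

```python
import http.client
import ssl
from datetime import datetime, timezone

# Constructed reference value: one year, matching the add_header value in the Nginx config above.
HSTS_MIN_AGE = 31536000


def check_redirect(status, headers):
    """Plain HTTP must answer 301 with an https:// Location (the redirect server block)."""
    return status == 301 and headers.get("location", "").startswith("https://")


def check_hsts(headers, min_age=HSTS_MIN_AGE):
    """Strict-Transport-Security must be present with max-age >= min_age."""
    for part in headers.get("strict-transport-security", "").split(";"):
        key, _, value = part.strip().partition("=")
        if key.lower() == "max-age" and value.strip().isdigit():
            return int(value) >= min_age
    return False


def parse_not_after(not_after):
    """Parse the notAfter string that ssl.SSLSocket.getpeercert() returns, e.g. 'Mar 25 12:00:00 2025 GMT'."""
    return datetime.strptime(not_after, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


def days_until_expiry(not_after, now=None):
    """Days left on the certificate; the renew cron only acts on certs within 30 days of expiry."""
    now = now or datetime.now(timezone.utc)
    return (parse_not_after(not_after) - now).days


def _lower_headers(response):
    return {k.lower(): v for k, v in response.getheaders()}


def audit(host):
    """Hypothetical helper: run the checks against a live host (needs network access)."""
    plain = http.client.HTTPConnection(host, 80, timeout=10)
    plain.request("GET", "/")
    resp = plain.getresponse()
    results = {"redirect": check_redirect(resp.status, _lower_headers(resp))}
    plain.close()
    # The default context verifies the chain and host name, so a bad cert raises here.
    secure = http.client.HTTPSConnection(host, 443, timeout=10, context=ssl.create_default_context())
    secure.request("GET", "/")
    resp = secure.getresponse()
    results["hsts"] = check_hsts(_lower_headers(resp))
    results["days_left"] = days_until_expiry(secure.sock.getpeercert()["notAfter"])
    secure.close()
    return results


if __name__ == "__main__":
    print(audit("yourdomain.com"))  # placeholder host from the post
```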

  6. DONE.
