In today’s digital landscape, securing your web server is more critical than ever. With an increasing number of cyber threats and privacy concerns, enabling HTTPS is a fundamental step toward safeguarding sensitive data transmitted between clients and your server. In this article, we’ll discuss how to set up HTTPS on your Linux server using a Let’s Encrypt certificate and Nginx configured with modern ciphers.
Understanding HTTPS and Why It’s Important
HTTPS (HyperText Transfer Protocol Secure) is an extension of HTTP that encrypts the data sent between the user’s browser and your web server, preventing eavesdropping and tampering. The key benefits of using HTTPS include:
- Data Encryption: Protects sensitive information from attackers.
- Data Integrity: Ensures that information exchanged is not altered during transmission.
- Authentication: Confirms that users are communicating with the intended server.
- Search Engine Ranking: Search engines prioritize secure sites in their rankings.
Prerequisites
Before getting started, ensure that you have:
- A Linux server (Ubuntu, CentOS, etc.)
- A registered domain name
- Root or sudo access to your server
Step 1: Install Nginx
To proceed with HTTPS configuration, you first need a web server. Nginx is a high-performance web server that is commonly used and provides excellent support for SSL.
Installing Nginx
For Ubuntu:
```bash
sudo apt update
sudo apt install nginx
```
For CentOS:
```bash
sudo yum install epel-release
sudo yum install nginx
```
Start and Enable Nginx
```bash
sudo systemctl start nginx
sudo systemctl enable nginx
```
Step 2: Obtain an SSL Certificate with Let’s Encrypt
Let’s Encrypt offers free SSL certificates that you can use to secure your site. We’ll use Certbot, a tool that automates the process of obtaining and renewing SSL certificates.
Installing Certbot
For Ubuntu:
```bash
sudo apt install certbot python3-certbot-nginx
```
For CentOS:
```bash
sudo yum install certbot python2-certbot-nginx
```
Obtaining the SSL Certificate
Run the following command, replacing yourdomain.com with your actual domain name:
```bash
sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com
```
Follow the prompts to complete the installation, and Certbot will automatically configure Nginx to use the generated SSL certificate.
Step 3: Configuring Nginx for HTTPS
After obtaining your SSL certificate, you may need to review and adjust the Nginx configuration to enforce HTTPS and utilize modern cryptographic settings.
Open the Nginx Configuration
Open your Nginx configuration file located in /etc/nginx/sites-available/yourdomain or /etc/nginx/conf.d/default.conf.
```bash
sudo nano /etc/nginx/sites-available/yourdomain
```
Nginx Configuration Block
Ensure your server block looks similar to the following, with modern ciphers and HTTP/2 enabled.
```nginx
server {
    listen 80;
    server_name yourdomain.com www.yourdomain.com;
    return 301 https://$server_name$request_uri; # Redirect HTTP to HTTPS
}

server {
    listen 443 ssl http2;
    server_name yourdomain.com www.yourdomain.com;

    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;

    ssl_protocols TLSv1.2 TLSv1.3; # Use only modern protocols
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
    ssl_prefer_server_ciphers off;

    location / {
        root /var/www/yourdomain;
        index index.html index.htm;
    }
}
```
Save and Exit
Press CTRL + X, then Y, followed by ENTER to save and exit.
Step 4: Test Nginx Configuration
Before restarting Nginx, it is essential to ensure that there are no syntax errors in your configuration.
```bash
sudo nginx -t
```
If the test is successful, restart Nginx:
```bash
sudo systemctl restart nginx
```
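`nginx -t` validates the configuration but does not judge whether the protocols and ciphers in it are strong. The script below is an added example, not part of the original article: it checks `ssl_protocols` and `ssl_ciphers` against the values used in Step 3. The function names, the allow-list (which also admits ECDHE ChaCha20-Poly1305) and the `weak_conf` sample are assumptions made for illustration.

```bash
# Added example: audit the TLS directives of an Nginx config.
# Reads the file named in $1, or stdin when no file is given.
# Prints one finding per line; exit status is 1 if anything was flagged.
audit_tls_conf() {
    awk '
    function flag(msg) { print msg; bad = 1 }
    { sub(/#.*/, "") }                      # drop comments, fields are re-split
    $1 == "ssl_protocols" {
        seen = 1
        for (i = 2; i <= NF; i++) {
            p = $i; sub(/;$/, "", p)
            if (p != "" && p != "TLSv1.2" && p != "TLSv1.3")
                flag("weak protocol: " p)
        }
    }
    $1 == "ssl_ciphers" {
        list = $0
        sub(/^[ \t]*ssl_ciphers[ \t]+/, "", list)
        gsub("[;\047\" \t]", "", list)      # strip quotes, semicolon, blanks
        n = split(list, c, ":")
        for (i = 1; i <= n; i++)
            if (c[i] !~ /^ECDHE-(ECDSA|RSA)-(AES(128|256)-GCM-SHA(256|384)|CHACHA20-POLY1305)$/)
                flag("cipher outside ECDHE+AEAD set: " c[i])
    }
    END {
        if (!seen) flag("no ssl_protocols directive: defaults depend on the Nginx version")
        exit bad + 0
    }' "${1:--}"
}

# Constructed sample input: a legacy-style TLS block, not taken from the article.
weak_conf() {
    printf '%s\n' \
        'server {' \
        '    listen 443 ssl;' \
        '    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;  # legacy clients' \
        "    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:DES-CBC3-SHA';" \
        '}'
}

# The TLS directives from the server block in Step 3 of this article.
page_conf() {
    printf '%s\n' \
        'ssl_protocols TLSv1.2 TLSv1.3; # Use only modern protocols' \
        "ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';" \
        'ssl_prefer_server_ciphers off;'
}

weak_conf | audit_tls_conf || echo "-> weak_conf: findings listed above"
page_conf | audit_tls_conf && echo "-> page_conf: no findings"
```

To audit a real file, pass its path: `audit_tls_conf /etc/nginx/sites-available/yourdomain`.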
Step 5: Set Up Automatic SSL Certificate Renewal
Let’s Encrypt certificates are valid for only 90 days. To ensure that your certificates renew automatically, you can set up a cron job.
Edit Your Cron Jobs
```bash
sudo crontab -e
```
Add the following line to automatically renew your certificates:
```bash
0 */12 * * * certbot renew --quiet
```
This command runs the renewal process twice a day.
Conclusion
Securing your Linux server with HTTPS is a straightforward process that greatly enhances your website’s security. By following the steps outlined in this article, you can secure your server and protect your users’ data with modern ciphers and certificates from Let’s Encrypt. Continually monitor and test your server’s security posture to stay ahead of potential threats and maintain the trust of your clientele.
For more tips and tricks on securing your Linux server, stay tuned to the WafaTech Blog!