How To Get a Free A+ Grade SSL Certificate from Let's Encrypt on Nginx (Ubuntu 16.04)

Prerequisites:

LEMP on Ubuntu 16.04

Start by updating the apt package indices

sudo apt-get update

Install the Let's Encrypt client package

(Known as certbot on GitHub: https://github.com/certbot/certbot)

sudo apt-get install letsencrypt

I will assume that the domain we work on is called mysite.com and that you have Nginx installed and configured as in the LEMP tutorial above.

Open the Nginx configuration file

sudo vi /etc/nginx/sites-available/mysite.com

Make the .well-known directory accessible

We do this because Let's Encrypt validates that you control the domain (the HTTP-01 challenge) by fetching a file under /.well-known/acme-challenge/ over plain HTTP. Add this location before the one that denies hidden files (the complete configuration file is below): nginx evaluates regex locations in the order they appear in the file, so if the rule denying paths that contain "/." came first, the challenge request would be refused and validation would fail.

    location ~ /.well-known {
        allow all;
    }

Check the Nginx syntax

sudo nginx -t

Reload Nginx

sudo systemctl reload nginx

Generate the certificate

sudo letsencrypt certonly -a webroot --webroot-path=/var/www/mysite.com/html -d mysite.com -d www.mysite.com

The --webroot-path must be the same directory as the root of the server block that answers for these names on port 80, because the client writes the challenge file under that directory and the CA fetches it through Nginx.

The result will be similar to the following:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/mysite.com/fullchain.pem. Your cert
   will expire on 2017-05-17. To obtain a new version of the
   certificate in the future, simply run Let's Encrypt again.
 - If you like Let's Encrypt, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
   Donating to EFF:                  https://eff.org/donate-le
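To make the two points above concrete (why the .well-known location must come first, and what the CA actually fetches), here is an added Python example; it is not code from this page or from certbot. It computes the HTTP-01 key authorization that the webroot plugin writes under the site root (the challenge token followed by the RFC 7638 thumbprint of the ACME account key) and models nginx's first-regex-match-wins rule for the two `location ~` blocks used in this tutorial. The account JWK, the token and the temporary webroot are constructed for the example.

```python
import base64
import hashlib
import json
import re
import tempfile
from pathlib import Path

# Constructed sample ACME account key as a JWK; the modulus is a placeholder, not a real key.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "not-a-real-modulus-constructed-for-the-example"}


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required JWK members only,
    serialised with sorted keys and no whitespace, base64url without padding."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256(canonical.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def key_authorization(token: str, account_jwk: dict) -> str:
    """The body the CA expects at http://<domain>/.well-known/acme-challenge/<token>."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def stage_challenge(webroot: str, token: str, account_jwk: dict) -> Path:
    """What the webroot plugin does: write the key authorization below the
    directory nginx serves as `root`, so the CA can fetch it over plain HTTP."""
    target = Path(webroot) / ".well-known" / "acme-challenge" / token
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(key_authorization(token, account_jwk))
    return target


def stage_in_tempdir(token: str, account_jwk: dict):
    """Stage into a throwaway webroot; returns (path as str, file content)."""
    path = stage_challenge(tempfile.mkdtemp(), token, account_jwk)
    return str(path), path.read_text()


# The two `location ~` rules from this tutorial, in the order the text prescribes:
# allow .well-known first, then deny every path that contains "/.".
PAGE_ORDER = [(r"/.well-known", "allow"), (r"/\.", "deny")]
SWAPPED_ORDER = list(reversed(PAGE_ORDER))


def nginx_regex_decision(path: str, locations) -> str:
    """Simplified model of nginx location matching: among `location ~` blocks the
    first regex (in file order) that matches wins. Paths matching no regex are
    reported as allowed, since they would fall through to a prefix location."""
    for pattern, action in locations:
        if re.search(pattern, path):
            return action
    return "allow"


def challenge_reachable(token: str, locations) -> bool:
    return nginx_regex_decision(f"/.well-known/acme-challenge/{token}", locations) == "allow"


if __name__ == "__main__":
    tok = "constructed-token"
    print(key_authorization(tok, SAMPLE_JWK))
    print("page order    ->", nginx_regex_decision(f"/.well-known/acme-challenge/{tok}", PAGE_ORDER))
    print("swapped order ->", nginx_regex_decision(f"/.well-known/acme-challenge/{tok}", SWAPPED_ORDER))
    print("/.git/config  ->", nginx_regex_decision("/.git/config", PAGE_ORDER))
```

With the swapped order the challenge path is denied while /.git/config is still blocked either way, which is exactly the failure mode the tutorial's ordering advice prevents.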

Generate 2048- or 4096-bit Diffie-Hellman parameters

I will generate the Diffie-Hellman parameters inside the Nginx installation directory to keep things organized. You can put them wherever you want (if you choose another location, make sure you change the configuration file below to match).

sudo mkdir /etc/nginx/ssl
sudo openssl dhparam -out /etc/nginx/ssl/dhparam.pem 4096

This can take a while (4096 bits can take about 30 minutes on a modern CPU), but once it is done you will have a 4096-bit DH parameter file. Note that this is not a key: it is the prime and generator used by the DHE key exchange, and the per-connection secrets are still generated fresh for each handshake.

Configure Nginx to read the generated certificates

By default, Let's Encrypt stores all the certificates (expired and current) in
/etc/letsencrypt/archive/mysite.com

So that the Nginx configuration file does not have to change each time, the letsencrypt client creates symlinks to the latest generated certificate and key in
/etc/letsencrypt/live/mysite.com

Let's open the Nginx configuration file:

sudo vi /etc/nginx/sites-available/mysite.com

And add / change the SSL listen and certificate lines

listen 443 ssl http2 default_server;
ssl_certificate /etc/letsencrypt/live/mysite.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mysite.com/privkey.pem;

Improve SSL security to get grade A+ on SSL Labs

Paste the following under the certificate lines:

    # From cipherli.st
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off; # Requires nginx >= 1.5.9
    ssl_stapling on; # Requires nginx >= 1.3.7
    ssl_stapling_verify on; # Requires nginx >= 1.3.7
    resolver $DNS-IP-1 $DNS-IP-2 valid=300s;
    resolver_timeout 5s;
    ## If you are not sure how preloading works, keep it off for now
    ## More information on preload can be found at
    ## blog.mozilla.org/security/2012/11/01/preloading-hsts
    ## &
    ## hstspreload.org
    #add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains;";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    # Add the Diffie-Hellman parameters we generated earlier
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;

Make sure you replace $DNS-IP-1 $DNS-IP-2 with the IP addresses of your DNS resolvers (nginx needs them to fetch the OCSP responses it staples); if you do not know them, you can use Google's 8.8.8.8 and 8.8.4.4.

A few caveats. The SSL Labs A+ grade requires an HSTS header with a max-age of at least six months, which the 63072000-second (two-year) value above satisfies; browsers only honour the header when it arrives over HTTPS, and once they have seen it they will refuse plain HTTP to the site for that long, so make sure every subdomain works over TLS before you ship includeSubDomains. The cipherli.st snippet above dates from the time of writing and still offers TLS 1.0 and 1.1; SSL Labs has capped the grade of servers that offer those protocols at B since early 2020, so unless you must support very old clients, use ssl_protocols TLSv1.2; instead (adding TLSv1.3 on nginx builds with OpenSSL 1.1.1 or later).
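As an added check (example code, not from this page or from cipherli.st), the following Python script parses an nginx TLS block and reports the settings that would cost the A+ grade or that the snippet above is meant to fix: legacy protocols, a missing or too-short HSTS header, weak cipher entries, a missing ssl_dhparam, stapling off and session tickets on. PAGE_CONFIG is the snippet above with the DNS placeholders filled in, HARDENED_CONFIG is the same block with TLS 1.0/1.1 removed, and WEAK_CONFIG is a constructed stand-in for an untuned default; the thresholds are the ones stated above.

```python
import re

HSTS_MIN_AGE = 15768000  # six months in seconds: the floor SSL Labs applies for A+
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP")


def parse_directives(config: str):
    """Flatten an nginx config into (name, [args]) tuples. Handles '#' comments,
    quoted arguments (so the ';' inside the HSTS value is kept) and ';'-terminated
    statements; block braces act as statement separators because the TLS checks
    below do not need the nesting."""
    directives, tokens, buf = [], [], ""
    i, n = 0, len(config)
    while i < n:
        c = config[i]
        if c == "#":
            while i < n and config[i] != "\n":
                i += 1
        elif c in "\"'":
            end = config.find(c, i + 1)
            if end == -1:
                raise ValueError("unterminated quoted string")
            tokens.append(config[i + 1:end])
            i = end + 1
        elif c in ";{}":
            if buf:
                tokens.append(buf)
                buf = ""
            if c == ";" and tokens:
                directives.append((tokens[0], tokens[1:]))
            tokens = []
            i += 1
        elif c.isspace():
            if buf:
                tokens.append(buf)
                buf = ""
            i += 1
        else:
            buf += c
            i += 1
    return directives


def audit_tls(config: str):
    """Return a list of findings; an empty list means every check passed."""
    first = {}    # first occurrence of each directive
    headers = {}  # add_header name (lower-cased) -> value
    for name, args in parse_directives(config):
        if name == "add_header" and args:
            headers[args[0].lower()] = args[1] if len(args) > 1 else ""
        else:
            first.setdefault(name, args)

    def arg(name, default):
        return (first.get(name) or [default])[0]

    findings = []
    legacy = sorted(set(first.get("ssl_protocols", [])) & LEGACY_PROTOCOLS)
    if legacy:
        findings.append("legacy protocols enabled: " + ", ".join(legacy))
    if arg("ssl_prefer_server_ciphers", "off") != "on":
        findings.append("ssl_prefer_server_ciphers is not on")
    for entry in arg("ssl_ciphers", "").split(":"):
        # entries prefixed with ! or - are exclusions, which is good, not bad
        if entry and not entry.startswith(("!", "-")) and any(m in entry.upper() for m in WEAK_CIPHER_MARKERS):
            findings.append("weak cipher entry: " + entry)
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < HSTS_MIN_AGE:
            findings.append("HSTS max-age shorter than six months")
    if "ssl_dhparam" not in first:
        findings.append("no ssl_dhparam (DHE suites would use nginx's built-in parameters)")
    if arg("ssl_stapling", "off") != "on":
        findings.append("OCSP stapling is off")
    if arg("ssl_session_tickets", "on") != "off":
        findings.append("ssl_session_tickets on (a long-lived ticket key undermines forward secrecy)")
    return findings


# The cipherli.st block from this tutorial, with the resolver placeholders filled in.
PAGE_CONFIG = """
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains;";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
"""
HARDENED_CONFIG = PAGE_CONFIG.replace("ssl_protocols TLSv1 TLSv1.1 TLSv1.2;", "ssl_protocols TLSv1.2;")
WEAK_CONFIG = """
# constructed example of an untuned server block
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers RC4-SHA:AES128-SHA:!aNULL;
"""

if __name__ == "__main__":
    for label, cfg in (("page", PAGE_CONFIG), ("hardened", HARDENED_CONFIG), ("weak", WEAK_CONFIG)):
        print(label, audit_tls(cfg) or ["ok"])
```

Run against the tutorial's own block it reports exactly one finding, the TLS 1.0/1.1 protocols; the hardened variant reports none, and the constructed weak block trips every check.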

The entire configuration file will look like this:

server {
    # Redirect the bare domain to www (over https, since that is where we are heading)
    server_name mysite.com;
    rewrite ^/(.*)$ https://www.mysite.com/$1 permanent;
}

server {
    # Domain name
    server_name www.mysite.com;

    # Location of files
    root /var/www/mysite.com/html;
    # Access and error logs
    access_log /var/log/nginx/www.mysite.com.access.log;
    error_log /var/log/nginx/www.mysite.com.error.log;

    # Listen on port 80 (http); plain HTTP stays available here so the
    # Let's Encrypt webroot challenge can be fetched
    listen 80 default_server;

    # Listen on SSL
    listen 443 ssl http2 default_server;

    # ssl on;
    ssl_certificate /etc/letsencrypt/live/mysite.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mysite.com/privkey.pem;

    # From cipherli.st
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off; # Requires nginx >= 1.5.9
    ssl_stapling on; # Requires nginx >= 1.3.7
    ssl_stapling_verify on; # Requires nginx >= 1.3.7
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    ## If you are not sure how preloading works, keep it off for now
    ## More information on preload can be found at
    ## blog.mozilla.org/security/2012/11/01/preloading-hsts
    ## &
    ## hstspreload.org/
    #add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains;";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    # Add the Diffie-Hellman parameters we generated earlier
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;

    # Default files to serve, tried in this order
    index index.php index.html index.htm;

    # Do not log favicon requests
    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }

    # Configure robots.txt
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # Custom 404 page
    error_page 404 /404.html;

    # 50x error pages
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/www;
    }

    # Let's Encrypt challenge directory; must come before the hidden-file deny below
    location ~ /.well-known {
        allow all;
    }

    # Deny all attempts to access hidden files (any path containing "/.")
    location ~ /\. {
        deny all;
    }

    # Expires headers for static files, and no logging for them
    # (the extension list on the original page was truncated; extend it with your own static types)
    location ~* ^.+\.(bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
        access_log off; log_not_found off; expires 30d;
    }

    # Rewrite rules: send everything through index.php
    location / {
        try_files $uri $uri/ /index.php?q=$uri&$args;
    }

    # Deny access to PHP files in the upload folders
    location ~* /(?:uploads|files)/.*\.php$ {
        deny all;
    }

    # Enable PHP support
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
    }

    # Rewrite rules for the Yoast SEO sitemap
    rewrite ^/sitemap_index\.xml$ /index.php?sitemap=1 last;
    rewrite ^/([^/]+?)-sitemap([0-9]+)?\.xml$ /index.php?sitemap=$1&sitemap_n=$2 last;

    # Add a trailing slash to */wp-admin requests
    rewrite /wp-admin$ $scheme://$host$uri/ permanent;
}

Check the Nginx syntax and reload Nginx as before.

To renew the certificates automatically, we will set up a cron job. By default, the Let's Encrypt client only renews a certificate when it is within 30 days of expiry (that is, after two of its three months of validity); otherwise it skips the renewal. We can therefore run the cron job once a week (or more often if you wish) and let the client renew whatever is due. Remember that Nginx keeps the certificate it loaded at startup in memory, so the job must reload Nginx after a successful renewal or the site will keep serving the old certificate until it expires.
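Since the cron job itself did not survive on this page, here is an added Python version of it (example code, not the page's or certbot's). It runs `letsencrypt renew` and reloads Nginx only when the live certificate actually changed, which the letsencrypt package in Ubuntu 16.04 leaves to you because it predates the client's --renew-hook option. The certificate path is the one from this tutorial; the FakeRunner and the temporary certificate exist only so the decision logic can be exercised without the real binaries.

```python
import os
import subprocess
import tempfile
from pathlib import Path

LIVE_CERT = Path("/etc/letsencrypt/live/mysite.com/fullchain.pem")  # the live/ symlink from the tutorial


def renew_and_reload(live_cert: Path = LIVE_CERT, run=subprocess.run) -> bool:
    """Run `letsencrypt renew`, then reload nginx only if the live certificate
    changed. Returns True when nginx was reloaded. `run` is injected so the
    logic can be tested without the real commands."""
    def stamp():
        # follows the live/ symlink: a renewal writes a new archive file and repoints it
        return (os.path.getmtime(live_cert), os.path.getsize(live_cert)) if live_cert.exists() else None

    before = stamp()
    # --quiet keeps cron mail empty unless something fails; check=True raises on a non-zero exit
    run(["letsencrypt", "renew", "--quiet"], check=True)
    after = stamp()
    if after != before:
        run(["systemctl", "reload", "nginx"], check=True)
        return True
    return False


class FakeRunner:
    """Constructed stand-in for subprocess.run: records the commands and, when
    `renews` is set, simulates a renewal by rewriting the cert with a newer mtime."""
    def __init__(self, cert: Path, renews: bool):
        self.cert, self.renews, self.calls = cert, renews, []

    def __call__(self, cmd, check=False, **kwargs):
        self.calls.append(cmd)
        if cmd[0] == "letsencrypt" and self.renews:
            self.cert.write_text("-----BEGIN CERTIFICATE-----\nconstructed renewed chain\n-----END CERTIFICATE-----\n")
            t = os.path.getmtime(self.cert) + 60
            os.utime(self.cert, (t, t))
        return subprocess.CompletedProcess(cmd, 0)


def simulate(renews: bool):
    """Drive renew_and_reload against a temporary cert; returns (reloaded, commands run)."""
    cert = Path(tempfile.mkdtemp()) / "fullchain.pem"
    cert.write_text("-----BEGIN CERTIFICATE-----\nconstructed old chain\n-----END CERTIFICATE-----\n")
    runner = FakeRunner(cert, renews)
    return renew_and_reload(cert, runner), runner.calls


if __name__ == "__main__":
    renew_and_reload()  # the real run, meant to be invoked from cron
```

Saved as, for instance, /usr/local/sbin/le-renew.py (an assumed name), a weekly root crontab entry such as 0 3 * * 1 /usr/bin/python3 /usr/local/sbin/le-renew.py matches the schedule described above; the client decides whether anything is due, and Nginx is only reloaded when a certificate was actually replaced.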


This post was thanks to TECH AND DEV.


Original source: TECH AND DEV
