Ubuntu 22.04 - Nginx

Nginx

Install & create default landing page:

# apt update
# apt install nginx

# vim /var/www/html/index.html
hello

# systemctl restart nginx.service && systemctl status nginx.service && systemctl enable nginx.service

Allow in firewall:

# ufw allow 'Nginx Full'
# ufw status

Check in browser:

http://<ip_address>

Add website

# adduser example
# usermod -a -G www-data example
# mkdir /home/example/html
# echo "example" > /home/example/html/index.html
# chown -R example:example /home/example
# chmod 755 /home/example
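The `chmod 755 /home/example` step is not cosmetic: the nginx worker runs as www-data, which is not the owner of the home directory, and needs the search (x) bit on every ancestor of the document root or every request ends in 403. Ubuntu 22.04's adduser creates home directories as 0750 by default, which is exactly the case that breaks. The following check is an added example, not part of the original notes; it walks from a document root up to `/` and reports each directory that "other" cannot traverse. It assumes GNU `stat` (as on Ubuntu) and a POSIX shell.

```shell
#!/bin/sh
# Added example (not from the original notes). Report every directory on the
# path from a document root up to / that lacks the execute/search bit for
# "other", i.e. what the nginx worker (www-data) needs when it is not the owner.
# Assumes GNU stat -c (Ubuntu coreutils).

# Prints one "NO-TRAVERSE: <dir> (mode <octal>)" line per offending directory.
# Always returns 0; the printed lines are the findings.
check_docroot_traversal() {
    dir=$(cd "$1" 2>/dev/null && pwd -P) || { echo "MISSING: $1"; return 0; }
    while :; do
        mode=$(stat -c %a "$dir")          # e.g. 750, 755, 1777
        other=${mode#${mode%?}}            # last octal digit = permissions for "other"
        case $other in
            1|3|5|7) ;;                    # search bit present, www-data can descend
            *) echo "NO-TRAVERSE: $dir (mode $mode)" ;;
        esac
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    return 0
}

# Constructed demo: mimic adduser's 0750 home with an html docroot under it,
# then apply the chmod 755 from the notes and re-check.
demo_traversal() {
    tmp=$(mktemp -d) && chmod 755 "$tmp"   # mktemp -d creates 0700, which would itself be flagged
    mkdir -p "$tmp/home/example/html"
    chmod 750 "$tmp/home/example"
    chmod 755 "$tmp/home/example/html"
    echo "before chmod 755 on the home directory:"
    check_docroot_traversal "$tmp/home/example/html"
    chmod 755 "$tmp/home/example"
    echo "after chmod 755 (no output means nginx can reach the docroot):"
    check_docroot_traversal "$tmp/home/example/html"
    rm -rf "$tmp"
}

[ "${1:-}" = demo ] && demo_traversal
```

Run it as `sh check.sh demo` to see the constructed 0750 home flagged and then cleared; run `check_docroot_traversal /home/example/html` on the real box after the `adduser` step.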

Add nginx conf:

# vim /etc/nginx/conf.d/example.conf
server {
        server_name example.com;
        root /home/example/html;

        location / {
                index index.html index.htm;
        }
}

# systemctl reload nginx

Test: http://example.com

SSL (HTTPS) - acme.sh

Install acme.sh tool: https://github.com/Neilpang/acme.sh

# cd
# curl https://get.acme.sh | sh
# log out (CTRL+D) and reopen the terminal so the acme.sh alias added to the shell profile is loaded

Set letsencrypt as default issuer:

# acme.sh --set-default-ca --server letsencrypt

Issue certificate using HTTP-01 (the webroot given with -w must be the directory nginx serves for this host, so that /.well-known/acme-challenge/ is reachable over plain HTTP):

# acme.sh --issue -d example.com -w /home/example/prod/current/sf/public

Issue certificate using DNS-01 with a Cloudflare API token (https://github.com/acmesh-official/acme.sh/wiki/dnsapi):
Create the token in Cloudflare -> My Profile -> API Tokens -> Create Token -> Custom token -> Permissions: Zone.Zone Read, Zone.DNS Edit.
CF_Account_ID is shown in the sidebar of the zone overview page.

# export CF_Token="xxxxxxxxxxxxxxxx"
# export CF_Account_ID="yyyyyyyyyyyyyyyy"
# acme.sh --issue --dns dns_cf -d example.com -d www.example.com

Install certificate:

# acme.sh --install-cert -d example.com --key-file /etc/ssl/private/example.com.key --fullchain-file /etc/ssl/certs/example.com.fullchain.crt --reloadcmd "systemctl reload nginx"

Generate strong DHE parameters for nginx (takes several minutes at 4096 bits):

# cd /etc/ssl/certs
# openssl dhparam -out dhparam.pem 4096

Nginx config:

server {
    listen              443 ssl;
    ...

    ssl_certificate     /etc/ssl/certs/example.com.fullchain.crt;
    ssl_certificate_key /etc/ssl/private/example.com.key;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    ...
}
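Before pointing SSL Labs at the host it is worth linting the server block locally for the mistakes that cost the A rating or, worse, leak the key: a 443 listener without the `ssl` parameter, legacy `ssl_protocols`, a missing certificate/key/dhparam directive, and a private key stored under a document root. The script below is an added example and not part of the original notes; `lint_nginx_tls` is a hypothetical helper built from grep/sed/awk, and the two sample configs it is run against are constructed here (one copied from the blocks in these notes, one deliberately weak).

```shell
#!/bin/sh
# Added example (not part of the original notes): a small lint for an nginx
# TLS server block. Findings are printed one per line; the function always
# returns 0. Assumes POSIX sh plus GNU grep/sed/awk as found on Ubuntu.

lint_nginx_tls() {
    conf=$1
    stripped=$(sed 's/#.*//' "$conf")      # drop comments so they cannot fool the greps

    # 1. A 443 listener that forgot the ssl parameter serves plaintext on the TLS port.
    printf '%s\n' "$stripped" | grep -E '^[[:space:]]*listen[[:space:]]+[^;]*443' \
        | grep -v 'ssl' | sed 's/^[[:space:]]*//' \
        | while read -r line; do echo "WARN: listen on 443 without ssl: $line"; done

    # 2. Legacy protocol versions keep the site off an A rating.
    protos=$(printf '%s\n' "$stripped" | awk '$1=="ssl_protocols"{sub(/;.*/,""); $1=""; print}')
    if [ -z "$protos" ]; then
        echo "INFO: ssl_protocols not set; nginx uses its compiled-in default (set 'ssl_protocols TLSv1.2 TLSv1.3;' explicitly)"
    else
        for p in $protos; do
            case $p in
                SSLv2|SSLv3|TLSv1|TLSv1.1) echo "WARN: legacy protocol enabled: $p" ;;
            esac
        done
    fi

    # 3. Certificate, key and DH parameters must all be present.
    for d in ssl_certificate ssl_certificate_key ssl_dhparam; do
        printf '%s\n' "$stripped" | grep -Eq "^[[:space:]]*$d[[:space:]]" \
            || echo "WARN: $d directive missing"
    done

    # 4. A private key stored under a document root is one request away from disclosure.
    key=$(printf '%s\n' "$stripped" | awk '$1=="ssl_certificate_key"{sub(/;.*/,"",$2); print $2; exit}')
    printf '%s\n' "$stripped" | awk '$1=="root"{sub(/;.*/,"",$2); print $2}' \
        | while read -r root; do
            case $key in
                "$root"/*|"$root") echo "WARN: private key $key lies inside document root $root" ;;
            esac
          done
    return 0
}

# Constructed sample: the TLS block from these notes (server_name and root taken
# from the earlier blocks; the commented-out line must be ignored by the lint).
sample_conf_from_notes() {
    cat > "$1" <<'EOF'
server {
    listen              443 ssl;
    server_name         example.com www.example.com;
    root                /home/example/html;
    # ssl_protocols TLSv1;   (commented out, must be ignored)

    ssl_certificate     /etc/ssl/certs/example.com.fullchain.crt;
    ssl_certificate_key /etc/ssl/private/example.com.key;
    ssl_dhparam         /etc/ssl/certs/dhparam.pem;
}
EOF
}

# Constructed sample with the mistakes the lint is meant to catch.
sample_conf_weak() {
    cat > "$1" <<'EOF'
server {
    listen 443;                         # forgot "ssl"
    server_name example.com;
    root /var/www/html;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_certificate /var/www/html/example.crt;
    ssl_certificate_key /var/www/html/example.key;
}
EOF
}

if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    sample_conf_from_notes "$d/notes.conf"; sample_conf_weak "$d/weak.conf"
    echo "== notes.conf"; lint_nginx_tls "$d/notes.conf"
    echo "== weak.conf";  lint_nginx_tls "$d/weak.conf"
    rm -rf "$d"
fi
```

Run `sh lint.sh demo` to see the two sample results, or `lint_nginx_tls /etc/nginx/conf.d/example.conf` on the real file. The config from these notes produces only the INFO line about `ssl_protocols`; the weak sample produces five WARN lines.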

Add a redirect for the plain-HTTP (non-secure) version:

server {
    listen     80;
    server_name  example.com www.example.com;
    access_log  off;
    error_log   off;
    root   /path/to/webroot;
    # HTTP-01 challenges must stay reachable over plain HTTP: this empty
    # location is served from root and is exempt from the redirect below.
    location /.well-known/acme-challenge/ {
    }
    location / {
        # $server_name expands to the first name in the server_name directive,
        # so requests for www.example.com are redirected to https://example.com/.
        return 301 https://$server_name$request_uri;
    }
}

Test the website/server at https://www.ssllabs.com/ssltest/index.html (it should get an A rating) or https://ssldecoder.org/