Ubuntu - install Nginx to host website with free SSL certificate

What is Nginx

Nginx is a web server for hosting websites that is accessible by the public or office users. It can also work as a reverse proxy which forwards the incoming request to Node.js or other web service.

Why Nginx

Nginx is famous for fast response as compared to Apache.

Here's how you install and configure it

• To install,

  sudo apt install nginx
  

• To check status,

  sudo systemctl status nginx
  

• After that,

  sudo ufw allow 'Nginx Full'
  

• To edit the configuration,

  sudo nano /etc/nginx/sites-available/default
  

• To host Node.js applications, you will have to use reverse proxy. For example, our Node.js application is running a web service on port 8080 (and on the same server) and you will have to add the following to the /etc/nginx/sites-available/default configuration file,

  location /app1 {
      proxy_pass http://localhost:8080/;
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection 'upgrade';
      proxy_set_header Host $host;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_cache_bypass $http_upgrade;
  }
  

  Notes: "/app1" does not end with "/". As a result, if the visitor has typed "app1/", they will see 404 error.

• For more information about Node.js, please refers to this page: Install Node.js and PM2

• To enable the support to PHP,

  location ~ \.php$ {
      include snippets/fastcgi-php.conf;
      fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
  }
  

• If you have a PHP application that was hosted in Apache and you would like to host it in Nginx, you will have to migrate the .htaccess file and add it into /etc/nginx/sites-available/default file.

  To do this, you will have to copy the contents in .htaccess file and follow the instructions in the following converter:

  https://winginx.com/en/htaccess

  For example, the following will block the public from accessing the .htaccess file:

  location ~ /\.ht {
      deny all;
  }
  

  For hosting static files, you may consider making those files cache able. The following configuration will make all files in CSS, JS and images directory cache able.

  location ~* ^/(css|js|images) {
      expires 1h;
      access_log off;
      add_header Cache-Control "public";
  }
  

  To block crawlers, you may add the following to the Nginx config file (below "server_name" line). In the following setting, it blocks both Bytespider and Semrushbot.

  if ($http_user_agent ~ (Bytespider||SemrushBot)) {
      return 403;
  }
  

  Notes: in fail2ban article, we mentioned that you may block the crawler with a new filter. The problem is that fail2ban bans the crawler after it has downloaded some files from your web server. If you don't want the crawler to take anything from your website, you should implement the banning in the web server (which prevent it from downloading any files) and also fail2ban (which prevent them to come back again).

• To test the config before restart nginx

  sudo nginx -t
  sudo systemctl restart nginx
  

• To view the error generated by php or file request:

  sudo cat /var/log/nginx/error.log
  

• 28.Sep.2022: if the web directory is accessible by the FTP user, you may have to set the access permission.

  sudo chown -R user1:www-data /webdirectory
  sudo chmod -R 0755 /webdirectory
  

  Notes: where 'user1' is the user ID and 'www-data' is the group.

goaccess - the web traffic statistics report generator

• To install goaccess

  • Old notes

    https://www.digitalocean.com/community/tutorials/how-to-install-and-use-goaccess-web-log-analyzer-on-ubuntu-20-04

    echo "deb http://deb.goaccess.io/ $(lsb_release -cs) main" | sudo tee -a /etc/apt/sources.list.d/goaccess.list
    wget -O - https://deb.goaccess.io/gnugpg.key | sudo apt-key --keyring /etc/apt/trusted.gpg.d/goaccess.gpg add -
    sudo apt update
    sudo apt install goaccess
    

  • 18.Jan.2025

    https://goaccess.io/download

    wget -O - https://deb.goaccess.io/gnugpg.key | gpg --dearmor | sudo tee /usr/share/keyrings/goaccess.gpg >/dev/null
    echo "deb [signed-by=/usr/share/keyrings/goaccess.gpg arch=$(dpkg --print-architecture)] https://deb.goaccess.io/ $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/goaccess.list
    sudo apt-get update
    sudo apt-get install goaccess
    

• To find the config file location

  goaccess --dcf
  

• Then, edit it

  sudo nano /etc/goaccess/goaccess.conf
  

• Uncomment the following options in the config file. This is a compulsory step!!

  time-format %H:%M:%S
  date-format %d/%b/%Y
  

• Either one of the following must be uncommented:

  # NCSA Combined Log Format
  log-format %h %^[%d:%t %^] "%r" %s %b "%R" "%u"
  
  # Or NCSA Combined Log Format with Virtual Host
  log-format %v:%^ %h %^[%d:%t %^] "%r" %s %b "%R" "%u"
  

• To view real time report

  sudo goaccess /var/log/nginx/access.log
  

• To compile report from various files:

  sudo zcat /var/log/nginx/access.log.*.gz | goaccess -a
  

• To publish the report, create a bash script file in /usr/local/bin

  cd /usr/local/bin
  sudo nano gen-webstat.sh
  

  Copy the following contents,

  # today
  sudo goaccess /var/log/nginx/access.log -o /var/www/yourwebsite-com/my-rpt/stats.html
  

  To publish the aggregate report,

  cd /usr/local/bin
  sudo nano gen-webstat-agg.sh
  

  Copy the following contents,

  # historical - the aggregate report based on all the compress Nginx log files
  # For processing the piping the data, you have to use "-" (dash symbol).
  # So, it is not a mistake to have "-" "space" "-o" arguments.
  sudo zcat /var/log/nginx/access.log.*.gz | sudo goaccess - -o /var/www/yourwebsite-com/my-rpt/stats0.html
  

• Then, save the above command into the following file,

  /usr/local/bin/gen-webstat.sh
  

• To make the above script file an executable,

  sudo chmod +x /usr/local/bin/gen-webstat.sh
  sudo chown root:www-data /usr/local/bin/gen-webstat.sh
  

• Then, schedule the report generation,

  sudo crontab -e
  

  and add the following line into the file

  55 23 * * * /usr/local/bin/gen-webstat.sh
  15 0 * * * /usr/local/bin/gen-webstat-agg.sh
  

• To view what you have scheduled,

  sudo crontab -l
  

• By default, yesterday's Nginx log file will not be compressed and this will lead to the gen-webstat-agg.sh excluded yesterday from the log, you will find it difficult to interpret the aggregate report. In this case, you have to make sure that logrotate will compress yesterday's log file.

  sudo nano /etc/logrotate.d/nginx
  

• Then, comment the following line in the config file.

  ## delaycompress
  

• Save the config file.

Install certbot - to get a SSL cert for your website

certbot is a program that helps to register, install and renew (automatically) SSL cert provided by Let's Encrypt (https://letsencrypt.org/). This SSL cert is 100% for free.

• The first step is to make sure that your Nginx has configured properly with the domain name.

  If you are putting all your website configuration into default,

  sudo nano /etc/nginx/sites-available/default
  

  Or if you are putting all your website configuration into yourwebsite.com which is a domain specific configuration file,

  sudo nano /etc/nginx/sites-available/yourwebsite.com
  

  Notes: if the value is server_name _;, _ means any incoming request will be handled based on this configuration file.

  Then, look for server_name and make sure that the domain name has been set up. In this example, we will see "yourwebsite.com".

  server_name yourwebsite.com www.yourwebsite.com
  

  WATCH OUT: there is not comma between 'yourwebsite.com' and 'www.yourwebsite.com'!!

  After you've edited the configuration file by entering the domain name, run the following commands which test the configuration. If the configuration looks good, you may proceed with restarting Nginx.

  sudo nginx -t
  sudo systemctl restart nginx
  

  01-May-2025,lhw-Next step is to enable the website. Otherwise the website is not accessible. Notes: please type the full path!

  sudo ln -s /etc/nginx/sites-available/example.com.conf /etc/nginx/sites-enabled/example.com.conf
  

• To install certbot, run the following command,

  sudo apt install certbot python3-certbot-nginx
  

• To open the HTTPS port (443) in the firewall,

  sudo ufw allow 'Nginx Full'
  

  For more information about the firewall, please refer to Configure firewall.

• Next step is to request a SSL cert from the Let's Encrypt server,

  sudo certbot --nginx -d yourwebsite.com -d www.yourwebsite.com
  

  Or simply runs the following command that will extract the domain name from your Nginx configuration file.

  sudo certbot --nginx
  

  Then, follow the instructions on the screen to complete the request.

• Finally, you may want to test out if the certbot is able to renew the certificate automatically. To do this, run the following command,

  sudo certbot renew --dry-run
  

• In case you want to find out when it will be renew, run the following command:

  sudo systemctl status certbot.timer
  

  • 17.Nov.2023: try the following in case certbot.timer cannot be found or it has been masked (inactive).

    sudo systemctl status snap.certbot.renew.timer
    

• 28.Sep.2022: to view the certificates that is managing by certbot,

  certbot certificates
  

• 28.Sep.2022: to add a new website (the website configuration file is kept in /etc/nginx/sites-available/) to the certbot,

  certbot --nginx -d domain2.com,www.domain2.com
  

• 28.Sep.2022: to view the possible parameters,

  certbot --help
  

• 17.Nov.2023: to view the renewal log,

  journalctl -u certbot.service -n 50
  

  Show last 50 lines of the certbot log.

References

• 13 Nginx Location Directive Examples including Regular Expression Modifiers: https://www.thegeekstuff.com/2017/05/nginx-location-examples/

• Using the Forwarder header: https://www.nginx.com/resources/wiki/start/topics/examples/forwarded/

• How to remove the Server header in NGINX: https://medium.com/@getpagespeed/how-to-remove-the-server-header-in-nginx-e74c7b431b

• What is server_names_hash_bucket_size in Nginx configuration file: https://gist.github.com/muhammadghazali/6c2b8c80d5528e3118613746e0041263

• 30.Sep.2022: HTTP Keepalive Connections and Web Performance: https://www.nginx.com/blog/http-keepalives-and-web-performance/

• 30.Sep.2022: Tuning NGINX for Performance: https://www.nginx.com/blog/tuning-nginx/

• 30.Sep.2022: Avoiding the Top 10 NGINX Configuration Mistakes: https://www.nginx.com/blog/avoiding-top-10-nginx-configuration-mistakes/#unsecured-metrics

• 17.Nov.2023: certbot installation guide: https://certbot.eff.org/instructions

• 06.May.2025: Nginx location directive examples https://www.digitalocean.com/community/tutorials/nginx-location-directive

Related posts

• Hardening your server
• Install and configure fail2ban
• Install Node.js and PM2
• Ubuntu - the configuration steps to add a new website in Nginx
• Ubuntu - manage the files & directories with the appropriate access permission

Back to #UBUNTU blog

Back to #blog listing