DEV Community: Mouhamadou Tidiane Seck

How to Create a Self-Signed SSL Certificate for Nginx on Ubuntu 22.04

Mouhamadou Tidiane Seck — Tue, 20 Aug 2024 00:00:54 +0000

Introduction

Securing your web server with SSL is a crucial step in protecting your users' data and ensuring the integrity of your web application. Let’s Encrypt is a popular service that offers free SSL certificates via an automated API, with Certbot as the most commonly used client. In this guide, we'll walk through the process of creating a self-signed SSL certificate for Nginx on Ubuntu 22.04 using Certbot.

We won't delve deeply into SSL configuration, but by the end of this tutorial, you'll have a valid certificate that renews automatically. Plus, you'll know how to automate the reloading of your service to account for the renewed certificate.

Prerequisites

Before starting, ensure you have the following:

An Ubuntu 22.04 server with a non-root user configured with sudo privileges and a basic firewall.
A domain name pointing to your server (replace your_domain in the tutorial with your actual domain).
Ports 80 or 443 must be free on your server. If these ports are occupied by a web server, consider using Certbot's webroot mode instead.

Step 1 — Installing Certbot

Certbot recommends using their snap package for installation. Snaps are supported on most Linux distributions, but you'll need snapd installed to manage snap packages. Ubuntu 22.04 supports snaps by default, so start by ensuring your snapd core is up to date:

sudo snap install core; sudo snap refresh core

If you have an older version of Certbot installed, remove it:

sudo apt remove certbot

Then, install the Certbot package:

sudo snap install --classic certbot

Finally, link the Certbot command to your path:

sudo ln -s /snap/bin/certbot /usr/bin/certbot

Certbot is now installed, and we can proceed to obtain our SSL certificate.

Step 2 — Running Certbot

Certbot needs to respond to a cryptographic challenge issued by the Let’s Encrypt API to prove that you control your domain. It uses ports 80 (HTTP) or 443 (HTTPS) for this purpose. Open the appropriate ports in your firewall:

sudo ufw allow 80
sudo ufw allow 443

Run Certbot to obtain your certificate, using the --standalone option to let Certbot handle the challenge with its built-in web server:

sudo certbot certonly --standalone -d your_domain

You’ll need to enter an email address and accept the terms of service. If successful, Certbot will inform you where the certificates are stored.

Step 3 — Configuring Your Application

Configuring your application for SSL varies depending on the software you use, but let’s explore what Certbot has downloaded. List the directory containing your keys and certificates:

sudo ls /etc/letsencrypt/live/your_domain

The most commonly needed files are:

privkey.pem: This is the private key for your certificate. Keep this file secure and private.
fullchain.pem: This is your certificate bundled with any intermediate certificates. Most configurations refer to this file as the actual certificate.

For more details on the other files, check the Certbot documentation.

Step 4 — Managing Automatic Renewals with Certbot

Let’s Encrypt certificates are valid for 90 days, encouraging users to automate the renewal process. The Certbot package handles this by adding a renewal script to /etc/cron.d, which runs twice daily to renew any certificates within 30 days of expiration.

To automate tasks after renewal, such as reloading your server, add a renew_hook to Certbot’s renewal configuration:

sudo nano /etc/letsencrypt/renewal/your_domain.conf

Add the following line to reload your services after renewal:

renew_hook = systemctl reload your_service

Replace your_service with the command you need to run. Save and close the file, then perform a dry run to check for errors:

sudo certbot renew --dry-run

If there are no errors, you're all set. Certbot will now automatically renew your certificate and execute the necessary commands.

Conclusion

In this tutorial, we installed the Let’s Encrypt Certbot client, obtained an SSL certificate using the standalone mode, and set up automatic renewals with custom hooks. This process provides a solid foundation for using Let’s Encrypt certificates with various services beyond the typical web server.

Configuring Nginx as a Reverse Proxy on Ubuntu 22.04

Mouhamadou Tidiane Seck — Mon, 19 Aug 2024 23:58:16 +0000

A reverse proxy is a server that sits between client devices and backend servers, forwarding client requests to the appropriate server. Nginx is commonly used as a reverse proxy due to its stability, simple configuration, and low resource consumption. In this guide, we'll walk through how to configure Nginx as a reverse proxy.

Network Architecture

A reverse proxy typically has at least two network interfaces:

External Interface: This interface is exposed to the internet and handles requests from external users.
Internal Interface: This interface communicates with the backend web servers that hold the requested information.

Here’s a diagram illustrating the basic flow:

External Users -> Reverse Proxy (Nginx) -> Internal Web Servers

Roles and Benefits of a Reverse Proxy

Using a reverse proxy like Nginx offers several advantages:

Load Balancing: Distributes incoming traffic across multiple web servers, improving performance and availability.
Traffic Management: Allows you to manage server maintenance or migrations without downtime.
Centralized Configuration: Manages access and configuration for multiple sites and web servers from a single location.
Traffic Optimization: Uses caching and compression to improve response times.
Enhanced Security: Handles SSL encryption and filters requests/URLs to increase security.

Configuring Nginx as a Reverse Proxy

Step 1 — Installing Nginx

Start by installing Nginx on your server:

Update the package index:

  sudo apt update

Install Nginx:

  sudo apt install nginx

Ensure Nginx is running:

  systemctl status nginx

Step 2 — Configuring the Firewall (Optional)

If your server’s firewall is active, you'll need to allow HTTP traffic:

Allow HTTP traffic:

  sudo ufw allow 'Nginx HTTP'

Step 3 — Creating a Configuration File

Create a configuration file for your site:

Use a text editor like nano to create a new configuration file in the /etc/nginx/sites-available/ directory:

  sudo nano /etc/nginx/sites-available/your_domain

Step 4 — Configuring the Server Block

Edit the server block configuration with your domain and application server address:

Insert the following configuration into your new file, replacing your_domain and app_server_address with your actual domain and server address:

  server {
      listen 80;
      listen [::]:80;

      server_name your_domain www.your_domain;

      location / {
          proxy_pass http://app_server_address;
          include proxy_params;
      }
  }

Step 5 — Activating the Configuration

Activate the new configuration file:

Create a symbolic link from the configuration file to the directory that Nginx reads from at startup:

  sudo ln -s /etc/nginx/sites-available/your_domain /etc/nginx/sites-enabled/

Step 6 — Testing the Configuration

Test the Nginx configuration for syntax errors and then restart Nginx:

Verify the configuration:

  sudo nginx -t

Restart Nginx to apply the changes:

  sudo systemctl restart nginx

Optional: Using Gunicorn

If you need to run a Python web application, you can use Gunicorn as an application server:

Install Gunicorn:

  sudo apt install gunicorn

Create a test application that returns "Hello World!" in an HTTP response to verify Gunicorn is working correctly.

Conclusion

You have successfully configured Nginx as a reverse proxy for your websites. This setup not only optimizes traffic management but also enhances the security and scalability of your web infrastructure. Feel free to explore more Nginx features to further improve your deployment!