Deploy secured HTTPS web server on Ubuntu OS with Let's Encrypt behind a home router

Rodolphe Beloncle — Wed, 22 May 2024 07:11:33 +0000

How to Deploy a Simple Secured HTTPS Website on Ubuntu with Let's Encrypt and DuckDNS

Prerequisites

A computer running Ubuntu.
Access to your home router to open ports.
A DuckDNS domain name.

Step 1: Create a DuckDNS Domain Name

Visit DuckDNS and create an account.
Create a new subdomain and assign it to your router's external IP address.

Step 2: Configure Your Home Router

Open the router settings page (usually available at 192.168.1.1 or 192.168.0.1).
Forward the following ports to your Ubuntu machine’s internal IP address:
- Port 80 (HTTP)
- Port 443 (HTTPS) In my case it's a orange wifi box

If you've got a orange box follow this link :
How to configure nat rules for applications server

Step 3: Check Your External IP Address

Visit mon-ip.info to verify your external IP address.

Step 4: Configure Firewall

Open your terminal and run the following commands to configure the firewall:

sudo ufw enable
sudo ufw status verbose
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw reload
sudo ufw status

Step 5: Install Nginx

Install Nginx if it's not already installed:

sudo apt update
sudo apt install nginx

Step 6: Create Nginx Configuration for Your Domain

Create an Nginx configuration file for your DuckDNS domain:

sudo nano /etc/nginx/sites-available/mydomainename.duckdns.org

Add the following configuration:


server {
    listen 80;
    server_name mydomainename.duckdns.org www.mydomainename.duckdns.org;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name mydomainename.duckdns.org www.mydomainename.duckdns.org;

    ssl_certificate /etc/letsencrypt/live/mydomainename.duckdns.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mydomainename.duckdns.org/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;

    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always;
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;

    location / {
        try_files $uri $uri/ =404;
    }
}

Step 7: Enable Your Nginx Configuration

Create a symbolic link to enable the site:

sudo ln -s /etc/nginx/sites-available/mydomainename.duckdns.org /etc/nginx/sites-enabled/

Test the Nginx configuration and restart Nginx:
sudo nginx -t
sudo systemctl restart nginx

sudo nginx -t
sudo systemctl restart nginx

Step 8: Obtain SSL Certificate with Let's Encrypt

Install Certbot and the Nginx plugin:

sudo apt update
sudo apt install certbot python3-certbot-nginx

Generate the SSL certificate:

sudo certbot --nginx -d mydomainename.duckdns.org -d www.mydomainename.duckdns.org

Step 9: Verify and Reload Nginx

!!! Verify that the generated Let's Encrypt certificate has the same name as in your Nginx config.

Follow the prompts to complete the certificate

Reload Nginx to apply the new configuration:

sudo systemctl reload nginx