Personal Cloud #2 - Nginx and Let's Encrypt

Welcome to part 2 of personal cloud! This week we’ll set up the Nginx web server and enable SSL encryption with Let’s Encrypt.

Nginx is a great web server that many large sites like Imgur use. It is built to be very light and scalable, and it supports many proxies. You can even do automatic load balancing with it.

We are going to go over the basics with one domain name, but you can easily copy these steps to host multiple domain names on the same server with multiple virtual hosts.

Let’s start by installing nginx.

# apt install nginx

Now we will go to its config directory and delete the default site.

# cd /etc/nginx/sites-available
# rm default 
# cd ../sites-enabled/
# rm default
# cd ../sites-available/

Now we will create the config file for our site. Just name the file after your domain.

# nano

In here we can go ahead and paste a basic config which will enable regular http access to the site.

server {
        listen 80;
        listen [::]:80;
        root /var/www/html/;
        index index.html;
}

Change the server_name to your domain name, and change the root folder to your domain name. Make sure to also create that folder.

Now we make a symbolic link to the sites-enabled directory to activate the site.

# ln -s /etc/nginx/sites-available/ /etc/nginx/sites-enabled/

Now we just reload nginx to enable it.

# service nginx reload

Make sure to also allow port 80 and port 443 through the firewall:

# ufw allow 80
# ufw allow 443

If everything works then when you try to load your domain in a browser you should see either a 404 error or a 403.

Let’s go ahead and add an html homepage.

In your web directory, which should be /var/www/html/, create the file index.html

# nano /var/www/html/

Enter whatever you want in there. When you refresh your webpage you should see the text.

Now let’s set up SSL encryption on the site. We can use Let’s Encrypt’s certbot for this. It is available from the Debian Jessie backports. To enable that just add the repo:

# nano /etc/apt/sources.list

Add: deb jessie-backports main

Then just run:

# apt update

Now we can install certbot with:

# apt install certbot -t jessie-backports

Certbot doesn’t support nginx automatically, so we need to use its standalone webserver to authenticate. To do this we need to disable nginx.

# service nginx stop

Now we can run certbot to get our SSL certificate:

# certbot certonly --standalone -d

If it was successful it will list out where it saved the certificate. So let’s go edit our nginx config again to set up HTTPS:

# nano

Add this below the first section:

server {
        listen 443;
        listen [::]:443;


        root /var/www/html/;
        index index.php;

        ssl on;
        ssl_certificate /etc/letsencrypt/live/;
        ssl_certificate_key /etc/letsencrypt/live/;
}

Make sure to change the domain to your domain name. Remove the root path and index line from the first section of the config, and add the return line. This line will redirect all non-encrypted traffic over HTTPS:

return 301 https://$host$request_uri;
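Before starting nginx again, the edited file can be checked for the two mistakes this layout invites: a port 443 block that never turns TLS on, and a port 80 block that still serves content instead of redirecting. The following is an added example, not code from the original post; server_blocks, lint and FINAL are hypothetical names, example.com is a placeholder domain, and only a server-level return line like the one above is recognised as the redirect.

```python
import re

def server_blocks(conf):
    """Return each server { } block as a list of its own (directive, args) pairs."""
    blocks, stack, stmt = [], [], ""
    for tok in re.findall(r"[{};]|[^{};]+", re.sub(r"#[^\n]*", "", conf)):
        if tok == "{":
            stack.append([] if stmt == "server" else None)  # None: http, location, ...
        elif tok == "}" and stack:
            done = stack.pop()
            if done is not None:
                blocks.append(done)
        elif tok == ";" and stack and stack[-1] is not None and stmt:
            stack[-1].append(stmt.partition(" ")[::2])      # ("listen", "[::]:443")
        elif tok not in ("{", "}", ";"):
            stmt = " ".join(tok.split())                    # text up to the next { } ;
            continue
        stmt = ""
    return blocks

def lint(conf):
    """Return findings for the HTTP-to-HTTPS setup this post builds."""
    findings = []
    for n, block in enumerate(server_blocks(conf), 1):
        names = {name for name, _ in block}
        listens = [(a.split()[0].rsplit(":", 1)[-1], a.split()[1:])
                   for name, a in block if name == "listen" and a]
        ports = {port for port, _ in listens}
        if "443" in ports:
            # TLS is on via 'ssl on;' (as in this post) or 'ssl' on every 443 listen.
            tls = ("ssl", "on") in block or all("ssl" in f for p, f in listens if p == "443")
            if not tls:
                findings.append(f"server {n}: port 443 listens without TLS")
            findings += [f"server {n}: missing {d}" for d in
                         ("ssl_certificate", "ssl_certificate_key") if d not in names]
        if "80" in ports and not any(name == "return" and a.startswith("301 https://")
                                     for name, a in block):
            findings.append(f"server {n}: port 80 is not redirected to HTTPS")
    return findings

# Constructed sample of the finished config; example.com is a placeholder domain.
FINAL = """
server { listen 80; listen [::]:80; return 301 https://$host$request_uri; }
server {
    listen 443; listen [::]:443; root /var/www/html/; index index.php;
    ssl on;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
}
"""
```

Call lint() on the text of your own file in sites-available; an empty list means both checks passed. nginx -t only validates syntax, so it accepts a port 443 block that has no TLS.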

Now we can start nginx back up:

# service nginx start

If you load your domain again you should now see it fully encrypted!

The nice thing about having your own SSL certificate is that you can use it for more than just a web server. If you want to run a VPN server the SSL certificate can be used for that too.