Install Nginx, Set Up Let’s Encrypt SSL and Set Up HTTP/2 on Ubuntu 15.10 Server
Did you know that HTTP/2 has been introduced and has become the new standard for the HTTP protocol? In short, HTTP/2.0 is the next generation of, and the replacement for, HTTP/1.1. New but not built from the ground up, version 2 of the protocol delivers skyrocketing performance while staying compatible with HTTP/1.1’s methods, status codes and semantics. Fun fact: HTTP/1.1 was first introduced in 1997, so it took more than … years – you do the math – until the release of HTTP/2.0.
The main advantage of the new protocol is its high transfer speed, especially for content-rich websites. It allows all requests to be downloaded in parallel, whereas HTTP/1.1 queues them. Pages are also transferred over the wire in a binary format, which is more efficient. Moreover, HTTP headers are now compressed, and the server can “push” data even when the user has not requested it. As a result, users on high-latency connections get better transfer speeds. Head to Wikipedia for more info on this.
What about Nginx? It is a very popular web server, said to be faster and lighter than Apache. Combining HTTP/2 and Nginx results in unbeatable speed in delivering web pages to visitors while keeping the server’s load low.
Strictly speaking, HTTP/2 itself does not require an SSL certificate, but the two most popular web browsers, Google Chrome and Mozilla Firefox, support HTTP/2 only over HTTPS connections for security reasons.
In this tutorial, I show you how to install Nginx, set up a free SSL certificate from Let’s Encrypt, and finally make it serve HTTP/2.0 on Ubuntu. As always, I’ll try to be brief and keep the tutorial concise, with step-by-step instructions and screenshots.
Prerequisites
- An SSH client like Bitvise or Putty and basic knowledge about how to use it.
- Basic knowledge of the common Unix commands used to SSH to your server.
- A server or VPS with at least 256MB of RAM (OpenVZ), but 512MB is recommended if you are using KVM or Xen.
- About 30 minutes of your time.
- A cup of coffee or tea.
Confused about which VPS provider to choose for installing VestaCP? Read my recommended VPS providers or top low end cloud server providers. Quick recommendation: Digital Ocean, Atlantic.net or Ramnode.
In this guide I am using a 512MB RAM Cloud VPS from Atlantic running Ubuntu 15.10 x64.
Do not forget to always replace domain.tld with your own domain name.
Provision a cloud server
Step 1 – Login to Atlantic.net > click on Servers > Add Server.
Step 2 – Give your server a name and choose the location where you want it hosted. Currently, Atlantic.net has 6 different locations available: New York, Dallas, Orlando, San Francisco, Toronto (CA), and London (UK).
Step 3 – Choose Ubuntu 15.10 as the operating system for your cloud VPS.
Step 4 – Decide which plan you want (and you need).
Step 5 – Finally, click on the Create Server button.
Step 6 – The process should take less than 1 minute to complete.
Step 7 – Once done, the login details will be emailed to your inbox.
Step 8 – Login to your server via Putty.
Step 9 – Type this command to change the default hostname. Use the proper FQDN hostname format:
hostname host.domain.tld ## example : hostname atlantic.servermom.org
Step 10 – Close Putty and log in again in a new session, and you should see that the hostname has changed. It is also good practice to replace the root password you were given with your own.
Install Nginx
Step 1 – You can simply use apt-get to install Nginx from Ubuntu’s own repository, but that is not the latest version. Instead, we are going to install a newer version from the official nginx.org repository (the mainline branch, as the repository lines below show). Execute the commands below:
## fetch the signing key over HTTPS: it is the trust anchor for every package from this repository
wget -qO - https://nginx.org/keys/nginx_signing.key | sudo apt-key add -
echo -e "deb http://nginx.org/packages/mainline/ubuntu/ `lsb_release -cs` nginx\ndeb-src http://nginx.org/packages/mainline/ubuntu/ `lsb_release -cs` nginx" | sudo tee /etc/apt/sources.list.d/nginx.list
Step 2 – Now do apt update.
apt-get update -y
apt-get upgrade -y
Step 3 – Finally, let’s install Nginx.
apt-get install nginx -y
Once done, you can use nginx -v to check which version is installed.
In my example, it is nginx v1.9.14. Open your web browser and access your server via IP address.
Setup Nginx Virtual Hosts File
Step 1 – Nginx is now installed and working, so you can start adding a website to its configuration. First, however, you have to decide in which directory you will store all your website files. Create that directory:
mkdir -p /var/www/domain.tld/html
## Other variants:
mkdir -p /var/www/domain.tld/public_html
mkdir -p /var/www/domain.tld/htdocs
mkdir -p /var/www/html/domain.tld
## Example of mine
mkdir -p /var/www/servermom.xyz/html
Step 2 – Now make sure it has the proper permissions and ownership.
chmod 755 /var/www
chown -R $USER:$USER /var/www/domain.tld/html
# example
chown -R $USER:$USER /var/www/servermom.xyz/html
Step 3 – Next, you have to edit nginx .conf file and create Virtual Hosts configuration. You can use Nano editor.
nano /etc/nginx/conf.d/default.conf
Step 4 – Now edit a few lines inside that file accordingly (see below):
## before you edit
listen 80;
server_name localhost;
## replace that with this
listen 443 ssl http2;
server_name domain.tld www.domain.tld;
Step 5 – You also need to define the location of your web root directory. Edit these lines:
## before
location / {
    root /usr/share/nginx/html;
    index index.html index.htm;
}
## after you edit
location / {
    root /var/www/servermom.xyz/html;
    index index.html index.htm;
    try_files $uri $uri/ /index.php?$args;
}
Step 6 – Right after that, add the following lines:
ssl_certificate /etc/letsencrypt/live/domain.tld/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/domain.tld/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5';
ssl_dhparam /etc/nginx/ssl/dhparams.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security max-age=15768000;
Now save changes by pressing Control+O and exit Nano editor by pressing Control+X.
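The ssl_protocols and ssl_ciphers lines from Step 6 still enable TLS 1.0/1.1 and 3DES suites, which current guidance no longer accepts. The check below is an added example, not part of the original tutorial; the function names audit_tls and write_sample and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the tutorial): flag legacy TLS settings in an nginx config.
# audit_tls FILE prints one finding per line; returns 1 if anything was flagged.
audit_tls() {
    findings=$(awk '
        { sub(/#.*/, "") }                      # drop comments
        $1 == "ssl_protocols" {
            for (i = 2; i <= NF; i++) {
                p = $i; sub(/;$/, "", p)
                # TLS 1.0/1.1 were deprecated by RFC 8996; SSLv2/v3 are broken
                if (p == "SSLv2" || p == "SSLv3" || p == "TLSv1" || p == "TLSv1.1")
                    print "legacy-protocol " p
            }
        }
        $1 == "ssl_ciphers" {
            s = $0
            sub(/^[ \t]*ssl_ciphers[ \t]*/, "", s)
            gsub("[\047\";]", "", s)            # strip quotes and the trailing ;
            n = split(s, c, ":")
            for (i = 1; i <= n; i++) {
                if (c[i] ~ /^!/) continue       # "!X" removes X, which is fine
                if (c[i] ~ /3DES|RC4|MD5|NULL|EXPORT/) print "weak-cipher " c[i]
            }
        }
    ' "$1")
    if [ -n "$findings" ]; then
        printf "%s\n" "$findings"
        return 1
    fi
    return 0
}

# Constructed sample: the protocol and cipher directives from Step 6.
write_sample() {
    cat > "$1" <<'EOF'
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5';
EOF
}

sample=$(mktemp)
write_sample "$sample"
audit_tls "$sample" || echo "tighten the directives listed above"
rm -f "$sample"
```

On the nginx 1.9.14 build this tutorial installs, the corresponding fix is `ssl_protocols TLSv1.2;` and removing the two 3DES entries from ssl_ciphers; TLSv1.3 needs a newer nginx and OpenSSL.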
Pointing Domain to Server
Simply edit or add the A and CNAME records in your DNS management panel. In this example I use the one that comes free with Namecheap.
After that, you can just wait till your domain has been fully resolved to your server.
Install Let’s Encrypt SSL
Before you continue, it is important to make sure your domain is already pointing to your server. Otherwise, certificate issuance will not work.
Step 1 – Install Git and its dependencies, then clone the Let’s Encrypt client:
apt-get -y install git bc
git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
Step 2 – Now let’s request the free SSL certificate for your domain. First, we need to stop the nginx service, because the --standalone mode used below starts its own temporary web server and needs the web ports free.
service nginx stop
Step 3 – Now issue the following commands:
cd /opt/letsencrypt
./letsencrypt-auto certonly --standalone --email your@emaill.com -d domain.tld -d www.domain.tld
Step 4 – Usually, the first time you run the command it will take longer than usual because it downloads some necessary dependencies. Once done, you’ll see something like this :
Step 5 – Create new directory to store DH parameters :
mkdir /etc/nginx/ssl
cd /etc/nginx/ssl
Step 6 – Next, generate the Diffie-Hellman parameters:
openssl dhparam -out dhparams.pem 2048
The process usually takes a long time.
Step 7 – Test the Nginx configuration and start the service:
nginx -t
systemctl start nginx.service
Step 8 – Open up your browser and then try accessing your domain via https
https://domain.tld
Step 9 – Now you need to redirect from http to https. Open your nginx .conf file again:
nano /etc/nginx/conf.d/default.conf
Step 10 – And put these lines at the very top:
server {
    listen 80;
    server_name domain.tld;
    return 301 https://$server_name$request_uri;
}
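The nginx -t test in Step 7 fails with a BIO_new_file error when a certificate path in the config does not exist, most often because domain.tld was never replaced. The pre-flight check below is an added example, not part of the original tutorial; preflight and demo are hypothetical names, the demo config is constructed, and paths are assumed to contain no spaces.

```shell
#!/bin/sh
# Added example (not from the tutorial): check a config before running nginx -t.
# preflight FILE prints one problem per line and returns 1 if any were found.
# Run it as the user that runs nginx -t (root in the tutorial), since
# /etc/letsencrypt/live is not readable by ordinary users.
preflight() {
    conf=$1
    rc=0
    # The tutorial placeholder must be gone from server_name.
    if awk '{ sub(/#.*/, "") } $1 == "server_name" && /domain\.tld/ { f = 1 } END { exit !f }' "$conf"; then
        echo "placeholder: server_name still contains domain.tld"
        rc=1
    fi
    # Every file these directives name must exist and be readable.
    for d in ssl_certificate ssl_certificate_key ssl_dhparam; do
        for path in $(awk -v d="$d" '{ sub(/#.*/, "") } $1 == d { sub(/;$/, "", $2); print $2 }' "$conf"); do
            case $path in
                *domain.tld*) echo "placeholder: $d $path"; rc=1 ;;
                *) [ -r "$path" ] || { echo "missing: $d $path"; rc=1; } ;;
            esac
        done
    done
    return "$rc"
}

# Constructed demo: certificate present, key path still the placeholder,
# DH parameters never generated.
demo() {
    dir=$(mktemp -d)
    : > "$dir/fullchain.pem"
    cat > "$dir/default.conf" <<EOF
server {
    listen 443 ssl http2;
    server_name example.test www.example.test;
    ssl_certificate $dir/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.tld/privkey.pem;
    ssl_dhparam $dir/dhparams.pem;
}
EOF
    status=0
    preflight "$dir/default.conf" || status=$?
    rm -rf "$dir"
    return "$status"
}

demo || echo "fix the lines above, then run nginx -t"
```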
Testing SSL Quality
In your browser, go visit https://www.ssllabs.com/ssltest/ and try testing the quality of your ssl setup.
If you followed the steps above correctly, you will get an A+.
Testing HTTP/2 Protocol
If you are using Mozilla Firefox, then simply press Control+Shift+Q to bring up Networking tool. After that simply refresh your page and in the
Done. Thank you for taking the time to read this article. Do not hesitate to leave a comment below.
Great tutorial, waiting for a tutorial on debian/ubuntu + lets encrypt + lighttpd with autorenew via crontab 🙂 Interesting to read.
Hi, thanks for your great tutorial,
but I’m getting an error like the one below:
@ubuntu:/etc/nginx/ssl$ sudo nginx -t
nginx: [emerg] BIO_new_file("/etc/letsencrypt/live/domain.tld/fullchain.pem") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/domain.tld/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
nginx: configuration file /etc/nginx/nginx.conf test failed
Hello @prakash, check your nginx configuration file and replace domain.tld with your actual domain. The problem originates from not putting your domain there.