
Deployment Overview of Nginx on Server

Prerequisites and Basic Requirements

The deployment requires a Linux server running Debian or Ubuntu. The following components must be present or installed:

  • Operating System: Debian or Ubuntu
  • Privileges: Root access or sudo privileges
  • Domain: A fully qualified domain name (FQDN) configured to point to the server's IP address
  • Ports:
    • Port 80 (HTTP) for Let's Encrypt ACME challenges and redirects
    • Port 443 (HTTPS) for secure traffic
  • Software Packages:
    • nginx
    • certbot
    • python3-certbot-nginx
    • openssl

File and Directory Structure

The application utilizes the following directory structure for web content, certificates, and configuration files:

  • /var/www/html: The default web root directory for static content.
  • /var/www/letsencrypt: The webroot directory used by Certbot for ACME challenges.
  • /etc/nginx/sites-available/: Contains the main server configuration file named {fqdn}.conf.
  • /etc/nginx/sites-enabled/: Contains symbolic links to active server configurations.
  • /etc/letsencrypt/live/{fqdn}/: Holds the active certificate chain and private key (fullchain.pem, privkey.pem, chain.pem) as symbolic links into /etc/letsencrypt/archive/, which Certbot repoints on renewal so the Nginx configuration never needs to change.
  • /etc/letsencrypt/dhparams/: Stores the Diffie-Hellman parameter file (dhparam.pem).
  • /etc/nginx/user_conf.d/: A directory for additional user-defined configuration snippets included in the HTTPS server block.

Application Installation Process

The installation process consists of installing the required packages and configuring the Nginx service. The following steps produce the final state of the system:

  1. Update the package index cache.
  2. Install the nginx, certbot, python3-certbot-nginx, and openssl packages.
  3. Enable and start the nginx service using systemd.
  4. Create the necessary directories for web content and Let's Encrypt challenges.
  5. Configure the HTTP server block to handle ACME challenges and redirect traffic to HTTPS.
  6. Obtain an SSL/TLS certificate using Certbot in webroot mode.
  7. Configure the HTTPS server block to serve traffic securely.

Access Rights and Security

Security measures are implemented through firewall configuration, file ownership, and SSL/TLS enforcement:

  • Firewall: Ensure that ports 80 and 443 are open to allow incoming HTTP and HTTPS traffic.
  • User Permissions:
    • The www-data user and group own the /var/www/html and /var/www/letsencrypt directories with 0755 permissions. The Nginx worker processes run as www-data, so this ownership also lets a compromised worker write to the web root; Nginx itself needs only read access to serve static content, and Certbot writes the challenge files as root.
    • The root user and group own the Nginx configuration files and the /etc/letsencrypt directory, so the worker processes can neither read the private key nor alter the configuration.
  • SSL/TLS:
    • The server enforces HTTPS by redirecting all HTTP traffic to HTTPS.
    • The certificate's private key is 4096-bit RSA, requested from Certbot with that key size.
    • The ssl_dhparam directive loads a Diffie-Hellman parameter file. It is used only for the DHE (finite-field) key exchange of TLS 1.2 cipher suites; ECDHE and TLS 1.3 do not use it, and nginx 1.11.0 and later offers no DHE suites at all when the directive is absent.

Proxy Servers

Nginx is the front-end server for both HTTP and HTTPS. In this deployment it terminates TLS and serves content itself; it only becomes a reverse proxy if a snippet in /etc/nginx/user_conf.d/ adds an upstream. The configuration includes:

  • HTTP Server Block:
    • Listens on port 80 for both IPv4 and IPv6.
    • Serves the ACME challenge files (the /.well-known/acme-challenge/ path) from /var/www/letsencrypt to validate domain ownership.
    • Redirects all other traffic to the HTTPS server.
  • HTTPS Server Block:
    • Listens on port 443 for both IPv4 and IPv6 with HTTP/2 support.
    • Uses the SSL certificates provided by Let's Encrypt.
    • Includes additional configuration files from /etc/nginx/user_conf.d/ if present.
    • Returns a static success message indicating that the certificate has been installed.
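The installation steps and the two server blocks described above, written out as one deployment script. This is an added example, not the page's or the project's own script. Its assumptions, none of which come from the page: the domain and ACME contact address are supplied as FQDN and EMAIL (example.com placeholders by default), the privileged install only runs when DEPLOY_NGINX=1, the Diffie-Hellman file is generated at 2048 bits, Certbot is called with --key-type rsa --rsa-key-size 4096, and the NGINX_ROOT/LE_ROOT overrides exist only so the config-rendering functions can be exercised against a scratch directory without root.

```shell
#!/bin/sh
# Added example (not from the page): renders the HTTP and HTTPS server blocks
# and drives install steps 1-7. FQDN, EMAIL, DEPLOY_NGINX, the 2048-bit DH
# size and the NGINX_ROOT/LE_ROOT overrides are assumptions, not page content.
set -eu

FQDN="${FQDN:-example.com}"          # placeholder domain
EMAIL="${EMAIL:-admin@example.com}"  # placeholder ACME account contact
NGINX_ROOT="${NGINX_ROOT:-/etc/nginx}"
LE_ROOT="${LE_ROOT:-/etc/letsencrypt}"
WEBROOT=/var/www/html
ACME_ROOT=/var/www/letsencrypt

# Step 5: only /.well-known/acme-challenge/ is served over plain HTTP;
# everything else is a permanent redirect to HTTPS.
render_http_block() {
    cat <<EOF
server {
    listen 80;
    listen [::]:80;
    server_name $1;

    location ^~ /.well-known/acme-challenge/ {
        root ${ACME_ROOT};
        default_type text/plain;
    }

    location / {
        return 301 https://\$host\$request_uri;
    }
}
EOF
}

# Step 7: certificate paths go through Certbot's live/ symlinks, so a reload
# after renewal is enough. "listen ... http2" is accepted by every
# Debian/Ubuntu nginx (1.25.1+ also accepts "http2 on;").
render_https_block() {
    cat <<EOF
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name $1;

    ssl_certificate     ${LE_ROOT}/live/$1/fullchain.pem;
    ssl_certificate_key ${LE_ROOT}/live/$1/privkey.pem;
    ssl_dhparam         ${LE_ROOT}/dhparams/dhparam.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    root ${WEBROOT};
    include ${NGINX_ROOT}/user_conf.d/*.conf;

    location / {
        default_type text/plain;
        return 200 "Certificate for $1 is installed.";
    }
}
EOF
}

# write_site_config FQDN http|https: writes sites-available/FQDN.conf (0644)
# and links it into sites-enabled. The http stage exists so the ACME
# challenge can be answered before any certificate is on disk.
write_site_config() {
    conf="${NGINX_ROOT}/sites-available/$1.conf"
    mkdir -p "${NGINX_ROOT}/sites-available" "${NGINX_ROOT}/sites-enabled" \
             "${NGINX_ROOT}/user_conf.d"
    {
        render_http_block "$1"
        if [ "$2" = https ]; then render_https_block "$1"; fi
    } > "$conf"
    chmod 0644 "$conf"
    ln -sfn "$conf" "${NGINX_ROOT}/sites-enabled/$1.conf"
}

# Deploy hook: Certbot runs it only after a successful renewal. nginx -t runs
# first so a broken user_conf.d snippet cannot turn a renewal into an outage.
write_reload_hook() {
    hook="${LE_ROOT}/renewal-hooks/deploy/reload-nginx.sh"
    mkdir -p "${LE_ROOT}/renewal-hooks/deploy"
    printf '%s\n' '#!/bin/sh' 'nginx -t && systemctl reload nginx' > "$hook"
    chmod 0755 "$hook"
}

install_all() {
    apt-get update                                                      # 1
    DEBIAN_FRONTEND=noninteractive apt-get install -y nginx certbot \
        python3-certbot-nginx openssl                                   # 2
    systemctl enable --now nginx                                        # 3
    install -d -o www-data -g www-data -m 0755 "$WEBROOT" "$ACME_ROOT"  # 4
    install -d -m 0755 "${LE_ROOT}/dhparams"
    [ -f "${LE_ROOT}/dhparams/dhparam.pem" ] ||
        openssl dhparam -out "${LE_ROOT}/dhparams/dhparam.pem" 2048
    write_site_config "$FQDN" http && nginx -t && systemctl reload nginx  # 5
    certbot certonly --webroot -w "$ACME_ROOT" -d "$FQDN" \
        --key-type rsa --rsa-key-size 4096 \
        --non-interactive --agree-tos -m "$EMAIL"                       # 6
    write_site_config "$FQDN" https && write_reload_hook               # 7
    nginx -t && systemctl reload nginx
}

if [ "${DEPLOY_NGINX:-0}" = 1 ]; then install_all; fi
```

Run it as root with `FQDN=www.example.org EMAIL=ops@example.org DEPLOY_NGINX=1 sh deploy.sh`. The HTTP-only stage is written and loaded before Certbot runs because webroot validation needs port 80 answering for the domain; the HTTPS block is only added once live/{fqdn}/ exists, otherwise `nginx -t` fails on the missing certificate files.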

Permission Settings

The following permission settings are applied to ensure proper access and security:

  • /var/www/html: Owned by www-data:www-data with 0755 permissions.
  • /var/www/letsencrypt: Owned by www-data:www-data with 0755 permissions.
  • /etc/nginx/sites-available/{fqdn}.conf: Owned by root:root with 0644 permissions.
  • /etc/nginx/sites-enabled/{fqdn}.conf: A symbolic link to the configuration file in sites-available.
  • /etc/letsencrypt/live/{fqdn}/: Owned by root:root with restricted permissions; the private key is readable by root only, so the www-data worker processes never see it (the Nginx master process loads it before dropping privileges).
  • /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh: Owned by root:root with 0755 permissions to allow execution.
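A check for the ownership and mode table above and for the key-protection claim in the Access Rights and Security section. This is an added audit script, not part of the page or the project; it assumes GNU coreutils `stat` (as shipped on Debian and Ubuntu) and takes the FQDN as its only argument. The helper functions are generic so they can be pointed at any path.

```shell
#!/bin/sh
# Added example (not from the page): audits the permission table and checks
# that Let's Encrypt private key material is not readable by www-data or
# anyone else. Assumes GNU stat; the FQDN is passed as $1.
set -u

# audit_path PATH OWNER:GROUP OCTAL_MODE
# Prints one line per mismatch and returns 1; silent and 0 when it matches.
audit_path() {
    path=$1 want_owner=$2 want_mode=$3
    if [ ! -e "$path" ]; then
        echo "MISSING  $path"
        return 1
    fi
    got_owner=$(stat -c '%U:%G' "$path")
    got_mode=$(stat -c '%a' "$path")
    rc=0
    if [ "$got_owner" != "$want_owner" ]; then
        echo "OWNER    $path: want $want_owner, got $got_owner"; rc=1
    fi
    if [ "$got_mode" != "$want_mode" ]; then
        echo "MODE     $path: want $want_mode, got $got_mode"; rc=1
    fi
    return $rc
}

# key_is_private FILE: 0 when group and other have no permission bits at all.
# Follows symlinks, because live/<fqdn>/privkey.pem points into archive/.
key_is_private() {
    mode=$(stat -L -c '%a' "$1") || return 1
    [ $((mode % 100)) -eq 0 ]
}

# others_locked PATH: 0 when the "other" class has no permission bits, which
# is what "restricted" means for the live/<fqdn>/ directory.
others_locked() {
    mode=$(stat -L -c '%a' "$1") || return 1
    [ $((mode % 10)) -eq 0 ]
}

# audit_deployment FQDN: runs every row of the table; returns the failure count.
audit_deployment() {
    fqdn=$1 failures=0
    audit_path /var/www/html        www-data:www-data 755 || failures=$((failures + 1))
    audit_path /var/www/letsencrypt www-data:www-data 755 || failures=$((failures + 1))
    audit_path "/etc/nginx/sites-available/${fqdn}.conf" root:root 644 || failures=$((failures + 1))
    if [ ! -L "/etc/nginx/sites-enabled/${fqdn}.conf" ]; then
        echo "NOTLINK  /etc/nginx/sites-enabled/${fqdn}.conf"; failures=$((failures + 1))
    fi
    audit_path /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh root:root 755 || failures=$((failures + 1))
    if ! others_locked "/etc/letsencrypt/live/${fqdn}"; then
        echo "WORLD    /etc/letsencrypt/live/${fqdn} is accessible to others"; failures=$((failures + 1))
    fi
    if ! key_is_private "/etc/letsencrypt/live/${fqdn}/privkey.pem"; then
        echo "KEYMODE  /etc/letsencrypt/live/${fqdn}/privkey.pem is group/world accessible"; failures=$((failures + 1))
    fi
    [ "$failures" -eq 0 ] && echo "OK       all checks passed for ${fqdn}"
    return $failures
}

if [ -n "${1:-}" ]; then audit_deployment "$1"; fi
```

Run it as root (`sh audit.sh www.example.org`), since reading the mode of live/{fqdn}/privkey.pem through the symlink requires traversing the root-only live/ and archive/ directories; the exit status is the number of failed checks, so it drops straight into a cron job or a configuration-management handler.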

Starting, Stopping, and Updating

The Nginx service is managed using systemd. The following commands are used to control the service:

  • Start the service:
    systemctl start nginx
    
  • Stop the service:
    systemctl stop nginx
    
  • Restart the service:
    systemctl restart nginx
    
  • Reload the configuration without downtime:
    systemctl reload nginx
    
  • Check the service status:
    systemctl status nginx
    

The Certbot renewal hook automatically reloads Nginx after certificate renewal to apply the new certificates.
