
Deployment Overview of Nginx on Server

Prerequisites and Basic Requirements

The following system requirements must be met before proceeding with the deployment:

  • Operating System: Debian or Ubuntu

  • Privileges: root access or sudo privileges

  • Network: Access to ports 80 and 443 must be allowed through the firewall

  • Domain: The server's name in the hostkey.in zone must resolve publicly to this server before the certificate is requested, because Let's Encrypt validates ownership over HTTP

  • Dependencies: The system must have internet access to download packages and obtain certificates from Let's Encrypt

FQDN of the Final Panel

The application is accessible via a Fully Qualified Domain Name (FQDN) built from a fixed prefix and the server ID:

  • Format: <prefix><Server ID>.hostkey.in

  • Prefix: nginx

  • Example: nginx123.hostkey.in (server ID 123)

  • Port: 443 (HTTPS); requests to port 80 are redirected there

File and Directory Structure

The deployment creates the following directories and files on the server:

  • /var/www/html: Primary web root directory owned by www-data

  • /var/www/letsencrypt: Webroot directory used for ACME challenge validation, owned by www-data

  • /etc/letsencrypt/live/<fqdn>: Symbolic links to the current certificate files: full chain (fullchain.pem), private key (privkey.pem) and intermediate chain (chain.pem); the link targets are kept in /etc/letsencrypt/archive/<fqdn>, which is the directory to back up

  • /etc/nginx/sites-available/<fqdn>.conf: Main Nginx configuration file for the site

  • /etc/nginx/sites-enabled/<fqdn>.conf: Symbolic link enabling the site configuration

  • /etc/nginx/user_conf.d: Directory for additional user-defined Nginx configurations

Application Installation Process

The application stack consists of Nginx and Certbot, installed via the system package manager. The installed versions are the latest available in the Debian or Ubuntu repositories at the time of installation.

  • Install packages: nginx, certbot, python3-certbot-nginx, openssl

  • Enable and start the nginx service immediately after installation

  • Obtain the SSL certificate with Certbot in non-interactive mode (HTTP-01 challenge served from the /var/www/letsencrypt webroot) using a 4096-bit RSA key

Access Rights and Security

Security is managed through file ownership, permissions, and firewall configurations:

  • Users:

      • root: owns the Nginx configuration files and the Let's Encrypt directories

      • www-data: owns the web content directories (/var/www/html, /var/www/letsencrypt); the Nginx worker processes run as this user, so it needs no access to /etc/letsencrypt

  • Firewall: Ensure ports 80 (HTTP) and 443 (HTTPS) are open to the public internet; port 80 must stay open after issuance, because certificate renewal repeats the HTTP-01 challenge on it

  • Restrictions: The default Nginx site is disabled to prevent conflicts with the custom configuration

  • Certificates: Certificates are generated with a 4096-bit RSA key size; the private key under /etc/letsencrypt is readable only by root, and the Nginx master process (which runs as root) loads it before the workers drop to www-data

Permission Settings

File and directory permissions are set as follows to ensure secure operation:

  • /var/www/html: Mode 0755, Owner www-data:www-data

  • /var/www/letsencrypt: Mode 0755, Owner www-data:www-data

  • /etc/nginx/sites-available/<fqdn>.conf: Mode 0644, Owner root:root

  • /etc/nginx/user_conf.d: Mode 0755, Owner root:root

  • /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh: Mode 0755, Owner root:root
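The following script is an added example for checking that a server still matches the table above; it is not part of the HOSTKEY deployment. It compares each path's mode and owner against the expected values and additionally verifies that the Let's Encrypt private key has no group or world permission bits. The function names and the numeric-mode comparison are this example's own choices.

```shell
#!/bin/sh
# Added example (not HOSTKEY's own tooling): audit the ownership and mode of
# the paths from the Permission Settings table and confirm privkey.pem is
# readable only by its owner. Run as root, because /etc/letsencrypt/live is
# not traversable by other users.
set -u

# check_perm PATH MODE OWNER:GROUP -> 0 if PATH matches, 1 otherwise.
# A leading zero in MODE (0755) is accepted; stat prints 755.
check_perm() {
    path="$1"; want_mode="${2#0}"; want_owner="$3"
    if [ ! -e "$path" ]; then
        echo "MISSING  $path" >&2
        return 1
    fi
    # -L follows symlinks so the target's mode is reported, not the link's
    actual=$(stat -L -c '%a %U:%G' "$path")
    if [ "$actual" = "$want_mode $want_owner" ]; then
        echo "ok       $path ($actual)"
        return 0
    fi
    echo "MISMATCH $path: have '$actual', want '$want_mode $want_owner'" >&2
    return 1
}

# check_private_key PATH -> 0 only if group and other bits are all zero
# (0600, 0400, 0700 ...); any group/world access to the key is a finding.
check_private_key() {
    key="$1"
    if [ ! -e "$key" ]; then
        echo "MISSING  $key" >&2
        return 1
    fi
    mode=$(stat -L -c '%a' "$key")
    case "$mode" in
        *00) echo "ok       $key (mode $mode)"; return 0 ;;
        *)   echo "EXPOSED  $key is group/world accessible (mode $mode)" >&2
             return 1 ;;
    esac
}

# audit_deployment FQDN -> runs every check; returns 1 if any check fails.
audit_deployment() {
    fqdn="$1"; rc=0
    check_perm /var/www/html 0755 www-data:www-data || rc=1
    check_perm /var/www/letsencrypt 0755 www-data:www-data || rc=1
    check_perm "/etc/nginx/sites-available/$fqdn.conf" 0644 root:root || rc=1
    check_perm /etc/nginx/user_conf.d 0755 root:root || rc=1
    check_perm /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh 0755 root:root || rc=1
    check_private_key "/etc/letsencrypt/live/$fqdn/privkey.pem" || rc=1
    return $rc
}

# Usage: sudo sh audit-nginx-perms.sh nginx123.hostkey.in
if [ $# -eq 1 ]; then
    audit_deployment "$1"
fi
```

The audit deliberately reports on the symlink targets (stat -L), since /etc/letsencrypt/live/<fqdn>/privkey.pem is a link whose own mode is always 777 and says nothing about the key file.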

Proxy Servers

Nginx functions as the primary reverse proxy and web server for this deployment:

  • Protocol: HTTP (Port 80) is automatically redirected to HTTPS (Port 443)

  • SSL/TLS: Managed by Certbot with Let's Encrypt; certificates are automatically renewed

  • Configuration:

      • Port 80 serves the ACME HTTP-01 challenge from /var/www/letsencrypt and redirects every other request to HTTPS

      • Port 443 serves HTTPS traffic with HTTP/2 support

      • Custom Diffie-Hellman parameters (/etc/letsencrypt/dhparams/dhparam.pem) are loaded for the DHE cipher suites instead of the library defaults

  • Custom Domains: The server_name is the hostkey.in FQDN derived from the server ID (nginx<Server ID>.hostkey.in)

  • Certificate Renewal: The certbot package's systemd timer (certbot.timer) renews the certificate automatically, and a deploy hook (/etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh) reloads Nginx afterwards; without that reload Nginx would keep serving the old certificate from memory until its next restart
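What the two server blocks described above look like in practice, as an added example and not the file HOSTKEY generates. The host name nginx123.hostkey.in, the TLS protocol and cipher settings, the HSTS header and the include of user_conf.d inside the HTTPS block are assumptions; the certificate, key, dhparam and webroot paths are the ones listed on this page.

```nginx
# Added example of /etc/nginx/sites-available/<fqdn>.conf (not HOSTKEY's
# generated file). nginx123.hostkey.in is an assumed server ID.

# Port 80: answer ACME HTTP-01 challenges from the dedicated webroot and
# redirect everything else to HTTPS. $server_name rather than $host is used
# in the redirect so a forged Host header cannot steer the redirect target.
server {
    listen 80;
    listen [::]:80;
    server_name nginx123.hostkey.in;

    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        default_type "text/plain";
    }

    location / {
        return 301 https://$server_name$request_uri;
    }
}

# Port 443: TLS with HTTP/2, Let's Encrypt chain and custom DH parameters.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name nginx123.hostkey.in;

    ssl_certificate     /etc/letsencrypt/live/nginx123.hostkey.in/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/nginx123.hostkey.in/privkey.pem;
    ssl_dhparam         /etc/letsencrypt/dhparams/dhparam.pem;

    # Assumed hardening: no TLS 1.0/1.1, client cipher preference is fine for
    # a TLS 1.2+ only list, no resumption tickets (forward secrecy).
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # Assumed: one-year HSTS. Only enable once HTTPS is known to work, since
    # browsers will refuse plain HTTP for the name until max-age expires.
    add_header Strict-Transport-Security "max-age=31536000" always;

    root  /var/www/html;
    index index.html;

    # Assumed: user-supplied fragments from the page's user_conf.d directory
    include /etc/nginx/user_conf.d/*.conf;
}
```

Because the default site is disabled, this server block also becomes the catch-all for requests whose Host header matches nothing, which is why the redirect avoids echoing $host. Validate with nginx -t before reloading.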

Location of Configuration Files and Data

The critical configuration and data files are located in the following paths:

  • /etc/nginx/sites-available/<fqdn>.conf: Active Nginx site configuration

  • /etc/letsencrypt/live/<fqdn>/: Active SSL certificate files

  • /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh: Certificate renewal reload script

  • /var/www/html: Default document root

  • /var/www/letsencrypt: ACME challenge directory

Available Ports for Connection

The following ports are utilized by the application:

Port   Protocol   Description
80     TCP        HTTP (ACME challenge and redirect to HTTPS)
443    TCP        HTTPS (Secure web traffic)

Starting, Stopping, and Updating

Service management is handled via systemd. The following commands are used to control the Nginx service:

  • Start Service: systemctl start nginx

  • Stop Service: systemctl stop nginx

  • Restart Service: systemctl restart nginx

  • Reload Configuration: systemctl reload nginx

  • Enable on Boot: systemctl enable nginx

  • Check Status: systemctl status nginx

Configuration changes require a validation step using nginx -t followed by a reload to apply the changes.
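The validate-then-reload step above is also exactly what the deploy hook from the Proxy Servers section has to do, so the following added example covers both: it is a script, not HOSTKEY's reload-nginx.sh, that refuses to reload when nginx -t fails and that can also perform the initial non-interactive certificate request with the webroot challenge and a 4096-bit RSA key. The function names and the *_BIN override variables are assumptions introduced so the logic can be exercised on a machine without nginx or certbot.

```shell
#!/bin/sh
# Added example; not HOSTKEY's reload-nginx.sh.
#   safe_reload - runs `nginx -t` and reloads only if it passes, so a bad
#                 edit or a broken renewal never takes the running site down
#   obtain_cert - requests the certificate non-interactively with the
#                 HTTP-01 webroot challenge and registers this file as the
#                 deploy hook
# The *_BIN variables are assumptions that allow testing without the real
# binaries; leave them unset on the server.
set -u

NGINX_BIN="${NGINX_BIN:-nginx}"
SYSTEMCTL_BIN="${SYSTEMCTL_BIN:-systemctl}"
CERTBOT_BIN="${CERTBOT_BIN:-certbot}"
ACME_WEBROOT="${ACME_WEBROOT:-/var/www/letsencrypt}"
HOOK_PATH="${HOOK_PATH:-/etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh}"

# Returns 0 after a reload, 1 (leaving the running nginx untouched) when the
# configuration fails validation; the validation output goes to stderr.
safe_reload() {
    if out=$("$NGINX_BIN" -t 2>&1); then
        "$SYSTEMCTL_BIN" reload nginx
    else
        echo "nginx -t failed; refusing to reload:" >&2
        echo "$out" >&2
        return 1
    fi
}

# obtain_cert FQDN EMAIL
# --key-type needs certbot >= 1.10 (Debian 11+, Ubuntu 22.04+); older
# releases only issue RSA keys, so drop that flag on them.
obtain_cert() {
    fqdn="$1"; email="$2"
    "$CERTBOT_BIN" certonly --webroot -w "$ACME_WEBROOT" \
        -d "$fqdn" --non-interactive --agree-tos -m "$email" \
        --key-type rsa --rsa-key-size 4096 \
        --deploy-hook "$HOOK_PATH"
}

# certbot exports RENEWED_LINEAGE when it invokes a deploy hook; in that
# case act as the hook. Manual use:
#   reload-nginx.sh issue nginx123.hostkey.in admin@example.com
#   reload-nginx.sh reload
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    safe_reload
elif [ "${1:-}" = "issue" ] && [ $# -eq 3 ]; then
    obtain_cert "$2" "$3"
elif [ "${1:-}" = "reload" ]; then
    safe_reload
fi
```

The hook's non-zero exit on a failed nginx -t is deliberate: certbot then reports the deploy hook as failed in its renewal output, which is the signal that the new certificate exists on disk but is not yet being served.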
