Install Nginx Securely on Ubuntu 22.04, 20.04, 18.04

October 19, 2023
3 min read
By Cojocaru David & ChatGPT

How to Install and Secure Nginx on Ubuntu 22.04, 20.04, or 18.04

Want to install and secure Nginx on Ubuntu 22.04, 20.04, or 18.04? This step-by-step guide covers everything—from installing Nginx and configuring a firewall with iptables to setting up free SSL certificates with Let’s Encrypt. Follow these best practices to ensure a fast, secure, and optimized web server.

“Security is not a product, but a process.” — Bruce Schneier

Prerequisites

Before starting, ensure you have:

  • A server running Ubuntu 22.04, 20.04, or 18.04.
  • A non-root user with sudo privileges.
  • An updated system (run sudo apt update && sudo apt upgrade -y).

Step 1: Install Nginx and Required Packages

Install Nginx along with essential security tools:

sudo apt install nginx iptables-persistent certbot python3-certbot-nginx curl -y  

After installation, verify Nginx is running:

sudo systemctl status nginx  

Step 2: Configure the Firewall for Security

Add firewall rules for the web ports. These commands only append rules to the default chains and do not change the INPUT chain's default policy, so any other open port stays reachable unless you also set a default-deny policy (allow your SSH port before doing so, or you will lock yourself out).

Allow HTTP and HTTPS

sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT  
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT  

Limit Concurrent Connections per Source (Mitigate Connection Floods)

These rules use -I so that they are inserted above the ACCEPT rules from the previous step. iptables stops at the first matching rule, so a connlimit DROP appended after an ACCEPT for the same port would never be evaluated. A mask of 24 counts connections per /24 source network, which can also block legitimate users behind a shared NAT, so tune the threshold for your traffic. connlimit caps simultaneous connections from one source; it does not stop a distributed flood on its own.

sudo iptables -I INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 --connlimit-mask 24 -j DROP
sudo iptables -I INPUT -p tcp --syn --dport 443 -m connlimit --connlimit-above 20 --connlimit-mask 24 -j DROP

Block Invalid Packets

sudo iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP
sudo iptables -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP

Save firewall rules permanently:

sudo netfilter-persistent save  
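A quick way to confirm the rule ordering is right after saving is to inspect `iptables -S INPUT` and check that each connlimit DROP rule is listed before the ACCEPT rule for the same port. The script below is an added example, not part of the original post: `check_rule_order` is a hypothetical helper that reads `iptables -S INPUT` output on stdin, and the two rule listings are constructed samples of what that command prints in the wrong and in the right order.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the connlimit DROP
# rules are evaluated before the ACCEPT rules for the same port. iptables walks
# a chain top to bottom and stops at the first match, so a DROP listed after an
# ACCEPT for port 80 or 443 is never reached.
#
# Usage on a live host: sudo iptables -S INPUT | check_rule_order

# Returns 0 when every port that has a connlimit DROP rule lists that rule
# before its ACCEPT rule; otherwise prints the offending ports and returns 1.
check_rule_order() {
    awk '
    /^-A INPUT / && /--dport/ {
        port = ""
        for (i = 1; i <= NF; i++) if ($i == "--dport") port = $(i + 1)
        if ($0 ~ /-m connlimit/ && $0 ~ /-j DROP/) {
            if (!(port in limit)) limit[port] = NR
        } else if ($0 ~ /-j ACCEPT/) {
            if (!(port in accept)) accept[port] = NR
        }
    }
    END {
        bad = 0
        for (p in limit) {
            if ((p in accept) && accept[p] < limit[p]) {
                printf "port %s: ACCEPT at line %d is evaluated before connlimit DROP at line %d\n", p, accept[p], limit[p]
                bad = 1
            }
        }
        exit bad
    }'
}

# Constructed sample: what `iptables -S INPUT` shows when the DROP rules were
# appended (-A) after the ACCEPT rules. The DROP rules are dead code here.
APPENDED_ORDER='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 20 --connlimit-mask 24 --connlimit-saddr -j DROP
-A INPUT -p tcp -m tcp --dport 443 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 20 --connlimit-mask 24 --connlimit-saddr -j DROP'

# Constructed sample: the same rules after the DROP rules were inserted (-I)
# at the top of the chain, so they are checked first.
INSERTED_ORDER='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 443 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 20 --connlimit-mask 24 --connlimit-saddr -j DROP
-A INPUT -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 20 --connlimit-mask 24 --connlimit-saddr -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT'

echo "appended order:"
printf '%s\n' "$APPENDED_ORDER" | check_rule_order || echo "=> reorder the rules"
echo "inserted order:"
printf '%s\n' "$INSERTED_ORDER" | check_rule_order && echo "=> ok"
```

The checker only looks at rules that carry `--dport`, so a default-deny policy line or rules for other protocols do not affect the result; it reports every port whose ACCEPT would shadow its limit.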

Step 3: Set Up Let’s Encrypt SSL

Edit Nginx Configuration

Open the default config file:

sudo nano /etc/nginx/sites-available/default  

Replace server_name _; with your domain:

server_name example.com www.example.com;  

Obtain SSL Certificate

Run Certbot to generate a free SSL certificate:

sudo certbot --nginx -d example.com -d www.example.com  

Follow the prompts to complete setup.

Step 4: Optimize Nginx for Security and Performance

Update /etc/nginx/sites-available/default with these security headers and optimizations:

server_tokens off;

server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name example.com www.example.com;

    # SSL and security headers
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    # "preload" commits the domain to the browser HSTS preload list and is hard to undo;
    # drop it unless you intend to submit the domain to that list
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;

    # Performance optimizations
    location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
        expires 1y;
        access_log off;
        add_header Cache-Control "public";
        # add_header is not inherited once a block sets its own add_header,
        # so the security headers must be repeated here or static files lose them
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
        add_header X-Frame-Options SAMEORIGIN;
        add_header X-Content-Type-Options nosniff;
    }
}

Test and restart Nginx:

sudo nginx -t && sudo systemctl restart nginx  
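After the restart, check the headers that actually reach the client, and check a static asset as well as a page: a location block that sets its own add_header (the Cache-Control one above) stops inheriting the server-level headers unless they are repeated there. The script below is an added example, not part of the original post: `check_security_headers` is a hypothetical helper that reads `curl -sI` output on stdin, and both responses are constructed samples (the nginx version string is a placeholder).

```shell
#!/bin/sh
# Added example (not from the original post): check that a response carries the
# security headers configured above and that server_tokens off hides the nginx
# version.
#
# Usage on a live site:
#   curl -sI https://example.com/ | check_security_headers
#   curl -sI https://example.com/app.js | check_security_headers

# Headers the server block adds; compared case-insensitively.
REQUIRED_HEADERS='strict-transport-security x-frame-options x-content-type-options'

# Reads response headers on stdin. Returns 0 when every required header is
# present and the Server header carries no version; otherwise prints each
# problem and returns 1.
check_security_headers() {
    headers=$(tr -d '\r' | tr 'A-Z' 'a-z')
    problems=0
    for h in $REQUIRED_HEADERS; do
        case "$headers" in
            *"$h:"*) ;;
            *) echo "missing header: $h"; problems=1 ;;
        esac
    done
    case "$headers" in
        *"server: nginx/"*)
            echo "Server header leaks the nginx version (server_tokens off not in effect)"
            problems=1 ;;
    esac
    return $problems
}

# Constructed sample of `curl -sI https://example.com/` with the config above.
PAGE_RESPONSE='HTTP/2 200
server: nginx
content-type: text/html
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff'

# Constructed sample of a static asset served by a location block that sets
# Cache-Control without repeating the security headers, on a server that still
# reports its version (X.Y.Z is a placeholder).
ASSET_RESPONSE='HTTP/2 200
server: nginx/X.Y.Z (Ubuntu)
content-type: application/javascript
expires: Thu, 31 Dec 2026 00:00:00 GMT
cache-control: max-age=31536000
cache-control: public'

echo "page:"
printf '%s\n' "$PAGE_RESPONSE" | check_security_headers && echo "=> ok"
echo "asset:"
printf '%s\n' "$ASSET_RESPONSE" | check_security_headers || echo "=> fix the location block"
```

The first sample passes; the second reports three missing headers and the leaked version, which is exactly what you see when the location block's Cache-Control add_header silently drops the inherited headers.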

Step 5: Verify and Maintain Security

  • Check SSL: Use SSL Labs to test your configuration.
  • Auto-Renew Certificates: Ensure Certbot auto-renewal is active:
    sudo certbot renew --dry-run  

#nginx #ubuntu #websecurity #devops #letsencrypt