How to Install Nginx SSL on Ubuntu

小樊
2025-10-08 11:38:02
Category: Cloud Computing

Step 1: Install Nginx on Ubuntu
Update your package list and install Nginx using the following commands:

sudo apt update
sudo apt install nginx

Start the Nginx service and verify its status to ensure it’s running:

sudo systemctl start nginx
sudo systemctl status nginx

You should see an active (running) status in the output.

Step 2: Obtain an SSL Certificate
You can either purchase a certificate from a trusted Certificate Authority (CA) or use Let’s Encrypt (free). For Let’s Encrypt:
Install Certbot and the Nginx plugin:

sudo apt install certbot python3-certbot-nginx

Run Certbot to automatically obtain and configure the certificate for your domain (replace yourdomain.com with your actual domain):

sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com

Follow the on-screen prompts. Certbot will validate your domain, download the certificate, and configure Nginx automatically.

Step 3: Configure Nginx to Use SSL
If you used Certbot, it has most likely already added the SSL settings to your Nginx configuration (/etc/nginx/sites-available/default or a custom file in /etc/nginx/sites-available/). To configure SSL manually instead:
Open your site’s configuration file in a text editor (e.g., nano):

sudo nano /etc/nginx/sites-available/yourdomain.com

Add or modify the following blocks to enable HTTPS:

  • Redirect HTTP to HTTPS: Ensures all traffic uses the secure protocol.
  • 443 SSL Server Block: Configures HTTPS with your certificate and preferred protocols/ciphers.

Example configuration:

server {
    listen 80;
    server_name yourdomain.com www.yourdomain.com;
    return 301 https://$host$request_uri; # Redirect HTTP to HTTPS
}

server {
    listen 443 ssl http2; # Enable HTTP/2 for better performance
    listen [::]:443 ssl http2;
    server_name yourdomain.com www.yourdomain.com;

    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem; # Path to your certificate
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem; # Path to your private key

    ssl_protocols TLSv1.2 TLSv1.3; # Use modern, secure protocols
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384'; # Secure cipher suites
    ssl_prefer_server_ciphers on; # Prefer server ciphers

    root /var/www/yourdomain.com; # Your website’s root directory
    index index.html index.htm; # Default index files

    location / {
        try_files $uri $uri/ =404; # Basic routing
    }
}

Save the file and exit the editor.

Step 4: Test and Apply Configuration
Before reloading Nginx, test your configuration for syntax errors:

sudo nginx -t

If the test passes, you’ll see:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Reload Nginx to apply the changes:

sudo systemctl reload nginx
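
The syntax test above does not judge whether the protocol and cipher choices from Step 3 are sound. The shell function below is an added example, not part of the original guide; check_tls_conf and the sample config are constructed for illustration, and it assumes one directive per line.

```shell
#!/bin/sh
# Added example: lint an Nginx site file for the TLS settings from Step 3.
# check_tls_conf and the sample config are constructed for illustration.
# Assumes one directive per line, as in the guide's configuration.
check_tls_conf() {
    conf=$1
    rc=0
    # Drop comments, quotes and semicolons so only directive words remain.
    body=$(sed 's/#.*$//' "$conf" | tr -d "';")
    # 1. ssl_protocols must list only TLSv1.2 and/or TLSv1.3.
    protos=$(printf '%s\n' "$body" | awk '$1 == "ssl_protocols" { for (i = 2; i <= NF; i++) print $i }')
    [ -n "$protos" ] || { echo "FAIL: no ssl_protocols directive"; rc=1; }
    for p in $protos; do
        case $p in
            TLSv1.2|TLSv1.3) ;;
            *) echo "FAIL: legacy protocol enabled: $p"; rc=1 ;;
        esac
    done
    # 2. Each cipher must be ECDHE with an AEAD mode, like the guide's list.
    ciphers=$(printf '%s\n' "$body" | awk '$1 == "ssl_ciphers" { print $2 }' | tr ':' ' ')
    for c in $ciphers; do
        case $c in
            ECDHE-*GCM*|ECDHE-*CHACHA20*|"!"*) ;;
            *) echo "FAIL: cipher outside the ECDHE/AEAD set: $c"; rc=1 ;;
        esac
    done

    # 3. Certificate and key must both be set, and port 80 must redirect.
    for d in ssl_certificate ssl_certificate_key; do
        printf '%s\n' "$body" | awk -v d="$d" '$1 == d { f = 1 } END { exit !f }' \
            || { echo "FAIL: missing $d"; rc=1; }
    done
    printf '%s\n' "$body" | grep -Eq 'return[[:space:]]+301[[:space:]]+https://' \
        || { echo "FAIL: no HTTP to HTTPS redirect"; rc=1; }
    return $rc
}

# Constructed sample with a legacy protocol, a CBC cipher and no key or redirect.
sample=$(mktemp)
cat > "$sample" <<'EOF'
server {
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_protocols TLSv1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA';
}
EOF
check_tls_conf "$sample" || echo "sample config needs fixing"
rm -f "$sample"
```

To check a real site, call check_tls_conf with the path of the file you edited in Step 3; a non-zero return means at least one FAIL line was printed.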

Step 5: Verify SSL Functionality
Open your browser and navigate to https://yourdomain.com. You should see a lock icon in the address bar, indicating a secure connection. Click the lock to view certificate details (e.g., issuer, validity period).

Optional: Set Up Automatic Certificate Renewal
Let’s Encrypt certificates expire after 90 days. To avoid manual renewal, set up an automatic task:
Test the renewal process (this won’t affect your live site):

sudo certbot renew --dry-run

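If the test succeeds, add a cron job to run renewal daily (Certbot will only renew certificates that are near expiration). The certbot package installed from apt normally ships its own scheduled renewal task, so check whether one already exists before adding a second: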

sudo crontab -e

Add the following line to the end of the file:

0 0 * * * /usr/bin/certbot renew --quiet

Save and exit. The cron job will automatically renew your certificates and reload Nginx as needed.
