How to secure web servers with HTTPS traffic

Introduction:

Let's Encrypt is a free, automated certificate authority that issues TLS/SSL certificates you can use to enable HTTPS on a web server. Certbot is the free client software, recommended by Let's Encrypt, that proves you control a domain, requests the certificate, installs it and automates its renewal (Certbot is a client, not a certificate).

Certbot can configure both Nginx and Apache. This tutorial covers Nginx, and it uses a separate server block file for the site rather than the default file.

Prerequisites:

  • An Ubuntu server (this guide was written for 16.04, 17.10 and 18.04) with a user that can run sudo.
  • A registered domain name. You can buy one from a registrar such as Namecheap or GoDaddy, or use one provided through a cloud host such as DigitalOcean or Vultr.
  • DNS records for that domain pointing at the server's public IP address: an A record for IPv4 and an AAAA record for IPv6, plus a CNAME (or a second A/AAAA record) for the www name. Let's Encrypt validates ownership over HTTP, so the names must resolve to this server before Step 4.
  • Nginx installed on the server (for example by following a guide to installing LEMP on Ubuntu).
  • A server block configured for your domain, and ideally the ufw firewall enabled.

Step 1: How to install Certbot

This step installs Certbot and its Nginx plugin; the TLS/SSL certificate itself is obtained in Step 4.

Certbot is actively developed, so the version in the default Ubuntu repositories lags behind. Add the Certbot PPA to get a current release:

sudo add-apt-repository ppa:certbot/certbot

Press ENTER to accept, then refresh the package index:

sudo apt-get update

Now install Certbot together with its Nginx plugin:

sudo apt-get install python-certbot-nginx

Certbot is now installed. (This PPA has since been deprecated: on current Ubuntu releases the Certbot project distributes Certbot as a snap, and the distribution package is named python3-certbot-nginx.) Next, confirm the Nginx configuration that the plugin will modify.

Step 2: Confirm the Nginx configuration

Certbot's Nginx plugin locates the server block to edit by matching the server_name directive, so that directive must list every domain you will request a certificate for. Open the server block file for your domain:

sudo nano /etc/nginx/sites-available/example.com

Find the server_name line and make sure it names both your domain and the www subdomain (replace example.com with your own domain):

server_name example.com www.example.com;

Save and close the file, then check the configuration for syntax errors. If the check fails, re-open the file and fix the line it reports:

sudo nginx -t

If the test passes, reload Nginx so the change takes effect:

sudo systemctl reload nginx
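Because the plugin matches on server_name, it is worth checking that directive mechanically before running Certbot. The script below is an added example, not part of the original tutorial: it extracts every server_name from a server block file and reports which of the requested domains are missing. The sample configuration it writes to a temporary file is constructed to stand in for /etc/nginx/sites-available/example.com.

```shell
#!/bin/sh
# Added example: pre-flight check that the server block Certbot will edit
# names every domain you are about to request a certificate for.

server_names() {
    # Print each name listed in server_name directives of config file $1,
    # one per line (handles "server_name a.example b.example;")
    sed -n 's/^[[:space:]]*server_name[[:space:]][[:space:]]*\(.*\);.*$/\1/p' "$1" \
        | tr '[:space:]' '\n' | sed '/^$/d'
}

has_server_name() {
    # Succeed when $2 appears exactly as a server_name in config file $1
    server_names "$1" | grep -qx "$2"
}

check_domains() {
    # Report each requested domain; fail if any is missing from the config
    cfg=$1; shift
    rc=0
    for d in "$@"; do
        if has_server_name "$cfg" "$d"; then
            echo "ok: $d"
        else
            echo "missing: $d (add it to server_name in $cfg)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample config standing in for /etc/nginx/sites-available/example.com
SAMPLE_CFG=$(mktemp)
cat >"$SAMPLE_CFG" <<'EOF'
server {
    listen 80;
    listen [::]:80;
    root /var/www/example.com/html;
    server_name example.com www.example.com;
    location / { try_files $uri $uri/ =404; }
}
EOF

# On a real server, run against the live file with the same names you will
# pass to "certbot --nginx -d ... -d ...":
#   check_domains /etc/nginx/sites-available/example.com example.com www.example.com
check_domains "$SAMPLE_CFG" example.com www.example.com
check_domains "$SAMPLE_CFG" example.com mail.example.com \
    || echo "pre-flight failed: fix server_name before running certbot"
```

If the check reports a missing name, add it to server_name and run sudo nginx -t again before continuing; otherwise Certbot will either refuse to find a matching block or issue a certificate the server never serves for that name.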

Step 3: Allowing HTTPS through the firewall

If ufw is enabled, it must allow TCP port 443 in addition to port 80. Check the current rules:

sudo ufw status
Output (HTTPS not yet allowed):
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere                  
Nginx HTTP                 ALLOW       Anywhere                  
OpenSSH (v6)               ALLOW       Anywhere (v6)             
Nginx HTTP (v6)            ALLOW       Anywhere (v6)

The 'Nginx Full' profile allows both HTTP (port 80) and HTTPS (port 443). Allow it and drop the now-redundant HTTP-only profile. Do not close port 80 altogether: Let's Encrypt's HTTP-01 validation and the HTTP-to-HTTPS redirect both rely on it:

sudo ufw allow 'Nginx Full'
sudo ufw delete allow 'Nginx HTTP'

Check the rules again:

sudo ufw status

The status should now look like this:

Output
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Nginx Full                 ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Nginx Full (v6)            ALLOW       Anywhere (v6)


Step 4: Obtaining the SSL certificate

With the configuration and firewall in place, request a certificate covering both names. The --nginx flag tells Certbot to use its Nginx plugin, which also installs the certificate into the server block and reloads Nginx:

sudo certbot --nginx -d example.com -d www.example.com

Certbot first proves that you control the domains by answering a challenge over HTTP on port 80, then obtains the certificate and asks how plain HTTP should be handled. Option 2 adds a redirect from HTTP to HTTPS, which is what you want for a new site:

Output
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

On success Certbot prints a note like the following (the expiry date is 90 days after issuance). Note that /etc/letsencrypt holds your ACME account key and the certificates' private keys, so any backup of it must be protected as carefully as the server itself:

Output
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/example.com/fullchain.pem. Your cert will
   expire on 2017-10-23. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot again with the
   "certonly" option. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
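To make visible what option 2 actually does to the file from Step 2, here is approximately the server block the Nginx plugin produces, as an added example rather than output captured from the page's own run. Lines marked "managed by Certbot" are what the plugin writes (the certificate paths are Certbot's standard layout, as in the output above); the document root is assumed, and the Strict-Transport-Security header is a hardening addition of mine that Certbot does not write.

```nginx
# /etc/nginx/sites-available/example.com after "certbot --nginx" with the
# redirect option chosen (added example; see the lead-in for what is assumed).

server {
    server_name example.com www.example.com;
    root /var/www/example.com/html;   # assumed document root
    index index.html;

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
    # options-ssl-nginx.conf sets ssl_protocols and the cipher list, so do
    # not add a second ssl_protocols line here.
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    # Added hardening: tell browsers to use HTTPS only for the next 30 days.
    # Browsers cache this, so raise max-age (and add includeSubDomains) only
    # once every host under the domain serves HTTPS.
    add_header Strict-Transport-Security "max-age=2592000" always;

    location / {
        try_files $uri $uri/ =404;
    }
}

server {
    if ($host = www.example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;
    return 404; # managed by Certbot
}
```

After editing by hand, always run sudo nginx -t before reloading; the plugin keeps its own lines so that future certbot runs can find and update them.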


Step 5: Verifying Certbot auto-renewal

Let's Encrypt certificates are valid for 90 days. The Certbot package installs a scheduled job (a certbot.timer systemd unit; the package also ships a cron job in /etc/cron.d) that runs certbot renew twice a day. That command renews any certificate within 30 days of expiry and leaves the rest untouched. Test that the renewal process works without actually renewing anything:

sudo certbot renew --dry-run
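A dry run only proves renewal can succeed today; if the timer later stops firing or renewals start failing, nothing tells you until the certificate expires. The script below is an added example, not part of the original tutorial, that you can run from cron or a monitoring check: it computes the days left from a certificate's notAfter date and flags when the 30-day renewal window has been entered and when renewal is plainly overdue. It needs GNU date; openssl is only used by cert_not_after when reading a real certificate file. The sample notAfter value is constructed to match the expiry shown in Certbot's output above.

```shell
#!/bin/sh
# Added example: certificate expiry check to run alongside "certbot renew --dry-run".

days_left() {
    # $1: notAfter value in openssl's format, e.g. "Oct 23 12:00:00 2017 GMT"
    # $2: optional "now" as a Unix epoch (defaults to the current time)
    end=$(date -u -d "$1" +%s) || return 2
    now=${2:-$(date -u +%s)}
    echo $(( (end - now) / 86400 ))
}

renewal_due() {
    # Succeed when 30 days or fewer remain: the window in which Certbot's
    # scheduled "certbot renew" will actually renew the certificate
    d=$(days_left "$1" "$2") || return 2
    [ "$d" -le 30 ]
}

cert_not_after() {
    # Read the notAfter date from a PEM certificate file, e.g.
    # /etc/letsencrypt/live/example.com/fullchain.pem (needs read access)
    openssl x509 -enddate -noout -in "$1" | sed 's/^notAfter=//'
}

check_cert() {
    # Report the days left for certificate file $1; fail when fewer than 7
    # remain, which means the twice-daily renew job has been failing for weeks
    na=$(cert_not_after "$1") || return 2
    d=$(days_left "$na") || return 2
    if [ "$d" -lt 7 ]; then
        echo "ALERT: $1 expires in $d days; automatic renewal is not working"
        return 1
    fi
    echo "$1 expires in $d days ($na)"
}

# Constructed sample matching the expiry date shown in Certbot's output above
SAMPLE_NOT_AFTER="Oct 23 12:00:00 2017 GMT"

# On a real server (as root, or a user that can read the live directory):
#   check_cert /etc/letsencrypt/live/example.com/fullchain.pem
```

Pair this with a look at the scheduler itself (systemctl list-timers on systemd hosts) so that a broken timer is noticed before the certificate reaches the alert threshold.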

Conclusion:

Your Nginx server now serves the site over HTTPS with a Let's Encrypt certificate, redirects plain HTTP to HTTPS, and renews the certificate automatically. Keep port 80 reachable so renewals keep working, and repeat the dry run after any change to the Nginx configuration or the firewall.
