
The Perfect Web Server – Part 3

In Part 2 of the Perfect Web Server, we created a MySQL database and launched a WordPress site. In this part, we are going to secure the WordPress site with a free Let’s Encrypt SSL certificate and also enable HTTP/2.

HTTP/2

HTTP/2 is the second major version of the HTTP protocol that powers the web. Unlike HTTP/1.1, which handles one request at a time per connection, HTTP/2 multiplexes many requests and responses over a single TCP connection, which cuts latency and connection overhead. Browsers only speak HTTP/2 over TLS, so it goes hand in hand with the certificate we are about to install. This is what Google says about HTTP/2:

The primary goals for HTTP/2 are to reduce latency by enabling full request and response multiplexing, minimize protocol overhead via efficient compression of HTTP header fields, and add support for request prioritization and server push.

Let’s Encrypt

Let’s Encrypt is a non-profit Certificate Authority that issues free, domain-validated TLS certificates (still commonly called SSL certificates) after verifying that you control the domain or subdomain. It checks control of the name only, not who you are. The concept of free SSL is relatively new; until recently, hosting providers charged a lot per year for an SSL certificate.

Let’s Encrypt issues certificates through an ACME client such as Certbot. ACME (Automatic Certificate Management Environment, RFC 8555) is the protocol it uses to prove you control a name and then issue the certificate; the proof is a challenge, usually a file served from your web server (HTTP-01) or a DNS TXT record (DNS-01).

So, to get a certificate from them, we need to install Certbot on our server. Instructions for each web server and OS are at https://certbot.eff.org/instructions

For this series, select: My HTTP website is running NGINX on Ubuntu 20.04

Before running Certbot, check two things: the DNS A (or AAAA) record for the domain points at this server, and port 80 is reachable from the internet, because the HTTP-01 challenge is fetched from http://<domain>/.well-known/acme-challenge/ over plain HTTP. Then follow the instructions on the website.

sudo snap install core; sudo snap refresh core   # make sure snapd's core is current
sudo apt-get remove certbot                       # remove the old Ubuntu package so the two don't conflict
sudo snap install --classic certbot               # install current Certbot from the EFF snap
sudo ln -s /snap/bin/certbot /usr/bin/certbot     # put certbot on PATH for shells and cron
sudo certbot --nginx                              # request the certificate and edit the NGINX config

Select your domain name and let Certbot configure TLS for you. Certbot answers the HTTP-01 challenge through NGINX, stores the certificate and key under /etc/letsencrypt/live/<domain>/, edits the server block in your NGINX configuration, and asks whether to redirect HTTP to HTTPS (choose the redirect).

To enable HTTP/2 on the NGINX that ships with Ubuntu 20.04 (1.18), add http2 to the listen line, like this

listen 443 ssl http2;

On NGINX 1.25.1 and newer this listen parameter is deprecated and logs a warning; there you keep listen 443 ssl; and add a separate http2 on; directive in the server block instead.

The full NGINX config will look like this now.

Note that I have added a custom access log and error log too. The directory /var/log/nginx/wpbeta must exist before you test the config (sudo mkdir -p /var/log/nginx/wpbeta), otherwise nginx -t fails.

server {
    server_name wpbeta.cloudpixels.in;
    root /var/www/wpbeta;
    access_log /var/log/nginx/wpbeta/access.log;   # directory must exist before nginx -t
    error_log /var/log/nginx/wpbeta/error.log;
    index index.html index.htm index.php;

    location / {
        # route unknown paths through WordPress so pretty permalinks resolve;
        # the =404 fallback from Part 2 returns 404 for every non-file permalink
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
    }

    location ~ /\.ht {
        deny all;   # never serve Apache .htaccess/.htpasswd files
    }

    listen 443 ssl http2; # managed by Certbot (http2 added by hand)
    ssl_certificate /etc/letsencrypt/live/wpbeta.cloudpixels.in/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/wpbeta.cloudpixels.in/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot (protocols, ciphers, session cache)
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
    # plain HTTP for this name is redirected to HTTPS; anything else on port 80 gets a 404
    if ($host = wpbeta.cloudpixels.in) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    server_name wpbeta.cloudpixels.in;
    return 404; # managed by Certbot

}

Check the NGINX config and reload NGINX

sudo nginx -t
sudo systemctl reload nginx

Now visit your website URL. Note that Certbot has also added a redirect from HTTP to HTTPS, so http:// requests answer with a 301 to the https:// address. The padlock in the browser tells you that the connection is encrypted and that the certificate is valid for this hostname; it says nothing about the WordPress install behind it, so keep the site, its plugins and PHP patched as before.
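Rather than eyeballing the padlock, the checks a reviewer would run against the finished setup can be scripted. The following is an added example and not code from the original post: it verifies from the outside that port 80 redirects to https://, that the certificate chain validates against the system trust store, that h2 is negotiated via ALPN (which is exactly what the http2 listen parameter enables), and how many days are left before Certbot's 30-day renewal window opens. The hostname is the one used in this post; the 30-day window is Certbot's default renew_before_expiry and is an assumption of this script, not something the post states.

```python
"""Post-deploy check for a Certbot + NGINX HTTPS/HTTP2 setup (added example)."""
import http.client
import socket
import ssl
import sys
import time

RENEW_WINDOW_DAYS = 30  # Certbot's default renew_before_expiry (assumed here)


def is_https_redirect(status, location, host):
    """True when a plain-HTTP response is a redirect to the HTTPS origin of `host`."""
    if status not in (301, 302, 307, 308) or location is None:
        return False
    return location.startswith(f"https://{host}/") or location == f"https://{host}"


def days_until_expiry(not_after, now=None):
    """Days left on a certificate, given the notAfter string that
    ssl getpeercert() returns, e.g. 'Jan  1 00:00:00 2030 GMT'."""
    expiry = ssl.cert_time_to_seconds(not_after)
    if now is None:
        now = time.time()
    return (expiry - now) / 86400.0


def renewal_due(not_after, now=None, window_days=RENEW_WINDOW_DAYS):
    """True when `certbot renew` would actually renew this certificate."""
    return days_until_expiry(not_after, now) <= window_days


def check_redirect(host, timeout=5):
    """Fetch http://host/ without following redirects; return (status, Location)."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def inspect_tls(host, timeout=5):
    """TLS handshake with chain and hostname verification (default context);
    a bad chain raises ssl.SSLCertVerificationError instead of returning."""
    ctx = ssl.create_default_context()
    ctx.set_alpn_protocols(["h2", "http/1.1"])
    with socket.create_connection((host, 443), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "tls_version": tls.version(),
                "alpn": tls.selected_alpn_protocol(),  # 'h2' only if NGINX has http2 on
                "not_after": cert["notAfter"],
                "sans": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
            }


def main(host):
    status, location = check_redirect(host)
    ok = is_https_redirect(status, location, host)
    print(f"HTTP redirect: {status} -> {location} [{'ok' if ok else 'FAIL'}]")
    info = inspect_tls(host)
    h2 = info["alpn"] == "h2"
    print(f"TLS: {info['tls_version']}, ALPN={info['alpn']} "
          f"[{'ok' if h2 else 'FAIL: HTTP/2 not negotiated'}]")
    print(f"SANs: {', '.join(info['sans'])}")
    days = days_until_expiry(info["not_after"])
    flag = "renewal due" if renewal_due(info["not_after"]) else "ok"
    print(f"Expires: {info['not_after']} ({days:.1f} days left) [{flag}]")


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else "wpbeta.cloudpixels.in")
```

Run it as python3 check_https.py wpbeta.cloudpixels.in after the reload. If the ALPN line reports http/1.1, the http2 parameter is missing from the listen line that actually serves the name; if the handshake raises SSLCertVerificationError, NGINX is serving cert.pem instead of fullchain.pem or the name does not match the certificate.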

SSL Certificate Renewal

Let’s Encrypt certificates are valid for 90 days, and renewal has to be automated rather than waited for: the expiry reminder emails Let’s Encrypt used to send were discontinued in 2025. The Certbot snap already installs a systemd timer (snap.certbot.renew.timer, visible in systemctl list-timers) that runs certbot renew twice a day, and certbot renew only replaces a certificate once it has 30 days or less left, so a daily cron entry as well is harmless but redundant. Because Certbot records the nginx installer in the certificate’s renewal configuration, a renewal also reloads NGINX. Whichever scheduler you use, rehearse it once against the staging environment with sudo certbot renew --dry-run before trusting it. To attempt the renewal daily from cron,

sudo crontab -e

and add this line to the crontab:

@daily certbot renew

References

https://letsencrypt.org/getting-started/

https://kinsta.com/learn/what-is-http2/
