Example of high security configuration for Nginx with Certbot.
nginx.conf
conf.d
|-location
|-security
|-ssl
sites-available
|-example.com.conf
For each configuration files in sites-available folder, we will create a symlink for it in /etc/nginx/sites-enabled/, then it will be visible for nginx.conf.
$ sudo ln -s /etc/nginx/sites-available/example.com.conf /etc/nginx/sites-enabled/-
certonly: If you want certbot only generate certs and do not proceed any further task. -
-d example.com: Your domain name.
$ sudo certbot certonly --nginx -d example.com -d www.example.comOptional parameters:
--rsa-key-size 4096: Optional parameter, in case you want to specify RSA key size is 4096.--staging: For testing purpose, add this param to avoid the rate limit of certs creation.--force-renewal: To force re-create / renew the certs that overwrite the existing one.
$ crontab -eCopy and save this line:
0 12 * * * /usr/bin/certbot renew --quiet --post-hook "systemctl reload nginx"
Done 🎉 So after that:
- Cronjob will run every 12 hours / day.
- Certbot will check if can renew your SSL certs (either can or cannot, it will not prompt any message
--quiet) --post-hookafter all certs are got renew, it will executesystemctl reload nginxto reload Nginx.
To improve the security, we add the Diffie-Hellman (DH) key exchange parameters. The key size which is following your SSL certs 2048 or 4096.
$ openssl dhparam -out /etc/ssl/certs/dhparam-2048.pem 2048For any changes which will affect Nginx, we need to test the configuration before applying:
$ nginx -tOr can do like this will reload Nginx right after then:
$ nginx -t && nginx -s reload
