Skip to content

Install nginx with basic http and https config

Nginx is a free and open-source web server used to host websites and applications of all sizes. The software is known for its low impact on memory resources, high scalability, and its modular, event-driven architecture which can offer secure, predictable performance. More than just a web server, Nginx also works as a load balancer, an HTTP cache, and a reverse proxy.

Install Nginx

Nginx is available in Debian’s default software repositories, making it possible to install it from conventional package management tools.

sudo apt update
sudo apt install nginx

Adjusting the Firewall

Before testing Nginx, it’s necessary to modify the firewall settings to allow outside access to the default web ports. Assuming that you followed the instructions in the prerequisites, you should have a UFW firewall configured to restrict access to your server.

During installation, Nginx registers itself with UFW to provide a few application profiles that can be used to enable or disable access to Nginx through the firewall.

List the ufw application profiles by typing:

sudo ufw app list

# Output
Available applications:
...
  Nginx Full
  Nginx HTTP
  Nginx HTTPs
  OpenSSH

It is recommended that you enable the most restrictive profile that will still allow the traffic you’ve configured. Since you will configure TLS/SSL for your server also in this guide, you will need to allow traffic for HTTP on port 80 and HTTPS on port 443.

# You can enable this by typing:
sudo ufw allow 'Nginx HTTP'
sudo ufw allow 'Nginx HTTPS'

# You can verify the change by typing:
sudo ufw status

Check nginx status

At the end of the installation process, Debian 11 starts Nginx. The web server should already be up and running.

You can check with the systemd init system to make sure the service is running by typing:

# check the status
systemctl status nginx

# get current server ip address
ip addr show eth0 | grep inet | awk '{ print $2; }' | sed 's/\/.*$//'

# When you have your server’s IP address, enter it into your browser’s address bar:

http://your_server_ip

Some useful command

# To stop your web server
sudo systemctl stop nginx

# To start your web server
sudo systemctl start nginx

# To stop and then start the service again
sudo systemctl restart nginx

# If you are making configuration changes, Nginx can often reload without dropping connections.
sudo systemctl reload nginx

# Nginx is configured to start automatically when the server boots. If this is not what you want, 
# you can disable this behavior
sudo systemctl disable nginx

sudo systemctl enable nginx

Configure a server block

When using the Nginx web server, server blocks (similar to virtual hosts in Apache) can be used to encapsulate configuration details and host more than one domain on a single server. The following examples use your_domain, but you should replace this with your actual domain name.

# create a folder to put your site content
sudo mkdir -p /var/www/your_domain/html

# change the owner and acl
sudo chown -R $USER:$USER /var/www/your_domain/html
sudo chmod -R 755 /var/www/your_domain

# add some demo page
vim /var/www/your_domain/html/index.html

Put the below html content

<html>
    <head>
        <title>Welcome to your_domain</title>
    </head>
    <body>
        <h1>Success! Your Nginx server is successfully configured for <em>your_domain</em>. </h1>
<p>This is a sample page.</p>
    </body>
</html>

In order for Nginx to serve the above content(html page), you must create a server block with the correct directives that point to your custom web root. Instead of modifying the default configuration file directly, make a new one at /etc/nginx/sites-available/your_domain:

server {
        listen 80;
        listen [::]:80;

        root /var/www/your_domain/html;
        index index.html index.htm index.nginx-debian.html;

        server_name your_domain www.your_domain;

        location / {
                try_files $uri $uri/ =404;
        }
}

To enable a server block, you need to create a symbolic link to your custom configuration inside the sites-enable directory

sudo ln -s /etc/nginx/sites-available/your_domain /etc/nginx/sites-enabled/
Normally, you will find two server blocks in /etc/nginx/sites-enabled/ - your_domain: Will respond to requests for your_domain and www.your_domain. - default: Will respond to any requests on port 80 that do not match the other two blocks.

To avoid a possible hash bucket memory problem that can arise from adding additional server names to your configuration, it is necessary to adjust a single value in the /etc/nginx/nginx.conf file. Open the file:

sudo vim /etc/nginx/nginx.conf

# find the line server_names_hash_bucket_size 64; and uncomment it

Test the validity to make sure that there are no syntax errors in any of your Nginx files:

sudo nginx -t

# if everything is ok, you can try to restart the nginx service
sudo systemctl restart nginx

If everything goes well, you should see a new page, when you type the domain name in your browser

Enable HTTPS

The easiest way to enable https is to set up a new server blocks which listen on port 443 with ssl. Below is an example which convert the above http server block to https. 

server {
  listen 80;
  server_name keycloak.casd.local;

  # Redirect all traffic to SSL
  rewrite ^ https://$host$request_uri? permanent;
}

server {
  listen 443 ssl default_server;

  # enables SSLv3/TLSv1, but not SSLv2 which is weak and should no longer be used.
  ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;

  # disables all weak ciphers
  ssl_ciphers ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM;

  server_name keycloak.casd.local;

  ## Access and error logs.
  access_log /var/log/nginx/access.log;
  error_log  /var/log/nginx/error.log info;

  ## Keep alive timeout set to a greater value for SSL/TLS.
  keepalive_timeout 75 75;

  ## See the keepalive_timeout directive in nginx.conf.
  ## Server certificate and key.
  ssl_certificate /opt/keycloak/keycloak-23.0.4/conf/wildcard-casd.pem;
  ssl_certificate_key /opt/keycloak/keycloak-23.0.4/conf/wildcard-casd.key;
  ssl_session_timeout  5m;

  ## Strict Transport Security header for enhanced security. See
  ## http://www.chromium.org/sts. I've set it to 2 hours; set it to
  ## whichever age you want.
  add_header Strict-Transport-Security "max-age=7200";

  root /var/www/casd/html;
  index index.html;
}

Troubleshoot

Even though, everything works on the server side, it does not mean the client side can view the server page correctly. Below are some common error you may encounter when you set up a https

ERR_SSL_VERSION_OR_CIPHER_MISMATCH

This error is caused by the compatibility between the supported ssl/tls protocol version between the server(e.g. nginx) and the client(e.g. chrome, curl). For example, for the newer version of Chrome, the protocol TLSv1 is not accepted, if Nginx server only supports this protocol, the handshake between client and server will fail.

The solution is to add explicitly the newer version of the ssl protocol. For example, put the below line ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; in your https server blocks

ERR_SSL_KEY_USAGE_INCOMPATIBLE

This error is caused by the key_usage option during the certificate generation. For certain version of Chrome, if the key_usage option is specified, and the certificate is self-signed. Chrome will reject the certificates with error mesage ERR_SSL_KEY_USAGE_INCOMPATIBLE.

The simplest solution is to remove the key usage option during the certificate generation.

Or put keyUsage = digitalSignature, keyEncipherment as option. For more information on why chrome produce this error : https://chromeenterprise.google/policies/#RSAKeyUsageForLocalAnchorsEnabled

Appendix

Server Configuration

Below list all the import path for nginx service configuration

  • /etc/nginx: The Nginx configuration directory. All the Nginx configuration files reside here.
  • /etc/nginx/nginx.conf: The main Nginx configuration file. This can be modified to make changes to the Nginx global configuration.
  • /etc/nginx/sites-available/: The directory where per-site server blocks can be stored. Nginx will not use the configuration files found in this directory unless they are linked to the sites-enabled directory. Typically, all server block configuration is done in this directory, and then enabled by linking to the other directory.
  • /etc/nginx/sites-enabled/: The directory where enabled per-site server blocks are stored. Typically, these are created by linking to configuration files found in the sites-available directory.
  • /etc/nginx/snippets: This directory contains configuration fragments that can be included elsewhere in the Nginx configuration. Potentially repeatable configuration segments are good candidates for refactoring into snippets.

Server Logs

  • /var/log/nginx/access.log: Every request to your web server is recorded in this log file unless Nginx is configured to do otherwise.
  • /var/log/nginx/error.log: Any Nginx errors will be recorded in this log.