Installing and Configuring Nginx on Ubuntu 24.04 (Digital Ocean)

This guide covers the installation and configuration of Nginx on an Ubuntu 24.04 Digital Ocean droplet, including SSL setup with Certbot.

Prerequisites

  • A Digital Ocean droplet running Ubuntu 24.04
  • A domain name pointing to your droplet's IP address
  • SSH access to your droplet
  • Basic knowledge of the command line

Step 1: Update the System

First, ensure your system is up to date. Connect to your droplet via SSH and run the following commands:

bash
sudo apt update && sudo apt upgrade -y

Step 2: Install Nginx

Install Nginx using the following command:

bash
sudo apt install nginx -y

Step 3: Configure Firewall

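Allow SSH, HTTP and HTTPS traffic through UFW (Uncomplicated Firewall) before enabling it. Enabling UFW without an SSH rule blocks new SSH connections to the droplet:

bash
sudo ufw allow OpenSSH
sudo ufw allow 'Nginx Full'
sudo ufw enable
sudo ufw status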

Step 4: Verify Nginx

After installation, verify that Nginx is running:

bash
sudo systemctl status nginx

You should see output indicating that Nginx is active and running. If it’s not running, start it with:

bash
sudo systemctl start nginx
sudo systemctl enable nginx

Step 5: Configure Nginx

The main Nginx configuration file is located at /etc/nginx/nginx.conf.

Server blocks (similar to Apache's virtual hosts) are typically defined in /etc/nginx/sites-available and enabled by creating symbolic links in /etc/nginx/sites-enabled.

Basic Configuration for Default Site

Edit the default server block configuration file:

bash
sudo vim /etc/nginx/sites-available/default

Example Configuration

nginx
server {
    listen 80 default_server;
    listen [::]:80 default_server;

    root /var/www/html;
    index index.html index.htm;

    server_name your-domain.com www.your-domain.com;

    location / {
        try_files $uri $uri/ =404;
    }
}

Replace your-domain.com with your actual domain name.

Save and exit the editor, then check the configuration for syntax errors:

bash
sudo nginx -t

If there are no errors, reload Nginx to apply the changes:

bash
sudo systemctl reload nginx

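If nginx -t reports a duplicate default_server error, list the files that declare default_server and unlink the conflicting site from sites-enabled (here, default):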

bash
cd /etc/nginx/sites-enabled
grep -R default_server /etc/nginx

sudo unlink default

Step 6: Create a Custom Website

Replace the default Nginx page:

bash
echo '<html><head><title>Hello</title></head><body><h1>Hello, World!</h1></body></html>' | sudo tee /var/www/html/index.html

Step 7: Install Certbot for SSL

To secure your site with SSL, install Certbot:

bash
sudo apt install certbot python3-certbot-nginx -y

Step 8: Obtain an SSL Certificate

Run the following command to obtain an SSL certificate:

bash
sudo certbot --nginx -d your-domain.com -d www.your-domain.com

Follow the prompts to:

  • Provide your email address
  • Accept the terms of service
  • Choose whether to redirect HTTP to HTTPS (recommended)

Certbot will automatically modify your Nginx configuration to use the SSL certificates.

Step 9: Verify SSL Configuration

After obtaining the SSL certificate, verify that your site is accessible via HTTPS:

bash
curl -I https://your-domain.com

You should see an HTTP status line such as 200 OK. If the TLS setup is broken, curl reports a certificate error instead.

Step 10: Set Up Automatic Certificate Renewal

Certbot automatically schedules certificate renewal; on Ubuntu the package installs a systemd timer (certbot.timer) for this. You can check the timer and test the renewal process with:

bash
sudo systemctl status certbot.timer
sudo certbot renew --dry-run

The --dry-run command simulates the renewal process without making any changes. If it succeeds, your SSL certificates will renew automatically before they expire.

Step 11: Additional Security Measures

Consider implementing additional security measures, such as:

  • Configure SSL Parameters

Create a strong SSL configuration:

bash
sudo nano /etc/nginx/snippets/ssl-params.conf

Add the following content:

nginx
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
ssl_ecdh_curve secp384r1;
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";

Save and exit the editor, then open the server block configuration:

bash
sudo nano /etc/nginx/sites-available/default

Add the following include line inside the SSL server block:

nginx
server {
    listen 443 ssl;
    # ... other SSL settings added by Certbot ...

    include snippets/ssl-params.conf;

    # ... rest of your config ...
}

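Check syntax and reload. If nginx -t reports a duplicate directive, that setting is already defined by the configuration Certbot added to the server block; keep only one definition of each directive: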

bash
sudo nginx -t
sudo systemctl reload nginx
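
One way to check a TLS snippet against the settings above before reloading, as an added example that is not part of the original guide. The function name audit_ssl_params and both sample inputs are constructed for illustration, and the check assumes one directive per line:

```bash
# Added example: audit an nginx TLS snippet read from stdin.
# Prints one finding per line; returns 1 if anything was found, else 0.
# Assumes one directive per line, as in the snippet from Step 11.
audit_ssl_params() {
    awk '
    function report(msg) { print msg; findings++ }
    {
        sub(/#.*/, "")          # commented-out directives do not count
        sub(/;[ \t]*$/, "")     # drop the terminating semicolon
    }
    $1 == "ssl_protocols" {
        seen_protocols = 1
        for (i = 2; i <= NF; i++)
            if ($i != "TLSv1.2" && $i != "TLSv1.3")
                report("legacy protocol enabled: " $i)
    }
    $1 == "ssl_session_tickets" { tickets = $2 }
    $1 == "add_header"          { header[tolower($2)] = 1 }
    END {
        if (!seen_protocols) report("ssl_protocols not set")
        # nginx enables session tickets unless told otherwise
        if (tickets != "off") report("ssl_session_tickets is not off")
        if (!("x-frame-options" in header))
            report("missing header: X-Frame-Options")
        if (!("x-content-type-options" in header))
            report("missing header: X-Content-Type-Options")
        exit (findings > 0)
    }'
}

# Constructed sample: a subset of the snippet from Step 11.
GUIDE_SAMPLE='ssl_protocols TLSv1.2 TLSv1.3;
ssl_session_tickets off;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;'

# Constructed sample: legacy protocols on, tickets line commented out.
WEAK_SAMPLE='ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# ssl_session_tickets off;
add_header X-Frame-Options DENY;'

echo "guide snippet:"
printf '%s\n' "$GUIDE_SAMPLE" | audit_ssl_params && echo "  no findings"
echo "weak snippet:"
printf '%s\n' "$WEAK_SAMPLE" | audit_ssl_params || true

# On the server: audit_ssl_params < /etc/nginx/snippets/ssl-params.conf
```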

Troubleshooting

Common Issues:

  • 502 Bad Gateway: Usually indicates a problem with upstream servers or PHP-FPM
  • 403 Forbidden: Check file permissions of your web directory
  • 404 Not Found: Verify your location blocks and root directory settings

Check Nginx error logs for more details:

bash
sudo tail -f /var/log/nginx/error.log

You now have a properly configured Nginx server with SSL on your Ubuntu 24.04 Digital Ocean droplet. The site is accessible to the public over both HTTP and HTTPS, with automatic redirects to the secure version.