nginx - linux

Cheatsheets

https://gist.github.com/carlessanagustin/9509d0d31414804da03b
        

Common Commands

Command                     Description
sudo nginx -s reload        Reload NGINX configuration

Install and setup ( Ubuntu 20.04 )

1. sudo apt update
2. sudo apt install nginx
3. List the firewall application profiles with sudo ufw app list
    # the nginx package registers 'Nginx HTTP' (port 80), 'Nginx HTTPS' (port 443) and 'Nginx Full' (both)
4. Allow SSH before enabling the firewall with sudo ufw allow OpenSSH
    Special note:
        ufw denies all incoming traffic by default, so if you enable it on a remote server
        before allowing OpenSSH your SSH session drops and you are locked out.
5. Enable the firewall with sudo ufw enable
6. Check firewall status: sudo ufw status
7. Allow NGINX in the firewall with one of:
    sudo ufw allow 'Nginx Full'   # 80 and 443; what you want if certbot (below) will prove ownership over port 80 and redirect HTTP to HTTPS
    sudo ufw allow 'Nginx HTTPS'  # 443 only
    sudo ufw allow 'Nginx HTTP'   # 80 only
8. Check status again with sudo ufw status # should show OpenSSH and the Nginx profile in the listings
9. Test that the web server is running by visiting your server's IP in a browser
10. If it isn't running, start it with sudo systemctl start nginx # If Apache already owns port 80, stop it first with sudo systemctl stop apache2 (and disable it so it doesn't come back at boot)
        

Set up TLS/SSL for HTTPS

The commands below use example.com as the domain; substitute your own wherever it appears.

1. In your DNS provider, point the domain's A record (and AAAA record, if the server has IPv6) at your remote server's IP. Do this for both example.com and www.example.com, since both go into server_name and both are requested from certbot below
2. Install NGINX ( using the above ) with 'Nginx Full' allowed through ufw: certbot's HTTP-01 challenge needs port 80 reachable from the internet
3. Run these commands to install certbot and its nginx plugin:
    sudo apt update
    sudo apt install certbot
    sudo apt install python3-certbot-nginx
4. Make a new file and copy in the server contents:
    sudo vim /etc/nginx/conf.d/example.com.conf

    server {
        listen 80;
        listen [::]:80;
        root /usr/share/nginx/html;
        server_name example.com www.example.com;
    }
5. Save that file and then run sudo nginx -t && sudo nginx -s reload to check and reload NGINX
    # The distro's default vhost also listens on port 80 and answers for unknown
    hostnames; remove it from the /etc/nginx/sites-enabled directory with:
        sudo rm /etc/nginx/sites-enabled/default
6. Generate the certificate with sudo certbot --nginx -d example.com -d www.example.com
    # certbot finds the server block by server_name, proves control of both names over port 80,
    writes the certificate and key under /etc/letsencrypt/live/example.com/ and rewrites the
    config to listen on 443
7. Follow the instructions from certbot (choose the redirect option so plain HTTP is sent to HTTPS)
8. You should get a success message; if not, check the common issues below before searching google.
9. Make sure renewal is automatic. The Ubuntu certbot package installs a systemd timer (certbot.timer)
   that runs certbot renew twice a day, so normally nothing needs adding. If that timer is not
   present, add a renewal job to root's crontab:
    sudo crontab -e

    # Add this line
    0 12 * * * /usr/bin/certbot renew --quiet

   Either way, confirm that a renewal actually succeeds with certbot's --dry-run option well
   before the 90-day certificate lifetime runs out.

Everything should be all set!

Common issues:
    - If you get a firewall issue and you have enabled Nginx Full/Http/Https,
      then make sure to check your hosting provider to see if they have a firewall
      blocking traffic. I had the issue of allowing HTTP from my IP only and thus
      couldn't figure out why the firewall issue was occurring.
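Added end-to-end script for the install and TLS procedures above, written for this page rather than taken from it or from certbot: it opens SSH before enabling ufw, writes the port-80 vhost, issues the certificate non-interactively and checks that renewal will work. The script name setup_tls.sh, the functions valid_domain, render_http_vhost and main, and passing the domain and contact email as arguments are my choices; it assumes Ubuntu 20.04 with nginx, ufw and certbot from apt, root privileges, and DNS already pointing at the host.

```shell
#!/bin/sh
# Added provisioning script, not from the original page. Assumes Ubuntu 20.04
# with nginx, ufw and certbot from apt, and that DOMAIN and www.DOMAIN already
# resolve to this host. Run as root:  sh setup_tls.sh example.com admin@example.com
set -eu

# Accept only a plausible hostname, so a stray argument cannot smuggle nginx
# directives into the vhost file or extra flags into the certbot command line.
valid_domain() {
    printf '%s' "$1" | grep -Eiq '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$'
}

# The minimal port-80 server block certbot's nginx plugin needs: it locates the
# block by server_name and answers the HTTP-01 challenge on port 80.
render_http_vhost() {
    cat <<EOF
server {
    listen 80;
    listen [::]:80;
    root /usr/share/nginx/html;
    server_name $1 www.$1;
}
EOF
}

main() {
    domain=$1
    email=$2
    valid_domain "$domain" || { echo "refusing to use '$domain' as a hostname" >&2; exit 1; }

    apt-get update -q
    apt-get install -y nginx certbot python3-certbot-nginx

    # Open SSH *before* enabling the firewall; enabling it first on a remote
    # box drops the session and locks you out.
    ufw allow OpenSSH
    ufw --force enable
    # 80 and 443: port 80 must stay open for the ACME HTTP-01 challenge and
    # the HTTP->HTTPS redirect, so this is not an oversight.
    ufw allow 'Nginx Full'

    render_http_vhost "$domain" > "/etc/nginx/conf.d/$domain.conf"
    rm -f /etc/nginx/sites-enabled/default   # distro default vhost also claims port 80
    nginx -t
    systemctl reload nginx

    # Non-interactive issuance; --redirect makes certbot write the 80 -> 443
    # redirect into the port-80 block instead of asking.
    certbot --nginx --non-interactive --agree-tos -m "$email" --redirect \
        -d "$domain" -d "www.$domain"

    # The apt package ships certbot.timer, so no cron entry is needed; confirm
    # the timer is active and that a renewal would actually succeed.
    systemctl list-timers certbot.timer --no-pager
    certbot renew --dry-run
}

# Only provision when given arguments, so the functions above can be sourced
# and checked without touching the system.
if [ "$#" -ge 2 ]; then
    main "$@"
fi
```

The domain check matters more than it looks: the argument is interpolated straight into a file under /etc/nginx/conf.d and onto the certbot command line, so anything that is not a bare hostname is rejected before either happens.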

        

Add new set of domains to existing reverse proxy

  1. Point the new domains' DNS records at the IP of the server we're executing these steps on
  2. Add all desired [sub]domains to the server_name of the default port 80 server block in /etc/nginx/conf.d/reverse_proxy.conf
  3. Run sudo nginx -t && sudo nginx -s reload to check and reload the conf
  4. sudo certbot --nginx --non-interactive --agree-tos --email your_email -d your_domain
  5. Certbot now rewrites that port 80 server block in place: it adds a 443 listen directive and the ssl_* lines to it (the "# managed by Certbot" lines). Remove that auto-generated 443 material from the port 80 block so it stays a plain HTTP server. Note the certificate path certbot wrote: the lineage directory under /etc/letsencrypt/live/ is named after the first -d domain it was given
  6. Copy an existing 443 block from another proxy ( standard 443 reverse proxy block; find on this page )
  7. Set the new server_name, the backend port in proxy_pass, and the certificate paths from step 5

Default 443 block SSL reverse proxy

server {
    server_name your_domain.com;

    listen 443 ssl; # managed by Certbot
    # certbot names the lineage after the first -d domain it was given;
    # sudo certbot certificates lists the lineages and the names each covers
    ssl_certificate /etc/letsencrypt/live/your_domain.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/your_domain.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    location / {
        # Without these two the backend sees Host 127.0.0.1:5003 and assumes
        # plain http, so it builds http:// links and non-Secure cookies
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host:$server_port;
        proxy_set_header X-Forwarded-Server $host;
        # Appends the client IP to whatever X-Forwarded-For the client sent;
        # the backend must only trust the last (this proxy's) entry
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # Plain http to the backend: keep it bound to loopback, nothing here
        # encrypts the proxy-to-backend hop
        proxy_pass      http://127.0.0.1:5003;
    }
}
        

Example final nginx conf file

server {
    server_name example.com www.example.com;

    listen 443 ssl http2; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    location / {
        # Without these two the backend sees Host 127.0.0.1:5007 and assumes
        # plain http, so it builds http:// links and non-Secure cookies
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host:$server_port;
        proxy_set_header X-Forwarded-Server $host;
        # Appends the client IP to whatever X-Forwarded-For the client sent;
        # the backend must only trust the last (this proxy's) entry
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        proxy_pass      http://127.0.0.1:5007;
    }
}
server {
    server_name staging.example.com;

    listen 443 ssl http2; # managed by Certbot
    # Reusing the example.com lineage only works if that certificate also
    # lists staging.example.com as a SAN (i.e. it was issued with
    # -d staging.example.com too); otherwise browsers get a name mismatch.
    # sudo certbot certificates shows the names each lineage covers.
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host:$server_port;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        proxy_pass      http://127.0.0.1:5006;
    }
}
server {
    listen 80;
    listen [::]:80;
    if ($host = example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    if ($host = www.example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    server_name example.com www.example.com ;

    # Everything else on port 80 gets a 404 rather than being proxied. Note
    # that http://staging.example.com has no redirect here (add one if the
    # staging site should be reachable over plain HTTP first), and that there
    # is no default_server on 443, so an HTTPS request with an unknown Host
    # or SNI name lands on the first server block above.
    return 404; # managed by Certbot
}
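Added audit helper for conf files like the one above (my code, written for this page, not from it or from nginx): it walks every server{} block, prints the server_name, listen and proxy_pass it found, and flags proxied blocks that do not set Host and X-Forwarded-Proto or that send plaintext to an upstream that is not loopback or a unix socket. The function names audit_proxy_conf and sample_conf and the one-line-per-server output format are mine; the conf inside sample_conf is constructed to mirror the example above, with an extra api.example.com block added to show the non-loopback upstream case.

```shell
#!/bin/sh
# Added audit helper, not from the original page: summarise every server{} block
# in an nginx conf and flag reverse-proxy blocks that forward to a backend
# without Host / X-Forwarded-Proto, or that send plaintext to a non-loopback
# upstream.  Usage:  audit_proxy_conf /etc/nginx/conf.d/reverse_proxy.conf
#                    cat some.conf | audit_proxy_conf
audit_proxy_conf() {
    awk '
    function join(arr, from, to, sep,   s, i) {
        s = ""
        for (i = from; i <= to; i++) s = s (i > from ? sep : "") arr[i]
        return s
    }
    function flush(   out, miss, k, u) {
        out = "server_name=" (names == "" ? "(none)" : names) " listen=" (listens == "" ? "(none)" : listens)
        if (upstream != "") {
            out = out " proxy_pass=" upstream
            miss = ""
            if (!("X-Forwarded-Proto" in hdr)) miss = "X-Forwarded-Proto"
            if (!("Host" in hdr)) miss = miss (miss == "" ? "" : ",") "Host"
            out = out " missing=" (miss == "" ? "none" : miss)
            # http:// to anything but loopback or a unix socket crosses the
            # network unencrypted; a trailing / lets one regex cover host, host:port and host/path
            u = upstream "/"
            if (u ~ /^http:\/\// && u !~ /^http:\/\/(127\.[0-9.]+|localhost|\[::1\]|unix:)[:\/]/)
                out = out " plaintext-upstream-not-loopback"
        }
        print out
        for (k in hdr) delete hdr[k]
    }
    BEGIN { depth = 0; inserver = 0 }
    {
        line = $0
        sub(/#.*/, "", line)                 # drop comments such as "# managed by Certbot"
        opens  = gsub(/[{]/, "{", line)      # count braces to track nesting depth
        closes = gsub(/[}]/, "}", line)
        if (depth == 0 && line ~ /^[ \t]*server[ \t]*[{]/) {
            inserver = 1; names = ""; listens = ""; upstream = ""
        }
        if (inserver) {
            stmt = line
            gsub(/[;{}]/, " ", stmt)         # "listen 443 ssl;" -> plain words
            n = split(stmt, f, " ")
            if (n > 0) {
                if (f[1] == "server_name")           names = names (names == "" ? "" : ",") join(f, 2, n, ",")
                else if (f[1] == "listen")           listens = listens (listens == "" ? "" : ",") join(f, 2, n, "+")
                else if (f[1] == "proxy_pass")       upstream = f[2]
                else if (f[1] == "proxy_set_header") hdr[f[2]] = 1
            }
        }
        depth += opens - closes
        if (inserver && depth == 0) { flush(); inserver = 0 }
    }' "$@"
}

# Constructed sample mirroring the final conf above, plus an api block that
# proxies to another host so the plaintext-upstream check has something to flag.
sample_conf() {
    cat <<'EOF'
server {
    server_name example.com www.example.com;
    listen 443 ssl http2; # managed by Certbot
    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass      http://127.0.0.1:5007;
    }
}
server {
    server_name api.example.com;
    listen 443 ssl http2;
    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass      http://10.0.0.5:8080;
    }
}
server {
    listen 80;
    listen [::]:80;
    if ($host = example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    server_name example.com www.example.com ;
    return 404; # managed by Certbot
}
EOF
}

# With a path argument audit that file; with none, audit the built-in sample.
if [ "$#" -ge 1 ]; then
    audit_proxy_conf "$@"
else
    sample_conf | audit_proxy_conf
fi
```

On the sample, the first line reports missing=X-Forwarded-Proto,Host for the example.com block (the shape of the page's own proxy blocks), the api block is clean on headers but flagged plaintext-upstream-not-loopback, and the port-80 block shows no proxy_pass at all. Point it at /etc/nginx/conf.d/*.conf after every certbot run to see what the rewrite left behind.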