Setting Up a Low-End Ubuntu 22.04 VPS with Nginx, SSL, and HTTP/2
Introduction
Setting up a secure and modern web server on a low-end VPS can be challenging, but with Ubuntu 22.04 and Nginx, you can achieve a robust setup with minimal resources. In this guide, we’ll configure Nginx to only listen on port 443 with SSL, enable HTTP/2, implement HSTS, and follow best security practices.
Prerequisites
- A low-end VPS with Ubuntu 22.04 installed
- SSH access with sudo privileges
- A registered domain name with DNS pointing to your VPS
Step 1: Update and Secure Your Server
Start by updating your system and installing necessary tools:
sudo apt update && sudo apt upgrade -y
sudo apt install ufw curl git -y
Configure Firewall (UFW)
A firewall helps protect your server by only allowing necessary traffic. Enable UFW and allow only essential services:
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow https
sudo ufw enable
Step 2: Install Nginx
Nginx is a high-performance web server known for its efficiency and security. Install it with:
sudo apt install nginx -y
Ensure that Nginx starts on boot:
sudo systemctl enable nginx
sudo systemctl start nginx
Step 3: Install SSL Certificates with Let’s Encrypt
TLS encryption is essential for protecting user data and ensuring secure connections. Let’s Encrypt provides free SSL certificates. Install Certbot and generate an SSL certificate:
sudo apt install certbot python3-certbot-nginx -y
sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com
Certbot will automatically configure SSL for Nginx.
Step 4: Configure Nginx for SSL, HTTP/2, and HSTS
Why Use HTTP/2?
HTTP/2 significantly improves website performance by allowing multiple requests to be sent over a single connection, reducing latency.
Why Use HSTS (HTTP Strict Transport Security)?
HSTS enforces HTTPS, preventing users from accidentally connecting over an insecure HTTP connection, protecting against downgrade attacks and SSL stripping attacks.
Edit your Nginx configuration:
sudo nano /etc/nginx/sites-available/default
Modify the server block:
server {
    listen 443 ssl http2;
    server_name yourdomain.com www.yourdomain.com;

    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256";
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    # Enable HSTS (max-age=31536000 forces HTTPS for 1 year, with preload option)
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

    location / {
        root /var/www/html;
        index index.html;
    }
}
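Remove HTTP (port 80) support by deleting or commenting out any listen 80; lines. Once a browser has received the HSTS header over HTTPS (or the domain is on the preload list), it connects over HTTPS only. With no port 80 listener, a first-time visitor who requests http:// gets a connection error rather than a redirect.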
Step 5: Test and Reload Nginx
Verify your Nginx configuration:
sudo nginx -t
If successful, reload Nginx:
sudo systemctl reload nginx
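nginx -t validates syntax only, so a leftover port 80 listener or a short HSTS max-age passes it. The following added example (not part of the original guide) audits a config on stdin against the Step 4 settings; audit_nginx_conf and sample_conf are hypothetical helper names, and the sample config is constructed.

```sh
# Added example: audit_nginx_conf and sample_conf are hypothetical helper names.
# Reads an Nginx config on stdin; exit status is the number of failed checks.
audit_nginx_conf() (
    fails=0
    # Strip comments so commented-out directives are ignored
    # (assumes no literal '#' inside quoted values).
    active=$(sed 's/#.*//')

    # 1. No plain-HTTP listener: listen 80; listen [::]:80; listen 0.0.0.0:80 ...
    if printf '%s\n' "$active" | grep -Eq '^[[:space:]]*listen[[:space:]]+([^;[:space:]]*:)?80([[:space:]]|;)'; then
        echo "FAIL: active port 80 listener"; fails=$((fails + 1))
    fi
    # 2. A TLS listener on 443 with HTTP/2 enabled.
    if ! printf '%s\n' "$active" | grep -Eq '^[[:space:]]*listen[[:space:]]+[^;]*443[[:space:]]+ssl[[:space:]]+http2'; then
        echo "FAIL: no 'listen 443 ssl http2'"; fails=$((fails + 1))
    fi
    # 3. ssl_protocols must not include SSLv3, TLSv1 or TLSv1.1.
    if printf '%s\n' "$active" | grep -E '^[[:space:]]*ssl_protocols' | grep -Eq 'SSLv3|TLSv1(\.1)?([[:space:]]|;)'; then
        echo "FAIL: legacy protocol in ssl_protocols"; fails=$((fails + 1))
    fi
    # 4. HSTS sent on every response ("always") with max-age of at least one year.
    max_age=$(printf '%s\n' "$active" | grep -Ei 'add_header[[:space:]]+Strict-Transport-Security.*always[[:space:]]*;' |
        sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p' | head -n 1)
    if [ -z "$max_age" ] || [ "$max_age" -lt 31536000 ]; then
        echo "FAIL: HSTS missing, not 'always', or max-age < 31536000 (got '${max_age}')"; fails=$((fails + 1))
    fi
    echo "checks failed: $fails"
    exit "$fails"   # the function body is a subshell, so this only ends the function
)

# Constructed sample: the Step 4 block with two deliberate mistakes left in
# (a leftover port 80 listener and a six-month max-age).
sample_conf() {
    cat <<'EOF'
server {
    listen 80;
    listen 443 ssl http2;
    server_name yourdomain.com www.yourdomain.com;
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
}
EOF
}

# Demo run on the constructed sample; both mistakes are reported.
sample_conf | audit_nginx_conf || true
```

On the server, run it against the real file with audit_nginx_conf < /etc/nginx/sites-available/default.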
Step 6: Automate SSL Certificate Renewal
Ensure Certbot renews SSL certificates automatically:
sudo systemctl enable certbot.timer
Manually test renewal:
sudo certbot renew --dry-run
Conclusion
Your VPS is now configured with Nginx, SSL, HTTP/2, and HSTS, ensuring a secure and modern web server setup. These configurations protect against common threats, improve performance, and provide a strong foundation for future improvements. Stay tuned for the next post, where we’ll optimize performance and security further!