Step 1 – Installing Nginx

# Refresh the package index, then install nginx; -y answers the install prompt
# automatically. No sudo is shown, so this assumes a root shell.
apt update && apt install nginx -y

Step 2 – Adjusting the Firewall

# List the application profiles ufw knows about (sample output follows).
ufw app list

Output
Available applications:
Nginx Full
Nginx HTTP
Nginx HTTPS
OpenSSH

# 'Nginx HTTP' opens port 80 only. The Step 4 server block also listens on 443,
# so with ufw's usual deny-incoming default HTTPS stays blocked until
# 'Nginx HTTPS' or 'Nginx Full' is allowed as well.
ufw allow 'Nginx HTTP'

# Show the active rules to confirm the change.
ufw status

Output
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Nginx HTTP                 ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Nginx HTTP (v6)            ALLOW       Anywhere (v6)

Step 3 – Checking your Web Server

# These are independent service-management commands, not a sequence to run
# top to bottom.

# Show whether the nginx service is running.
systemctl status nginx

# Stop the service.
systemctl stop nginx

# Start the service.
systemctl start nginx

# Stop and start again. A broken config makes the start fail and leaves the
# site down; `nginx -t` checks the config beforehand.
systemctl restart nginx

# Apply config changes without a full stop/start of the service.
systemctl reload nginx

# Start nginx automatically at boot.
systemctl enable nginx

# Do not start nginx automatically at boot.
systemctl disable nginx

Step 4 – Setting Up Nginx “Conf” File (important)

# Open the site's config file in nano.
# NOTE(review): the file name says ur-domain.com while the config below uses
# ur-domain.xxx — use one name throughout. Debian/Ubuntu packaging normally
# keeps the file in sites-available and symlinks it into sites-enabled.
nano /etc/nginx/sites-enabled/ur-domain.com

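server {
  # Plain-HTTP listener: its only job is to send every request to HTTPS.
  listen 80;
  listen [::]:80;
  server_name ur-domain.xxx;
  # Redirect to the configured name, not $http_host. $http_host is the raw
  # Host header sent by the client (including any port), so echoing it lets a
  # request choose the redirect target whenever this block is the default
  # server for port 80. $request_uri already carries the query string.
  return 301 https://$server_name$request_uri;
}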

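server {

  # HTTPS virtual host for ur-domain.xxx: static files plus a PHP front
  # controller reached over FastCGI.
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  server_name ur-domain.xxx;
  root /var/www/html/ur-domain.xxx;
  try_files $uri $uri/ /index.php;

  index index.html index.php;
  # Upper bound on request bodies (uploads). Lower it if the application does
  # not need 256 MB; a large limit lets any client tie up disk and bandwidth.
  client_max_body_size 256M;

  error_log  /var/log/nginx/ur-domain.xxx_error.log;
  access_log /var/log/nginx/ur-domain.xxx_access.log;


  # Serve the file or directory if it exists, otherwise hand the request to
  # index.php with the original query string.
  location / {
    try_files $uri $uri/ /index.php?$query_string;
  }

  location = /favicon.ico {
    log_not_found off;
    access_log off;
  }

  location = /robots.txt {
    allow all;
    log_not_found off;
    access_log off;
  }

  # Block dotfiles and dot-directories (.git, .env, .htaccess, ...) while
  # leaving /.well-known/ reachable. nginx uses the FIRST regex location that
  # matches, so this block must come before the static-file and PHP regexes;
  # otherwise a path such as /.git/x.js or /.hidden/x.php would be answered by
  # those blocks and never reach this deny rule.
  location ~ /\.(?!well-known).* {
    deny all;
    access_log off;
    log_not_found off;
  }

  # Static assets. The original file repeated this exact regex further down
  # with "expires 90d" and a Cache-Control header; because the first matching
  # regex wins, that second block could never be selected, so it was removed
  # and the values that were actually in effect are kept here.
  location ~*  \.(jpg|jpeg|png|gif|ico|css|js)$ {
    try_files $uri /index.php;
    access_log off;
    expires 365d;
  }


  location ~*  \.(pdf)$ {
    expires 30d;
  }

  location ~ \.php$ {
    # Only pass scripts that exist on disk to PHP; without this check a
    # request for a non-existent .php path would still reach the interpreter.
    try_files $uri =404;
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    # Placeholder from the tutorial: replace with the PHP-FPM listener,
    # e.g. unix:<path-to-php-fpm.sock>.
    fastcgi_pass {path to php socket};
    fastcgi_index index.php;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO $fastcgi_path_info;
  }

  # Server-level add_header directives are inherited only by locations that
  # define no add_header of their own.
  add_header Content-Security-Policy upgrade-insecure-requests;

  ssl_certificate /etc/nginx/ssl/ur-generated.pem;
  ssl_certificate_key /etc/nginx/ssl/ur-generated.key;
  # NOTE(review): this path is where certbot places its DH parameters; with
  # certificates kept under /etc/nginx/ssl the file may not exist, and nginx
  # will refuse to start if it is missing — confirm or generate one.
  ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
  ssl_session_timeout 5m;
  ssl_session_cache shared:SSL:5m;


  #SSL Security
  # TLS 1.0 and 1.1 are deprecated (RFC 8996) and were dropped from the
  # protocol list; TLSv1.3 takes effect only when nginx is built against
  # OpenSSL 1.1.1 or newer.
  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
  # Alternative explicit ECDHE-only suite list (disabled). The original label
  # said "XP and IE6 support", but these are ECDHE GCM/CHACHA20/SHA-2 suites,
  # which such legacy clients do not offer.
  #ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
  ssl_ecdh_curve secp384r1;
  ssl_prefer_server_ciphers on;
  ssl_session_tickets off;

  # Has no effect in this block as written: nothing here uses proxy_pass.
  proxy_set_header X-Forwarded-For $remote_addr;

  #Compress and optimize delivery of files
  # NOTE(review): compressing TLS responses that combine secrets with
  # request-controlled content is the precondition for BREACH-style attacks;
  # exclude such responses from gzip if the application serves them.


  gzip on;
  gzip_comp_level    5;
  gzip_min_length    256;
  gzip_vary          on;
  gzip_types
    application/atom+xml
    application/javascript
    application/json
    application/ld+json
    application/manifest+json
    application/rss+xml
    application/vnd.geo+json
    application/vnd.ms-fontobject
    application/x-font-ttf
    application/x-web-app-manifest+json
    application/xhtml+xml
    application/xml
    font/opentype
    image/bmp
    image/svg+xml
    image/x-icon
    text/cache-manifest
    text/css
    text/plain
    text/vcard
    text/vnd.rim.location.xloc
    text/vtt
    text/x-component
    text/x-cross-domain-policy;
    # text/html is always compressed by gzip module

}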