DigitalOcean Note - 3

Here I continue to set up SSL certificates for all sites on my web host

UFW

UFW, or Uncomplicated Firewall, is a front-end to iptables. Its main goal is to make managing your firewall drop-dead simple and to provide an easy-to-use interface.

DO NOT Enable UFW

DO NOT enable UFW without reading through the instructions below: enabling it with a default-deny incoming policy before SSH has been allowed locks you out of the server.

Enable IPv6

  • Open the UFW configuration with vi:

    sudo vi /etc/default/ufw
    
  • Make sure “IPV6” is set to “yes”, like so:

    ...
    IPV6=yes
    ...
    

Set default rules

# Set the default policies (the "default" keyword is required; "ufw deny incoming" is not a valid rule)
sudo ufw default deny incoming
sudo ufw default allow outgoing

Allow SSH / OpenSSH

  • Check app list & enable OpenSSH

    # List applications
    sudo ufw app list
    
    # Allow SSH
    sudo ufw allow OpenSSH
    
  • Directly allow port 22 or other SSH port, e.g. 2222

    sudo ufw allow 22/tcp
    sudo ufw allow 2222/tcp   # only if sshd listens on 2222 instead of 22
    

Enable UFW

sudo ufw enable
sudo ufw status verbose
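The three steps above (default deny incoming, allow SSH, enable) are exactly where a lockout happens when they are run out of order. The following pre-flight check is an added example, not part of the original note: it reads the rules from `ufw show added` and the settings in /etc/default/ufw and refuses to give the go-ahead until SSH is allowed and the defaults are what the steps expect. The port argument, the config path and the sample rule text are assumptions.

```shell
#!/bin/sh
# Pre-flight check to run before 'sudo ufw enable'. It refuses to proceed
# unless the rules already contain an allow (or limit) rule for SSH, so a
# default-deny incoming policy cannot lock the current session out. It also
# confirms the settings in /etc/default/ufw that the steps above expect.
# Port 22 is assumed unless sshd was configured to listen elsewhere.

# ssh_rule_present RULES PORT
# RULES is text in the format printed by 'ufw show added'. Returns 0 when an
# allow/limit rule covers SSH on PORT (by app profile or port number), else 1.
ssh_rule_present() {
    printf '%s\n' "$1" | grep -Eq \
        "^ufw (allow|limit) (OpenSSH|$2(/tcp)?|.* to any port $2( proto tcp)?)$"
}

# default_setting CONF KEY
# CONF is the content of /etc/default/ufw. Prints KEY's value without quotes,
# or nothing when the key is absent or commented out.
default_setting() {
    printf '%s\n' "$1" | sed -n "s/^$2=//p" | tr -d '"' | head -n 1
}

# ufw_preflight [PORT] [CONF_PATH]
# Returns 0 only when SSH is allowed and incoming traffic defaults to DROP or
# REJECT; prints what to fix otherwise. Needs root, like ufw itself.
ufw_preflight() {
    port="${1:-22}"
    conf=$(cat "${2:-/etc/default/ufw}") || return 2
    rules=$(ufw show added 2>/dev/null) ||
        { echo "cannot read rules: run as root with ufw installed" >&2; return 2; }
    rc=0
    if ! ssh_rule_present "$rules" "$port"; then
        echo "REFUSE: no SSH rule for port $port; run 'sudo ufw allow OpenSSH' first" >&2
        rc=1
    fi
    case "$(default_setting "$conf" DEFAULT_INPUT_POLICY)" in
        DROP|REJECT) ;;
        *) echo "REFUSE: incoming policy is not deny; run 'sudo ufw default deny incoming'" >&2
           rc=1 ;;
    esac
    [ "$(default_setting "$conf" IPV6)" = "yes" ] ||
        echo "WARN: IPV6 is not 'yes' in /etc/default/ufw; IPv6 traffic will not be filtered" >&2
    [ "$rc" -eq 0 ] && echo "OK: safe to run 'sudo ufw enable' (SSH allowed on port $port)"
    return "$rc"
}
```

Run `sudo sh preflight.sh` style wrappers as `ufw_preflight 22` (or your SSH port) and only proceed to `sudo ufw enable` when it prints OK.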

Nginx

Install Nginx

sudo apt install nginx

Set UFW

# show applications 
sudo ufw app list

# Allow Nginx 
sudo ufw allow 'Nginx Full'
sudo ufw reload

Build Web Host Block

Create the Directory Structure

  • The document root is the directory where the website files for a domain name are stored and served in response to requests. You can set the document root to any location you want.

  • Basically, we will create a separate directory for each domain we want to host on our server inside the /var/www directory, which will store the domain website files.

    /var/www/
    ├── domain-one.com
    │   └── index.html
    
  • Create the root directory domain-one.com:

    sudo mkdir -p /var/www/domain-one.com
    
  • Create an index.html file inside the domain’s root directory.

    sudo touch /var/www/domain-one.com/index.html
    
  • Copy the following content into the file /var/www/domain-one.com/index.html:

    <!DOCTYPE html>
    <html lang="en" dir="ltr">
    <head>
    <meta charset="utf-8">
    <title>domain-one.com </title>
    </head>
    <body>
    <script>
        document.write(
            `<h1>Welcome to domain-one.com
                 ${new Date().toLocaleString()} 
              </h1>`
        );
    </script>
    </body>
    </html>
    
  • To avoid any permission issues, change the ownership of the domain document root directory to the Nginx user (www-data):

    sudo chown -R www-data: /var/www/domain-one.com
    

Create a Server Block

By default on Ubuntu systems, Nginx server block configuration files are stored in the /etc/nginx/sites-available directory and are enabled through symbolic links in the /etc/nginx/sites-enabled/ directory.

Open your editor of choice and create the following server block file: /etc/nginx/sites-available/domain-one.com

server {
    listen 80;
    listen [::]:80;

    root /var/www/domain-one.com;

    index index.html;

    server_name domain-one.com www.domain-one.com;

    access_log /var/log/nginx/domain-one.com.access.log;
    error_log /var/log/nginx/domain-one.com.error.log;

    location / {
        try_files $uri $uri/ =404;
    }
}

  • To enable the new server block file, create a symbolic link from the file to the sites-enabled directory, which is read by Nginx during startup:

    sudo ln -s /etc/nginx/sites-available/domain-one.com /etc/nginx/sites-enabled/
    
  • Test the Nginx configuration for correct syntax:

    sudo nginx -t
    # If there are no errors, the output will look like this:
    # nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
    # nginx: configuration file /etc/nginx/nginx.conf test is successful
    
    
  • Restart the Nginx service for the changes to take effect

    sudo systemctl restart nginx
    

Disable Default Nginx site

  • Change the default site configuration as below, so that requests for unknown host names are dropped instead of being served by the first site:

    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name _;
        deny all;
        return 444;
    }
    

Security

  • The next step is to set up Let's Encrypt.