Here I continue to set up SSL certificates for all sites on my web host.

## UFW

UFW, or Uncomplicated Firewall, is a front-end to iptables. Its main goal is to make managing your firewall drop-dead simple and to provide an easy-to-use interface.

DO NOT enable UFW without reading through the instructions: enabling it with a default deny policy before SSH has been allowed locks you out of a remote host.
### Enable IPv6

- Open the UFW configuration with vi:

```sh
sudo vi /etc/default/ufw
```

- Make sure `IPV6` is set to `yes`, like so:

```
...
IPV6=yes
...
```

### Set default rules
```sh
# Deny all incoming and allow all outgoing traffic by default
sudo ufw default deny incoming
sudo ufw default allow outgoing
```

### Allow SSH / OpenSSH
- Check the application list and allow OpenSSH:

```sh
# List application profiles
sudo ufw app list
# Allow SSH through the OpenSSH profile
sudo ufw allow OpenSSH
```

- Or directly allow port 22, or another SSH port, e.g. 2222:

```sh
sudo ufw allow 22
# for a non-default SSH port, e.g.:
sudo ufw allow 2222
```

### Enable UFW
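The UFW steps of this post (default policies, SSH allow, enable, and the later `Nginx Full` rule) collected into one script, added here as an example and not part of the original post. It refuses to run `enable` unless an SSH allow rule precedes it, which is the lock-out the warning at the top is about. `SSH_PORT` (default 22) and `UFW_BIN` are assumptions of this example; setting `UFW_BIN=echo` previews the commands without touching the firewall.

```shell
#!/bin/sh
# Added example (not from the original post): apply the UFW baseline from
# this post in a lockout-safe order. Assumptions: SSH_PORT (default 22) and
# UFW_BIN, which can be set to "echo" to preview instead of applying.

UFW_BIN="${UFW_BIN:-sudo ufw}"
SSH_PORT="${SSH_PORT:-22}"

# Emit the rule sequence, one ufw argument string per line. The SSH allow
# rule is deliberately placed before "enable": with "default deny incoming"
# active and no SSH rule, the current remote session is the last one.
ufw_plan() {
    printf '%s\n' \
        "default deny incoming" \
        "default allow outgoing" \
        "allow ${1}/tcp" \
        "enable"
}

# Read a plan on stdin; fail unless an SSH allow rule (by port, port/tcp,
# or the OpenSSH app profile) appears before "enable".
ufw_plan_is_safe() {
    awk -v port="$1" '
        BEGIN { want = port "/tcp" }
        $1 == "allow" && ($2 == port || $2 == want || $2 == "OpenSSH") { ssh_ok = 1 }
        $1 == "enable" && !ssh_ok { exit 1 }
    '
}

# Validate the plan, then run each line through UFW_BIN.
ufw_apply() {
    port="${1:-$SSH_PORT}"
    if ! ufw_plan "$port" | ufw_plan_is_safe "$port"; then
        echo "refusing to enable ufw: no SSH allow rule precedes 'enable'" >&2
        return 1
    fi
    ufw_plan "$port" | while IFS= read -r rule; do
        # Unquoted on purpose: "sudo ufw" and the rule words must split.
        $UFW_BIN $rule || exit 1
    done
}

# The "Set UFW" step from the Nginx section: the profile only exists once
# nginx is installed, so it is kept separate from the baseline.
ufw_allow_nginx() {
    $UFW_BIN allow "Nginx Full" && $UFW_BIN reload
}

# Only touch the firewall when invoked explicitly:
#   ./ufw-baseline.sh --apply [ssh_port]
if [ "${1:-}" = "--apply" ]; then
    ufw_apply "${2:-$SSH_PORT}"
fi
```

Run it with `UFW_BIN=echo sh ufw-baseline.sh --apply 2222` first to see the exact rule order; the guard also rejects any hand-edited plan in which `enable` is not preceded by an SSH rule.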
```sh
sudo ufw enable
sudo ufw status verbose
```

## Nginx
### Install Nginx

```sh
sudo apt install nginx
```

### Set UFW
```sh
# Show application profiles
sudo ufw app list
# Allow Nginx (HTTP and HTTPS)
sudo ufw allow 'Nginx Full'
sudo ufw reload
```

## Build Web Host Block
### Create the Directory Structure

The document root is the directory where the website files for a domain name are stored and served in response to requests. You can set the document root to any location you want.

Basically, we will create a separate directory for each domain we want to host on our server inside the /var/www directory, which will store the domain website files.

```
/var/www/
├── domain-one.com
│   └── index.html
```

- Create the root directory domain-one.com:

```sh
sudo mkdir -p /var/www/domain-one.com
```

- Create an index.html file inside the domain's root directory:

```sh
sudo touch /var/www/domain-one.com/index.html
```

- Copy the following content to the file /var/www/domain-one.com/index.html:
```html
<!DOCTYPE html>
<html lang="en" dir="ltr">
  <head>
    <meta charset="utf-8">
    <title>domain-one.com</title>
  </head>
  <body>
    <script>
      document.write(
        `<h1>Welcome to domain-one.com
        ${new Date().toLocaleString()}
        </h1>`
      );
    </script>
  </body>
</html>
```

- To avoid any permission issues, change the ownership of the domain document root directory to the Nginx user (www-data):

```sh
sudo chown -R www-data: /var/www/domain-one.com
```

### Create a Server Block
By default on Ubuntu systems, Nginx server block configuration files are stored in the /etc/nginx/sites-available directory and are enabled through symbolic links in the /etc/nginx/sites-enabled/ directory.

Open your editor of choice and create the following server block file at /etc/nginx/sites-available/domain-one.com:
```nginx
server {
    listen 80;
    listen [::]:80;

    root /var/www/domain-one.com;
    index index.html;

    server_name domain-one.com www.domain-one.com;

    access_log /var/log/nginx/domain-one.com.access.log;
    error_log /var/log/nginx/domain-one.com.error.log;

    location / {
        try_files $uri $uri/ =404;
    }
}
```

- To enable the new server block file, create a symbolic link from the file to the sites-enabled directory, which is read by Nginx during startup:
```sh
sudo ln -s /etc/nginx/sites-available/domain-one.com /etc/nginx/sites-enabled/
```

- Test the Nginx configuration for correct syntax:

```sh
sudo nginx -t
# If there are no errors, the output will look like this:
# nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
# nginx: configuration file /etc/nginx/nginx.conf test is successful
```

- Restart the Nginx service for the changes to take effect:

```sh
sudo systemctl restart nginx
```

### Disable Default Nginx site
- Change the default site configuration as below, so that requests whose Host header matches none of your server blocks are closed without a response (444) instead of being served by the first site:

```nginx
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    deny all;
    return 444;
}
```

## Security
- Next step is to set up Let's Encrypt.
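The server-block procedure from the "Build Web Host Block" section (document root, placeholder index.html, server block in sites-available, symlink in sites-enabled, config test and reload) as one script, added here as an example and not part of the original post. Because the domain name ends up in a filesystem path and in the Nginx configuration, the script validates it as a hostname first. `ROOT_PREFIX` is an assumption of this example: when set, everything is staged under that directory instead of the live filesystem; the index.html body and the `make_site` name are also this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): scaffold one Nginx site the
# way the post does by hand. Assumption: ROOT_PREFIX, which stages into a
# scratch directory when set (default: empty, i.e. the live system, run as root).

ROOT_PREFIX="${ROOT_PREFIX:-}"

# Accept only a plausible hostname (labels of letters, digits and hyphens,
# at least one dot). A name with "/", ".." or whitespace would otherwise
# land verbatim in a path and in a config file.
valid_domain() {
    printf '%s' "$1" |
        grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$'
}

# Print the server block for a domain, mirroring the layout used in the post.
server_block() {
    cat <<EOF
server {
    listen 80;
    listen [::]:80;

    root /var/www/$1;
    index index.html;

    server_name $1 www.$1;

    access_log /var/log/nginx/$1.access.log;
    error_log /var/log/nginx/$1.error.log;

    location / {
        try_files \$uri \$uri/ =404;
    }
}
EOF
}

# Create the document root, a placeholder page, the server block and the
# sites-enabled link; on the live system also fix ownership and reload.
make_site() {
    domain="$1"
    valid_domain "$domain" || { echo "invalid domain: $domain" >&2; return 1; }
    docroot="$ROOT_PREFIX/var/www/$domain"
    avail="$ROOT_PREFIX/etc/nginx/sites-available"
    enabled="$ROOT_PREFIX/etc/nginx/sites-enabled"
    mkdir -p "$docroot" "$avail" "$enabled"
    # Placeholder page (constructed for this example); never overwrite an existing one.
    [ -e "$docroot/index.html" ] ||
        printf '<!DOCTYPE html>\n<h1>Welcome to %s</h1>\n' "$domain" > "$docroot/index.html"
    server_block "$domain" > "$avail/$domain"
    # Relative link so it resolves both in a staging prefix and in /etc/nginx.
    ln -sf "../sites-available/$domain" "$enabled/$domain"
    if [ -z "$ROOT_PREFIX" ]; then
        chown -R www-data: "$docroot"
        nginx -t && systemctl reload nginx
    fi
}

# Usage: sudo ./make-site.sh --site domain-one.com
if [ "${1:-}" = "--site" ]; then
    make_site "${2:-}"
fi
```

Stage a dry run with `ROOT_PREFIX=/tmp/nginx-stage sh make-site.sh --site domain-one.com` and inspect the generated tree before running it against the real /etc/nginx.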