TakeHost

Server Management

How to Install and Secure Nginx with HTTPS

Intermediate · 20 min · Nginx · Web Server · TLS · certbot · Security

Nginx is a high-performance web server and reverse proxy. This guide installs it on Ubuntu 24.04, opens the firewall correctly, hides the version banner, secures it with a free Let's Encrypt certificate and automatic renewal, and adds baseline security headers with an HTTP to HTTPS redirect.

/01

Install Nginx

Install from the Ubuntu repository and confirm the service is running.

sudo apt update
sudo apt install -y nginx
sudo systemctl enable --now nginx   # start now and on every boot
systemctl status nginx --no-pager   # verify it is active (running)
/02

Open the Firewall for Web Traffic

Allow HTTP and HTTPS through UFW. Make sure SSH is already allowed first, otherwise enabling the firewall can lock you out of the server.

sudo ufw allow 'Nginx Full'   # opens both 80 (HTTP) and 443 (HTTPS)
sudo ufw status
/03

Create a Server Block

Define a virtual host for your site, then enable it by symlinking into sites-enabled.

sudo nano /etc/nginx/sites-available/yourdomain.com   # add your server { ... } block with server_name and root
sudo ln -s /etc/nginx/sites-available/yourdomain.com /etc/nginx/sites-enabled/
/04

Hide the Version Banner

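By default Nginx advertises its exact version in the Server response header and on error pages, which lets an attacker match the server against known vulnerabilities for that release. Turn that off; the header will still say nginx, just without the version number.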

sudo nano /etc/nginx/nginx.conf
# Inside the http { } block, uncomment or add:
server_tokens off;   # stop leaking the Nginx version number
/05

Add Baseline Security Headers

These headers reduce clickjacking, MIME-sniffing, and referrer leakage. Add them inside your site's server block.

# Inside your server { } block in /etc/nginx/sites-available/yourdomain.com :
add_header X-Content-Type-Options "nosniff" always;        # stop MIME-type sniffing
add_header X-Frame-Options "SAMEORIGIN" always;            # block clickjacking via frames
add_header Referrer-Policy "strict-origin-when-cross-origin" always;  # limit referrer leakage
/06

Test, Then Issue a Free TLS Certificate

Validate the config, reload, then let certbot obtain a certificate and configure HTTPS plus an automatic HTTP to HTTPS redirect.

sudo nginx -t && sudo systemctl reload nginx   # never reload a broken config
sudo apt install -y certbot python3-certbot-nginx
# --redirect adds the 301 from HTTP to HTTPS automatically
sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com --redirect
/07

Verify Automatic Renewal

Certbot installs a systemd timer that renews certificates before they expire. Confirm a dry run succeeds.

sudo certbot renew --dry-run        # simulate a renewal end-to-end
systemctl list-timers | grep certbot  # confirm the renewal timer is scheduled

Nginx is installed, firewalled, no longer leaking its version, and serving only HTTPS with security headers and a working auto-renewing certificate. Re-run nginx -t after every config change, and keep the package updated for security fixes.
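
One way to confirm the result of steps /04 to /06, as an added example that is not part of the original tutorial: a shell script that audits response headers saved from `curl -sI`. The function names and the sample responses are constructed for illustration.

```bash
# Audit raw response headers (e.g. saved from `curl -sI`) against this guide's settings.
# Each audit function prints one finding per line and nothing when every check passes.

# header_value HEADERS NAME -> lower-cased value of the first NAME header (any name case)
header_value() {
    printf '%s\n' "$1" | tr -d '\r' | awk -v want="$2" '{
        i = index($0, ":"); if (!i || tolower(substr($0, 1, i - 1)) != tolower(want)) next
        v = substr($0, i + 1); sub(/^[ \t]+/, "", v); print tolower(v); exit
    }'
}

# expect_header HEADERS NAME VALUE -> finding if NAME is absent or has another value
expect_header() {
    [ "$(header_value "$1" "$2")" = "$3" ] || echo "MISSING $2: $3"
}

# audit_https HEADERS -> checks steps /04 and /05 on an HTTPS response
audit_https() (
    server=$(header_value "$1" server)
    case "$server" in
        *[0-9]*) echo "LEAK Server header exposes a version: $server" ;;
    esac
    expect_header "$1" x-content-type-options nosniff
    expect_header "$1" x-frame-options sameorigin
    expect_header "$1" referrer-policy strict-origin-when-cross-origin
)

# audit_redirect HEADERS -> checks step /06 on a plain-HTTP response
audit_redirect() (
    status=$(printf '%s\n' "$1" | tr -d '\r' | awk 'NR == 1 { print $2 }')
    [ "$status" = "301" ] || echo "REDIRECT expected status 301, got ${status:-none}"
    case "$(header_value "$1" location)" in
        https://*) ;;
        *) echo "REDIRECT Location is not an https:// URL" ;;
    esac
)

# Constructed sample responses (not captured from a real server).
BAD_HTTPS='HTTP/1.1 200 OK
Server: nginx/1.24.0 (Ubuntu)
X-Frame-Options: SAMEORIGIN'
HTTP_REDIRECT='HTTP/1.1 301 Moved Permanently
Location: https://yourdomain.com/'

audit_https "$BAD_HTTPS"          # prints three findings
audit_redirect "$HTTP_REDIRECT"   # prints nothing
```

Against a live site, call `audit_https "$(curl -sI https://yourdomain.com/)"` and `audit_redirect "$(curl -sI http://yourdomain.com/)"`. Repeat the HTTPS check for a URL under each location block, because a location that sets its own add_header does not inherit the server-level headers.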
