1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
|
#+date: <2022-02-16 Wed 00:00:00>
#+title: Web Server Migration Procedure to Debian with Nginx and Agate Components
#+description: Step-by-step protocol for transitioning web server infrastructure to Debian operating system, including installation, configuration, and security hardening of Nginx and Agate services.
#+slug: debian-and-nginx
#+filetags: :debian:nginx:webserver:
* Server OS: Debian
I've used various Linux distributions throughout the years, but I've
never used anything except Ubuntu for my servers. Why? I really have no
idea, mostly just comfort around the commands and software availability.
However, I have always wanted to try Debian as a server OS after testing
it out in a VM a few years ago (side-note: I'd love to try Alpine too,
but I always struggle with compatibility). So, I decided to launch a new
VPS and use [[https://www.debian.org][Debian]] 11 as the OS. Spoiler
alert: it feels identical to Ubuntu for my purposes.
I did the normal things when first launching the VPS, such as adding a
new user, locking down SSH, etc. If you want to see that level of
detail, read my other post about
[[https://cleberg.net/blog/how-to-set-up-a-vps-web-server/][How to Set
Up a VPS Web Server]].
All of this has been similar, apart from small things such as the
location of users' home folders. No complaints at all from me - Debian
seems great.
* Web Server: Nginx
Once I had the baseline server configuration set-up for Debian, I moved
on to trying out [[https://nginx.org][Nginx]] as my web server software.
This required me to install the =nginx= and =ufw= packages, as well as
setting up the initial UFW config:
#+begin_src sh
sudo apt install nginx ufw
sudo ufw allow 'Nginx Full'
sudo ufw allow SSH
sudo ufw enable
sudo ufw status
sudo systemctl status nginx
#+end_src
Once I had the firewall set, I moved on to creating the directories and
files for my website. This is very easy and is basically the same as
setting up an Apache server, so no struggles here.
#+begin_src sh
sudo mkdir -p /var/www/your_domain/html
sudo chown -R $USER:$USER /var/www/your_domain/html
sudo chmod -R 755 /var/www/your_domain
nano /var/www/your_domain/html/index.html
#+end_src
The next part, creating the Nginx configuration files, is quite a bit
different from Apache. First, you need to create the files in the
=sites-available= folder and symlink it the =sites-enabled= folder.
Creating the config file for your domain:
#+begin_src sh
sudo nano /etc/nginx/sites-available/your_domain
#+end_src
Default content for an Nginx config file:
#+begin_src sh
server {
listen 80;
listen [::]:80;
root /var/www/your_domain/html;
index index.html index.htm index.nginx-debian.html;
server_name your_domain www.your_domain;
location / {
try_files $uri $uri/ =404;
}
}
#+end_src
Finally, symlink it together:
#+begin_src sh
sudo ln -s /etc/nginx/sites-available/your_domain /etc/nginx/sites-enabled/
#+end_src
This will make your site available to the public (as long as you have
=your_domain= DNS records pointed at the server's IP address)!
Next, I used [[https://certbot.eff.org/][certbot]] to issue an HTTPS
certificate for my domains using the following commands:
#+begin_src sh
sudo apt install snapd; sudo snap install core; sudo snap refresh core
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
sudo certbot --nginx
#+end_src
Now that certbot ran successfully and updated my Nginx config files to
include a =443= server block of code, I went back in and edited the
config file to include security HTTP headers. This part is optional, but
is recommended for security purposes; you can even test a website's HTTP
header security at [[https://securityheaders.com/][Security Headers]].
The configuration below shows a set-up where you only want your website
to serve content from its own domain, except for images and scripts,
which may come from =nullitics.com=. All other content would be blocked
from loading in a browser.
#+begin_src sh
sudo nano /etc/nginx/sites-available/your_domain
#+end_src
#+begin_src sh
server {
...
add_header Content-Security-Policy "default-src 'none'; img-src 'self' https://nullitics.com; script-src 'self' https://nullitics.com; style-src 'self'; font-src 'self'";
add_header X-Content-Type-Options "nosniff";
add_header X-XSS-Protection "1; mode=block";
add_header X-Frame-Options "DENY";
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
add_header Referrer-Policy "no-referrer";
...
}
#+end_src
#+begin_src sh
sudo systemctl restart nginx
#+end_src
** Nginx vs. Apache
As I stated at the beginning, my historical hesitation with trying Nginx
was that the differences in configuration formats scared me away from
leaving Apache. However, I prefer Nginx to Apache for a few reasons:
1. Nginx uses only one config file (=your_domain=) vs. Apache's two-file
approach for HTTP vs. HTTPS (=your_domain.conf= and
=your_domain-le-ssl.conf=).
2. Symlinking new configurations files and reloading Nginx are way
easier than Apache's process of having to enable headers with
=a2enmod mod_headers=, enable PHP with =a2enmod php= (plus any other
mods you need), and then enabling sites with =a2ensite=, and THEN
reloading Apache.
3. The contents of the Nginx config files seem more organized and
logical with the curly-bracket approach. This is a minor reason, but
everything just felt cleaner while I was installing my sites and that
had a big quality of life impact on the installation for me.
They're both great software packages, but Nginx just seems more
organized and easier to use these days. I will certainly be exploring
the Nginx docs to see what other fun things I can do with all of this.
* Gemini Server: Agate
Finally, I set up the Agate software on this server again to host my
Gemini server content, using Rust as I have before. You can read my
other post for more information on installing Agate:
[[https://cleberg.net/blog/hosting-a-gemini-server/][Hosting a Gemini
Server]].
All in all, Debian + Nginx is very slick and I prefer it over my old
combination of Ubuntu + Apache (although it's really just Nginx > Apache
for me, since Debian seems mostly the same as Ubuntu is so far).
|
