Install and configure NGiИX with HTTPS on Arch Linux

Tue, Apr 10, 2018 02:00 CEST

Tags: Security, NGiИX, Certbot

NGiИX is useful as a reverse proxy in front of all sorts of web servers.

All the commands and edits must be run and made as root.

NGiИX installation

Install the nginx package:

pacman -S nginx

Domain names configuration

Configure your domains in /etc/nginx/nginx.conf. Here is an example for a single domain name; repeat the server block for each domain you want to configure.

#user html;
worker_processes  1;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/;

events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    sendfile        on;

    keepalive_timeout  65;

    # Do not advertise the NGiИX version in response headers and error pages
    server_tokens off;

    # Needed for proxying WebSocket connections (used by the proxy_set_header lines later on)
    map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;
    }

    server {
        listen 80;
        listen [::]:80;
        # server_name and the rest of the block for this domain go here
    }

    # ... repeat the server block for each domain
}

Make sure your domain name resolves to this host (DNS A/AAAA record).

Make sure port 80 is mapped (forwarded) to this host, so that both plain HTTP and the Let’s Encrypt HTTP-01 validation performed by certbot can reach NGiИX.

Let’s Encrypt

Install the needed packages:

pacman -S certbot certbot-nginx

Run certbot and follow the instructions:

certbot --nginx

Generate a strong DH group:

openssl dhparam -out /etc/nginx/dhparams.pem 2048

Configure NGiИX to use strong ciphers and to redirect plain HTTP to HTTPS. Replace localappportfordomain1 with the local port your application listens on.

http {
	# keep the map $http_upgrade $connection_upgrade block from the earlier configuration here,
	# otherwise $connection_upgrade below is an unknown variable and NGiИX refuses the config

	server {
		listen 80;
		listen [::]:80;
		location / {
			return 301 https://$host$request_uri;
		}
	}

	server {
		# the page originally used "ssl on;", which is deprecated since NGiИX 1.15.0;
		# the ssl parameter on listen is the equivalent current form
		listen 443 ssl;
		listen [::]:443 ssl;
		# the certificate paths below are truncated on the original page
		ssl_certificate /etc/letsencrypt/live/;
		ssl_certificate_key /etc/letsencrypt/live/;
		ssl_trusted_certificate /etc/letsencrypt/live/;
		ssl_stapling on;
		ssl_session_cache shared:SSL:10m;
		ssl_session_timeout 5m;
		ssl_prefer_server_ciphers on;
		# TLSv1 and TLSv1.1 are deprecated (RFC 8996); current deployments should allow only TLSv1.2 and TLSv1.3
		ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
		ssl_dhparam /etc/nginx/dhparams.pem;
		# one year of HSTS; the stray ';' inside the quoted value has been removed
		add_header Strict-Transport-Security "max-age=31536000";
		# as on the original page: a bare 303 for Internet Explorer user agents
		if ($http_user_agent ~ "MSIE" ) {
			return 303;
		}
		location / {
			proxy_pass http://localhost:localappportfordomain1;
			proxy_http_version 1.1;
			proxy_set_header Upgrade $http_upgrade;
			proxy_set_header Connection $connection_upgrade;
		}
	}
}

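A small check for the settings above, added here as an example and not part of the original post: it parses a server block in the shape of the page's HTTPS configuration (a constructed sample embedded inline, written as it appears on the page) and flags the deprecated ssl on directive, deprecated TLS protocol versions, a stray semicolon inside the Strict-Transport-Security value, and OCSP stapling without a resolver directive.

```python
import re

# Constructed sample in the shape of this page's HTTPS server block, as written on the page
SAMPLE_CONF = """
server {
   listen 443;
   listen [::]:443;
   ssl on;
   ssl_stapling on;
   ssl_session_timeout 5m;
   ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
   add_header Strict-Transport-Security "max-age=31536000;";
}
"""

DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # all deprecated, see RFC 8996
MIN_HSTS_MAX_AGE = 31536000  # one year, the value the page uses

def directives(conf):
    """Yield (name, args) for each simple directive; comments and block braces are skipped."""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.endswith("{") or line == "}":
            continue
        name, _, args = line.rstrip(";").partition(" ")
        yield name, args.strip()

def lint_tls(conf):
    """Return a list of findings for the TLS directives of one server block, in directive order."""
    findings = []
    names = {name for name, _ in directives(conf)}
    for name, args in directives(conf):
        if name == "ssl" and args == "on":
            findings.append("ssl on: deprecated since nginx 1.15.0, use 'listen 443 ssl' instead")
        elif name == "ssl_protocols":
            weak = sorted(DEPRECATED_PROTOCOLS & set(args.split()))
            if weak:
                findings.append("ssl_protocols enables deprecated versions: " + ", ".join(weak))
        elif name == "add_header" and args.startswith("Strict-Transport-Security"):
            parts = args.split(None, 1)
            value = parts[1].strip().strip("\"'") if len(parts) > 1 else ""
            if value.endswith(";"):
                findings.append("Strict-Transport-Security: stray ';' inside the quoted value")
            match = re.search(r"max-age=(\d+)", value)
            if not match or int(match.group(1)) < MIN_HSTS_MAX_AGE:
                findings.append("Strict-Transport-Security: max-age missing or below one year")
        elif name == "ssl_stapling" and args == "on" and "resolver" not in names:
            findings.append("ssl_stapling on: no resolver directive, nginx cannot fetch OCSP responses")
    return findings
```

For the block as written on the page, lint_tls(SAMPLE_CONF) returns four findings; a block using listen 443 ssl, a resolver, TLSv1.2/TLSv1.3 only and a clean HSTS value returns none.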

Configure automatic renewal of the Let’s Encrypt certificates.

Check that the renewal service works by running it once:

systemctl start certbot-renew

Enable and start the timer for the service:

systemctl enable --now certbot-renew.timer

Make sure port 443 is mapped (forwarded) to this host as well.


Should work.