Add a firewall and configure ssh access to your server, set up https for your site

Once the server configuration for your site is set up, it's time to take some basic security measures.

July 16, 2020, 2:03 p.m.
Themes: Deployment

In a previous tutorial we have configured a site to run on a DigitalOcean server with Gunicorn, Nginx and Supervisor. We are now going to switch on the firewall, set up encrypted access (https) to the site and secure access to the server with ssh keys.

1. Switch on the firewall

DigitalOcean has a good tutorial with instructions how to set up UFW (Uncomplicated FireWall). Log in as root user (or use sudo with each command). First we make sure that the firewall will allow us to connect with ssh, and then we enable ufw:

ufw allow OpenSSH
ufw enable

We can check which services are allowed with:

ufw status

All services are now blocked except for ssh. If you need to allow access to port 8000 for development, type:

ufw allow 8000

In production we don't need port 8000 anymore, so we can block it again with:

ufw delete allow 8000

We want to open the firewall for Nginx as well. To show which applications ufw recognizes, type:

ufw app list

The list should contain, Nginx HTTP (for access via port 80), Nginx HTTPS (via port 443) and Nginx Full (via both ports). Enable both HTTP and HTTPS:

ufw allow 'Nginx Full'
2. Set up https

Again there is a good tutorial on DigitalOcean on how to use the program Certbot to integrate free TLS/SSL certificates from Let's Encrypt to your Nginx configuration. We'll not repeat the detailed instructions; install Certbot and its Nginx package:

sudo apt install certbot python3-certbot-nginx

Run the Certbot package with:

sudo certbot --nginx -d -d

If this is the first time you run Certbot, you'll have to supply an email address (see the tutorial). Then Certbot asks you if it should redirect all HTTP traffic to HTTPS; choose 2 to agree to this. You can then have a look at those changes in the configuration file /etc/nginx/sites-available/pet.

Depending on the version of the Certbot package on your operating system, Let's Encrypt might gives your site a grade B instead of the highest grade, because the less secure protocols TLS 1.0/1.1 are still enabled. That's because Certbot overrides the parameter ssl_protocols in the configuration file nginx.conf.

Your site should now be available at (use your own domain name).

3. Set up SSH access from local computer to server

In a previous tutorial we have created a user with password access to the server. By default also the root user needs a password. By generating an RSA key pair and saving the public key on the server, we can allow users access from the local computer without a password. Generate a key pair by typing the following command in your terminal on your local computer:


If you want additional security you can add a passphrase when asked to. The default location is a .ssh hidden subdirectory of the local user's home directory. There are two files: id_rsa for the secret key and for the public key. Print the contents of to your terminal with:

cat .ssh/

and copy the whole string to the clipboard. Connect to the server with ssh and (once more) password, and in the home directory of the user you want to give ssh access (e.g. /root for the root user, /home/usr_pet for usr_pet) create a hidden directory .ssh and a file authorized_keys in there:

mkdir .ssh
touch .ssh/authorized_keys

Enter the file with your editor and paste the contents of the clipboard in it. The user should now be able to log in without password. If you want, you can disable password login by setting the PasswordAuthentication directive in the file /etc/ssh/sshd_config. Edit the file so that it says:

PasswordAuthentication no

Restart the ssh service with:

service ssh restart

Now you should only be able to access the server directly with ssh.

Even a more secure site can break down and data can get lost. Read on to learn how to backup and restore your data.

Comment on this article (sign in first or confirm by name and email below)