Black Pine

Setup Nginx Static Website on Ubuntu Server

Setup Nginx and deploy the website on the Ubuntu server.

1. Install and Verify Nginx

Install:

apt update
apt install -y nginx

Verify service:

systemctl status nginx
ss -lntp | grep :80

Test locally:

curl http://127.0.0.1/

If reachable locally and via http://SERVER_IP, Nginx is working.

2. Directory Layout for Websites

Recommended structure:

/var/www/
├── example.com/
│   └── index.html
└── another-site.com/
    └── index.html

Create directories:

mkdir -p /var/www/example.com
chown -R www-data:www-data /var/www/example.com
chmod -R 755 /var/www/example.com

3. Nginx Server Blocks (Virtual Hosts)

Each domain gets its own server block. All sites use the same ports (80/443). Separation is done by domain name (Host header).

Create config at /etc/nginx/sites-available/example.com:

server {
    listen 80;
    server_name example.com www.example.com;
    root /var/www/example.com;
    index index.html;
    
    location / {
        try_files $uri $uri/ =404;
    }
}

Enable site:

ln -s /etc/nginx/sites-available/example.com /etc/nginx/sites-enabled/

Disable default site (recommended):

rm /etc/nginx/sites-enabled/default

Test and reload:

nginx -t
systemctl reload nginx

4. DNS Setup (Domains)

At your DNS provider, add A records:

  • example.comSERVER_PUBLIC_IP
  • www.example.comSERVER_PUBLIC_IP

Multiple domains can point to the same IP. Nginx decides which site to serve.

5. HTTPS

After DNS resolves:

apt install certbot python3-certbot-nginx
certbot --nginx -d example.com -d www.example.com

Certbot:

  • Obtains TLS certificate
  • Updates Nginx config
  • Sets up auto-renewal

6. Firewall Baseline (UFW)

Expected state:

  • Default deny incoming
  • Allow SSH (custom port), 80/tcp, 443/tcp

Check:

ufw status verbose

7. Monitoring and Security

Logs:

  • /var/log/nginx/access.log
  • /var/log/nginx/error.log
  • /var/log/auth.log
  • /var/log/ufw.log

fail2ban protects SSH by default. Optional Nginx jails available later.

Check ignore list:

fail2ban-client get sshd ignoreip

8. Deploying Website Updates

Options:

  • rsync/scp files into /var/www/example.com
  • git pull on server
  • CI pipeline copying build artifacts
  • Docker (optional later)

Static file changes do NOT require Nginx restart.

9. Mental Model Summary

Internet
→ DNS (domain → IP)
→ Server
→ Nginx (ports 80/443)
→ server_name match
→ root directory
→ static files

10. Current Security Posture

With minimal open ports, UFW active, fail2ban active, and static content only, the server maintains a solid security baseline.