Securing Laravel with Nginx and Let's Encrypt SSL


In 2026, HTTPS is not optional. Browsers mark plain-HTTP pages "Not Secure", Google treats HTTPS as a ranking signal, and browser features such as Service Workers (the basis of PWAs) only run in a secure context.

Thanks to Let's Encrypt and Certbot, obtaining a publicly trusted certificate (a TLS certificate, still usually called an "SSL certificate") is free, automated, and takes less than 5 minutes.

Here is a complete walkthrough for securing your Laravel application running on Ubuntu and Nginx.

Prerequisites

  1. A Virtual Private Server (VPS) running Ubuntu 22.04 or 24.04, with a user that can sudo.
  2. Nginx installed (sudo apt install nginx) and ports 80 and 443 open in any firewall (for example sudo ufw allow 'Nginx Full'). Let's Encrypt validates the domain over port 80 in Step 3, so that port must be reachable from the public internet, not just from your own network.
  3. A domain name whose A record points to the server's public IP. If you also publish an AAAA record, make sure Nginx listens on IPv6 at that address, because Let's Encrypt prefers IPv6 when a AAAA record exists.

Step 1: Install Certbot

Certbot, maintained by the EFF, is the ACME client that Let's Encrypt recommends. We also install the Nginx plugin, which serves the validation challenge through Nginx and edits the configuration for us. (certbot.eff.org recommends the snap package on Ubuntu; the apt package used here works the same way for this walkthrough.)

sudo apt update
sudo apt install certbot python3-certbot-nginx

Step 2: Prepare Nginx Configuration

Certbot needs to find a server block in your Nginx config whose server_name matches the domain you request, and that block must be active (a file in /etc/nginx/sites-available that is symlinked into /etc/nginx/sites-enabled).

Open your site configuration:

sudo nano /etc/nginx/sites-available/my-blog

Ensure the server_name directive lists every hostname you will request a certificate for:

server {
    listen 80;
    server_name my-blog.com www.my-blog.com;
    root /var/www/my-blog/public;
    
    # ... rest of your config
}

Test the configuration and reload; a syntax error is easier to fix now than in the middle of the Certbot run:

sudo nginx -t
sudo systemctl reload nginx
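Certbot only needs the server_name line, but the rest of the block is where Laravel's attack surface is decided, so here is a complete port-80 block to start from. This is an added example that follows the shape of the Nginx configuration in Laravel's deployment documentation, not code from the original post; it assumes PHP-FPM 8.3 listening on the Debian/Ubuntu default socket path and the placeholder domain and path used above. Two choices matter for security: only /index.php is ever handed to PHP-FPM, so a .php file that ends up under public/ (a bad upload, a leftover phpinfo.php) is served as a static file rather than executed, and dotfiles are denied except .well-known, which Let's Encrypt's HTTP-01 challenge must be able to reach.

```nginx
# /etc/nginx/sites-available/my-blog  (added example; Certbot will later add the 443 block)
server {
    listen 80;
    listen [::]:80;
    server_name my-blog.com www.my-blog.com;
    root /var/www/my-blog/public;   # only public/ is exposed, never the project root

    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-Content-Type-Options "nosniff";

    index index.php;
    charset utf-8;

    # Static files first; everything else goes to Laravel's front controller.
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }

    error_page 404 /index.php;

    # Only index.php is executed. Any other .php file under public/ is not
    # matched here and therefore never reaches PHP-FPM.
    location ~ ^/index\.php(/|$) {
        fastcgi_pass unix:/var/run/php/php8.3-fpm.sock;   # assumed PHP version
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        include fastcgi_params;
        fastcgi_hide_header X-Powered-By;
    }

    # Block .env, .git and other dotfiles, but keep /.well-known reachable
    # so the ACME HTTP-01 challenge can be served.
    location ~ /\.(?!well-known).* {
        deny all;
    }
}
```

Enable it with sudo ln -s /etc/nginx/sites-available/my-blog /etc/nginx/sites-enabled/ if you have not already, then run sudo nginx -t before reloading. Adjust the socket path to the PHP version you actually installed (ls /var/run/php/ shows it).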

Step 3: Obtain the Certificate

Run the following command. The --nginx flag tells Certbot to read your Nginx config, serve the validation challenge through it, and write the TLS settings back into it.

sudo certbot --nginx -d my-blog.com -d www.my-blog.com

The interactive wizard will ask:

  1. Email Address: tied to your ACME account and used for account recovery and security notices. Let's Encrypt stopped sending certificate-expiry reminder emails in 2025, so do not rely on this address to tell you that a renewal failed; monitor expiry yourself (see Step 4).
  2. Terms of Service: you must agree. (Certbot may also ask whether to share your address with the EFF; that part is optional.)
  3. Redirect HTTP to HTTPS: choose Option 2 (Redirect). This sends all traffic to the encrypted listener.

For scripted deployments the same answers can be given on the command line with --non-interactive, --agree-tos, -m you@example.com (plus --no-eff-email) and --redirect.

What just happened?

Certbot automatically:

  1. Proved control of the domain with an ACME HTTP-01 challenge: Let's Encrypt fetched a token from http://my-blog.com/.well-known/acme-challenge/<token>, which the Nginx plugin served from a temporary addition to your config.
  2. Generated a private key locally (it never leaves the server) and stored it with the certificate chain under /etc/letsencrypt/live/my-blog.com/ (fullchain.pem and privkey.pem, which are symlinks to the versioned copies in /etc/letsencrypt/archive/). privkey.pem is readable by root only; keep it that way and never copy it into the application repository.
  3. Changed your server block to listen 443 ssl and added ssl_certificate, ssl_certificate_key and an include of Certbot's /etc/letsencrypt/options-ssl-nginx.conf, which sets the TLS protocol versions and cipher suites.
  4. Created a separate port-80 block that returns a 301 redirect to https://.

Step 4: Verify Auto-Renewal

Let's Encrypt certificates are valid for 90 days. The Ubuntu package installs a systemd timer (certbot.timer) that runs certbot renew twice a day; it renews any certificate within 30 days of expiry and, because this certificate was issued with the Nginx plugin, reloads Nginx afterwards so the new certificate is actually served. systemctl list-timers certbot.timer shows when it will next run.

You can test the renewal process with a dry run:

sudo certbot renew --dry-run

If you see "Congratulations, all simulated renewals succeeded," renewals will run unattended. They can still fail later (a firewall change, a DNS change, an Nginx rule that starts blocking /.well-known), so keep an external check on certificate expiry rather than trusting the timer blindly.

Step 5: Laravel Configuration

Now that Nginx serves HTTPS, make sure Laravel generates https:// URLs and treats requests as secure.

1. Update .env

APP_URL=https://my-blog.com

2. Trust your proxy (if there is one)

When Nginx terminates TLS on the same host, PHP-FPM receives HTTPS=on through fastcgi_params and Laravel detects the secure request on its own. Behind a load balancer or Cloudflare, the hop to your server may be plain HTTP, and Laravel only learns the original scheme from the X-Forwarded-Proto header, which it ignores until that proxy is trusted. Two settings cover this. First, force generated URLs (route(), asset(), url()) to https in App\Providers\AppServiceProvider.php:

namespace App\Providers;

use Illuminate\Support\Facades\URL;
use Illuminate\Support\ServiceProvider;

class AppServiceProvider extends ServiceProvider
{
    public function boot(): void
    {
        // Generated URLs use https:// in production even if the request reached PHP over plain HTTP.
        if ($this->app->environment('production')) {
            URL::forceScheme('https');
        }
    }
}

Bonus: Improving Security Score (SSL Labs)

Certbot's default TLS settings already score well, but SSL Labs only awards A+ when the site also sends HSTS (HTTP Strict Transport Security) with a max-age of at least six months. HSTS tells a browser that has seen the header once to use HTTPS for every later visit, so the redirect from Step 3 is never needed again and a downgrade attempt on a hostile network fails instead of silently falling back to HTTP. (certbot --nginx --hsts can add the header for you; the manual version below lets you choose the value.)

Open your site config again: sudo nano /etc/nginx/sites-available/my-blog

Add this inside your SSL server block (the one with listen 443), not in the port-80 block; browsers ignore HSTS received over plain HTTP:

server {
    listen 443 ssl; 
    # ... cert definitions ...

    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
    
    # ... rest of config
}

Test and reload Nginx: sudo nginx -t && sudo systemctl reload nginx

Three things to check before you ship this header:

  • includeSubDomains applies the policy to every subdomain, so any host under my-blog.com that still serves plain HTTP (a staging site, an internal tool) becomes unreachable for browsers that have seen the header. Drop the directive, or fix those hosts first.
  • preload is a request to be baked into the browsers' built-in HSTS list (hstspreload.org). Once submitted, removal takes months and browser releases, so only include it when you intend to submit and every subdomain is ready. The usual rollout is a short max-age (a day, then a week), raised to six months or a year once nothing breaks.
  • Nginx's add_header is not inherited by a location block that sets its own add_header. If a location inside the 443 block (for example the one that hands requests to PHP-FPM) adds headers of its own, repeat the HSTS line there or move the headers into an include used by both.
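Once the redirect (Step 3), the renewal timer (Step 4) and the HSTS header (this section) are in place, it is worth checking them from the outside rather than trusting the config. The script below is an added example, not part of the original post. The check_* functions take raw response headers as text, so they can be exercised offline on the constructed sample headers at the bottom of the script; run_checks fetches live headers with curl and openssl (assumed installed) when you pass a hostname. my-blog.com is the post's placeholder domain.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): post-deployment checks for the
# Certbot + Nginx setup above. Usage: ./check-tls.sh my-blog.com
# Without an argument it runs against the constructed sample headers below.

# Strip CR so headers from curl (CRLF) and hand-written samples parse the same way.
normalize_headers() { printf '%s\n' "$1" | tr -d '\r'; }

# Pass (return 0) only if the plain-HTTP response is a permanent redirect whose
# Location starts with https://<host>; this is what Certbot's "Redirect" answer
# and the 301 block it writes should produce.
check_http_redirect() {
    host="$1"
    hdrs=$(normalize_headers "$2")
    status=$(printf '%s\n' "$hdrs" | head -n1 | awk '{print $2}')
    location=$(printf '%s\n' "$hdrs" | grep -i '^Location:' | head -n1 | sed -E 's/^[^:]*:[[:space:]]*//')
    case "$status" in
        301|308) ;;
        *) echo "expected 301/308 from http://$host, got '$status'"; return 1 ;;
    esac
    case "$location" in
        "https://$host"*) return 0 ;;
        *) echo "Location '$location' does not point at https://$host"; return 1 ;;
    esac
}

# Pass only if the HTTPS response carries Strict-Transport-Security with
# max-age >= min_age seconds (default: the six months used above) and
# includeSubDomains. preload is reported but not required, because adding it
# is a commitment to the browser preload list rather than a local setting.
check_hsts() {
    hdrs=$(normalize_headers "$1")
    min_age="${2:-15768000}"
    value=$(printf '%s\n' "$hdrs" | grep -i '^Strict-Transport-Security:' | head -n1 | sed -E 's/^[^:]*:[[:space:]]*//')
    [ -n "$value" ] || { echo "no Strict-Transport-Security header"; return 1; }
    max_age=$(printf '%s' "$value" | grep -oiE 'max-age=[0-9]+' | head -n1 | cut -d= -f2)
    [ -n "$max_age" ] || { echo "HSTS header has no max-age"; return 1; }
    [ "$max_age" -ge "$min_age" ] || { echo "HSTS max-age $max_age is below $min_age"; return 1; }
    printf '%s' "$value" | grep -qi 'includeSubDomains' || { echo "HSTS lacks includeSubDomains"; return 1; }
    printf '%s' "$value" | grep -qi 'preload' && echo "note: preload is set; keep it only if you will submit to hstspreload.org"
    return 0
}

# Live checks against a deployed host. --max-redirs 0 keeps curl from following
# the redirect so we inspect the 301 itself; -checkend 2592000 fails when the
# certificate expires within 30 days, i.e. when certbot's renewal window has
# opened but no renewal has happened.
run_checks() {
    host="$1"
    http_hdrs=$(curl -sI --max-redirs 0 "http://$host/")
    https_hdrs=$(curl -sI "https://$host/")
    rc=0
    check_http_redirect "$host" "$http_hdrs" && echo "ok: HTTP redirects to HTTPS" || rc=1
    check_hsts "$https_hdrs" && echo "ok: HSTS present" || rc=1
    if echo | openssl s_client -servername "$host" -connect "$host:443" 2>/dev/null \
            | openssl x509 -noout -checkend 2592000 >/dev/null; then
        echo "ok: certificate valid for more than 30 days"
    else
        echo "FAIL: certificate missing or expiring within 30 days"; rc=1
    fi
    return $rc
}

# Constructed sample headers (not captured from a real server) for offline use.
SAMPLE_HTTP=$(printf 'HTTP/1.1 301 Moved Permanently\r\nServer: nginx\r\nLocation: https://my-blog.com/\r\n')
SAMPLE_HTTPS=$(printf 'HTTP/2 200\r\nserver: nginx\r\nstrict-transport-security: max-age=15768000; includeSubDomains\r\n')

if [ -n "${1:-}" ]; then
    run_checks "$1"
else
    check_http_redirect my-blog.com "$SAMPLE_HTTP" && check_hsts "$SAMPLE_HTTPS" && echo "sample headers pass"
fi
```

The header checks are deliberately strict about the redirect target: a 301 to http://www.my-blog.com/ (a common mistake when the www and bare domains are redirected to each other) fails the check, because the first hop must already be HTTPS for HSTS to ever be received. Wire run_checks into whatever monitoring you already have so a silently failed renewal is noticed before the certificate expires.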

Conclusion

You now have:

  • ✅ A valid SSL Certificate.
  • ✅ Automatic HTTPS redirection.
  • ✅ Automatic renewal.
  • ✅ Improved SEO and User Trust.

There is no excuse for running a site on HTTP in 2026.
