Which ports should a basic web server expose?

Most Nginx-backed web servers expose SSH, HTTP, and HTTPS. App runtime ports and databases should usually stay local or private unless there is a clear reason.

Can UFW block SSH accidentally?

Yes. Always allow and test SSH access before enabling or reloading firewall rules, and keep provider console access available.

Do I still need a provider firewall?

A provider firewall can add another useful boundary, but it should be documented alongside UFW so rules do not conflict or confuse future maintenance.

UFW Firewall Setup for Web Servers

Firewall baseline

A firewall rule is an operations decision, not only a command.

For a production web server, UFW should express what the server is meant to expose: SSH for admins, HTTP and HTTPS for users, and as little else as possible. The app port, database port, and admin tools need deliberate treatment.

SSHAdmin access

80/443Web traffic

PrivateApp internals

UFW is popular because it makes host firewall management approachable. That simplicity is valuable, but it does not remove the need for planning. A good firewall setup starts with knowing the app architecture: which service receives public traffic, which service talks to the database, where Nginx sits, and how administrators recover if SSH is blocked.

Official source note: Ubuntu documents UFW as the uncomplicated firewall tool used to manage firewall rules on Ubuntu Server: Ubuntu firewall documentation.

Firewall setup path

01Identify public services and private internals02Allow SSH, HTTP, HTTPS, then block everything else03Test access and document rollback before handover

UFW Firewall Setup for Web Servers: SSH, HTTP, HTTPS, and App Ports

A firewall rule is an operations decision, not only a command.

Firewall setup path

Keep reading

Ubuntu VPS Hardening Checklist: SSH, UFW, Updates, and Users

Linux Server Management Checklist for Production Apps

Nginx Reverse Proxy and SSL Setup for Node.js or Docker Apps