HTTPS SSL Certificates on Nginx Server Configurations

A lot of information about SSL certificates can be found across the internet; how they work and what they are used for are questions that fill entire books. The configuration below works with WordPress, Drupal, Magento and other PHP setups.

SSL Certificates and HTTPS in simple terms

If you have followed the previous tutorials for setting up an Nginx cloud server, you may now be ready to integrate your sites with the social networks, which keep growing in number and reach. As an example, Facebook Canvas and Tab pages require an https connection to your application server. For Nginx to serve https you need a server certificate, either signed by a recognized certificate authority or self-signed.

SSL certificates and https allow the data exchanged between the hosting server and the requesting browser to be encrypted. Because the data is encrypted in transit, an attacker who intercepts it cannot read or reuse it. This is what protects against what is commonly referred to as a “man in the middle” attack.

Free SSL Certificates and Self Signing

With the nginx server set up on the Amazon cloud, it is relatively easy to add SSL and https support. If you are using a third-party provider for your SSL certificates, the steps below will need to be slightly modified; contact your certificate provider for details.

Generate the SSL Certificate and Key

Begin by installing the needed packages on your server.

sudo apt-get install openssl

Now we will create the directory that will hold the SSL key and certificate pair, and then switch into that directory so the key pair ends up in an easily accessible location.

sudo mkdir /etc/nginx/ssl

cd /etc/nginx/ssl

You are now ready to generate your self-signed SSL certificate with the following commands. Make sure you keep track of the passphrase you choose.

sudo openssl genrsa -des3 -out server.key 1024

The next command creates the certificate signing request (CSR) from which the certificate will be issued.

sudo openssl req -new -key server.key -out server.csr

In order to prevent having to enter the passphrase during nginx restart or server reboot, issue the following commands.

sudo cp server.key server.key.protected

sudo openssl rsa -in server.key.protected -out server.key

Next we will sign the certificate and give it a validity period of ten years (3650 days).

sudo openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt
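The same key, CSR and self-signing steps as above, as an added example that is not part of the original tutorial: it runs non-interactively and finishes with the checks worth running before nginx is pointed at the files (key matches certificate, key loads without a passphrase, expected name embedded). It assumes openssl is on PATH, takes the output directory as an argument instead of writing to /etc/nginx/ssl, uses a 2048-bit key rather than the tutorial's 1024 (which is too short by today's standards), and the domain and passphrase are constructed placeholders.

```shell
#!/bin/sh
# Added example (not the tutorial's own script). Assumes openssl is installed.
set -eu

make_self_signed() {
  dir=$1
  cn=${2:-www.yourdomain.com}       # constructed placeholder domain
  days=${3:-3650}                   # ten years, as in the tutorial
  passphrase="example-passphrase"   # constructed; protects only the interim key file

  mkdir -p "$dir"
  # 1. Passphrase-protected private key (2048 bits instead of the tutorial's 1024).
  openssl genrsa -des3 -passout "pass:$passphrase" \
      -out "$dir/server.key.protected" 2048 2>/dev/null
  # 2. Certificate signing request; -subj replaces the interactive prompts.
  openssl req -new -key "$dir/server.key.protected" -passin "pass:$passphrase" \
      -subj "/CN=$cn" -out "$dir/server.csr"
  # 3. Strip the passphrase so nginx can restart unattended; restrict file permissions.
  openssl rsa -in "$dir/server.key.protected" -passin "pass:$passphrase" \
      -out "$dir/server.key" 2>/dev/null
  chmod 600 "$dir/server.key" "$dir/server.key.protected"
  # 4. Self-sign the request for the requested number of days.
  openssl x509 -req -days "$days" -in "$dir/server.csr" -signkey "$dir/server.key" \
      -out "$dir/server.crt" 2>/dev/null
}

# Returns 0 only if the certificate was issued for the private key sitting next to it
# (nginx refuses to start when the two do not match).
key_matches_cert() {
  k=$(openssl rsa -noout -modulus -in "$1/server.key" | openssl dgst -sha256)
  c=$(openssl x509 -noout -modulus -in "$1/server.crt" | openssl dgst -sha256)
  [ "$k" = "$c" ]
}

# Returns 0 if the key file carries no encryption marker, i.e. no passphrase prompt on restart.
key_is_unencrypted() {
  ! grep -q 'ENCRYPTED' "$1/server.key"
}

# Prints the subject CN embedded in the certificate (works with old and new openssl output).
cert_cn() {
  openssl x509 -noout -subject -in "$1/server.crt" | sed 's/.*CN *= *//'
}
```

Run it as `make_self_signed /tmp/ssl-test` and then copy the files into /etc/nginx/ssl once the checks pass.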

There are a few different ways to set up the virtual server for the secure website. In this case we will set up the https site on the www. domain we configured in the last Nginx with WordPress tutorial.

We will be using a single server block that handles both HTTP and HTTPS.

Begin with the following commands

cd /

cd /etc/nginx/sites-available/

sudo vi www.yourdomain.com

Add the following to your Nginx server block.

listen 443 ssl;
# do not add "ssl on;" in a server block that also listens on port 80:
# it forces TLS on every listener and breaks plain http requests
ssl_certificate /etc/nginx/ssl/server.crt;
ssl_certificate_key /etc/nginx/ssl/server.key;

The nginx server configuration file should look like this:

server {
    listen 80;
    listen 443 ssl;
    # "ssl on;" is deliberately omitted: with it, the port 80 listener would also expect TLS
    ssl_certificate /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;

    root /var/www/yourdomain.com;
    index index.php index.html index.htm;

    server_name www.yourdomain.com;

    location / {
        try_files $uri $uri/ /index.php?q=$uri&$args;
    }

    error_page 404 /404.html;

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/www;
    }

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    location ~ \.php$ {
        #fastcgi_pass 127.0.0.1:9000;
        # With php5-fpm:
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
    }
    location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
        expires 1y;
        log_not_found off;
    }
    location ~* \.(htm|html)$ {
        expires 1m;
        log_not_found off;
    }
}

Next we will jump back to the /etc/nginx directory and switch into the sites-enabled directory to delete the current symlink.

cd ..

cd sites-enabled

sudo rm www.yourdomain.com

Now we recreate the symlink.

cd /

sudo ln -s /etc/nginx/sites-available/www.yourdomain.com /etc/nginx/sites-enabled/www.yourdomain.com

Now we will restart nginx. Let the drums start rolling…

sudo service nginx restart

Jump over to your site using https://www.yourdomain.com

Your browser may warn that it does not recognize the SSL certificate. This is because the certificate we created is self-signed rather than issued by a certificate authority the browser already trusts; the connection is still encrypted. You may also notice that the site is a little slow. To fix this we will make slight modifications to the nginx.conf file. Follow the SSH commands below.

cd /

sudo vi /etc/nginx/nginx.conf

In the file you will want to add:

ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;

The final outcome should look similar to:

user www-data;
worker_processes 4;
pid /var/run/nginx.pid;

events {
    worker_connections 768;
    # multi_accept on;
}

http {

    ssl_session_cache shared:SSL:30m;
    ssl_session_timeout 30m;

    ##
    # Basic Settings
    ##

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # server_tokens off;

    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    client_max_body_size 7M;
    ##
    # Logging Settings
    ##

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##

    gzip on;
    gzip_disable "msie6";

    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

    ##
    # nginx-naxsi config
    ##
    # Uncomment it if you installed nginx-naxsi
    ##

    #include /etc/nginx/naxsi_core.rules;

    ##
    # nginx-passenger config
    ##
    # Uncomment it if you installed nginx-passenger
    ##

    #passenger_root /usr;
    #passenger_ruby /usr/bin/ruby;

    ##
    # Virtual Host Configs
    ##

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}

#mail {
#    # See sample authentication script at:
#    # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#    # auth_http localhost/auth.php;
#    # pop3_capabilities "TOP" "USER";
#    # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#    server {
#        listen localhost:110;
#        protocol pop3;
#        proxy on;
#    }
#
#    server {
#        listen localhost:143;
#        protocol imap;
#        proxy on;
#    }
#}
