Configuring Ngnix server for serving HTTPS URLs are more simple and easy compared to Apache2 Web Server Software. Here is a detailed guide. Previously, we have discussed how to optimize Nginx on Cloud Server after initial installation of Nginx on Rackspace Cloud Server. So your server is easy for serving via port 80. Port 443 by default is off. We need to add another server block, the path to the TLS / SSL Certificates. Quite easy few steps. Definitely a loadbalancer can be used on Rackspace Cloud instead of installing the Certificates directly, but technically for better security, we should either use a dedicated instance to act as loadbalancer (again it is reverse proxy and Nginx will be used) or add the certificate to main server.
Configuring Ngnix Server For Serving HTTPS URLs : First the Basics
As we configure one or multiple servers for one domain, the methods are quite easy. So, we will only work on the file /etc/nginx/sites-available/default. After configuring, a simple restart will work fine. We need not to activate any module, unlike Apache2.
We are taking it granted that, the reader knows how to generate CSR file for SSL Certificate request and has obtained the certificate from the authority like GeoTrust, Norton, VeriSign etc. For GeoTrust like good providers, you will get 2 certificates – one is the primary certificate for the requested domain and second is the intermediate key. Plus you have the private key in your hand. You need to concatenate the primary certificate and intermediate certificate to one piece by first saving the raw text files with proper names, like in our case; the primary certificate will be saved in this way :
Advertisement---
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 | # on localhost mkdir thecustomizewindows_geotrust && cd thecustomizewindows_geotrust # copy the primary key sent as plain text and paste nano thecustomizewindows.crt # now paste and save by ^ + O and exit by ^ + X # now copy the intermediate certificate as plain text nano GeoTrustCA.crt # now paste and save by ^ + O and exit by ^ + X ls # there will be two files now thecustomizewindows.crt GeoTrustCA.crt # also copy the key file thecustomizewindows.key in this directory ls # there will be 3 certs thecustomizewindows.crt GeoTrustCA.crt thecustomizewindows.key # now concatenate cat thecustomizewindows.crt GeoTrustCA.crt >> bundle.crt # check the tutorial of your SSL certificate provider # usually the method will be the same, if we do ls now ls thecustomizewindows.crt GeoTrustCA.crt thecustomizewindows.key bundle.crt |
We need only the bundle.crt and thecustomizewindows.key files on server. SSH to your server. We have assumed that you use a GNU Linux, BSD or OS X or any UNIX os.
Configuring Ngnix Server For Serving HTTPS URLs : On Server
Typically we provide the examples with deb based Linux like Ubuntu or Debian. This is Ubuntu 14.04 LTS instance. First create a directory :
1 2 3 4 5 6 7 8 9 10 11 | # double check that the directory does not exist cd /etc/nginx/ssl # this will normally throw error like bash :: no such directory ... blah blah blah # create the directory mkdir -p /etc/nginx/ssl cd /etc/nginx/ssl # login to FTP server using FileZilla or some software and upload the # files from your local computer to server, do a ls ls thecustomizewindows.crt GeoTrustCA.crt thecustomizewindows.key bundle.crt # we kept copy in local computer |
Now open the file /etc/nginx/sites-available/default and scroll to the bottom, where there are commented out lines for SSL block :
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 | nano /etc/nginx/sites-available/default # scroll down and make it looking like this # HTTPS server server { listen 443 ssl; server_name thecustomizewindows.com; root /usr/share/nginx/html; index index.php index.html index.htm; ssl on; ssl_certificate /etc/nginx/ssl/bundle.crt; ssl_certificate_key /etc/nginx/ssl/thecustomizewindows.key; ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers HIGH:!aNULL:!MD5; } # thecustomizewindows.key is for me, not you # comment out these on the same file, you can uncomment and test later # Make site accessible from http://localhost/ # server_name localhost; |
Do a configtest :
1 | /etc/init.d/nginx configtest |
If everything returns fine, then restart :
1 2 3 | service nginx reload # restart service nginx restart |
Browse to your domain’s https url, it should give right info like this page’s HTTPS indicator on address bar. As an optimization ethos, we should adjust our previously described tweak :
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 | worker_processes auto; http { ssl_session_cache shared:SSL:10m; ssl_session_timeout 10m; # HTTPS server server { listen 443 ssl; server_name thecustomizewindows.com; root /usr/share/nginx/html; index index.php index.html index.htm; ssl on; ssl_certificate /etc/nginx/ssl/bundle.crt; ssl_certificate_key /etc/nginx/ssl/thecustomizewindows.key; ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers HIGH:!aNULL:!MD5; } |
You should debug with your provider :
1 2 3 4 | openssl s_client -connect www.geotrust.com:443 # example test url # http://www.digicert.com/help/ # |
This is where the story ends.
