background

Set up HTTPS on Nginx

Learn how to set up HTTPS on Ningx. This tutorial shows you how to generate a certificate request, prepare it for your server and configure Nginx to use it.

On your workstation

# login as root and switch to the ssl directory
sudo su - 
cd /etc/ssl

# generate an RSA private key and encrypt it
openssl genrsa -des3 -out private/secure.rubytreesoftware.com.1.key 2048

# generate a CSR certificate signing request using the key we created earlier
openssl req -new -key private/secure.rubytreesoftware.com.1.key -out secure.rubytreesoftware.com.1.csr

CSR prompts

Country: US
State: Florida
City: Windermere
Organization: Ruby Tree Software Inc
Organization Unit Name: 
Common Name: secure.rubytreesoftware.com
Email: 
Challenge Password:
Optional Company:

# print out the request to verify it
openssl req -noout -text -in secure.rubytreesoftware.com.1.csr 

# cat out the CSR, copy it and submit it to your cert provider
cat secure.rubytreesoftware.com.1.csr

After your certificate is ready, on your workstation:

# create a directory to store it
mkdir secure.rubytreesoftware.com
cd secure.rubytreesoftware.com

# Unzip the file if required and place it in the new directory
unzip /home/creston/Downloads/certificate_files.zip -d /etc/ssl/secure.rubytreesoftware.com

# If needed, concatenate the chain file for nginx
cat certificate_file.crt gd_bundle-g2-g1.crt > secure.rubytreesoftware.com.1.2016.chain.crt

# Copy the certificate's contents from cat
cat secure.rubytreesoftware.com.1.2016.chain.crt

# Copy the private key's contents by decrypting it and piping to cat
openssl rsa -in /etc/ssl/private/secure.rubytreesoftware.com.1.key | cat

On the server:

# Create the certificate file and paste the contents
sudo nano /etc/ssl/certs/secure.rubytreesoftware.com.1.2016.chain.crt

# Create the private key file and paste the contents
sudo nano /etc/ssl/private/secure.rubytreesoftware.com.1.key

# Change permissions to better secure the key file
sudo chgrp ssl-cert /etc/ssl/private/secure.rubytreesoftware.com.1.key
sudo chmod 640 /etc/ssl/private/secure.rubytreesoftware.com.1.key

# Edit your nginx site configuration
sudo nano /etc/nginx/sites-available/testapp

upstream unicorn_testapp {
  server unix:/tmp/unicorn.testapp.sock fail_timeout=0;
}

server {
  listen 80;
  server_name testapp.rubytreesoftware.com;
  root /opt/www/testapp/current/public;

  location ~ ^/assets/ {
    gzip_static on;
    expires max;
    add_header Cache-Control public;
  }

  try_files $uri/index.html $uri @unicorn;
  location @unicorn {
    proxy_set_header Host $http_host;  
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_redirect off;
    proxy_pass http://unicorn_testapp;
  }

  error_page 500 502 503 504 /500.html;
  client_max_body_size 4G;
  keepalive_timeout 10;
}

server {
  listen 443;
  server_name testapp.rubytreesoftware.com;
  root /opt/www/testapp/current/public;

  location ^~ /assets/ {
    gzip_static on;
    expires max;
    add_header Cache-Control public;
  }

  ssl                  on;
  ssl_certificate      /etc/ssl/certs/secure.rubytreesoftware.com.1.2016.chain.crt;
  ssl_certificate_key  /etc/ssl/private/secure.rubytreesoftware.com.1.key;

  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers   "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";

  ssl_prefer_server_ciphers   on;
  ssl_session_timeout  10m;  
  ssl_session_cache shared:SSL:10m;
  ssl_stapling on;

  try_files $uri/index.html $uri @unicorn;
  location @unicorn {
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_redirect off;
    proxy_pass http://unicorn_testapp;
  }
  
  error_page 500 502 503 504 /500.html;
  client_max_body_size 4G;
  keepalive_timeout 10;  
}

# Restart nginx to enable the configuration
sudo service nginx restart

Test your configuration using Qualys Labs at:https://www.ssllabs.com/ssltest/index.html

Please go ahead and leave a comment below if you have any questions about this tutorial.