Security is one of the main concerns that must be addressed as a priority for any application or website. A website needs a valid SSL certificate installed in order to encrypt the traffic between users & the site. Web browsers also show a warning when we visit a website that does not have an SSL certificate installed.

In this tutorial, we will discuss how to perform Nginx SSL configuration, that is, how to configure an SSL certificate to secure websites hosted on Nginx. Before we start the complete process, let’s discuss the prerequisites.

Pre-requisites

Now let’s move on to the Nginx SSL configuration part. We will first create a self-signed certificate & then configure the Nginx web server to use that certificate.



Create a self signed certificate

Create a certificate with the following command,

$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /home/shusain/test.key -out /home/shusain/test.crt

Here, the openssl command is used for managing SSL keys & certificates,

req -x509 creates a self-signed X.509 certificate instead of a certificate signing request,

-nodes means the private key is not protected with a passphrase,

-days 365 is the validity of the certificate in days,

-newkey rsa:2048 generates a new 2048-bit RSA key for the certificate,

-keyout provides the location for the private key,

-out provides the location for our SSL certificate.

So now we have our private key (/home/shusain/test.key) & a self-signed certificate (/home/shusain/test.crt). We need both of these to configure the SSL certificate in Nginx.

So let’s move them to a new folder for ease of administration,

# mkdir /etc/nginx/ssl

# mv /home/shusain/test.key /etc/nginx/ssl/

# mv /home/shusain/test.crt /etc/nginx/ssl/

Now let’s move on to the next step, i.e. Nginx SSL configuration.


Nginx SSL configuration

Now that we have the required private key and certificate, we can configure the SSL certificate in Nginx. We can use ‘/etc/nginx/nginx.conf’ to configure SSL in Nginx, but it is advisable to create a separate file for SSL,

# vi /etc/nginx/conf.d/ssl.conf

& add the following lines to the file,

server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate /etc/nginx/ssl/test.crt;
    ssl_certificate_key /etc/nginx/ssl/test.key;
    # dhparam.pem must already exist, e.g. openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;
}

All we have to do is to reload the nginx configuration to complete the Nginx SSL configuration & install ssl certificate in Nginx,

# systemctl reload nginx

Now we can access our website with the https followed by the website URL,

https://example.com

Since we are using a self-signed certificate, we might get a warning but we can ignore that & click on ‘Proceed anyway’ to open the website.


Additional Parameters for SSL

The parameters mentioned above are the basic configuration for SSL. We can also set a number of other options, such as TLS versions and cipher suites, depending on our needs.

An example of the additional parameters that can be used is,

server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate /etc/nginx/ssl/test.crt;
    ssl_certificate_key /etc/nginx/ssl/test.key;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    root /var/www/html;
    index index.html index.htm;

    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep them only if legacy clients require them
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    # OCSP stapling needs a CA-issued certificate; nginx ignores it for a self-signed one
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;

    # Response headers: HSTS, clickjacking and MIME-sniffing protection
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
}
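
Before reloading Nginx with a config like this, it is worth checking it for typographic quotes picked up when copying, deprecated protocol versions, referenced files that do not exist, and a private key that other users can read. The script below is an added example, not part of the original tutorial; the function name audit_nginx_tls and the sample config are constructed for illustration, and it assumes a single server block with one path per directive.

```shell
#!/bin/sh
# Added example, not from the tutorial: audit an nginx TLS config before reload.
# Prints one finding per line and returns 1 if anything was found.
audit_nginx_tls() {
    conf=$1; rc=0
    # Value of a directive, e.g. "ssl_dhparam /path;" -> "/path"
    directive() { sed -n "s/^[[:space:]]*$1[[:space:]][[:space:]]*\([^;]*\);.*/\1/p" "$conf"; }

    # Curly quotes are not quote characters to nginx; they end up inside the value.
    if grep -q -e '“' -e '”' "$conf"; then
        echo "typographic quotes present: replace with plain ASCII quotes"; rc=1
    fi
    # TLS 1.0/1.1 are deprecated by RFC 8996; SSLv2/SSLv3 are older still.
    for proto in $(directive ssl_protocols); do
        case $proto in
            SSLv2|SSLv3|TLSv1|TLSv1.1) echo "deprecated protocol enabled: $proto"; rc=1 ;;
        esac
    done
    # nginx refuses to load a config that references a missing file.
    for name in ssl_certificate ssl_certificate_key ssl_dhparam; do
        path=$(directive "$name")
        [ -z "$path" ] || [ -f "$path" ] || { echo "$name file missing: $path"; rc=1; }
    done
    # The private key should be accessible to its owner only.
    key=$(directive ssl_certificate_key)
    if [ -f "$key" ] && [ "$(ls -lL "$key" | cut -c5-10)" != "------" ]; then
        echo "private key accessible beyond owner: chmod 600 $key"; rc=1
    fi
    return $rc
}

# Constructed sample config carrying each problem the function looks for.
demo=$(mktemp -d)
: > "$demo/test.crt"; : > "$demo/test.key"; chmod 644 "$demo/test.key"
cat > "$demo/ssl.conf" <<EOF
server {
    listen 443 ssl;
    ssl_certificate $demo/test.crt;
    ssl_certificate_key $demo/test.key;
    ssl_dhparam $demo/dhparam.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers “EECDH+AESGCM:EDH+AESGCM”;
}
EOF
audit_nginx_tls "$demo/ssl.conf" || echo "resolve the findings above before reloading nginx"
rm -rf "$demo"
```

Run against the real file it would be called as audit_nginx_tls /etc/nginx/conf.d/ssl.conf; it complements Nginx's own syntax check rather than replacing it.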

This completes our tutorial on how to perform Nginx SSL configuration & install an SSL certificate in Nginx. Please feel free to send in any questions or queries using the comment box below.
