Google and other Internet companies are encouraging webmasters to use SSL certificates on their websites. Implementing SSL for your blogs will provide necessary privacy to your audience who visit your sites.
This blog post is going to show you how to enable SSL when using Nginx web servers to serve your web content, including WordPress.
For the past few weeks, we’ve been writing tutorials on Nginx and WordPress. We discussed how to install the Nginx web server on Ubuntu 15.04, how to enable Nginx caching and how to properly implement Nginx 301 redirects.
This post will continue from where we left off and show you how to implement SSL on Nginx web server to provide some privacy for your users.
Before going any further, please confirm that the Nginx web server is already installed on Ubuntu and functioning. If Nginx isn’t installed yet, please go back to our previous tutorials and install it.
Then make sure other settings are enabled and functioning as well. When you’re ready, continue below to enable SSL for Nginx.
To get started, create a folder to store your SSL certificates and keys, and change into it so that the key and certificate files generated below end up where the Nginx configuration later expects them. To do that, run the commands below.
sudo mkdir /etc/nginx/ssl/
cd /etc/nginx/ssl/
Then follow the steps below to generate a server key, a certificate signing request (CSR) and a self-signed certificate. If you want to install a trusted certificate from a certificate authority instead, you’ll need to send a copy of the CSR to the certificate authority, which generates the trusted certificate for you.
Run the commands below to generate the server key.
sudo openssl genrsa -des3 -out server.key 2048
Next, run the commands below to generate a certificate signing request. The CSR can be sent to a trusted certificate authority to obtain a trusted certificate. If you just want a test certificate, you’ll generate a self-signed (not trusted) certificate from it instead, as shown further down.
sudo openssl req -new -key server.key -out server.csr
When you run the above command, you’ll be prompted to answer a few questions.
Follow the sample guide below.
- Common Name: The fully-qualified domain name, or URL, you’re securing.
If you are requesting a wildcard certificate, add an asterisk (*) to the left of the common name where you want the wildcard, for example *.coolexample.com.
- Organization: The legally-registered name for your business. If you are enrolling as an individual, enter the certificate requestor’s name.
- Organization Unit: If applicable, enter the DBA (doing business as) name. If you’re securing a single blog, then type the blog owner’s name here.
- City or Locality: Name of the city where your organization is registered/located.
- State or Province: Name of the state or province where your organization is located.
- Country: The two-letter International Organization for Standardization (ISO) format country code for where your organization is legally registered.
Since we’re not installing a trusted certificate, run the command below to generate a self-signed certificate from the CSR above.
sudo openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
If you’re installing a trusted certificate, you’d send the CSR file to a trusted CA to generate the certificate, then install the certificate it returns on your site.
At this stage, you can apply the self-signed certificate to the Nginx web server and it would work. However, because the key was generated with -des3, it is encrypted with a passphrase, and every time you restart Nginx it will prompt you to enter it.
To remove those prompts, keep a copy of the encrypted key and write an unencrypted copy over server.key with the commands below.
sudo cp server.key server.key.orig
sudo openssl rsa -in server.key.orig -out server.key
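The key, CSR and self-signed certificate steps above, scripted so they run without prompts, plus the check that the certificate really belongs to the key before Nginx is pointed at them. This is an added example, not part of the original post: it assumes the openssl CLI is installed, that the directory argument is writable (/etc/nginx/ssl needs sudo), and the subject fields (country, organization and so on) are constructed placeholders to replace with your own.

```shell
#!/bin/sh
# Constructed example: non-interactive version of the key/CSR/certificate steps.
# Assumes the openssl CLI is present and $1 is a writable directory.
# Usage: make_selfsigned_cert /etc/nginx/ssl myblog.example 365 && show_cert /etc/nginx/ssl

# Generate server.key (unencrypted, so Nginx never prompts for a passphrase),
# server.csr and a self-signed server.crt in $1, for common name $2, valid $3 days.
make_selfsigned_cert() {
    ssl_dir=$1; common_name=$2; days=${3:-365}
    mkdir -p "$ssl_dir" || return 1
    # 2048-bit RSA key; no -des3, so the key is written without a passphrase.
    openssl genrsa -out "$ssl_dir/server.key" 2048 2>/dev/null || return 1
    chmod 600 "$ssl_dir/server.key"
    # CSR: -subj answers the interactive questions; CN is the hostname being secured.
    # The C/ST/L/O/OU values below are placeholders.
    openssl req -new -key "$ssl_dir/server.key" -out "$ssl_dir/server.csr" \
        -subj "/C=US/ST=State/L=City/O=Example Blog/OU=Blog Owner/CN=$common_name" || return 1
    # Self-signed certificate from the CSR (send server.csr to a CA for a trusted one instead).
    openssl x509 -req -days "$days" -in "$ssl_dir/server.csr" \
        -signkey "$ssl_dir/server.key" -out "$ssl_dir/server.crt" 2>/dev/null || return 1
}

# Return 0 when server.crt carries the public key belonging to server.key
# (the check to run before setting ssl_certificate / ssl_certificate_key).
cert_matches_key() {
    ssl_dir=$1
    crt_pub=$(openssl x509 -in "$ssl_dir/server.crt" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$ssl_dir/server.key" -pubout 2>/dev/null | openssl sha256)
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# Return 0 when the key is stored unencrypted, i.e. Nginx will restart without a prompt.
key_has_no_passphrase() {
    ! grep -q 'ENCRYPTED' "$1/server.key"
}

# Print the subject and validity period of the certificate for a final check.
show_cert() {
    openssl x509 -in "$1/server.crt" -noout -subject -dates
}
```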
You’re ready to install the certificate on the Nginx server. Open the default site configuration file and add the SSL server block shown below.
[....]
server {
    # 'ssl' on the listen line replaces the deprecated 'ssl on;' directive
    listen 443 ssl default_server;
    root /usr/share/nginx/html;
    index index.php index.html index.htm;
    # Make site accessible from http://localhost/
    server_name 192.168.107.125;
    ssl_certificate /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;
    # SSLv3 is broken (POODLE) and must not be offered; TLS 1.0/1.1 are kept only for old clients
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5:!3DES;
    ssl_prefer_server_ciphers on;
    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
        # Uncomment to enable naxsi on this location
        # include /etc/nginx/naxsi.rules
    }
[....]
Save the file and you’re done.
Restart Nginx and it should accept requests on SSL port 443.
Enjoy!