---
layout: post
status: publish
published: true
title: SSL with Nginx
author:
  display_name: sipp11
  login: sipp11
  email: sipp11@gmail.com
  url: ''
author_login: sipp11
author_email: sipp11@gmail.com
wordpress_id: 908
wordpress_url: http://blog.10ninox.com/?p=908
date: '2014-02-12 07:08:24 +0700'
date_gmt: '2014-02-12 00:08:24 +0700'
categories:
- linux
- server
tags:
- ssl
---

`https` is pretty much the preferred protocol over bare <code>http</code> nowadays, and it has become very affordable: a basic certificate for one sub-domain can be had for as low as $9 a year. However, getting and using one can feel like overkill, even though it is rather simple. Yeah, I keep forgetting the steps since I don't have to do this frequently.

It depends on where you purchase the SSL certificate; I pick namecheap. I don't have any particular reason for it, but they are as reliable as it gets. GoDaddy, to me, is okay too--they tend to have a lower renewal cost for domains as well. Back to the SSL certificate: you need to generate a CSR (Certificate Signing Request) to ask for one. I'm using OpenSSL.

```sh
# openssl req -nodes -newkey rsa:2048 -keyout mywhatever.key -out whatever.csr
```

A series of questions will be asked:

```
Country Name (2 letter code) [AU]: US
State or Province Name (full name) [Some-State]: NH
Locality Name (eg, city) []: Atkinson
Organization Name (eg, company) [Internet Widgits Pty Ltd]: 10ninox Ltd
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []: 10ninox.com
Email Address []:

A challenge password []:
An optional company name []:
```

Some fields can be left blank, but you will probably want to answer all of them for your own credential. The important thing is that you <strong>should leave the challenge password empty</strong>; otherwise you will have to type it every time Nginx reloads or restarts. You then get two files, <code>mywhatever.key</code> and <code>whatever.csr</code>.

Back to namecheap: issue your SSL certificate and paste the content of <code>whatever.csr</code> into the form. Wait for the verification step via email. You will then get <code>your_site.zip</code> in a follow-up mail. The whole process should take less than 10-15 minutes, as far as my experience goes.

Now extract <code>your_site.zip</code>, which contains several files, something like:

* 10ninox_com.crt
* PositiveSSLCA2.crt
* AddTrustExternalCARoot.crt

Merge those files into one, <code>10ninox-ssl-bundle.csr</code> or whatever name you want:

```sh
$ cat 10ninox_com.crt PositiveSSLCA2.crt AddTrustExternalCARoot.crt > 10ninox-ssl-bundle.csr
```

Then copy the bundle file and the <code>mywhatever.key</code> we generated earlier to a directory on your server; the location is up to you, there is no restriction whatsoever. The last step is to tell Nginx where the SSL certificate is, in the Nginx virtual host file (likely <code>/etc/nginx/sites-available/10ninox.com</code> on Debian).

This is an example of how to configure one:

```nginx
server {
    listen 443;

    ssl on;
    ssl_certificate /opt/projects/10ninox/ssl/10ninox-ssl-bundle.csr;
    ssl_certificate_key /opt/projects/10ninox/ssl/mywhatever.key;
    ssl_protocols SSLv3 TLSv1;
    ssl_ciphers ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM;

    server_name 10ninox.com;
}
```

Optional lines:

* <code>ssl_ciphers ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM;</code> _means: disable all weak ciphers._
* <code>ssl_protocols SSLv3 TLSv1;</code> _means: enable SSLv3/TLSv1, but not SSLv2, which is weak and should no longer be used._

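The protocol and cipher choices above reflect 2014; SSLv3, TLS 1.0/1.1 and RC4 have since been deprecated (RFC 7568, RFC 8996, RFC 7465) and `ssl on` was superseded by `listen 443 ssl`. As an added example, not from the original post, here is a small audit that parses a server block like the one above and flags those settings, run against the post's block and a hardened equivalent (the hardened cipher list is an assumption, not the post's).

```python
import re

# Protocol versions and cipher families deprecated after this post was written:
# SSLv3 (RFC 7568), TLS 1.0/1.1 (RFC 8996), RC4 (RFC 7465).
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_WORDS = {"RC4", "DES", "MD5", "EXP", "LOW"}

def parse_directives(block: str) -> dict:
    """Collect 'name value;' directives from one server block (simplified, not nginx's parser)."""
    return {m.group(1): m.group(2).strip()
            for m in re.finditer(r"^\s*([a-z_]+)\s+([^;#\n]+);", block, re.M)}

def audit_tls(block: str) -> list:
    """Return human-readable findings for the block; an empty list means nothing was flagged."""
    d, findings = parse_directives(block), []
    if d.get("ssl") == "on":
        findings.append("'ssl on' is deprecated since nginx 1.15.0; use 'listen 443 ssl;' instead")
    if "ssl" not in d.get("listen", "").split():
        findings.append("listen directive lacks the 'ssl' parameter")
    weak = sorted(set(d.get("ssl_protocols", "").split()) & DEPRECATED_PROTOCOLS)
    if weak:
        findings.append("ssl_protocols enables deprecated versions: " + ", ".join(weak))
    # '!' tokens are exclusions; a '+' prefix only reorders, so strip it before inspecting the name
    for token in d.get("ssl_ciphers", "").split(":"):
        words = set(re.split(r"[+-]", token.lstrip("+")))
        if token and not token.startswith("!") and words & WEAK_CIPHER_WORDS:
            findings.append(f"ssl_ciphers keeps a weak family enabled via '{token}'")
    return findings

# Constructed samples: the server block from this post, and a hardened equivalent (assumed cipher list).
PAGE_CONFIG = """server {
    listen 443;
    ssl on;
    ssl_certificate /opt/projects/10ninox/ssl/10ninox-ssl-bundle.csr;
    ssl_certificate_key /opt/projects/10ninox/ssl/mywhatever.key;
    ssl_protocols SSLv3 TLSv1;
    ssl_ciphers ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM;
    server_name 10ninox.com;
}"""
HARDENED_CONFIG = """server {
    listen 443 ssl;
    ssl_certificate /opt/projects/10ninox/ssl/10ninox-ssl-bundle.csr;
    ssl_certificate_key /opt/projects/10ninox/ssl/mywhatever.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
    server_name 10ninox.com;
}"""
```

Running `audit_tls(PAGE_CONFIG)` yields four findings (the `ssl on` directive, the missing `ssl` listen parameter, SSLv3/TLSv1, and the `RC4+RSA` cipher token), while `audit_tls(HARDENED_CONFIG)` returns an empty list.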
It's better to test it first with

```sh
# service nginx configtest
```

If it passes,

```sh
# service nginx restart
```

=)