3.6 KiB
layout | status | published | title | author | author_login | author_email | wordpress_id | wordpress_url | date | date_gmt | categories | tags |
---|---|---|---|---|---|---|---|---|---|---|---|---|
post | publish | true | SSL with Nginx | [{display_name sipp11} {login sipp11} {email sipp11@gmail.com} {url }] | sipp11 | sipp11@gmail.com | 908 | http://blog.10ninox.com/?p=908 | 2014-02-12 07:08:24 +0700 | 2014-02-12 00:08:24 +0700 | [linux server] | [ssl] |
https
is pretty much preferred protocol over bare http
nowadays and it gets very affordable for basic one sub-domain which you can get as low as $9 a year. However, how to get and use one sometimes pretty much overkill although it is rather simple. Yeah, I keep forgetting since I don't really have to do that frequent.
Depending on where you purchase SSL certificate, I pick namecheap. I don't have any reason for it, but they are as reliable as it could be. GoDaddy, to me, is okay--they tend to have lower renewal cost for domain too. Back to SSL certificate, you need to generate a CSR (Certificate Signing Request) to ask for SSL. I'm using openSSL.
# openssl req -nodes -newkey rsa:2048 -keyout mywhatever.key -out whatever.csr
A series of question will be asked:
Country Name (2 letter code) [AU]: US
State or Province Name (full name) [Some-State]: NH
Locality Name (eg, city) []: Atkinson
Organization Name (eg, company) [Internet Widgits Pty Ltd]: 10ninox Ltd
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []: 10ninox.com
Email Address []:
A challenge password []:
An optional company name []:
Some fields can be left blank, but you pretty much like to answer all for your own credential. The thing is you should leave challenge password empty, otherwise, you will have to type that every time your Nginx reload or restart. Then you get 2 file mywhatever.key
and whatever.csr
Back to namecheap, issue your SSL, then paste content of whatever.csr
to the form. Wait for a verification step via email. Then you would get your_site.zip
with following mails. The whole process should take less than 10-15 minutes as far as my experience goes.
Now you have to extract your_site.zip
which contains several files something like
- 10ninox_com.crt
- PositiveSSLCA2.crt
- AddTrustExternalCARoot.crt
Merge those files into one, 10ninox-ssl-bundle.csr
or whatever name you want.
$ cat 10ninox_com.crt PositiveSSLCA2.crt AddTrustExternalCARoot.crt > 10ninox-ssl-bundle.csr
Then copy the bundle file and mywhatever.key
we got earlier to a directory in your server; location is up to you. There is no restricted whatsoever. The last process is to setup Nginx to know where SSL certificate is in Nginx virtualhost file (likely to be /etc/nginx/sites-available/10ninox.com
for Debian)
This is an example how to configure one:
server {
listen 443;
ssl on;
ssl_certificate /opt/projects/10ninox/ssl/10ninox-ssl-bundle.csr;
ssl_certificate_key /opt/projects/10ninox/ssl/mywhatever.key;
ssl_protocols SSLv3 TLSv1;
ssl_ciphers ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM;
server_name 10ninox.com;
}
optional lines:
ssl_ciphers ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM;
means disables all weak ciphersssl_protocols SSLv3 TLSv1;
means enables SSLv3/TLSv1, but not SSLv2 which is weak and should no longer be used.
It's better to test it first with
# service nginx configtest
If pass,
# service nginx restart
=)