This tutorial will go through the steps to configure SSL with Nginx. To configure Nginx with SSL, three things are required:

  1. Nginx web server installed on a Linux VPS or dedicated server
  2. Domain name
  3. SSL certificate

NGINX is open-source software for web serving, reverse proxying, caching, load balancing, media streaming, and more. It started as a web server designed for maximum performance and stability. In addition to its HTTP server capabilities, NGINX can function as a proxy server for email (IMAP, POP3, and SMTP) and as a reverse proxy and load balancer for HTTP, TCP, and UDP servers. If you are looking for high-performance hosting, a high-end dedicated server can significantly improve the speed at which Nginx delivers your content.

SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remains private and unaltered. SSL is an industry standard used by millions of websites to protect online transactions with customers. To understand the basics better, read our detailed guide on what SSL is.

TLS (Transport Layer Security) and its predecessor SSL (Secure Sockets Layer) are web protocols that wrap normal traffic in a protected, encrypted wrapper. Using this technology, a server and a client can exchange traffic safely without concern that the messages will be intercepted and read by an outside party. Modern security setups often use SSH keys alongside SSL for comprehensive server protection.

The certificate system also assists users in verifying the identity of the sites they are connecting with. Let's get started!

📂 Create a directory

First, create a dedicated directory to store your SSL-related files. Keeping the key and certificate in one place makes the configuration easier to manage; the private key should be readable only by root.

mkdir -p /etc/nginx/ssl/1gbits.com

🔑 Generating Your SSL Key and CSR

Before purchasing a certificate, you must generate a private key and a CSR (Certificate Signing Request). You'll be asked for the contents of the CSR file when ordering the certificate. For Common Name, enter the domain name you intend to secure, without 'www', e.g. 1gbits.com. For a wildcard SSL certificate, use *.1gbits.com. Only the CSR is sent to the certificate authority; the private key stays on your server. This process is essential for securing your VPS against unauthorized data interception.

openssl req -nodes -newkey rsa:2048 -keyout 1gbits.com.key -out 1gbits.com.csr

📦 Create a certificate bundle

After purchasing the certificate, you'll eventually get an email with your SSL certificate. It contains a zip file with the following components:

  • AddTrustExternalCARoot.crt
  • COMODORSAAddTrustCA.crt
  • COMODORSADomainValidationSecureServerCA.crt
  • 1gbits_com.crt

You need to combine these into a single bundle file so Nginx can send the entire certificate chain. Order matters: your own certificate comes first, then the intermediate certificates, and the root certificate last.

cat 1gbits_com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > ssl-bundle.crt

Once you have created the certificate bundle, move it together with the private key to your Nginx SSL directory to prepare for the final configuration steps.

mv ssl-bundle.crt 1gbits.com.key /etc/nginx/ssl/1gbits.com/
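Nginx does not warn you when the bundle is in the wrong order; browsers simply fail to validate the chain. As an added check that is not part of the original tutorial, the POSIX shell functions below (assuming the openssl CLI and awk are installed) verify that each certificate in ssl-bundle.crt is followed by its issuer. make_test_chain builds a constructed root, intermediate and leaf for trying the check; it is not the real Comodo chain from the zip file.

```shell
# Added example (not from the original tutorial): verify that a PEM bundle is
# ordered leaf -> intermediate(s) -> root, i.e. each certificate's issuer is the
# subject of the certificate that follows it. Needs the openssl CLI and awk.

# Split a PEM bundle ($1) into $2/cert-N.pem files and print how many were found.
split_bundle() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%d.pem", dir, n) }
    out != "" { print > out }
    /-----END CERTIFICATE-----/ { close(out); out = "" }
    END { print n + 0 }' "$1"
}

# Return 0 if every certificate in the bundle is followed by its issuer, 1 otherwise.
check_chain_order() {
  dir=$(mktemp -d); rc=0; i=1
  n=$(split_bundle "$1" "$dir")
  while [ "$i" -lt "$n" ]; do
    j=$((i + 1))
    issuer=$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$dir/cert-$i.pem" | sed 's/^[a-z]*= *//')
    subject=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$dir/cert-$j.pem" | sed 's/^[a-z]*= *//')
    if [ "$issuer" != "$subject" ]; then
      echo "cert $i is issued by '$issuer' but cert $j is '$subject'" >&2
      rc=1
    fi
    i=$j
  done
  rm -rf "$dir"
  return "$rc"
}

# Build a constructed root -> intermediate -> leaf chain (test data only, not real
# Comodo certificates) in a fresh temp dir and print that dir's path.
make_test_chain() {
  d=$(mktemp -d)
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Root" \
    -keyout "$d/root.key" -out "$d/root.crt" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Constructed Intermediate" \
    -keyout "$d/inter.key" -out "$d/inter.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$d/inter.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.ext" -out "$d/inter.crt" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=1gbits.com" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$d/leaf.csr" -CA "$d/inter.crt" -CAkey "$d/inter.key" \
    -CAcreateserial -out "$d/leaf.crt" >/dev/null 2>&1
  echo "$d"
}
```

On a real server, run check_chain_order /etc/nginx/ssl/1gbits.com/ssl-bundle.crt after building the bundle; a non-zero exit and the message on stderr tell you which pair is out of order.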

πŸ› οΈ Configure the Certificate for Nginx

Open your Nginx virtual host configuration file. Using SSL with Nginx requires the ssl parameter on the listen directive and, at minimum, the ssl_certificate and ssl_certificate_key directives pointing at the bundle and the private key. If you are using a managed VPS, your support team might handle this; for unmanaged setups, follow the example below:

nano /etc/nginx/conf.d/ssl.conf

server {
   listen 443 ssl http2;   # spdy was removed in Nginx 1.9.5; http2 replaces it
   server_name www.1gbits.com 1gbits.com;
   root /var/www/1gbits.com/public_html;
   index index.php index.html index.htm;
   server_tokens off;

   #SSL CONF ("ssl on;" is obsolete; the ssl parameter on listen enables TLS)
   ssl_certificate /etc/nginx/ssl/1gbits.com/ssl-bundle.crt;
   ssl_certificate_key /etc/nginx/ssl/1gbits.com/1gbits.com.key;

   #SSL Cache and Timeout
   ssl_session_cache shared:SSL:20m;
   ssl_session_timeout 10m;

   #Security Ciphers (TLS 1.0/1.1 and 3DES are deprecated; see the protocol table below)
   ssl_prefer_server_ciphers on;
   ssl_protocols TLSv1.2 TLSv1.3;
   ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS:!3DES;

   #OCSP stapling (stapling_verify needs the chain as trusted certificates)
   ssl_stapling on;
   ssl_stapling_verify on;
   ssl_trusted_certificate /etc/nginx/ssl/1gbits.com/ssl-bundle.crt;
   resolver 8.8.8.8 8.8.4.4 valid=300s;
   resolver_timeout 10s;

   # permalink
   location / {
      try_files $uri $uri/ /index.php?$args;
   }

   # php-script handler
   location ~ \.php$ {
      try_files $uri =404;   # refuse requests for PHP files that do not exist
      fastcgi_index index.php;
      fastcgi_pass 127.0.0.1:9000;
      include /etc/nginx/fastcgi_params;
      fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
   }

   # deny access to .htaccess / .htpasswd files
   location ~ /\.ht {
      deny all;
   }
}

🔄 Redirect HTTP Virtual Hosts to HTTPS

To ensure all traffic is encrypted, redirect HTTP (port 80) to HTTPS (port 443). Put the following line in the server block that listens on port 80 (not in the HTTPS block above, or the redirect will loop); $request_uri preserves the requested path and query string:

return 301 https://1gbits.com$request_uri;

✅ Restart/reload Nginx

After saving your configuration, test it for syntax errors and then restart (or reload) the Nginx service to apply the changes. This is a critical step in any website hosting guide.

nginx -t && /etc/init.d/nginx restart

Congratulations! You have successfully configured Nginx with SSL and secured your domain's traffic.

📊 Comparison of SSL Protocols

Protocol   Security Level      Status
SSL 3.0    Low (Vulnerable)    Deprecated
TLS 1.1    Medium              Legacy
TLS 1.2    High                Recommended
TLS 1.3    Very High           Modern Standard

πŸ“ Final Words

In this tutorial, we covered the steps to configure SSL with Nginx on your Linux VPS. We hope this article helped with the setup. If you encounter issues such as a protocol error, double-check your protocol and cipher configuration. Don't hesitate to contact us through the comment section below.
