NGINX SSL INSTALLATION ON LINUX

Hi Everyone…..

We covered NGINX (HTTP) installation and configuration in the previous article. Today we will discuss HTTPS, that is, SSL installation and configuration.

HTTPS stands for Hypertext Transfer Protocol Secure. It is a communications protocol for secure communication over a network or the internet. HTTPS provides bidirectional encryption of communications between a client and a server, so once HTTPS is enabled your data is transferred over the internet in encrypted form. It protects your data against man-in-the-middle attacks, eavesdropping and tampering. HTTPS works on port 443.

For HTTPS we need a web server certificate, either signed by a recognized authority or self-signed (manual). Well-recognized authorities for signed certificates include Verisign, DigiCert, GlobalSign, thawte, etc.

SSL Certificates for Webserver:— 

1) Wildcard SSL Certificates
Secure unlimited subdomains of your parent domain (e.g. site1.example.com, site2.example.com, site3.example.com, etc.)

2) 2048-Bit Single-Name SSL Certificates
Secure one fully-qualified domain name (with and without the “www”), e.g. example.com or www.example.com.

3) EV Certificates
EV Certs turn the address bar of the user’s browser green, telling them you are who you claim to be. The strongest validation available secures one name (with and without the “www”). For example, you can check it on www.email.biz, www.live.com, etc.

4) UC Certificates
Secures up to 25 names, including internal names and names from multiple base domains (e.g. with a UC certificate you can secure www.example.com, www.example2.com, www.example3.net, mail.example.net, dev.example2.com, etc.)

 

So let's start the NGINX SSL (HTTPS) installation and configuration:

I do not have an SSL certificate from a recognized authority here, so I have to generate a self-signed one for my demo website.

Step 1:

Go to the /etc/ssl/ directory and create a new directory, how2install.in

root@blog:~# cd /etc/ssl/
root@blog:/etc/ssl#
root@blog:/etc/ssl# mkdir how2install.in
root@blog:/etc/ssl#

Step 2:

Go to the how2install.in directory

root@blog:/etc/ssl# cd how2install.in/
root@blog:/etc/ssl/how2install.in#

Step 3:

Generate the private key for the certificate (2048-bit RSA, protected with a passphrase)

root@blog:/etc/ssl/how2install.in# openssl genrsa -des3 -out server.key 2048
Generating RSA private key, 2048 bit long modulus
..................+++
..........................................................+++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
root@blog:/etc/ssl/how2install.in#

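Step 4:

Remove the passphrase from the private key so that NGINX can start without prompting for it. The key is then stored unencrypted, so the file permissions set in Step 7 are what protect it.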

root@blog:/etc/ssl/how2install.in# openssl rsa -in server.key -out server.key
Enter pass phrase for server.key:
writing RSA key
root@blog:/etc/ssl/how2install.in#

Step 5:

Generate a certificate signing request (CSR) using the above private key:

root@blog:/etc/ssl/how2install.in# openssl req -new -days 365 -key server.key -out server.csr


You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:PUNJAB
Locality Name (eg, city) []:CHANDIGARH
Organization Name (eg, company) [Internet Widgits Pty Ltd]:HOW2INSTALL.IN
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
root@blog:/etc/ssl/how2install.in#
root@blog:/etc/ssl/how2install.in# ls
server.csr server.key
root@blog:/etc/ssl/how2install.in#

Step 6:

Self-sign the CSR with the same private key to produce the certificate (CRT):

root@blog:/etc/ssl/how2install.in# openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 365


Signature ok
subject=/C=IN/ST=PUNJAB/L=CHANDIGARH/O=HOW2INSTALL.IN/OU=IT
Getting Private key
root@blog:/etc/ssl/how2install.in#

Step 7:

Restrict the certificate files to read-only for root, then check them:

root@blog:/etc/ssl/how2install.in# chmod 400 server.*
root@blog:/etc/ssl/how2install.in# ll
total 20
drwxr-xr-x 2 root root 4096 Aug 4 21:15 ./
drwxr-xr-x 6 root root 4096 Aug 4 20:57 ../
-r-------- 1 root root 1164 Aug 4 21:15 server.crt
-r-------- 1 root root 985 Aug 4 21:10 server.csr
-r-------- 1 root root 1679 Aug 4 21:05 server.key
root@blog:/etc/ssl/how2install.in#
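
Steps 3 to 7 can be run without prompts and then verified. The following is an added example, not the article's own commands: it sets the Common Name and a subjectAltName to the server name (the Step 5 transcript leaves Common Name empty) and checks that the certificate and key carry the same public key. It assumes OpenSSL 1.1.1 or newer, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example, not the article's own commands. Assumes OpenSSL 1.1.1+ (-addext).
# Function names are hypothetical.

# make_selfsigned DIR FQDN: create DIR/server.key and DIR/server.crt (Steps 3-7).
make_selfsigned() (
    dir=$1; fqdn=$2
    umask 077                       # files are owner-only from the moment they exist
    mkdir -p "$dir" || exit 1
    # -nodes writes the key without a passphrase, as Step 4 does,
    # so nginx can start without prompting for one.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$dir/server.key" -out "$dir/server.crt" \
        -subj "/C=IN/ST=PUNJAB/L=CHANDIGARH/O=HOW2INSTALL.IN/OU=IT/CN=$fqdn" \
        -addext "subjectAltName=DNS:$fqdn" 2>/dev/null || exit 1
    chmod 400 "$dir/server.key" "$dir/server.crt"
)

# pubkey_hash cert|key FILE: print SHA-256 of the PEM public key, fail if unreadable.
pubkey_hash() {
    case $1 in
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1 ;;
        *)    return 1 ;;
    esac
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# cert_matches_key CRT KEY: succeed only if both hold the same public key.
cert_matches_key() {
    c=$(pubkey_hash cert "$1") || return 1
    k=$(pubkey_hash key "$2") || return 1
    [ "$c" = "$k" ]
}

# cert_has_san CRT FQDN: succeed if the certificate lists FQDN as a DNS SAN.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -qF "DNS:$2"
}

# Demo in a scratch directory (constructed input, safe to delete).
demo=$(mktemp -d)
make_selfsigned "$demo" demo.how2install.in &&
    cert_matches_key "$demo/server.crt" "$demo/server.key" &&
    cert_has_san "$demo/server.crt" demo.how2install.in &&
    echo "certificate and key match; SAN present"
rm -rf "$demo"
```

Running cert_matches_key against the files in /etc/ssl/how2install.in before restarting NGINX catches a certificate paired with the wrong key.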

 

Nginx Configuration to Enable HTTPS

 

Open the NGINX configuration file /etc/nginx/sites-available/default and make the following changes.

root@blog:~# vim /etc/nginx/sites-available/default

server {

    # "listen 443 ssl;" enables SSL on this socket. It replaces the
    # "ssl on;" directive, which newer nginx versions no longer accept.
    listen 443 ssl;
    server_name demo.how2install.in;
    root /var/www;
    index index.html index.htm;
    access_log /var/log/nginx/demo.how2install-ssl.access.log;
    error_log /var/log/nginx/demo.how2install-ssl.error.log;

    # Certificate and private key generated in the steps above
    ssl_certificate /etc/ssl/how2install.in/server.crt;
    ssl_certificate_key /etc/ssl/how2install.in/server.key;

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to index.php.
        # try_files $uri $uri/ /index.html;
        try_files $uri $uri/ /index.php?q=$uri&$args;
    }

    # Documentation listing, reachable from localhost only
    location /doc/ {
        alias /usr/share/doc/;
        autoindex on;
        allow 127.0.0.1;
        deny all;
    }

    # Hand PHP requests to PHP-FPM over its Unix socket
    location ~ \.php$ {
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
    }
}

 

Step 8:

Restart the NGINX service

root@blog:~# /etc/init.d/nginx restart
OK
OK
root@blog:~#
Enjoy
