This guide shows how to SSL-enable Nginx so sites & blogs are https rather than boring old http. So now you really can sell ice to the eskimos.
Ideal for web application security as well as eCommerce and vpsBible’s budding banking community, upgrading Nginx-powered websites with SSL’s cryptographic protocols may sound daunting but is actually far too easy.
So whether you are setting up shop or want to add an extra layer of anti-hack protection, or both, read on.
Setup Unmanaged VPS: The Ubuntu-Nginx Guide
Take your virtual private server from zero to hero
.. from blank box to cute-as server ..
with this easy-to-follow copy/paste guide.
22+ parts with video, here’s the index.
What is the Secure Sockets Layer (SSL)?
It’s a ridiculously clever means of channeling data securely across networks, made famous by online shopping and banking but also ideal for logging into web application admin areas without getting your password sniffed by a naughty neighbor.
- Rather than http://foo ..
- SSL uses https://footoo
Here at vpsB we (OK, that’s me) salivate over its next of kin, SSH or Secure Shell, which gives us that all-important tunnelled connection to our VPS boxes. SSH is built on SSL, using its key-pair handshake authentication system.
That said, let’s look at how to set it up for Nginx.
Being tremendous forward thinkers we already set up Nginx with the required SSL module * – http_ssl_module – so now we just need to tweak the config to kick it up. While this tutorial has a few aside tips along the way, it is mainly concerned with:-
- editing our nginx.conf
- editing the virtual host file for yourdomain.com
- and for those of us that don’t have a certificate yet but want to play, we’ll roll our own
* If you didn’t and want to recompile, Compile an Advanced Nginx Module Configuration is just the ticket.
Configure SSL for Nginx: nginx.conf, Reconf’ed
Assuming root and backing up in case of injury, let’s take a look at the regular nginx.conf:-
Compare that to some of the changes below. Doubtless there will be values to tune to your need but this works for SSL as well as your existing setup so, allowing for any tweaks you have made since following Nginx (better than Apache) Web Server, replace with this:-
Save and exit the file.
(You could pop SSL directives here too but it’s more logical to add them to the virtual host, talking of which ..)
Configure SSL for Nginx: Virtual Host, Unhinged/Rehung
Having cajoled Nginx into liking the whole SSL idea we can embed the thing into a site or three. There are numerous ways you can do this depending on your requirement but the principle remains the same:-
- redirect some bit of the web to get securely socketted
- switch on the protocols
- give it a certificate and key
- provide options if you like
Another day another vhost or, if you’re setting up a new domain, cheat:-
In the first of the two server blocks we amend the redirect to go to https-for-sugar:-
What Was That All About?
Here’s the deal:-
- listen 443; SSL/https generally runs on this port, not 80 which is for http
- server_name www.YOURDOMAIN.COM; actually this is the same, just testing your powers of observation
- ssl on; enable SSL
- ssl_certificate /usr/local/nginx/conf/server.crt; the location of our certificate
- ssl_certificate_key /usr/local/nginx/conf/server.key; .. and the certificate’s key
Configure SSL for Nginx: Sub-Sites and SSL
Just a tip: A nice idea is to have, say, https://shopping.mydomain.com, https://admin.mydomain.com or https://hackoff.mydomain.com.
To do that, simply follow the Adding Sub-Domains with Nginx tutorial, extrapolating the SSL values here into the logic of that, whatever that means.
Configure SSL for Nginx: Advanced Tuning
There are various parameters for the Secure Socket Layer if you fancy a tweak. I’d suggest getting the basics up and running, then toying with these if you can’t sleep:-
- ssl_ciphers HIGH:!ADH:!MD5; cryptography
- ssl_prefer_server_ciphers on; ditto
- ssl_protocols SSLv3; stronger encryption, rather good
- ssl_session_cache shared:SSL:1m; some caching thing, doubtless useful
- ssl_session_timeout 5m; let them shop-happy
There’s even more enthusiasm about these and other variables at Nginx’ http_ssl_module wiki page.
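Added example, not part of the original guide: a shell check for three settings from the "What Was That All About?" and "Advanced Tuning" lists that have aged badly, namely `ssl on;` (deprecated in nginx 1.15.0), a 443 listener without the `ssl` parameter, and obsolete versions in `ssl_protocols`. The function names are illustrative and the sample vhost is constructed from the values on this page.

```shell
#!/bin/sh
# audit_vhost [FILE]: print one line per legacy TLS setting found in an
# nginx vhost (FILE or stdin); return 1 if anything was flagged.
audit_vhost() {
    conf=$(cat "$@" | sed 's/#.*//')   # drop comments first
    found=0
    has() { printf '%s\n' "$conf" | grep -Eq "$1"; }

    # 'ssl on;' was deprecated in nginx 1.15.0 in favour of 'listen ... ssl'.
    if has '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;'; then
        echo "deprecated: 'ssl on;' (use 'listen 443 ssl;')"; found=1
    fi
    # A 443 listener without the ssl parameter only does TLS because of
    # 'ssl on;'. Drop that line alone and the port answers in plaintext.
    if printf '%s\n' "$conf" | grep -E '^[[:space:]]*listen[[:space:]][^;]*443' |
         grep -Evq '[[:space:]]ssl([[:space:]]|;)'; then
        echo "listener: 443 without the ssl parameter"; found=1
    fi
    # SSLv2, SSLv3, TLSv1 and TLSv1.1 are obsolete protocol versions.
    if has 'ssl_protocols[^;]*(SSLv2|SSLv3|TLSv1|TLSv1\.1)[[:space:];]'; then
        echo "protocols: obsolete version listed (use 'TLSv1.2 TLSv1.3')"; found=1
    fi
    return "$found"
}

# Constructed sample: the server block as this guide describes it.
legacy_vhost() { cat <<'EOF'
server {
    listen 443;
    server_name www.YOURDOMAIN.COM;
    ssl on;
    ssl_certificate /usr/local/nginx/conf/server.crt;
    ssl_certificate_key /usr/local/nginx/conf/server.key;
    ssl_protocols SSLv3;
}
EOF
}

legacy_vhost | audit_vhost || true   # prints the three findings
```

Run it against a real vhost with `audit_vhost /path/to/vhost.conf`; a clean file prints nothing and returns 0.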
Configure SSL for Nginx: SSL Certificate & Key
Coming in at anything between a-few-hundred and a-many-hundred $bucks, you tend to buy these from places like Verisign (not a recommendation, shop around geddit) to look smart but, if you’re just testing or want SSL, for example, as a safer way to log into a web app backend – which is an excellent idea, doncha know – then be cheap like me and create a free certificate instead:-
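One way to roll that certificate, as an added example rather than the guide's own commands: it writes `server.key` and `server.crt` (the file names the vhost expects) and confirms the two belong together before Nginx is pointed at them. The function names are illustrative, and `-addext` assumes OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# make_selfsigned DIR CN [DAYS]: write DIR/server.key and DIR/server.crt.
make_selfsigned() {
    dir=$1 cn=$2 days=${3:-365}
    (
        umask 077   # the private key is never group- or world-readable
        # -nodes leaves the key unencrypted so nginx can start unattended.
        # Current clients match the hostname against subjectAltName, not CN.
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
            -days "$days" -subj "/CN=$cn" \
            -addext "subjectAltName=DNS:$cn" \
            -keyout "$dir/server.key" -out "$dir/server.crt"
    )
}

# cert_matches_key CRT KEY: succeed only if both hold the same public key.
# A mismatched pair is a common reason for nginx refusing to start.
cert_matches_key() {
    a=$(openssl x509 -noout -pubkey -in "$1") || return 1
    b=$(openssl pkey -pubout -in "$2") || return 1
    [ "$a" = "$b" ]
}

# Typical use, as root on the server (paths are the ones the vhost uses):
#   make_selfsigned /usr/local/nginx/conf www.YOURDOMAIN.COM
#   cert_matches_key /usr/local/nginx/conf/server.crt \
#                    /usr/local/nginx/conf/server.key && echo "pair OK"
#   openssl x509 -noout -subject -enddate -in /usr/local/nginx/conf/server.crt
```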
Stand Easy
Bin root before you bin any docs:-
SSL and You
.. likely the cheesiest title in the world of SSL, let me know how you get on and, if you’ve got some advanced use of SSL, do me a favor and tell me so I can take profit from your hard work. Thank you. And sorry, I was in a silly mood while tapping out this piece but, then again, what’s new?