Securing Nginx with HTTPS

Adding a certificate and using the HTTPS protocol is a good improvement to the security in the communication between the browser and the server, and should be in place on all sites that have a user login. Contrary to what many (older) guides say, it doesn’t add much load on your server and is fairy easy and cheap to set up right.

First of all, make sure Nginx is installed and running. I highly recommend running the latest version from Nginx’ own Ubuntu repository.

Generate key and CSR

Generate the server’s private key:

$ openssl genrsa -out /etc/ssl/private/example.com.key 2048

The number (2048) is the key length. Anything shorter is considered to be unsafe soon and should be avoided for new keys. Anything longer is unnecessary and will only waste CPU.

Generate the Certificate Signing Request (CSR):

$ openssl req -new -key /etc/ssl/private/example.com.key -out /etc/ssl/private/example.com.csr

Fill in the requested fields, but please note the following:

• Enter your FQDN for “Common Name (e.g. server FQDN or YOUR name)” In this case it’s “www.example.com”
• Press [ENTER] (blank) for “A challenge password”

Most Certificate Authorities will issue a certificate that is valid for both www.example.com and example.com if you provide www.example.com as FQDN. The opposite is NOT the case.

Make sure the files are readable by root only:

$ chmod 0400 /etc/ssl/private/example.com.*

Acquire the certificate from a CA

Go to the web site of a Certificate Authority or affiliate. For securing regular web sites, I usually get a domain validated Comodo PositiveSSL certificate from SSLs.com. They’re really cheap and more than good enough for most cases.

When you get the certificate from the CA – usually within an hour – place it in /etc/ssl/certs/example.com.crt

Intermediate Certificate Advisory

The certificate issuer will most likely provide you with a Intermediate Certificate Advisory or two. You MUST install the intermediate certificates on the server together with the certificate.

Save the intermediate certificate to /etc/ssl/certs/

In my case the two provided intermediate certs will be these two files:

COMODORSAAddTrustCA.crt
COMODORSADomainValidationSecureServerCA.crt

Concatenate the certificates to one file (order is important):

$ cat /etc/ssl/certs/example.com.crt /etc/ssl/certs/COMODORSADomainValidationSecureServerCA.crt /etc/ssl/certs/COMODORSAAddTrustCA.crt > /etc/ssl/certs/example.com.certchain.crt

Configure Nginx

Copy your existing server block and add the 4 SSL specific lines so the start of your new server block looks like this:

server {
    server_name example.com;
    listen 443 ssl http2;
    ssl_certificate /etc/ssl/certs/example.com.certchain.crt;
    ssl_certificate_key /etc/ssl/private/example.com.key;

Now reload your config and you should be done:

$ service nginx reload

You are now done with the basic configuration of HTTPS on Nginx. Next steps is first to enable SPDY enable HTTP/2 and then you should dive into the optimizing HTTPS on Nginx.