Published on Oct 1, 2011

Enable HTTPS (HTTP+SSL) in NginX Web Server

Enable SSL in Nginx

Now that you’ve learned to install and configure the nginx web server, it’s time to enable it to handle HTTPS. To do so you’ll need a server certificate, either signed by a recognized authority or self-signed. Generally a well-recognized authority is better. DigiCert is a well-known authority for certifying servers. This is important for gaining users’ trust that your server is the one it claims to be. Major brands like Facebook, Google, Microsoft, IBM, Amazon and many more use DigiCert to certify their servers. You may also buy certificates from other well-known authorities like VeriSign, Thawte, Comodo etc. But if you want a free solution, especially when you’re using HTTPS mainly for your own use (for example, securing your admin panel), you might like to self-sign your certificate.

Self Sign Your Server Certificate

Use the following command to install openssl:

sudo apt-get install openssl

Now change to a directory that is not publicly accessible but that the www-data user has read permission on. The www-data user was created as part of the nginx installation and is automatically set up so that remote login as that user is not allowed. Nginx and other web server processes run under this user’s permissions. So to enable nginx to read the certificate, you need to give the www-data user at least read permission on it. But as a security measure, don’t allow public access to this file. If you are not sure, then let’s create a directory that is outside of the web root and go to that directory using the cd command:

sudo mkdir /usr/ssl/
cd /usr/ssl/

Now create the server private key; you’ll be asked for a passphrase:

openssl genrsa -des3 -out server.key 1024

Create the Certificate Signing Request (CSR):

openssl req -new -key server.key -out server.csr

Remove the need to enter a passphrase when starting nginx with SSL using the above private key:

cp server.key server.key.protected
openssl rsa -in server.key.protected -out server.key

Finally sign the certificate using the above private key and CSR:

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
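
The genrsa command above produces a 1024-bit RSA key, which is below the 2048-bit minimum that current guidance and public CAs require. As an added example (not part of the original article), the script below repeats the signing steps non-interactively and checks a key/certificate pair before nginx loads it: key size, that the certificate matches the key, expiry, and that the key is not world-readable. The function names, the CN example.test and the finding labels are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the article. Function names, the CN "example.test",
# the finding labels and the 2048-bit minimum are assumptions of this example.
# Usage: sh check_pair.sh /usr/ssl/server.key /usr/ssl/server.crt

# make_selfsigned DIR BITS: unencrypted key, CSR and self-signed cert in DIR.
make_selfsigned() {
    ( umask 077 && openssl genrsa -out "$1/server.key" "$2" ) 2>/dev/null &&
    openssl req -new -key "$1/server.key" -subj "/CN=example.test" \
        -out "$1/server.csr" 2>/dev/null &&
    openssl x509 -req -days 365 -in "$1/server.csr" \
        -signkey "$1/server.key" -out "$1/server.crt" 2>/dev/null
}

# key_bits KEY: print the RSA key size in bits (empty if the key is unreadable).
key_bits() {
    openssl rsa -in "$1" -passin pass: -noout -text 2>/dev/null |
        sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# pair_matches KEY CRT: succeed only if the certificate carries this key's modulus.
pair_matches() {
    k=$(openssl rsa -in "$1" -passin pass: -noout -modulus 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# check_pair KEY CRT: print the findings, space separated, or "ok".
# An unreadable certificate reports key-cert-mismatch and cert-expired.
check_pair() {
    f=""
    # A passphrase-protected key would make nginx prompt at every start.
    [ "$(key_bits "$1")" ] || { echo "key-unreadable-or-encrypted"; return 0; }
    [ "$(key_bits "$1")" -ge 2048 ] || f="${f:+$f }weak-key"
    pair_matches "$1" "$2" || f="${f:+$f }key-cert-mismatch"
    openssl x509 -in "$2" -noout -checkend 0 >/dev/null 2>&1 || f="${f:+$f }cert-expired"
    [ -z "$(find "$1" -perm -0004 2>/dev/null)" ] || f="${f:+$f }key-world-readable"
    echo "${f:-ok}"
}

if [ $# -eq 2 ]; then check_pair "$1" "$2"; fi
```
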

Update Nginx Configuration to Enable HTTPS

Now update the nginx server configuration to use the two files server.crt and server.key and to enable HTTPS (port 443), as we’ve done previously for HTTP (port 80). To do so, append the following server block to the file /etc/nginx/sites-available/default:

server {
    listen 443;
    ssl    on;
    ssl_certificate  /usr/ssl/server.crt;
    ssl_certificate_key  /usr/ssl/server.key;

    # access_log and error_log expect the path of a log file, not a directory
    access_log /var/www/;
    error_log /var/www/;

    root /var/www/;

    error_page  401  /errorpages/401.html;
    error_page  403  /errorpages/403.html;
    error_page  404  /errorpages/404.html;
    error_page  500 502 503 504  /errorpages/500.html;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # Add trailing slash to */wp-admin requests for wordpress
    rewrite /wp-admin$ $scheme://$host$uri/ permanent;

    # Directives to send expires headers
    location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
        expires 30d;
    }

    # Deny all attempts to access hidden files such as .htaccess, .htpasswd
    location ~ /\. {
        deny all;
        access_log off;
        log_not_found off;
    }

    location ~ \.php$ {
        try_files $uri =404;
        include /etc/nginx/fastcgi_params;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /var/www/$fastcgi_script_name;
        # Tell PHP the request arrived over HTTPS
        fastcgi_param HTTPS on;
    }
}

I’ve explained similar configuration settings in the previous nginx installation article, so I think you’ll be fine understanding what this configuration does. Now save the configuration and restart nginx using the following command:

sudo service nginx restart

If that doesn’t work, then use this command instead:

sudo /etc/init.d/nginx restart

Now you can check with your browser by typing in https://your_ip_address to see if HTTPS is working. Your browser might complain because it is a self-signed certificate, so you need to allow it and add an exception in your browser. That’s it. Now you may like to password protect your admin panel directory to restrict public access. Now let’s see how we can password protect a directory with Nginx.

Articles in this Step by Step VPS Setup Guide

Getting Started with VPS – The Beginners Tutorial
Introductory concepts on web servers and virtual private servers. Introducing you to the world wide web from a technical point of view.

Shared Hosting, VPS, Dedicated and Cloud Servers
Comparing the popular server hosting solutions. Basic understanding of shared, dedicated, vps and cloud servers.

Deploy a Linux VPS Server using Linode
Tutorial on deploying your linux distribution in your VPS server and setting up hostname and initial configurations

Setup NginX Web Server (Not Apache!) on Ubuntu 10.04
Analyzing why NginX web server is better for you instead of the mostly used Apache. Demonstration on how to setup and configure NginX on Ubuntu server.

Enable HTTPS (HTTP+SSL) in NginX Web Server
Tutorial on enabling secure http connections for NginX web server. Demonstrating how to self sign your SSL certificate for the VPS server.

NginX Password Protect Web Directory
Helping you to protect specific web directories with passwords for restricting access to administration section or important private files that need to be accessed through the web.

Setup PHP-FPM with APC on Ubuntu 10.04 for Faster Performance
Installing and Configuring PHP5 with Fast CGI Process Manager along with the excellent op-code cache solution APC for faster and optimized PHP backend.

Setup MySQL with PHPMyAdmin on Ubuntu 10.04
Setting up MySQL database server and configuring for better performance in low memory environment. Also setup a web based database management front-end named PHPMyAdmin.

Configure Domains and Subdomains in your VPS Running NginX
Tutorial on DNS setup for adding additional domains and subdomains. Also configuring NginX for handling each domains/subdomains.

Domain Emails for Free Using Google Apps
Setup domain specific email addresses without installing any email server in your VPS. Google Apps seems to be a better solution in this regard.

Author: Masum