SSL support for Nginx

In order to take part in the “Reset the NET Campaign” (see the previous post) and to honour the first anniversary of Edward Snowden’s revelations, I configured my self-hosted server to support HTTPS/SSL requests. You can now also reach this site at https://raspberryblog.de. Furthermore, I highly recommend the Electronic Frontier Foundation’s HTTPS Everywhere plugin for Firefox, which encrypts your traffic on every site that supports SSL.

Here’s a brief tutorial on how it works: If you haven’t installed Nginx yet, please see the documentation at nginx.org. For an existing installation, create a subdirectory in /etc/nginx to store your SSL certificates.

sudo mkdir /etc/nginx/ssl
cd /etc/nginx/ssl

Next, create the server key and the certificate signing request. Start by creating the private server key. During this process, you will be asked to enter a passphrase. Be sure to remember this phrase! If you forget or lose it, you will not be able to use the key, and therefore the certificate, again.

sudo openssl genrsa -des3 -out server.key 4096
sudo openssl req -new -key server.key -out server.csr

This command will display a list of fields that need to be filled in. The most important one is “Common Name”. Enter your official domain name here or, if you don’t have one yet, your site’s IP address. Leave the challenge password and optional company name blank.

Although the passphrase does add some protection for the key, it becomes a problem as soon as you need to reload Nginx: whenever Nginx crashes or the server reboots, you will have to enter the passphrase again before the web server comes back online. The following commands therefore keep a copy of the encrypted key as server.key.org and write a passphrase-free copy to server.key.

sudo cp server.key server.key.org
sudo openssl rsa -in server.key.org -out server.key

Now it is time to sign the certificate. Keep in mind that you can specify how long the certificate should remain valid by changing 365 to the number of days you prefer. As it stands, this certificate will expire after one year.

sudo openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
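The same key/CSR/self-signed certificate procedure as a script, followed by the checks worth running before pointing Nginx at the files. This is an added example, not code from the original post; it assumes openssl is on PATH and takes the target directory, Common Name, validity in days and key size as arguments.

```shell
#!/bin/sh
# Added example, not part of the original post: builds the same key / CSR / self-signed
# certificate as the tutorial, but non-interactively and without a key passphrase, then
# verifies the files before Nginx is pointed at them.
# Assumptions: openssl is on PATH; $1 is a writable directory (e.g. /etc/nginx/ssl),
# $2 the Common Name (your domain or IP), $3 validity in days, $4 key size in bits.

make_selfsigned_cert() {
    dir=$1; cn=$2; days=${3:-365}; bits=${4:-4096}
    mkdir -p "$dir" || return 1
    # Unencrypted RSA key: the result of the post's genrsa -des3 plus the rsa -in/-out step.
    openssl genrsa -out "$dir/server.key" "$bits" 2>/dev/null || return 1
    chmod 600 "$dir/server.key"   # only root (and the nginx master) should read the key
    # CSR with the Common Name given via -subj instead of the interactive prompts.
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" -subj "/CN=$cn" || return 1
    # Self-sign the request with the same key; -days sets the expiry (365 in the post).
    openssl x509 -req -days "$days" -in "$dir/server.csr" -signkey "$dir/server.key" \
        -out "$dir/server.crt" 2>/dev/null || return 1
    echo ok
}

# Sanity checks to run before setting ssl_certificate / ssl_certificate_key.
# Prints "ok" on success, otherwise a one-line reason.
check_cert_pair() {
    dir=$1; cn=$2
    # An encrypted key makes Nginx prompt for the passphrase at every (re)start.
    if grep -q ENCRYPTED "$dir/server.key"; then echo "key is encrypted"; return 1; fi
    # The certificate's public key must belong to the private key we configure.
    crt_pub=$(openssl x509 -in "$dir/server.crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$dir/server.key" -pubout)
    [ "$crt_pub" = "$key_pub" ] || { echo "key/cert mismatch"; return 1; }
    # The subject must carry the Common Name browsers will compare with the URL.
    subj=$(openssl x509 -in "$dir/server.crt" -noout -subject -nameopt RFC2253)
    case "$subj" in *"CN=$cn"*) ;; *) echo "unexpected subject: $subj"; return 1 ;; esac
    # Self-signed means it verifies against itself; -checkend 0 fails if already expired.
    openssl verify -CAfile "$dir/server.crt" "$dir/server.crt" >/dev/null 2>&1 \
        || { echo "not self-signed"; return 1; }
    openssl x509 -in "$dir/server.crt" -noout -checkend 0 >/dev/null \
        || { echo "expired"; return 1; }
    echo ok
}
```

Run check_cert_pair again whenever you replace or renew the files; a key/cert mismatch or an expired certificate is otherwise only noticed when Nginx refuses to start or browsers start failing the handshake.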

As a final step, you have to tell Nginx where the certificate and key are stored and make the server listen on port 443 for SSL requests. Make sure that port forwarding for 443 is also enabled in your router.

server {
    # Accept SSL connections on port 443 over IPv4 and IPv6. Nginx binds [::]:443 to
    # IPv6 only by default (ipv6only=on), so the plain 443 line is needed for IPv4 clients.
    listen 443 ssl;
    listen [::]:443 ssl;
    ssl_certificate /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;
}

On your first visit, your browser will complain that the identity of your site can’t be verified. Since we’re using a self-signed certificate, you have to confirm the security exception. If you are rich ;-), you may want to obtain a certificate from a digital certificate authority.

To enable full HTTPS support under WordPress, you should also consider installing the WordPress HTTPS plugin.
