To set up SSL on an nginx server, the following are required.

  1. You need a domain, e.g. railsroot.com
  2. Generate a Certificate Signing Request (CSR)
  3. Buy an SSL certificate
  4. Set it up on your server.

Generating a Certificate Signing Request(CSR)

My environment is Ubuntu with the Nginx web server.

Use the following command to generate the CSR and the private key; answer the prompts with your organisation's details (the Common Name must be the exact hostname the certificate will serve):

# Creates a new 2048-bit RSA key and a CSR for it in one step. -nodes leaves the
# key unencrypted, which nginx needs in order to start without a passphrase prompt.
openssl req -new \
  -newkey rsa:2048 -nodes -keyout railsroot.com.key \
  -out railsroot.com.csr
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:AP
Locality Name (eg, city) []:Hyderabad
Organization Name (eg, company) [Internet Widgits Pty Ltd]:RailsRoot
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:railsroot.com
Email Address []:admin@railsroot.com

This produces two files:

  1. railsroot.com.key
  2. railsroot.com.csr

Send only the .csr file to your SSL certificate provider. The .key file is your private key: keep it on the server, readable only by root (`chmod 600 railsroot.com.key`), and never share it.

Once you receive your signed SSL certificate, you need to set it up in your nginx configuration.

Install Nginx on Ubuntu

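# Refresh the package index first; "&&" skips the install if the refresh failed,
# so nginx is never installed from a stale index.
sudo apt-get update && sudo apt-get install nginx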

After installing Nginx, edit the main configuration file:

$ cd /etc/nginx
$ vi nginx.conf
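# Worker processes drop to this unprivileged user; only the master keeps root.
user www-data;
# worker_processes = number of CPU cores on your server ("auto" lets nginx detect it)
worker_processes 4;
pid /var/run/nginx.pid;
worker_rlimit_nofile 262144;

events {
    use epoll;
    # determines how many clients will be served per worker
    # max clients = worker_connections * worker_processes
    # max clients is also limited by the number of socket connections available on the system (~64k)
    worker_connections 6000;
    # accept as many connections as possible, may flood worker connections if set too low
    multi_accept on;
}

http {
    sendfile on;
    tcp_nopush on;
    keepalive_requests 100;
    open_file_cache max=100;

    # Do not advertise the nginx version in the Server header and error pages.
    server_tokens off;

    # Note: compressing dynamic (per-user) HTML over TLS exposes the BREACH side
    # channel; consider limiting gzip to static assets or mitigating it in the app.
    gzip on;
    gzip_static on;
    gzip_min_length 10240;
    # The original listed gzip_proxied twice ("expired no-cache no-store private auth"
    # and then "any"); "any" supersedes the narrower list, so only it is kept.
    gzip_proxied any;
    gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/xml;
    gzip_disable "MSIE [1-6]\.";
    gzip_vary on;
    gzip_comp_level 6;
    gzip_buffers 16 8k;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    # Virtual Host Configs
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}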

Create an ssl directory (under /etc/nginx) to keep your certificate and key file:

$ sudo mkdir ssl

Copy the signed certificate from your SSL provider and the key file into it.

These files will be named something like:

  1. railsroot.com.pem (the signed certificate from your SSL provider; nginx expects any intermediate CA certificates appended to this file after your own certificate)
  2. railsroot.com.key (the private key you created during CSR generation)

Now go to /etc/nginx/sites-enabled

$ cd /etc/nginx/sites-enabled

Here, create your server (virtual host) file, e.g. railsroot:

$ vi railsroot

The file will look like this. Here I'm using Unicorn as the application server.

# Backend pool: a single Unicorn instance on a Unix socket. As in the Unicorn
# sample config, fail_timeout=0 effectively keeps nginx retrying this backend
# rather than marking it unavailable after a failed attempt.
# NOTE(review): /tmp is world-writable, so a local user could pre-create this
# socket path; a dedicated runtime directory (e.g. /var/run/unicorn) is safer.
upstream unicorn {
    server unix:/tmp/unicorn.sock fail_timeout=0;
}

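# Plain-HTTP listener: every request is redirected to HTTPS and nothing is served here.
server {
    # "default_server" is the current spelling of the old "default" flag.
    listen 80 default_server deferred;
    server_name railsroot.com;

    # A server-level rewrite/return runs before any location is matched, so the
    # root/try_files/location/error_page settings that were duplicated from the
    # HTTPS server were unreachable and have been dropped. $request_uri already
    # carries the original query string, so nothing needs to be re-appended.
    return 301 https://$server_name$request_uri;
}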

# HTTPS server
#
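server {
    # "spdy" was removed from nginx in 1.9.5; "http2" is its replacement (needs nginx >= 1.9.5).
    # The "ssl" listen parameter replaces the deprecated "ssl on;" directive, which newer
    # releases no longer accept.
    listen 443 ssl http2;
    server_name railsroot.com;

    root /home/public;
    try_files $uri/index.html $uri @unicorn;

    location @unicorn {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Tells the app the client connection was HTTPS (the app itself only sees plain
        # HTTP on the socket); the app should trust this header from this proxy only.
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_pass http://unicorn;
    }

    error_page 500 502 503 504 /500.html;
    location = /500.html {
        root /home/public;
    }

    client_max_body_size 4G;
    keepalive_timeout 15;

    # The .pem holds the server certificate first, followed by any intermediate CA
    # certificates; the key must be readable by root only.
    ssl_certificate /etc/nginx/ssl/railsroot.com.pem;
    ssl_certificate_key /etc/nginx/ssl/railsroot.com.key;

    # Diffie-Hellman parameters for DHE cipher suites (2048 bits recommended). Generate with:
    #   openssl dhparam -out /etc/nginx/ssl/dhparam/dhparam.pem 2048
    ssl_dhparam /etc/nginx/ssl/dhparam/dhparam.pem;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and lower the SSL Labs grade; offer 1.2 only.
    # Add TLSv1.3 once nginx (>= 1.13.0) is built against OpenSSL 1.1.1 or later.
    ssl_protocols TLSv1.2;

    # A shared cache is visible to all workers; the "builtin" OpenSSL cache is per-worker
    # and can fragment memory, so it has been dropped.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;

    # Same list as before minus the RC4 suites (RFC 7465 prohibits RC4), with "!RC4" added
    # so that "HIGH" cannot re-admit them.
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4';
    ssl_prefer_server_ciphers on;

    # OCSP Stapling ---
    # fetch OCSP records from the URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;
    # ssl_stapling_verify only works when the issuer chain is configured as trusted;
    # point this at a file holding the intermediate and root CA certificates.
    # ssl_trusted_certificate /etc/nginx/ssl/CA_CHAIN_PLACEHOLDER.pem;
    # The resolver is used for OCSP responder lookups. These go out as plain DNS to a
    # third-party resolver here; a local resolver (e.g. 127.0.0.1) avoids that dependency.
    resolver 8.8.4.4 8.8.8.8 valid=300s;
    resolver_timeout 10s;

    # HSTS (recommended, but be careful: browsers will refuse plain HTTP for this host for
    # max-age seconds, so enable it only once HTTPS works). "always" also adds the header
    # on error responses.
    add_header Strict-Transport-Security "max-age=63072000" always;
    # Forbids any site, including this one, from framing these pages (clickjacking defence).
    add_header X-Frame-Options DENY always;
    add_header X-Content-Type-Options nosniff always;
    # Note: a location inherits these add_header lines only if it sets no add_header of its own.
}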

You're done.

Restart your nginx:

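# Validate the configuration first so a typo does not take the site down on restart.
sudo nginx -t && sudo service nginx restart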

Test your SSL setup here:

https://www.ssllabs.com/ssltest/

You should get an A or A+ grade.

Then you are done.

 

 

 

 

 

 

