Nginx Configuration for HTTPS

Before we go into how to configure Nginx for HTTPS, we need to know why we need HTTPS at all. We already have HTTP, the internet protocol for transferring web content such as pages, images, CSS and JS. But it is not safe: content sent over plain HTTP can be read or modified in transit by anyone on the path. So we add another layer, SSL/TLS, underneath HTTP. Here we give two cases: the first uses a self-signed certificate made with OpenSSL, the second uses a certificate issued by a commercial CA, GoDaddy. The advantage of the first case is that it is free; the disadvantage of the second is that it costs money. Before giving the detailed solution, we introduce some basic concepts first, like SSL and HTTPS.

What is SSL?

SSL (Secure Sockets Layer) is the protocol that builds a secure channel between browser and web server, so that messages between client and server are encrypted and a third party on the path cannot read them. Its modern successor is TLS (Transport Layer Security); the two are often written together as SSL/TLS. Inside this channel the server proves its identity with a digital certificate, which is what the two cases below create or obtain.

What is HTTPS?

HTTPS puts SSL/TLS underneath HTTP, so the HTTP traffic travels inside the secure channel: HTTPS = HTTP over SSL/TLS. Now that the goal is clear, let’s see how to reach it.

How to do?

Check Nginx configuration

>>nginx -V

Look for --with-http_ssl_module in the configure arguments of the output. If it is missing, Nginx will reject the ssl parameter in the configuration (see problem 1 below).

Rebuild Nginx to support SSL

If your Nginx doesn’t support SSL, you need to rebuild it. You may be missing the libssl-dev package; install it with “apt-get install libssl-dev”. The remaining steps are below.

>>cd nginxPath
>>./configure --with-http_ssl_module
>>make
>>sudo make install
>>nginx -V
//nginx version:nginx/1.6.0
//built by gcc 4.6.3(Ubuntu/Linaro 4.6.3-1ubuntu5)
//TLS SNI support enabled
//configure arguments:--with-http_ssl_module

Case 1:

Create a self-signed SSL certificate

1. Use openssl to generate a private key for the server
>>sudo openssl genrsa -des3 -out server.key 4096
2. Create a certificate signing request (CSR)
>>sudo openssl req -new -key server.key -out server.csr
// note: Common Name: if your website has a domain name, for example www.####.com, the Common Name must be that domain name. If not, use localhost as its value.
3. Remove the passphrase from the key so Nginx can start without prompting for it (the key is then stored unencrypted, so keep its file permissions tight)
>>sudo cp server.key server.key.org
>>sudo openssl rsa -in server.key.org -out server.key

Use the private key and CSR above to sign the certificate

>>sudo openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Configure Nginx

server{
  listen 443 ssl;
  server_name  localhost;
  ssl_certificate  /usr/local/nginx/conf/server.crt;
  ssl_certificate_key  /usr/local/nginx/conf/server.key;
  ssl_ciphers  HIGH:!aNULL:!MD5;
  ssl_prefer_server_ciphers  on;
  ...
}

Don’t forget to restart Nginx.

Case 2:

Copy the SSL certificate from GoDaddy.

  • Download it from GoDaddy. You get one zip folder; unzip it to see two .crt files: one whose name starts with gd_bundle, which is the intermediate (chain) certificate file, and the other is the server’s own certificate. For Nginx you need to merge the two into one file, server certificate first:
    • cat ***.crt gd_bundle-***.crt > server.crt
    • Please note the order of the two files. If you put them in the wrong order, you will get this error:
    • SSL_CTX_use_PrivateKey_file(" ... /www.example.com.key") failed (SSL: error:0B080074:x509 certificate routines: X509_check_private_key:key values mismatch)
  • You also need another file: the private key, ***.key

The next step is the same as in case 1: point the Nginx configuration file at the .key and .crt files.
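The openssl steps of case 1 and the bundle-order rule of case 2 can be scripted and checked before Nginx is touched. The following shell script is an added example and is not part of the original post, nor code from the OpenSSL or Nginx projects. It assumes openssl 1.1.1 or newer is on PATH; every name in it (localhost, www.example.com, Example Test CA, the directory paths) is a placeholder. Because the real gd_bundle file only comes from the GoDaddy download, the script builds a throwaway CA to stand in for the issuer chain.

```sh
#!/bin/sh
# Added example, not from the original post. It scripts the openssl steps of
# case 1 (self-signed certificate) and builds a stand-in for the case 2 bundle
# (server certificate + issuer certificate), then checks the two things that
# make Nginx refuse to load the certificate: key/certificate mismatch and
# bundle order. Assumptions: openssl 1.1.1+ on PATH; all names are placeholders.
set -eu

# Case 1: private key, CSR and self-signed certificate, all non-interactive.
# Writing the key without -des3 yields the passphrase-free key that step 3 of
# the post produces by copying and re-exporting server.key.
make_self_signed() {
  dir="$1"; cn="$2"
  mkdir -p "$dir"
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
  openssl req -new -batch -key "$dir/server.key" -subj "/CN=$cn" -out "$dir/server.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$dir/server.csr" -signkey "$dir/server.key" \
    -out "$dir/server.crt" 2>/dev/null
  chmod 600 "$dir/server.key"
}

# Case 2 stand-in: a throwaway CA signs the server CSR, and the CA certificate
# plays the role of gd_bundle-*.crt. Nginx wants the server certificate first
# and the issuer chain after it, which is the order the post's
# "cat ***.crt gd_bundle-***.crt > server.crt" produces.
make_chain() {
  dir="$1"; cn="$2"
  mkdir -p "$dir"
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -batch -key "$dir/ca.key" -days 365 -subj "/CN=Example Test CA" \
    -out "$dir/ca.crt" 2>/dev/null
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
  openssl req -new -batch -key "$dir/server.key" -subj "/CN=$cn" -out "$dir/server.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -set_serial 1 -out "$dir/server.crt" 2>/dev/null
  cat "$dir/server.crt" "$dir/ca.crt" > "$dir/bundle-right.crt"   # server first: correct
  cat "$dir/ca.crt" "$dir/server.crt" > "$dir/bundle-wrong.crt"   # issuer first: mismatch
  chmod 600 "$dir/ca.key" "$dir/server.key"
}

# key_matches_cert KEY CRT: prints "match" if the public key in KEY equals the
# public key of the FIRST certificate in CRT. openssl x509 reads only the first
# PEM block, exactly as Nginx pairs ssl_certificate_key with the first
# certificate in ssl_certificate, so a bundle in the wrong order is "mismatch".
key_matches_cert() {
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null || true)
  crt_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null || true)
  if [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]; then echo match; else echo mismatch; fi
}

# chain_verifies CA_CRT SERVER_CRT: prints "ok" if the server certificate
# chains to the CA, "fail" otherwise (the browser's "not trusted" check).
chain_verifies() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# cert_cn CRT: prints the subject CN of the first certificate, to compare with
# server_name (the browser's "certificate does not match the URL" check).
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/^subject= *CN=\([^,]*\).*/\1/p'
}
```

Running key_matches_cert against the concatenated bundle before reloading catches the X509_check_private_key mismatch from case 2 without restarting the server, and cert_cn shows at a glance whether the Common Name matches the server_name you intend to configure.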

Support HTTP/HTTPS:

Until now, Nginx only serves HTTPS, not HTTP. What you need to do is quite simple: redirect requests from http to https. Here is the additional code to add to the Nginx configuration file:

server {
    listen 80;
    listen 443 ssl;
    # force https-redirects
    if ($scheme = http) {
        return 301 https://$server_name$request_uri;
    }
}

Problems:

After configuring and restarting Nginx, we might still meet some problems. Look at logs/error.log to see what happened. Here are some errors which I met.

1. the “ssl” parameter requires ngx_http_ssl_module

In the first step I already re-configured Nginx with “--with-http_ssl_module” and checked with “nginx -V” that it is built with SSL, so why do I still get this error? The reason is that “sudo nginx -s reload” only reloads the configuration file; the running master process is still the old binary, not the rebuilt one. I need to stop Nginx with “sudo nginx -s stop” first and then start it again with “sudo nginx”.

2. [blocked] The page at ‘https://<my-domain>/’ was loaded over HTTPS, but ran insecure content from ‘http://<some-file-name>’: this content should also be loaded over HTTPS.

I removed the “http:” prefix from that link, so the browser fetches it with the same scheme as the page (a protocol-relative URL).

old: iframe src="http://<some-file-name>"
new: iframe src="//<some-file-name>"

3. The identity of this website has not been verified. Server’s certificate does not match the URL. Server’s certificate is not trusted.

The “not trusted” part is expected for a self-signed certificate from case 1, since no browser trusts it; “does not match the URL” means the Common Name in the certificate differs from the host name in the address bar.

Commands to check:
# check whether port 443 is open
nmap -p 443 <your_server_name>
# try to fetch the page over HTTPS, ignoring the certificate warning
wget --no-check-certificate https://<your_server_name>/