Last updated on September 3rd, 2024 at 04:46 am
NGINX SSL Configuration allows you to enable HTTPS on your websites and protect them from malicious attacks. Today every website administrator needs to protect their site from data theft, unauthorized access and other attacks. SSL certificates provide one of the best ways to secure your site. They encrypt the data transferred between web browser and server. Here’s a step by step NGINX SSL configuration to help you secure your websites.
How to Configure SSL Certificates in NGINX Web Server
Here are the steps to configure SSL certificates in NGINX web server.
1. Generate CSR for SSL Certificate
First you need to generate a certificate signing request (CSR) to obtain an SSL certificate. For this purpose, you can use the OpenSSL utility, present in almost every Linux system by default. Open a terminal and run the following command to generate the CSR.
openssl req -new -newkey rsa:2048 -nodes -keyout private.key -out server.csr
When you run the above command, you will be prompted with a set of questions. Among them, enter your website’s full domain for FQDN (Fully Qualified Domain Name). You will also be asked for your organization name and its location such as city, state, etc. When asked for a passphrase, press enter without typing anything else, to keep the passphrase blank.
Your CSR will be stored in the server.csr file. Your private key will be stored in the private.key file. Keep it safe and do not share it with anyone. You will need to point your NGINX server to this file in a later step.
2. Get SSL Certificate
Next, use the CSR file generated above to get the SSL/TLS certificate bundle from your certificate authority, such as Namecheap, RapidSSL, Comodo, GoDaddy, Let’s Encrypt, etc. You can also use a free SSL provider like SSLForFree.
You will get 3 files from certificate authority via email or by logging into their website.
- Key (e.g. private.key) – your key file. Don’t share this with anyone publicly
- Certificate (e.g. certificate.crt) – actual SSL/TLS certificate for your domain
- Intermediate (e.g. intermediate.crt) – Root/intermediate certificate
3. Link SSL Files
Create a directory to store the above-mentioned files
$ sudo mkdir /etc/nginx/ssl
$ cd /etc/nginx/ssl
Download the three SSL files mentioned in step 2 to the above directory.
In some cases, you may need to link the certificate and intermediate files to create a bundle.crt file. You can do this with the following command.
cat certificate.crt intermediate.crt > bundle.crt
4. Open NGINX Configuration
Open terminal and run the following command to open NGINX server configuration file.
$ sudo vi /etc/nginx/nginx.conf
If you have configured separate virtual hosts for your website (e.g www.example.com), such as /etc/nginx/sites-enabled/example.conf then open its configuration with the following command
$ sudo vi /etc/nginx/sites-enabled/example.conf
5. Configure SSL certificate in NGINX
Create a server block that listens to port 443 (HTTPS port)
server {
    listen 443;
    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_certificate /etc/nginx/ssl/bundle.crt;
    ssl_certificate_key /etc/nginx/ssl/private.key;
    ...
}
In the above configuration, the first line will ensure that NGINX server listens to port 443. The second line will enable SSL.
The next line specifies the SSL protocols to be supported by NGINX. For our example, we have enabled TLS version 1, version 1.1 and 1.2. You can change it as per your requirement.
The next two lines specify the file paths to the bundle.crt file created in step 3 and the private.key file from step 1. Here’s a sample server block for your reference.
server {
    listen 443;
    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_certificate /etc/nginx/ssl/bundle.crt;
    ssl_certificate_key /etc/nginx/ssl/private.key;
    server_name www.example.com;
    access_log /path/to/nginx/access/log/file;
    error_log /path/to/nginx/error/log/file;
    location / {
        root /var/www/html/yoursite/;
        index index.html;
    }
}
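The sample server block above, brought up to current NGINX and TLS practice, as an added example that is not from the original article: the `ssl on;` directive was made obsolete in NGINX 1.15.0 and removed in 1.25.1 in favour of `listen ... ssl`, and TLS 1.0 and 1.1 were deprecated by RFC 8996. The port-80 redirect, session settings and HSTS header are additions; the paths and server name reuse the article's placeholders.

```nginx
# Added example (not from the original article). Paths and server_name
# reuse the article's placeholders; adjust them for your site.

# Redirect plain HTTP to HTTPS. A fixed host name is used instead of $host
# so a forged Host header cannot steer the redirect.
server {
    listen 80;
    listen [::]:80;
    server_name www.example.com;
    return 301 https://www.example.com$request_uri;
}

server {
    # "ssl" on the listen directive replaces the obsolete "ssl on;".
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name www.example.com;

    # Leaf certificate first, then the intermediate (bundle.crt from step 3).
    # private.key should be readable by root only (e.g. mode 600).
    ssl_certificate     /etc/nginx/ssl/bundle.crt;
    ssl_certificate_key /etc/nginx/ssl/private.key;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996); offer 1.2 and 1.3 only.
    # TLSv1.3 needs NGINX 1.13.0+ built against OpenSSL 1.1.1+.
    ssl_protocols TLSv1.2 TLSv1.3;

    # Share the session cache across workers; keep session tickets off
    # unless the ticket keys are rotated.
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # HSTS tells browsers to use HTTPS only. Assumption: this host is always
    # served over HTTPS; use a short max-age while testing.
    add_header Strict-Transport-Security "max-age=31536000" always;

    access_log /path/to/nginx/access/log/file;
    error_log  /path/to/nginx/error/log/file;

    location / {
        root  /var/www/html/yoursite/;
        index index.html;
    }
}
```

Check the file with `sudo nginx -t` before reloading, as in step 6.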
6. Restart NGINX Server
Finally, run the following command to check syntax of your updated config file.
$ sudo nginx -t
If there are no errors, run the following command to restart NGINX server.
$ sudo service nginx reload #debian/ubuntu
$ systemctl restart nginx #redhat/centos
7. Test NGINX SSL Configuration
Open a browser and visit https:// version of your domain (e.g https://www.example.com).
You will see a lock symbol next to your URL, in browser’s address bar, indicating that your website’s SSL/TLS certificate is working properly.
Hopefully, now you can configure SSL certificate in NGINX for Ubuntu as well as other Linux systems.
Common Problems
Here are some of the common reasons why your SSL certificate installation may not work correctly.
- When you access your site’s URLs via HTTPS, if your web browser says that the site is not available or reachable, then the NGINX server may not be listening on port 443. In this case, you need to add the ‘listen 443’ directive in the server block where you have specified the location of the SSL certificate.
- Alternatively, your firewall may have blocked port 443. In this case, update firewall rules to allow incoming traffic to port 443.
- If web browser displays the message saying the certificate cannot be trusted, then check certificate details by clicking on the icon to the left of requested URL in address bar. Look for ‘Valid To’ field to determine expiry date. Sometimes you may also get this error if you have not correctly combined certificate files in step #3. In this case, delete the combined file, create it again, restart NGINX server and try accessing your URL once again.
Conclusion
In this article, we have learnt about NGINX SSL Configuration to help you install SSL certificates in NGINX. It is mandatory to use SSL certificates on your website to protect your site’s data from unauthorized activities such as snooping. They are also useful in improving search engine rankings. Sites without SSL certificates are ranked lower than those with SSL. Therefore, it is advisable to install SSL certificates on your web server.
Sreeram Sreenivasan is the Founder of Ubiq. He has helped many Fortune 500 companies in the areas of BI & software development.