Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS) are the protocols used to secure traffic to websites served by a web server. With TLS in place, data passing between the server and its users (or between servers) is encrypted, so anyone intercepting the traffic sees only ciphertext. Some applications require this layer outright. Setting up a self-signed certificate, however, is where many people get stuck. In this article, we will discuss how to configure Nginx with an SSL certificate on Ubuntu and CentOS.
Installing Nginx
Before configuring Nginx with an SSL certificate on Ubuntu and CentOS, let's look at how to install Nginx first.
On Ubuntu:
Run the following commands
sudo apt-get update
sudo apt-get install nginx
sudo systemctl start nginx
On CentOS:
Run the following command
sudo yum install epel-release
sudo yum install nginx
sudo systemctl start nginx
This will update the packages required for Nginx and install Nginx with all default
Creating SSL Certificate using OpenSSL
Before getting into the configuration, let's cover the basics of how SSL/TLS works. Both protocols rely on a key pair: a private key and a public key. The private key stays on the server and is never shared. The certificate, which contains the matching public key together with the server's name and a signature, is sent to the client during the handshake. The browser checks the certificate (its validity period, the name it was issued for, and who signed it), and the server proves that it holds the private key by using it in the handshake. Both sides then derive the session keys that encrypt the traffic, so the private key stored on the server is what lets the server, and nobody else, complete that exchange.
A certificate is always signed with some private key. For a public-facing site that is the private key of a trusted Certificate Authority (CA), whose root certificate already ships in browsers and operating systems, for example:
- Comodo Certificate Authority.
- RapidSSL Certificate Authority.
- Thawte Certificate Authority.
- Sectigo Certificate Authority.
- GeoTrust Certificate Authority.
- Symantec Certificate Authority.
Alternatively, we can sign the certificate with our own private key; this is a self-signed certificate. Browsers do not trust it by default (which is why they show a warning), but the transport is still encrypted. Using the OpenSSL tool, the key and the certificate can be created in a single command:
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-self-signed.key -out /etc/ssl/certs/nginx-self-signed.crt
In this command,
- req is the OpenSSL subcommand for creating certificate signing requests and, with -x509, certificates.
- -x509 outputs a self-signed certificate instead of a certificate signing request.
- -nodes leaves the private key unencrypted, so Nginx can read it at start-up without a passphrase. Protect the key file with filesystem permissions instead (on Ubuntu, /etc/ssl/private is readable only by root and the ssl-cert group).
- -days sets the validity period of the certificate. Here, it is 365 days.
- -newkey creates a new private key with the given algorithm and size. Here, it is rsa:2048.
- -keyout is the location where the private key will be stored.
- -out is the location of the created certificate.
When you run the command, it prompts for the fields below (the values shown are only an illustration). The Common Name should be the host name or IP address you will type into the browser. Note that modern browsers such as Chrome ignore the Common Name and match the host against the certificate's subjectAltName extension, which the interactive prompts cannot set; for anything beyond a quick test, generate the certificate with a subjectAltName instead.
Country Name (2 letter code) [AU]:India
State or Province Name (full name) [Some-State]:karnataka
Locality Name (eg, city) []:Bangalore
Organization Name (eg, company) [Internet Widgits Pty Ltd]:DigitalVarys.
Organizational Unit Name (eg, section) []:Computer science
Common Name (e.g. server FQDN or YOUR name) []:Your_server_IP_Address
Email Address []:[email protected]
Once the prompts are answered, the key and the certificate are written to the locations given with -keyout and -out.
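The following is an added example and not part of the original article: a small POSIX shell script that creates the self-signed certificate non-interactively, with a subjectAltName covering both a DNS name and an IP address, and then runs the checks worth doing before pointing Nginx at the files (the SAN is really there, the key matches the certificate, the certificate is not about to expire). The host name demo.internal, the address 10.0.0.5 and the output directory are made-up arguments, not values from any real deployment.

```shell
#!/bin/sh
# Added example (not from the original article). Builds a self-signed
# certificate that carries a subjectAltName (SAN) and runs the sanity checks
# a practitioner wants before pointing nginx at the files. Host name, IP
# address and output directory are arguments; nothing here is taken from a
# real deployment.

# make_selfsigned_cert OUTDIR HOSTNAME IP
# Writes OUTDIR/nginx-self-signed.key and OUTDIR/nginx-self-signed.crt.
make_selfsigned_cert() {
  outdir=$1; host=$2; ip=$3
  mkdir -p "$outdir"
  cfg="$outdir/openssl-san.cnf"
  # Minimal req config: no interactive prompts, and an extension section that
  # puts both the DNS name and the IP into the SAN. Browsers ignore the CN and
  # match only against the SAN, so this is what makes the cert usable.
  cat > "$cfg" <<EOF
[req]
distinguished_name = dn
x509_extensions    = v3_server
prompt             = no

[dn]
CN = $host

[v3_server]
subjectAltName   = DNS:$host, IP:$ip
extendedKeyUsage = serverAuth
basicConstraints = CA:FALSE
EOF
  openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -config "$cfg" \
    -keyout "$outdir/nginx-self-signed.key" \
    -out "$outdir/nginx-self-signed.crt" 2>/dev/null || return 1
  # The private key must never be world-readable.
  chmod 600 "$outdir/nginx-self-signed.key"
}

# cert_san CERT: print the SAN line, e.g. "DNS:demo.internal, IP Address:10.0.0.5"
cert_san() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^[[:space:]]*//'
}

# key_matches_cert KEY CERT: succeed when the public key inside CERT belongs to
# KEY. A mismatch is the usual cause of nginx refusing to start with a
# "key values mismatch" error after a certificate has been replaced.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_valid_for CERT SECONDS: succeed when CERT does not expire within
# SECONDS. Self-signed certs are easy to forget about, so this is worth a
# periodic check.
cert_valid_for() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}
```

The generated files can be referenced from the Nginx snippet exactly like the ones produced by the interactive command; the only difference is the extension section, which replaces the prompts with fixed values and adds the SAN.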
Nginx also needs a Diffie-Hellman parameter file for the DHE (EDH) cipher suites of TLS 1.2. Generate one with OpenSSL; this can take a while for 2048 bits:
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
This creates the DH group file that the ssl_dhparam directive points to. Forward secrecy comes from the ephemeral key exchange itself (DHE or ECDHE); the custom group only affects the finite-field DHE suites, and TLS 1.3 ignores it because it negotiates its own standard groups.
Configure Nginx with SSL
Nginx configuration is usually split into reusable snippet files that server blocks include; the Ubuntu package ships an /etc/nginx/snippets/ directory for this purpose (on CentOS, create it yourself). So we need to create:
- Custom snippet for SSL key and Certificate
- Custom snippet for strong SSL settings
- Change Nginx Server configuration to use SSL
Custom snippet for SSL key and Certificate
Create a configuration file in the Nginx snippets folder as follows.
sudo nano /etc/nginx/snippets/self-signed.conf
In this file, reference the certificate and key files generated with OpenSSL earlier.
ssl_certificate /etc/ssl/certs/nginx-self-signed.crt;
ssl_certificate_key /etc/ssl/private/nginx-self-signed.key;
Then save this file.
Custom snippet for strong SSL settings
This is to secure our Nginx with more security settings. To do so, open the file in Nginx snippet.
sudo nano /etc/nginx/snippets/ssl-params.conf
There are many published recommendations for hardening the TLS settings of Nginx; the snippet below is one such set.
ssl_protocols TLSv1.2 TLSv1.3; # TLSv1.3 needs nginx >= 1.13.0 built against OpenSSL 1.1.1 or newer; keep TLSv1.2 for older clients
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/certs/dhparam.pem; # the file generated with openssl dhparam above; used only by the DHE suites in TLS 1.2
ssl_ciphers EECDH+AESGCM:EDH+AESGCM; # ECDHE/DHE with AES-GCM only; TLS 1.3 cipher suites are not controlled by this directive
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0; pinning one curve also rules out X25519, "auto" (nginx >= 1.11.0) lets OpenSSL choose
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling on; # Requires nginx >= 1.3.7; with a self-signed certificate there is no OCSP responder, so nginx logs a warning and stapling stays off
ssl_stapling_verify on; # Requires nginx >= 1.3.7
resolver 8.8.8.8 8.8.4.4 valid=300s; # used for the OCSP lookups above
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains"; # browsers remember HSTS for max-age (two years here) and ignore it for bare IP hosts; enable only when HTTPS is permanent
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block"; # legacy header; modern browsers no longer have an XSS auditor, so it is harmless but does little
Once the above lines are added, save and close the file. Keep in mind that add_header directives set at server level are not inherited by a location block that defines its own add_header, so repeat them there if needed.
Change Nginx Server configuration to use SSL
Now configure the Nginx server block. On Ubuntu, open the default site configuration:
sudo nano /etc/nginx/sites-available/default
On CentOS there is no sites-available directory; the equivalent server block lives in /etc/nginx/nginx.conf or in a file under /etc/nginx/conf.d/. Update the server block as shown here.
server {
listen 80 default_server;
listen [::]:80 default_server;
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
server_name server_domain_or_IP;
include snippets/self-signed.conf;
include snippets/ssl-params.conf;
    # ... rest of the existing server block unchanged ...
}
Then save and close the file. Note that this block keeps answering plain HTTP on port 80 as well; to force HTTPS, move the two port-80 listen directives into a separate server block that returns a 301 redirect to the https:// URL.
Firewall Setting
Now change the firewall settings to allow HTTPS connections. On Ubuntu we use ufw for this; CentOS ships firewalld instead, where the equivalent is to open the https service permanently and reload.
Run the following command to list the available applications
sudo ufw app list
It will list the application profiles as follows.
Available applications:
Nginx Full
Nginx HTTP
Nginx HTTPS
OpenSSH
The Nginx profiles appear because the Ubuntu nginx package registers them with ufw, so seeing them confirms the package is installed. Now replace the HTTP-only rule with the Full profile (ports 80 and 443) by entering the following commands one by one.
sudo ufw delete allow 'Nginx HTTP'
sudo ufw allow 'Nginx Full'
Then check the status with the following command:
sudo ufw status
It will show output like this:
Status: active
To Action From
-- ------ ----
OpenSSH ALLOW Anywhere
Nginx Full ALLOW Anywhere
OpenSSH (v6) ALLOW Anywhere (v6)
Nginx Full (v6) ALLOW Anywhere (v6)
That’s it. Firewall configurations are done.
Wrap up and verification.
Once all of the above is in place, restart Nginx with the following command:
sudo systemctl restart nginx
If there is a syntax error it is reported here (running nginx -t first reports such errors without touching the running server); go back and check the step that produced it.
Then, to verify the SSL configuration, open your server address in the browser over https, like this:
https://Your_server_IP_Address
The browser shows a warning, because the certificate is not signed by a trusted certificate authority.
On the warning page, click Advanced and proceed to Your_server_IP_Address (unsafe). Depending on the browser, that exception is stored permanently or only for a while, after which the warning returns. For anything beyond a quick test, either import the certificate into the client's trust store or use a CA-signed one. It is also worth checking the endpoint from the command line with openssl s_client, which shows the negotiated protocol and the certificate actually served, independent of any browser cache.
Conclusion.
Nowadays, keeping your server secured is not optional, and that includes serving it over SSL/TLS. For internal or limited-use applications, though, buying a certificate from a trusted Certificate Authority is unnecessary, and a self-signed certificate is enough to get encrypted connections. This article has explained how to configure Nginx with an SSL certificate on Ubuntu and CentOS. Stay tuned and subscribe to DigitalVarys for more articles and study materials on DevOps, Agile, DevSecOps and App Development.
Experienced DevSecOps Practitioner, Tech Blogger, Expertise in Designing Solutions in Public and Private Cloud. Opensource Community Contributor.