How to Configure Nginx with SSL Certificate in Ubuntu and CentOS


The Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the popular security protocols used for securing websites running on web servers. If you use these protocols on your servers, data transferred between servers or to end users is protected against traffic interception. Some applications are required to have this security layer. But configuring a self-signed SSL certificate is always challenging. In this article, we discuss how to configure Nginx with an SSL certificate in Ubuntu and CentOS.

Installing Nginx

Before proceeding to Configure Nginx with SSL Certificate in Ubuntu and CentOS, let’s discuss how to install Nginx first.

On Ubuntu:

Run the following commands

sudo apt-get update
sudo apt-get install nginx
sudo systemctl start nginx

On CentOS:

Run the following commands

sudo yum install epel-release
sudo yum install nginx
sudo systemctl start nginx

These commands update the package lists required for Nginx and install Nginx with its default settings. For now, this is enough to configure SSL on your web server. Next, let's create an SSL certificate using OpenSSL.

Creating SSL Certificate using OpenSSL

Before getting into the configuration, let's have a basic understanding of how SSL/TLS works. Both SSL and TLS rely on a public key and private key mechanism. This means the SSL key, which is the private key, is stored on the server side and remains private and secured.

Figure: How SSL/TLS public key and private key work

The SSL certificate, which contains the public key, is shared with the client and held by the browser. This ensures the data transmission between server and client is encrypted, and decryption is possible only with the private key that stays on the server.

As the name goes, the SSL certificate should be signed with the private key. Ideally, certificates are signed by a trusted Certificate Authority (CA), and you can buy certificates from any such CA.

Alternatively, we can create our own certificate signed with our own private key, called a self-signed certificate. Using the OpenSSL tool, we can create one in a single command:

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-self-signed.key -out /etc/ssl/certs/nginx-self-signed.crt

In this command,

  • req – the subcommand for creating X.509 certificate signing requests and certificates
  • -x509 – outputs a self-signed certificate instead of a certificate signing request
  • -nodes – skips protecting the private key with a passphrase, so Nginx can read it at startup without prompting
  • -days – sets the validity period of the certificate; here it is 365 days
  • -newkey – creates a new private key with the given algorithm and key size; here it is rsa:2048
  • -keyout – the location where the private key will be stored
  • -out – the location of the created certificate

When you run the above command, it prompts you to fill in the following fields manually.

Country Name (2 letter code) [AU]:India
State or Province Name (full name) [Some-State]:karnataka
Locality Name (eg, city) []:Bangalore
Organization Name (eg, company) [Internet Widgits Pty Ltd]:DigitalVarys.
Organizational Unit Name (eg, section) []:Computer science
Common Name (e.g. server FQDN or YOUR name) []:Your_server_IP_Address
Email Address []:your_mail@domain.com

Once the above prompts are answered, both the key and the certificate are stored in the locations given above. Note that current browsers match the server name or IP address against the certificate's Subject Alternative Name (SAN) field rather than the Common Name alone, so a certificate that carries only a Common Name may still be rejected by them.

Because the cipher list configured later includes DHE ciphers, it is mandatory to create a strong Diffie-Hellman group for the server by running the following command.

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

This creates the DH parameter file used for DHE key exchange, which provides forward secrecy.
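As an added example, not from the article, the script below wraps the same openssl req call but supplies the subject non-interactively and adds a subjectAltName (current browsers match the SAN rather than the Common Name), then checks that the key and certificate belong together and that the key file is readable only by its owner. It assumes OpenSSL 1.1.1 or newer (for -addext); the IP 203.0.113.10 and the host name nginx.internal are placeholders.

```shell
#!/bin/sh
# Added example, not from the article: self-signed certificate with a SAN,
# owner-only key file, and a key/certificate consistency check.
# Assumes OpenSSL >= 1.1.1; 203.0.113.10 and nginx.internal are placeholders.
set -eu

# gen_self_signed KEY CRT DAYS CN SAN
#   SAN is an openssl subjectAltName list, e.g. "IP:203.0.113.10,DNS:nginx.internal"
gen_self_signed() {
  openssl req -x509 -nodes -days "$3" -newkey rsa:2048 \
    -keyout "$1" -out "$2" \
    -subj "/C=IN/ST=Karnataka/L=Bangalore/O=Example/CN=$4" \
    -addext "subjectAltName=$5"
  chmod 600 "$1"   # the private key must never be group- or world-readable
}

# cert_san CRT -> prints the certificate's Subject Alternative Name entries
cert_san() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^[[:space:]]*//'
}

# key_matches_cert KEY CRT -> succeeds when both carry the same public key
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout -outform DER | openssl sha256)
  c=$(openssl x509 -in "$2" -noout -pubkey \
        | openssl pkey -pubin -pubout -outform DER | openssl sha256)
  [ "$k" = "$c" ]
}

# key_is_private KEY -> succeeds when only the owner can read the key file
key_is_private() {
  [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Dry run into a temporary directory; on a real host use the article's paths
# /etc/ssl/private/nginx-self-signed.key and /etc/ssl/certs/nginx-self-signed.crt.
if command -v openssl >/dev/null 2>&1; then
  tmp=$(mktemp -d)
  gen_self_signed "$tmp/nginx-self-signed.key" "$tmp/nginx-self-signed.crt" 365 \
    203.0.113.10 "IP:203.0.113.10,DNS:nginx.internal"
  echo "SAN: $(cert_san "$tmp/nginx-self-signed.crt")"
  if key_matches_cert "$tmp/nginx-self-signed.key" "$tmp/nginx-self-signed.crt" \
     && key_is_private "$tmp/nginx-self-signed.key"; then
    echo "key and certificate match; key file is owner-only"
  fi
  rm -rf "$tmp"
fi
```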

Configure Nginx with SSL

In Nginx, most of the configuration is done in custom snippets that are included from the server block. So we need to do three things:

  1. Create a custom snippet for the SSL key and certificate
  2. Create a custom snippet for strong SSL settings
  3. Change the Nginx server configuration to use SSL

Custom snippet for SSL key and Certificate

Create a configuration file in the Nginx snippets folder as follows.

sudo nano /etc/nginx/snippets/self-signed.conf

In this file, just reference the certificate file and key file generated with OpenSSL earlier.

ssl_certificate /etc/ssl/certs/nginx-self-signed.crt;
ssl_certificate_key /etc/ssl/private/nginx-self-signed.key;

Then save this file.

Custom snippet for Strong SSL certificate

This snippet hardens Nginx with additional TLS settings. To add it, open the following file in the Nginx snippets folder.

sudo nano /etc/nginx/snippets/ssl-params.conf

There are many recommended cipher configurations for Nginx. Based on those, add the following lines to the file.

ssl_protocols TLSv1.3; # Requires nginx >= 1.13.0 and OpenSSL 1.1.1; otherwise use TLSv1.2
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/certs/dhparam.pem; # the file created by the dhparam command above
ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling on; # Requires nginx >= 1.3.7; ignored with a warning for a self-signed certificate, which has no OCSP responder
ssl_stapling_verify on; # Requires nginx >= 1.3.7
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";

Once the above lines are added, save and close the file.
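As an added example, not from the article, this shell audit reads a snippet like ssl-params.conf and flags legacy protocol versions, an ssl_dhparam path that does not exist on disk, and session tickets left on. The constructed snippet inside it reproduces the directory mix-up between /etc/ssl/cert/ and /etc/ssl/certs/ that is easy to make in this step.

```shell
#!/bin/sh
# Added example, not from the article: audit an nginx TLS snippet such as
# /etc/nginx/snippets/ssl-params.conf for settings that weaken or break the setup.
# Only sed and grep are used, so it runs on any host.
set -u

# directive_value FILE NAME -> prints the value of the first NAME directive in FILE
# (a trailing "# comment" on the same line is ignored, as nginx does)
directive_value() {
  sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\([^;]*\);.*/\1/p" "$1" | head -n 1
}

# audit_ssl_snippet FILE -> prints one finding per line; returns 1 if any were found
audit_ssl_snippet() {
  f=$1; rc=0
  protos=$(directive_value "$f" ssl_protocols)
  case " $protos " in
    *" SSLv3 "*|*" TLSv1 "*|*" TLSv1.1 "*)
      echo "WEAK: ssl_protocols enables legacy versions: $protos"; rc=1 ;;
  esac
  dh=$(directive_value "$f" ssl_dhparam)
  if [ -n "$dh" ] && [ ! -r "$dh" ]; then
    echo "ERROR: ssl_dhparam points at $dh, which does not exist (nginx will refuse to start)"; rc=1
  fi
  if [ "$(directive_value "$f" ssl_session_tickets)" != "off" ]; then
    echo "WARN: ssl_session_tickets is not off; nginx never rotates its ticket key by default"; rc=1
  fi
  return $rc
}

# Constructed snippet for a dry run: it carries the /etc/ssl/cert/ vs
# /etc/ssl/certs/ path mismatch and an outdated ssl_protocols line.
tmp=$(mktemp -d)
cat >"$tmp/ssl-params.conf" <<'EOF'
ssl_protocols TLSv1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/cert/dhparam.pem;   # should be /etc/ssl/certs/dhparam.pem
ssl_session_tickets on;
EOF
if audit_ssl_snippet "$tmp/ssl-params.conf"; then
  echo "no findings"
else
  echo "fix the findings above before restarting nginx"
fi
rm -rf "$tmp"
```

Run it against /etc/nginx/snippets/ssl-params.conf before restarting Nginx; sudo nginx -t then validates the whole configuration.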

Change Nginx Server configuration to use SSL

Now configure the Nginx server block. On Ubuntu, open the default server configuration file of Nginx.

sudo nano /etc/nginx/sites-available/default

Then update the default server block as shown here; the rest of the block stays as it is. CentOS packages do not ship a sites-available directory: there the server block lives in /etc/nginx/nginx.conf or in a file under /etc/nginx/conf.d/, and the same changes apply.

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;

    server_name server_domain_or_IP;
    include snippets/self-signed.conf;
    include snippets/ssl-params.conf;
.
.
.

Then save and close the file.

Firewall Setting

Now change the firewall settings to allow SSL connections. On Ubuntu, we use the ufw tool to update the firewall (CentOS uses firewalld instead, where the https service has to be allowed in the same way).

Run the following command to list the available applications

sudo ufw app list

It will list the applications as follows.

Available applications:
  Nginx Full
  Nginx HTTP
  Nginx HTTPS
  OpenSSH

If you see the above, Nginx is installed properly on your instance. Now delete the existing HTTP rule and add the Full profile to the firewall configuration by entering the following commands one by one.

sudo ufw delete allow 'Nginx HTTP'
sudo ufw allow 'Nginx Full'

Then, if you check the status by entering the following command,

sudo ufw status

it will show output like this:

Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Nginx Full                 ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Nginx Full (v6)            ALLOW       Anywhere (v6)

That’s it. Firewall configurations are done.

Wrap up and verification

Once all the above configurations are done, restart Nginx by running the following command.

sudo systemctl restart nginx

If there is any syntax error, it will show in the output; in that case, make sure you have followed the steps correctly.

Then, to verify the SSL configuration, open your server IP address in a browser over https, like this:

https://Your_server_IP_Address

The browser will show a warning, because the certificate is not signed by a trusted certificate authority.

On the warning page, click Advanced and proceed to Your_server_IP_Address (unsafe). This is a one-time step: the browser stores the exception for this certificate, and the next time it will not prompt or warn you about it.

Conclusion

Nowadays, keeping your server secured is mandatory, so adding SSL/TLS to your server is mandatory too. But for internal or limited-usage applications, buying certificates from a trusted Certificate Authority is unnecessary; for those, we can use a self-signed certificate for SSL connections. This article explained how to configure Nginx with an SSL certificate in Ubuntu and CentOS. Stay tuned and subscribe to DigitalVarys for more articles and study materials on DevOps, Agile, DevSecOps and App Development.
