In this post we will see how to setup HTTPS in ubuntu with Nginx. HTTPS is protocol which works on port 443. Generally our website is served on port 80 i.e HTTP which is not a secure protocol to be used for transferring confidential information like passwords, account number etc.
Information transferred through HTTPS is encrypted and secure. To make use of HTTPS protocol we need to setup SSL certificate on the server which could be a self signed one or one purchased from different authorities like digicert, geotrust, godaddy, thawte etc.
If we buy a certificate than it costs us something per year which differ from company to company from whom we are buying. The advantage of buying is that our users don't see a page saying this website is not trusted, which might result into loosing our customer.
The advantage of using self signed certificate is that we don't incur any cost but the disadvantage is that our users see a page to accept the certificate saying that this is not a trusted website, which would result in loosing our customer.
So choosing, which one to use depends on our need. In this post we are gonna see how to create and use a self signed certificate.
SSH into your machine
First update the cache and install nginx
Create SSL certificate
First create a ssl directory in /etc/nginx/
Now we will create our own ssl certiifcate
The above command will result into asking few question which are as follows.
Now we will be having two file "nginx.key" and "nginx.crt" in /etc/nginx/ssl/ directory.
You can check the existence of these file by the following command.
Following are the option that can be specified in the command to create a SSL certificate
Configuring Nginx
Nginx by default listen to port 80 and have the following default configuration.
Information transferred through HTTPS is encrypted and secure. To make use of HTTPS protocol we need to setup SSL certificate on the server which could be a self signed one or one purchased from different authorities like digicert, geotrust, godaddy, thawte etc.
If we buy a certificate than it costs us something per year which differ from company to company from whom we are buying. The advantage of buying is that our users don't see a page saying this website is not trusted, which might result into loosing our customer.
The advantage of using self signed certificate is that we don't incur any cost but the disadvantage is that our users see a page to accept the certificate saying that this is not a trusted website, which would result in loosing our customer.
So choosing, which one to use depends on our need. In this post we are gonna see how to create and use a self signed certificate.
SSH into your machine
First update the cache and install nginx
sudo apt-get update sudo apt-get install nginx
Create SSL certificate
First create a ssl directory in /etc/nginx/
sudo mkdir /etc/nginx/ssl
Now we will create our own ssl certiifcate
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.crt
The above command will result into asking few question which are as follows.
Country Name (2 letter code) [AU]:IN State or Province Name (full name) [Some-State]:Madhya Pradesh Locality Name (eg, city) []:Indore Organization Name (eg, company) [Internet Widgits Pty Ltd]:ABC corp Pvt Ltd Organizational Unit Name (eg, section) []:xyz Common Name (e.g. server FQDN or YOUR name) []:your_domain.com Email Address []:admin@your_domain.com
Now we will be having two file "nginx.key" and "nginx.crt" in /etc/nginx/ssl/ directory.
You can check the existence of these file by the following command.
ls /etc/nginx/ssl/
Following are the option that can be specified in the command to create a SSL certificate
- openssl: This is the basic command for creating and managing OpenSSL certificates
- req: This sub-command specifies that we want to use X.509 certificate signing request (CSR) management. The "X.509" is a public key infrastructure standard that SSL and TLS adheres to for its key and certificate management. We want to create a new X.509 cert, so we are using this sub-command.
- -x509: This modifies the previous sub-command by telling the utility that we want to make a self-signed certificate instead of generating a certificate signing request, as would normally happen.
- -nodes: This tells OpenSSL to skip the option to secure our certificate with a passphrase. We need Nginx to be able to read the file, without user intervention, when the server starts up. A passphrase would prevent this from happening because we would have to enter it after every restart.
- -days 365: This option sets the length of time that the certificate will be considered valid. We set it for one year here.
- -newkey rsa:2048: This specifies that we want to
generate a new certificate and a new key at the same time. We did not
create the key that is required to sign the certificate in a previous
step, so we need to create it along with the certificate. The
rsa:2048portion tells it to make an RSA key that is 2048 bits long. - -keyout: This line tells OpenSSL where to place the generated private key file that we are creating.
- -out: This tells OpenSSL where to place the certificate that we are creating.
Configuring Nginx
Nginx by default listen to port 80 and have the following default configuration.
server { listen 80 default_server; listen [::]:80 default_server ipv6only=on; root /usr/share/nginx/html; index index.html index.htm; server_name your_domain.com; location / { try_files $uri $uri/ =404; } }
The https protocol works on port 443, hence we need to tell nginx to listen to port 443 using the ssl certificate we have generated. Thus we need to provide the path of certificate as well as the key file we have generated.
So change the configuration by the following configuration.
server { listen 80 default_server; listen [::]:80 default_server ipv6only=on; listen 443 ssl; root /usr/share/nginx/html; index index.html index.htm; server_name your_domain.com; ssl_certificate /etc/nginx/ssl/nginx.crt; ssl_certificate_key /etc/nginx/ssl/nginx.key; location / { try_files $uri $uri/ =404; } }
We are done with the configuration. Now restart the nginx.
sudo service nginx restart
Now hit the IP or domain on browser with http
http://X.X.X.X
It will show the default nginx page
Now if we hit the IP or domain with https
https://X.X.X.X
It shows a page to accept the certificate as it is not from a trusted certificate authority because we have created a self signed certificate. Hence after accepting it we would be able to communicate with our server over https protocol.
0 comments:
Post a Comment