Setting up Secured Nginx Webserver with SSL & TSL

SSL stands for Secure Sockets Layer. It provides a secure connection between internet browsers and websites/webserver, allowing you to transmit private data securely online. We can install SSL certificate to webserver, website, mail server, dns server, etc..,

SSL transfer sensitive information securely such as credit card payment, net-banking and other login credentials. By default data sent between browsers and web servers as plain text which leads to gain the information by attackers/hackers. If we using SSL which will transfer the data between browsers and web servers securely with encrypted format based on certificate encryption such as 128-bit, 512-bit & 1024-bit and nobody can read it.

Lot of SSL providers available in market like Verisign, symantec, geotrust, thawte, Comodo & RapidSSL and here i’m going to explain how to generate & install self-signed SSL certificate with apache in Linux environment.

1) Install Nginx

Make sure you should have installed LEMP Setup before proceeding SSL installation. Use the below commands to install Nginx web server in Linux Distro and no need to enable any specific module for SSL because while installing Nginx it will load all necessary modules by default. For RHEL/CentOS system you should enable EPEL repository to get Nginx package because its not included in their official repository.

# Install Nginx Ubuntu/Debian/LinuxMint system #
$ sudo apt-get install nginx

# For RHEL/CentOS/Fedora 21 and older systems #
$ sudo yum install nginx

# For Fedora 22 and later systems #
$ sudo dnf install nginx

2) Create a Self-Signed SSL Certificate

Create ssl directory under Nginx directory to put certificate files.

# Create SSL directory #
$ sudo mkdir /etc/nginx/ssl

# Generate key & certificate #
$ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.crt
Generating a 2048 bit RSA private key
.......................................................................................+++
.............................................................................................................................................+++
writing new private key to '/etc/httpd/ssl/nginx.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:Tamil Nadu
Locality Name (eg, city) []:Chennai
Organization Name (eg, company) [Internet Widgits Pty Ltd]:2daygeek
Organizational Unit Name (eg, section) []:Linux Geek
Common Name (e.g. server FQDN or YOUR name) []:2daygeek.com
Email Address []:[email protected]

3) Configure Nginx to Use SSL

We have certificate and key, It’s time to configure Nginx to use SSL by placing the files into virtual host file.

Open default-ssl.conf file in Ubuntu/Debian/LinuxMint system and modify the below two lines based on our certificate location.

$ sudo nano /etc/apache2/sites-available/default-ssl.conf
listen 443 ssl;
server_name your_domain.com;
ssl_certificate /etc/nginx/ssl/nginx.crt;
ssl_certificate_key /etc/nginx/ssl/nginx.key;

Opent ssl.conf file in RHEL/Fedora/CentOS system and modify the below two lines based on our certificate location.

$ sudo nano /etc/httpd/conf.d/ssl.conf
ServerAdmin [email protected]
listen       443;
server_name example.com;
ssl on;
ssl_certificate /etc/nginx/ssl/server.crt;
ssl_certificate_key /etc/nginx/ssl/server.key;

Enable SSL Virtual host for Ubuntu/Debian/LinuxMint system.

$ sudo a2ensite default-ssl.conf

After SSL module enabled, you have to restart the web server to take the changes effect.

# For RHEL/CentOS/Fedora sysvinit systems #
$ sudo service httpd restart

# For RHEL/CentOS 7 & Fedora systems #
$ sudo systemctl restart httpd.service

# For Ubuntu/Debian/LinuxMint sysvinit systems #
$ sudo service apache2 restart

# For Ubuntu/Debian/LinuxMint systemd systems #
$ sudo systemctl restart apache2.service

4) Test your SSL & TLS Version

Use the below commands to check your SSL & TLS Version.

# Testing your SSL & TLS Version #
$ openssl s_client -connect localhost:443
CONNECTED(00000003)
depth=0 C = IN, ST = Tamil Nadu, L = Chennai, O = 2daygeek, OU = Linux Geek, CN = daygeek, emailAddress = [email protected]
verify error:num=18:self signed certificate
verify return:1
depth=0 C = IN, ST = Tamil Nadu, L = Chennai, O = 2daygeek, OU = Linux Geek, CN = daygeek, emailAddress = [email protected]
verify return:1
---
Certificate chain
 0 s:/C=IN/ST=Tamil Nadu/L=Chennai/O=2daygeek/OU=Linux Geek/CN=daygeek/[email protected]
   i:/C=IN/ST=Tamil Nadu/L=Chennai/O=2daygeek/OU=Linux Geek/CN=daygeek/[email protected]
---
Server certificate
-----BEGIN CERTIFICATE-----
MIID9zCCAt+gAwIBAgIJAOB4xC8Ph0gFMA0GCSqGSIb3DQEBCwUAMIGRMQswCQYD
.
.
/MSw9ojwo+NY3fpZff48/O3a8/pdVXkeoIZ7u9bsFmVh5souQNH0Q5lGGnQ1UTyL
4PUmPzk2PHb7pPw=
-----END CERTIFICATE-----
subject=/C=IN/ST=Tamil Nadu/L=Chennai/O=2daygeek/OU=Linux Geek/CN=daygeek/[email protected]
issuer=/C=IN/ST=Tamil Nadu/L=Chennai/O=2daygeek/OU=Linux Geek/CN=daygeek/[email protected]
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1694 bytes and written 441 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 3C21A06CB9553B0A647DAB07346B3ED827D3C6A370A366A800C86C432C183CB6
    Session-ID-ctx: 
    Master-Key: 0D22759036E15AB05047544114243C2F70350867DDE3A85C968928AAB2B62EC4D2B959F4081341F49226BE15BBC9D585
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - d9 ad 1e 47 e8 60 04 5f-c2 5b a1 63 29 80 a1 b9   ...G.`._.[.c)...
    0010 - 0f e7 0c 91 0d 18 2e b1-2c 13 99 b4 10 0d 9a 23   ........,......#
    0020 - f0 a7 53 c1 82 1c 7c ed-6a 22 1b f4 b9 b9 db b4   ..S...|.j"......
    0030 - e1 ad 8a 0a 8f 19 32 83-59 f8 ce 5c dd 11 e1 f6   ......2.Y..\....
    0040 - e9 60 a0 bf 90 ee 9d 88-4b 12 33 d2 be b2 1c 52   .`......K.3....R
    0050 - df 1d 78 32 bd bf 4f 04-ba 75 57 9d e2 25 0f bf   ..x2..O..uW..%..
    0060 - cd 81 bb 50 82 79 12 86-72 0a 78 2c 6c eb 8d a3   ...P.y..r.x,l...
    0070 - be 37 4b 0f f0 0d 9b 75-50 95 c9 e0 8c 8d d0 65   .7K....uP......e
    0080 - 53 0f e4 d8 94 ea 56 27-90 4b ab eb 45 82 85 1c   S.....V'.K..E...
    0090 - 99 db 46 5c 9e 76 6e 82-4d 4b cc 46 7e 1e f2 48   ..F\.vn.MK.F~..H
    00a0 - b8 83 96 47 bc 94 1d fd-d3 51 de cf c1 5f 8e d3   ...G.....Q..._..

    Start Time: 1451100191
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
closed

5) Test your Setup

generate-install-ssl-on-nginx-webserver-1
generate-install-ssl-on-nginx-webserver-2

You have successfully installed, enabled & configured SSL with Nginx, it’s time to check our new setup by navigating the web browser to to https://localhost/ or https://your-server-ip-address/ or https://127.0.0.1/

  • Firefox User: Expand I Understand the Risks >> Click Add Exception >> Click Confirm Security Exception.
  • Chrome User: Click Proceed anyway button.

That’s it, keep rocking to secure your website with SSL enabled.

Leave a Reply

Your email address will not be published. Required fields are marked *