How to secure your nginx-powered website using SSL and secure ciphers

edited September 2014 in Proposed How-Tos

Introduction

SSL (stands for *Secure Sockets Layer*) and its successor, TLS (stands for *Transport Layer Security*) are cryptographic protocols to secure communication over the Internet. It can be used to create a secure connection to a website.

Intro

Make sure that nginx and openssl is installed on your server.
In this article, we'll demonstrate the progress by generate an self-signed SSL certificate.

Step 1:* Create a directory for the certificate and private key

We'll create a directory (and enter it) inside /etc/nginx (assuming that directory is nginx's config directory), by:
sudo mkdir /etc/nginx/ssl
cd /etc/nginx/ssl # we'll perform our next few steps in this dir

Step 2: Create private key and CSR

Let's start by creating the site's private key. (In this example, we'll use 4096-bit key for stronger security. Note that 2048-bit is also OK, but DO NOT USE 1024-BIT PRIVATE KEY!)
sudo openssl genrsa -out example.com.key 4096

Now, create a certificate signing request (CSR) for signing the cert.
(We'll use 512-bit SHA-2. Note the -sha512 option.)
sudo openssl req -new -key example.com.key -out example.com.csr -sha512
It will prompt a lists of fields that need to be filled in. Make sure "Common Name" is set to your domain name! Also, leave A challenge password and An optional company name blank.
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:CA
Locality Name (eg, city) []:LosAngeles
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example Inc
Organizational Unit Name (eg, section) []:Security
Common Name (e.g. server FQDN or YOUR name) []:*.example.com
Email Address []:webmaster@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Step 3: Sign your certificate

Almost done! Now we just have to sign it. Don't forgot to replace 365 (expiry after 365 days) to the number of days you prefer.
sudo openssl x509 -req -days 365 -in example.com.csr -signkey example.com.key -out example.com.crt -sha512

Now, we're done making a self-signed certificate.

Step 4: Set up

Open nginx's example SSL config file:
sudo nano /etc/nginx/conf.d/example_ssl.conf
Uncomment within the section under the line HTTPS Server. Match your config to the information below, replacing the example.com in the "server_name" line with your domain name or IP address. Also set your root dijrectory.
# HTTPS server

server {
listen 443 ssl spdy; # support SPDY
server_name example.com;

ssl_certificate /etc/nginx/ssl/example.com.crt;
ssl_certificate_key /etc/nginx/ssl/example.com.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ecdh_curve secp384r1;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4; # no RC4 and known insecure cipher
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
}

Then restart nginx.
service nginx restart
And visit `https://your.address.tld`. You should see your self-signed certificate on your site! (:

Comments

  • edited September 2014
    @mike @DaveA you should implement Markdown in your community by enable the plugin Button Bar.Never mind, HTML is supported.
    Also the theme you're currently using aren't your main site's style. Maybe you should try FlatVI http://vanillaforums.org/addon/flatvi-theme.
  • Nicely done, Jonathan!

    But as for the theme...

    Bleugh, 'FlatVI' looks a bit too 'Fischer Price' for me...

    The currrent theme fits the sites style in my opinion!
Sign In or Register to comment.