
How to Secure Nginx Websites using SSL/TLS on Ubuntu 17.04

SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are protocols for securing communications between two or more networked devices, services and websites. They are the most commonly used protocols for enabling secure communication between a web browser and a web server.

This brief tutorial is going to show you how to enable SSL/TLS on Nginx-powered websites to secure communications. When you follow the steps below, your sites will also be reachable over HTTPS.

To get started with enabling SSL/TLS configuration for Nginx, follow the steps below:

Step 1: Generate the Server Private Key and CSR

The first step in creating SSL/TLS certificates is to generate the server’s private key and CSR (Certificate Signing Request). The CSR is then used along with the site/server private key to generate the public certificate for the resource you’re securing.

First let’s create a folder to store your certificates and CSR.

sudo mkdir /etc/nginx/ssl
cd /etc/nginx/ssl

Then run the commands below to create the site or server private key. We’re going to be using a 4096-bit key for stronger security.

sudo openssl genrsa -out example.com.key 4096

Now that the site/server private key is generated, let’s continue below to generate the CSR. For this, we’re also going to sign the request with SHA-512, a digest from the SHA-2 family.

To generate the CSR, run the commands below.

sudo openssl req -new -key example.com.key -out example.com.csr -sha512

When you run the commands above, you’ll be prompted with a list of fields that you need to fill in. The Common Name field is the most important and should be the name of the website you’re protecting.

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Minnesota
Locality Name (eg, city) []:Brooklyn
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Personal Blog
Organizational Unit Name (eg, section) []:SSL Unit
Common Name (e.g. server FQDN or YOUR name) []:example.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:  DO NOT TYPE PASSWORD HERE, LEAVE BLANK
An optional company name []:

Now that the CSR is created, continue below to sign the certificate.

Step 2: Sign the Certificate

After generating the server/site private key and CSR, the last step is to sign a certificate using the server/site private key along with the CSR. For that, we’re going to be running the commands below to sign the certificate to be valid for 365 days. The certificate must therefore be renewed after a year.

sudo openssl x509 -req -days 365 -in example.com.csr -signkey example.com.key -out example.com.crt -sha512

After that, a new certificate called example.com.crt should be ready to use. Now all you have to do is specify the certificate files in the Nginx configuration.
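The two steps above run non-interactively with the same key size and digest, as an added example that is not part of the original post; it goes a little beyond the post by adding a subjectAltName extension (which the plain -signkey command does not) and by checking that the certificate and private key actually belong together before Nginx loads them. The hostname, DN values and scratch directory are assumptions.

```sh
#!/bin/sh
# Added example, not code from the original post. Runs Step 1 and Step 2
# non-interactively (-subj replaces the DN prompts), adds a subjectAltName
# extension, and checks that the resulting cert and key belong together.
set -eu

make_self_signed() {
    host="$1"; dir="$2"; days="${3:-365}"
    mkdir -p "$dir"
    # Step 1: 4096-bit private key and a SHA-512 signed CSR
    openssl genrsa -out "$dir/$host.key" 4096 2>/dev/null
    openssl req -new -sha512 -key "$dir/$host.key" -out "$dir/$host.csr" \
        -subj "/C=US/ST=Minnesota/L=Brooklyn/O=My Personal Blog/CN=$host"
    # Extensions for the certificate: SAN (browsers ignore CN on its own)
    # plus the key usages a TLS server certificate needs
    cat > "$dir/ext.cnf" <<EOF
subjectAltName = DNS:$host, DNS:www.$host
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    # Step 2: self-sign the CSR with the same private key, valid for $days days
    openssl x509 -req -sha512 -days "$days" -in "$dir/$host.csr" \
        -signkey "$dir/$host.key" -extfile "$dir/ext.cnf" \
        -out "$dir/$host.crt" 2>/dev/null
}

# Prints "match" when the public key inside the cert is the one derived from
# the private key, i.e. the ssl_certificate / ssl_certificate_key pair is sane
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    if [ "$cert_pub" = "$key_pub" ]; then echo match; else echo mismatch; fi
}

# Prints the SAN entries of a cert (empty when the extension is absent)
cert_san() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

# Succeeds only if the cert is still valid for at least $2 more seconds
cert_not_expiring() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Scratch directory (assumption); point dir at /etc/nginx/ssl for real use
WORK=$(mktemp -d)
make_self_signed example.com "$WORK"
echo "key/cert pair: $(key_matches_cert "$WORK/example.com.crt" "$WORK/example.com.key")"
echo "SAN: $(cert_san "$WORK/example.com.crt")"
```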

# HTTPS server

server {
    listen      443 ssl default_server;
    listen      [::]:443 ssl default_server;
    server_name example.com;

    # Certificate and private key generated in Step 1 and Step 2
    ssl_certificate     /etc/nginx/ssl/example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); drop them unless legacy clients still need them
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4;

    location / {
        root  /var/www/html;
        index index.html index.htm;
    }
}

Reload the Nginx web server and you’re done.

sudo systemctl reload nginx.service

Summary:

This post shows you how to generate a self-signed SSL/TLS certificate for websites on Ubuntu 17.04. This should also work on previous versions of Ubuntu and other Linux distributions.

When everything is set up as shown above, your site will be able to communicate over HTTPS as well as HTTP. To force all traffic to use HTTPS, you must add an HTTP-to-HTTPS redirect. Search this site for tutorials on setting up Nginx redirects.
