Moving to HTTPS on Nginx: a cheat sheet
For the second time I have been handed the “put https on our server” task by my boss, so I decided to write a cheat sheet for myself, and at the same time for everyone else. So, the situation is as follows: the boss came to us and announced that he needs https. Under the cut I will describe 5 simple steps for getting it all done in literally an hour. Let's get started.
0. We send the boss to buy us a domain name if we don't have one yet; you cannot set up https without a domain name. After the purchase, don't forget to set the NS records in the control panel of our server, as well as the A record.
1. We send the boss to nic.ru for the SSL certificate and let him buy a thawte 123 certificate there; in the meantime we generate a CSR for him.
2. We log in to the server via SSH and run:
openssl genrsa -out private.key 2048
3. Create a CSR with this line:
openssl req -new -sha256 -key private.key -out csr.csr
and we fill in the requested information (company name, email and so on) from the whois record for the domain (why ask the boss again when you can look it all up yourself).
4. By now the boss has reached the stage where he needs the CSR we just created. We tell him to SSH into the server and run
cat csr.csr
then copy the output and paste it where the form asks for it.
5. Next the boss will ask us to confirm ownership of the domain by creating a mailbox such as admin@our-domain.com. For that we use the Yandex “mail for domains” service: create the mailbox there and give the boss the username and password.
6. Create a bundled PEM certificate. The boss has to forward us the letter from thawte containing our certificate in PEM format. We open Sublime Text, paste that certificate in, then download the intermediate certificate from the thawte website, paste it into the same file, and save it as /etc/nginx/certificate_bundled.crt. Attention! What the boss sent us comes first, and only after it the intermediate certificate we downloaded from that link.
7. Move the private key alongside it with the command
mv private.key /etc/nginx/private.key
8. Open the /etc/nginx/nginx.conf config and set it up according to the instructions in the publication “Configuring an HTTPS server on nginx”. In short, we need to add the following to the http section of /etc/nginx/nginx.conf:
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;
ssl_prefer_server_ciphers on;
ssl_stapling on;
resolver 8.8.8.8;
Then in /etc/nginx/conf.d/example_ssl.conf, in the server section:
server {
    listen 443 ssl;
    server_name www.site.ru;
    root /var/www/html/web/; # don't forget to set your own root here too, if it is something specific like mine
    index index.php index.html;
    set $yii_bootstrap "index.php";
    # a bit of config for yii, for those who use it
    location / {
        # Define the index
        index index.html $yii_bootstrap;
        try_files $uri $uri/ /$yii_bootstrap?$args;
    }
    # Any of the protected directories, we will ignore. There is no reason
    # to share out the protected web spaces
    location ~ ^/(commands|components|config|controllers|models|vendor|views) {
        deny all;
    }
    # avoid processing of calls to nonexistent static files by yii
    location ~ \.(js|css|png|jpg|gif|swf|ico|pdf|mov|fla|zip|rar)$ {
        try_files $uri =404;
    }
    .......
    keepalive_timeout 60;
    ssl_certificate certificate_bundled.crt;
    ssl_certificate_key private.key;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "RC4:HIGH:!aNULL:!MD5:!kEDH";
    add_header Strict-Transport-Security 'max-age=604800';
    .......
    location ~ \.php$ {
        .......
        fastcgi_param HTTPS on; # for php-fpm
        .......
    }
}
9. Remove the passphrase from the private key with the command:
openssl rsa -in /etc/nginx/private.key -out /etc/nginx/private.key
10. Reload nginx with the command
nginx -s reload
and voila!
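A pre-reload check for the bundle and key produced in steps 6, 7 and 9, as an added example that is not part of the original post. It assumes only the openssl command-line tool; the paths in the usage line are the ones the post uses, and the check_* function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: sanity checks to run before
# "nginx -s reload", covering the bundle from step 6, the key from step 7 and
# the passphrase removal from step 9. Needs only the openssl CLI.
set -u

# Step 6: the server certificate must come first, the intermediate second.
# Check that the first certificate's issuer is the second one's subject.
check_bundle_order() {
    tmp=$(mktemp -d) || return 1
    # split the PEM bundle into cert1.pem, cert2.pem, ... in order of appearance
    awk -v dir="$tmp" '/-----BEGIN CERTIFICATE-----/ {n++} {print > (dir "/cert" n ".pem")}' "$1"
    [ -f "$tmp/cert2.pem" ] || { rm -rf "$tmp"; return 1; }   # intermediate missing
    leaf_issuer=$(openssl x509 -in "$tmp/cert1.pem" -noout -issuer_hash 2>/dev/null)
    int_subject=$(openssl x509 -in "$tmp/cert2.pem" -noout -subject_hash 2>/dev/null)
    rm -rf "$tmp"
    [ -n "$leaf_issuer" ] && [ "$leaf_issuer" = "$int_subject" ]
}

# Step 7: the key placed next to the bundle must belong to the first (server)
# certificate. Compare the RSA moduli of both.
check_key_matches() {
    cert_mod=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null)
    key_mod=$(openssl rsa -in "$2" -noout -modulus -passin pass: 2>/dev/null)
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# Step 9: nginx must be able to load the key without a passphrase. A key that
# still has one fails to load with an empty password.
check_key_unencrypted() {
    openssl rsa -in "$1" -noout -passin pass: >/dev/null 2>&1
}

# Run all three checks on a bundle and key; exit status is non-zero if any fails.
check_all() {
    rc=0
    check_bundle_order "$1" && echo "bundle order: ok" || { echo "bundle order: WRONG, server cert must come first"; rc=1; }
    check_key_matches "$1" "$2" && echo "key matches cert: ok" || { echo "key matches cert: NO"; rc=1; }
    check_key_unencrypted "$2" && echo "key has no passphrase: ok" || { echo "key still encrypted: redo step 9"; rc=1; }
    return $rc
}

# Usage: sh checks.sh /etc/nginx/certificate_bundled.crt /etc/nginx/private.key
if [ $# -eq 2 ]; then check_all "$1" "$2"; fi
```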