Nginx is the fastest web server when compared to Apache. In this post, we explain how to secure your website using an SSL certificate on Ubuntu 16.04.

Assumption:

  1. Ubuntu 16.04
  2. Nginx web server. If nginx is not installed, please follow the post to install nginx
  3. You must have the private key, certificate and intermediate CA (if the CSR was generated on your server, the private key must be stored on the same machine)

Install SSL Certificate.

This post assumes that nginx is installed in the /etc/nginx directory. If nginx is installed in a different directory, you may need to adjust the commands slightly. However, the process remains the same.

Let's create a directory to store the SSL certificate. We are creating the directory at /etc/nginx/ssl.

mkdir /etc/nginx/ssl

Copy the private key to the /etc/nginx/ssl directory.

cp /location/domain.tld.key /etc/nginx/ssl

Copy the certificate and intermediate CA to the server using WinSCP, FTP or any other method. In our example, we copied the SSL certificate to /usr/local/src using FileZilla.

Combine the certificate and intermediate CA into a single PEM file using the command below.

cd /usr/local/src

cat domain.tld.crt domain.tld.ca > /etc/nginx/ssl/domain.tld.pem

Open the nginx configuration and append the following line after ssl_prefer_server_ciphers on;

vi /etc/nginx/nginx.conf

ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;

Open the site configuration file and append the following lines. We assume that one domain is hosted on the server and that the default configuration is /etc/nginx/sites-enabled/default. If there are multiple domains, append the lines below to the configuration of the corresponding domain.

Most domain configurations are located in /etc/nginx/sites-enabled. If the installation path is different, select the appropriate path.

vi /etc/nginx/sites-enabled/default

server {
    # HTTPS listeners (IPv4 and IPv6) with HTTP/2
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;

    root /var/www/html;

    # Certificate bundle (certificate + intermediate CA) and private key
    ssl_certificate /etc/nginx/ssl/domain.tld.pem;
    ssl_certificate_key /etc/nginx/ssl/domain.tld.key;

    index index.php index.html index.htm;

    server_name _;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }
}

This is the minimum configuration required to install an SSL certificate.

Check for nginx syntax errors.

nginx -t

Once we confirm everything looks good, restart nginx service.

systemctl restart nginx
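Nothing in the steps above restricts who can read the private key or confirms that the bundle built with cat is usable, so a pre-flight check is worth running before nginx -t and the restart. The script below is an added example, not part of the original post; its function names are made up for illustration, and it assumes GNU stat and the openssl command-line tool.

```sh
#!/bin/sh
# Added example: pre-flight checks for the key and bundle built in this post.

# key_is_private FILE: succeed only if group and other have no permission bits.
key_is_private() {
    mode=$(stat -c '%a' "$1") || return 2      # GNU stat, as shipped on Ubuntu
    case "$mode" in *00) return 0 ;; *) return 1 ;; esac
}

# bundle_is_well_formed PEM: succeed if the file holds at least two certificates
# and cat did not fuse an END marker with the next BEGIN marker (this happens
# when domain.tld.crt has no trailing newline, and nginx then rejects the file).
bundle_is_well_formed() {
    if grep -q -e '-----END CERTIFICATE----------BEGIN' "$1"; then return 1; fi
    [ "$(grep -c -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null)" -ge 2 ]
}

# key_matches_bundle KEY PEM: succeed if the public key derived from KEY equals
# the public key of the FIRST certificate in PEM, the one nginx serves.
key_matches_bundle() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# preflight KEY PEM: run all three checks and print the first failure.
preflight() {
    key_is_private "$1" || { echo "FAIL: $1 is accessible to group/other (chmod 600)"; return 1; }
    bundle_is_well_formed "$2" || { echo "FAIL: $2 has no chain or fused PEM markers"; return 1; }
    key_matches_bundle "$1" "$2" || { echo "FAIL: first certificate in $2 does not match $1"; return 1; }
    echo "OK: key and bundle are consistent"
}

# Usage: sh preflight.sh /etc/nginx/ssl/domain.tld.key /etc/nginx/ssl/domain.tld.pem
if [ "$#" -eq 2 ]; then preflight "$1" "$2"; fi
```

A "first certificate does not match" failure usually means the files were concatenated in the wrong order (intermediate CA before the certificate) or the key belongs to a different CSR.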

Verification:

Use third-party websites to verify the SSL certificate.

https://www.ssllabs.com/ssltest/analyze.html?d=domain.tld&latest
