How to configure nginx to use https


Nginx can be configured to use https to encrypt the traffic between the client and the server, using either a certificate purchased from a trusted CA (certificate authority), such as www.verisign.com, or a self-signed certificate. The main difference between a certificate from a trusted CA and a self-signed certificate is that web browsers display a warning message when a self-signed certificate is used. OpenSSL can be used to create the self-signed public certificate and private key.

In this example, a self-signed public certificate was created for freekb.net, and Chrome complains that the root certificate is not trusted, because the certificate is not in the trusted root certificate authorities store. This is the expected behavior of a self-signed certificate.


Inside the server block of the /etc/nginx/nginx.conf file, add the following, replacing www.example.com with your domain name.

server {
    listen              443 ssl;
    server_name         www.example.com;
    ssl_certificate     /etc/pki/tls/certs/www.example.com.crt;
    ssl_certificate_key /etc/pki/tls/private/www.example.com.key;
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers         HIGH:!aNULL:!MD5;
}


In the configuration above, ssl_protocols is set to TLSv1 TLSv1.1 TLSv1.2, so the connection is allowed as long as the browser is configured to use TLS 1.0, TLS 1.1, or TLS 1.2.


In the configuration above, ssl_ciphers is set to HIGH:!aNULL:!MD5, which offers the high-strength cipher suites while excluding suites with no authentication (aNULL) and suites that use MD5. If you would rather specify the ciphers yourself, you can use one or more of the following. Navigate to https://cc.dcsec.uni-hannover.de to determine the ciphers supported by the browser.

EECDH+ECDSA+AESGCM
EECDH+aRSA+AESGCM
EECDH+ECDSA+SHA384
EECDH+ECDSA+SHA256
EECDH+aRSA+SHA384
EECDH+aRSA+SHA256
EECDH+aRSA+RC4
EECDH
EDH+aRSA
RC4
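
As an added check that is not part of the original how-to, the following Python script parses the ssl_* directives from a server block like the one above and flags what a reviewer would want to look at: SSLv2/SSLv3 and TLS 1.0/1.1 in ssl_protocols (TLS 1.0 and 1.1 are deprecated by RFC 8996), RC4 and similar tokens in ssl_ciphers (RC4 is prohibited by RFC 7465), and a missing certificate or key directive. The embedded sample is this page's server block reproduced as a string; the one-directive-per-line parsing and the weak-token lists are this example's own assumptions, not nginx's.

```python
import re

# Constructed sample: the server block from this how-to, as a string.
SAMPLE_CONF = """server {
    listen              443 ssl;
    server_name         www.example.com;
    ssl_certificate     /etc/pki/tls/certs/www.example.com.crt;
    ssl_certificate_key /etc/pki/tls/private/www.example.com.key;
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers         HIGH:!aNULL:!MD5;
}
"""

# Protocol versions deprecated (TLS 1.0/1.1: RFC 8996) or broken (SSLv2/3), and
# OpenSSL cipher-string tokens that should never be offered (RC4: RFC 7465).
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_TOKENS = {"RC4", "DES", "3DES", "MD5", "NULL", "aNULL", "eNULL", "EXPORT"}

# Assumption: one "ssl_<name> <values>;" directive per line, as on this page.
DIRECTIVE_RE = re.compile(r"^\s*(ssl_\w+)\s+(.+?)\s*;\s*$", re.MULTILINE)

def parse_ssl_directives(conf: str) -> dict:
    """Map each ssl_* directive name to its whitespace-separated values."""
    return {name: value.split() for name, value in DIRECTIVE_RE.findall(conf)}

def audit_ssl(conf: str) -> list:
    """Return findings as strings; an empty list means nothing was flagged."""
    d = parse_ssl_directives(conf)
    findings = []
    for key in ("ssl_certificate", "ssl_certificate_key"):
        if key not in d:
            findings.append(f"missing {key}")
    for proto in d.get("ssl_protocols", []):
        if proto in WEAK_PROTOCOLS:
            findings.append(f"weak protocol offered: {proto}")
    # ssl_ciphers is one OpenSSL cipher string: ':'-separated entries, each a
    # '+'-joined set of tokens. A leading '!' removes the entry, so negated
    # entries such as !MD5 are exclusions, not weaknesses.
    for entry in ":".join(d.get("ssl_ciphers", [])).split(":"):
        if not entry or entry.startswith("!"):
            continue
        tokens = set(entry.lstrip("+-").split("+"))
        for tok in sorted(tokens & WEAK_CIPHER_TOKENS):
            findings.append(f"weak cipher token offered: {tok} (in {entry})")
    return findings

if __name__ == "__main__":
    for finding in audit_ssl(SAMPLE_CONF):
        print("FINDING:", finding)
```

Run against the page's block it reports the two deprecated protocol versions; run against a cipher string containing RC4 (as in the list above) it reports each entry that offers RC4.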


Restart nginx, and ensure nginx is active and running.

[root@server1 ~]# systemctl restart nginx
[root@server1 ~]# systemctl status nginx


Ensure iptables is configured to allow traffic on port 443. You should now be able to navigate to your site using https. The browser will complain that the site is not trusted; this is normal when using a self-signed certificate, and you can proceed to the site.
