Getting SSL Enabled With Nginx

Securing yourself and the people that visit your website.


After setting up our mail server and enabling SSL, we decided that it would be best to do so with our primary website as well. SSL is the acronym for Secure Sockets Layer and is a technology used to encrypt the connections between a web server and a browser. You can tell if a website has SSL enabled by the link in your browser’s address bar: it’ll start with https://. Note the “s”, rather than the standard Hypertext Transfer Protocol (HTTP). The “s” stands for secure.

To get your SSL certificate working with Nginx, it only takes a couple of changes from what you currently have. Here it is, in its most simple form:

server {
	listen 80 default;
	server_name example.com www.example.com;
	# Send every plain-HTTP request to the https:// version of the site
	return 301 https://example.com$request_uri;
}

server {
	listen 443;

	root /var/www/example.com/public_html;
	index index.php index.html index.htm;

	server_name example.com;

	# Enable SSL for this server block (Nginx 1.15.0 and later deprecate
	# this directive in favour of "listen 443 ssl;")
	ssl on;
	# The certificate file holds the server certificate with the
	# intermediate certificate(s) appended; the private key stays private
	ssl_certificate /etc/ssl/certs/example.com_ssl_bundle.crt;
	ssl_certificate_key /etc/ssl/private/example.com_private.key;
}

The first server block listens on port 80 (on the IPv4 address) and answers for both example.com and www.example.com; every request to either name is permanently redirected (HTTP 301) to the https version of example.com, without the www. If you’d prefer using www, simply reflect that in the return line, but make sure the SSL certificate you have covers that name. The second server block listens on port 443, which is the default port for HTTP Secure (HTTPS). If you’re using www as your domain name, reflect that in server_name as well.

ssl on;

is how we enable SSL in Nginx. The next two lines point to the certificate and its private key; the files can be named anything you’d like. The extension .crt may also be .pem, depending on your certificate. Keep in mind that the _ssl_bundle.crt file was concatenated because Nginx has no separate directive for intermediate certificates: the chain has to live in the same file as the server certificate. Modern browsers can generally cope without an intermediate, but they then have to fetch the missing certificate themselves, which can significantly impact the load time of your website. So you should combine the primary and intermediate certs together:

cat example.com_ssl.crt example-intermediate.ca.pem > examplebundle.crt

The file names are not important, but the order is: your own certificate first, then the intermediate. If you get an error message like the one below after restarting Nginx, there was a problem when the two files were added together. This happens when there is no line break at the bottom of the first file, so the end of one certificate and the start of the next are merged onto a single line:

-----END CERTIFICATE----------BEGIN CERTIFICATE-----

Nginx then refuses to start:

# service nginx restart

Restarting nginx: nginx: [emerg] SSL_CTX_use_certificate_chain_file("/etc/ssl/certs/examplebundle.crt") failed (SSL: error:0906D066:PEM routines:PEM_read_bio:bad end line error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib)

Simply open the file and put the two markers on separate lines yourself:

-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
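As an added example (not from the original post), the following POSIX shell script does the concatenation in a way that cannot produce the merged line above, and then checks the bundle for exactly the defect Nginx trips over. The file names are the ones used in the post; the certificate contents are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Added example, not from the original post: build the Nginx bundle and
# catch the fused END/BEGIN line before nginx ever sees it. The PEM
# blocks below are constructed placeholders, not real certificates.

# Concatenate leaf and intermediate (in that order), adding a newline
# after any input whose last byte is not one, so markers never fuse.
bundle_certs() {
    out=$3
    : > "$out"
    for f in "$1" "$2"; do
        cat "$f" >> "$out"
        # $(tail -c1) expands to empty when the last byte is a newline
        [ -z "$(tail -c1 "$f")" ] || printf '\n' >> "$out"
    done
}

# Reject a bundle nginx would refuse with "bad end line": a fused
# END/BEGIN line, or a BEGIN count that differs from the END count.
check_bundle() {
    if grep -q -e '-----END CERTIFICATE----------BEGIN' "$1"; then
        echo "$1: no line break between certificates" >&2
        return 1
    fi
    begins=$(grep -c -e '^-----BEGIN CERTIFICATE-----$' "$1" || true)
    ends=$(grep -c -e '^-----END CERTIFICATE-----$' "$1" || true)
    if [ "$begins" -eq 0 ] || [ "$begins" -ne "$ends" ]; then
        echo "$1: $begins BEGIN but $ends END markers" >&2
        return 1
    fi
    return 0
}

# Constructed inputs: the leaf deliberately lacks a trailing newline,
# which is exactly the situation described in the post.
work=$(mktemp -d)
printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' LEAFDATA \
    '-----END CERTIFICATE-----' > "$work/example.com_ssl.crt"
printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' CADATA \
    '-----END CERTIFICATE-----' > "$work/example-intermediate.ca.pem"

# Plain cat reproduces the broken bundle from the post ...
cat "$work/example.com_ssl.crt" "$work/example-intermediate.ca.pem" > "$work/broken.crt"
# ... while bundle_certs yields one that passes the check.
bundle_certs "$work/example.com_ssl.crt" "$work/example-intermediate.ca.pem" \
    "$work/example.com_ssl_bundle.crt"
check_bundle "$work/broken.crt" || echo "broken.crt rejected, as expected"
check_bundle "$work/example.com_ssl_bundle.crt" && echo "bundle OK"
```

On a real server, follow the bundle step with nginx -t so a bad file is reported before Nginx is restarted against it.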

That’s all you’ll need to do to get your SSL set up in Nginx. If you don’t already have an SSL certificate, there are a few companies that offer trial or free versions if you don’t want to spend money just yet. There’s also the option of going with a self-signed certificate, but do note that those should only be used internally for your business, as browsers will show a large warning message if a certificate is self-signed. Using a self-signed certificate is not recommended for public websites, as they appear untrustworthy (whether they are or not). But if you’re wanting to encrypt data between yourself and your server, self-signed certs are just as viable as one issued by a certificate authority. They save a lot of money when used in-house within a company that knows the certs to be perfectly valid and reliable.

If you’re looking to test your SSL, a great tool can be found at https://www.ssllabs.com/. The SSL Configuration Checker there is an excellent tool to help you configure your SSL for the best combination of speed and security. Also read this guide to Nginx + SSL + SPDY for an in-depth and easy-to-understand overview.