Networking HowTos

Configure Nginx to use SSL certificates

January 21, 2013 Linux

Using SSL encryption is a great way to ensure that data travelling between a PC and a remote server is secure and can't be modified or viewed by third parties. This ‘how to’ guide will step you through the process of configuring an Nginx site to use SSL certificates.

This article assumes you already have a private key and public certificate ready to use.
Setting up the certificates:
You will use two files to set up an SSL site: a private key and a public certificate.
For this example, the private key will be called “domain.name.key”, and the public certificate will be called “domain.name.crt”. This naming convention is used so you know which domain the certificate and key are for. The SSL files will be stored under /etc/nginx/ssl and referenced in the config as being in “ssl/”, as this path is relative to “/etc/nginx/”. Make sure the location of your SSL certificates and keys is kept secure using appropriate file system permissions.
Create a folder to store the SSL certificates:

$ sudo mkdir /etc/nginx/ssl

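Ensure this location is secure. Mode 700 gives the owner full access and everyone else none; a directory also needs the execute bit set to be traversed, which 600 omits:

$ sudo chmod 700 /etc/nginx/ssl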

Copy files into the nginx ssl folder.

$ sudo cp domain.name.key /etc/nginx/ssl
$ sudo cp domain.name.crt /etc/nginx/ssl

Setting up Nginx:
Different versions of Nginx can handle setting up SSL differently, so I have listed the valid options available. Run “nginx -V” to find the version of Nginx that you are using.
Nginx version v0.8.21 or later
The configuration for Nginx v0.8.21 is basically the same as the one used since v0.7.14; however, it removes the need for the specific listening ip/port to be the default server. No “ssl on;” directive is required. Simply specifying ‘ssl’ as part of the listen directive will do the trick.
Example config:

server {
        listen 80;
        listen 443 ssl;
        server_name localhost;
        ssl_certificate ssl/domain.name.crt;
        ssl_certificate_key ssl/domain.name.key;
        location / {
                root /var/www/nginx-default;
                index index.html index.htm;
        }
}

Nginx version v0.7.14 or later, but before v0.8.21
Since v0.7.14 you have been able to use a single ‘server’ configuration that listens for both http and https connections. These versions also require the listening ip/port for SSL to be the default server. No “ssl on;” directive is required.
Example config:

server {
        listen 80;
        listen 443 default ssl;
        server_name localhost;
        ssl_certificate ssl/domain.name.crt;
        ssl_certificate_key ssl/domain.name.key;
        location / {
                root /var/www/nginx-default;
                index index.html index.htm;
        }
}

Nginx versions before v0.7.14
Before v0.7.14, you needed to have a separate ‘server’ set up in the Nginx site configuration for http and https servers.
The ‘ssl on;’ directive is used to tell nginx that the relevant ‘server’ section should listen for a connection using https/ssl.
Example site configuration file:

server {
        listen 80 default;
        server_name localhost;
        location / {
                root /var/www/nginx-default;
                index index.html index.htm;
        }
}
server {
        listen 443;
        server_name localhost;
        ssl on;
        ssl_certificate ssl/domain.name.crt;
        ssl_certificate_key ssl/domain.name.key;
        location / {
                root /var/www/nginx-default;
                index index.html index.htm;
        }
}

Reload Nginx:
Reload Nginx to read the updated configuration file, and make sure everything is correct:
Ubuntu/Debian:

$ sudo service nginx reload

or
CentOS/RHEL (as root)

# service nginx reload
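
The file permissions, the key/certificate pairing and the configuration syntax can all be checked in one pass before running the reload commands above. The script below is an added example, not part of the original article; the function names is_private, key_matches_cert and preflight are hypothetical, and it assumes the openssl command-line tool is installed.

```sh
#!/bin/sh
# Added example (not from the original article): pre-reload checks for the
# /etc/nginx/ssl layout used in this guide. Function names are hypothetical.

# is_private PATH
# Succeeds only when group and other have no permission bits on PATH.
# Reads the mode string from `ls -ld` (e.g. "drwx------"): characters 5-10
# are the group and other triplets. A missing path yields "" and fails.
is_private() {
    mode=$(ls -ld -- "$1" 2>/dev/null | cut -c5-10)
    [ "$mode" = "------" ]
}

# key_matches_cert KEY CRT
# Succeeds only when the public key derived from the private key is identical
# to the public key embedded in the certificate. Each openssl call is checked
# on its own, so two failed reads can never compare equal as empty strings.
key_matches_cert() {
    from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    from_crt=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$from_key" ] && [ "$from_key" = "$from_crt" ]
}

# preflight DIR NAME
# Runs every check, reports each failure, and only tests the Nginx
# configuration (nginx -t) when the files themselves are in order.
preflight() {
    dir=$1; name=$2; rc=0
    is_private "$dir" ||
        { echo "FAIL: $dir is accessible to group/other" >&2; rc=1; }
    is_private "$dir/$name.key" ||
        { echo "FAIL: $dir/$name.key is accessible to group/other" >&2; rc=1; }
    key_matches_cert "$dir/$name.key" "$dir/$name.crt" ||
        { echo "FAIL: $name.key does not match $name.crt" >&2; rc=1; }
    [ "$rc" -eq 0 ] && nginx -t
}

# Run the checks only when asked to, e.g.:
#   sudo sh preflight.sh /etc/nginx/ssl domain.name
if [ "$#" -eq 2 ]; then
    preflight "$1" "$2"
fi
```

Run it as root, since the private key is readable only by its owner; a non-zero exit status means the reload should not go ahead yet.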
