
Moving to HTTPS on Nginx: cheat sheet

This is the second time my boss has come to me with "put HTTPS on our server", so I decided to write a cheat sheet for myself and, at the same time, for everyone else. The situation: the boss came by and said he needs HTTPS. Below are the steps for doing it in literally an hour. Let's get started.

0. Send the boss to buy a domain name if we don't have one yet: you cannot get a publicly trusted certificate, and therefore HTTPS, without one. After the purchase, don't forget to point the domain's NS records at the name servers we use and to create an A record for the host (www.site.ru in the examples below) that points at the server's IP address. Nothing below works until the name resolves to our server.

1. Send the boss to nic.ru to order an SSL certificate (a thawte 123 one, i.e. SSL123, which is domain-validated and therefore quick to issue); while he is busy with that, we generate the CSR for him.

2. SSH to the server and generate the private key (2048-bit RSA is the minimum CAs accept; the key is written unencrypted, which is what nginx needs to start unattended):
openssl genrsa -out private.key 2048

3. Create the CSR from that key:
 openssl req -new -sha256 -key private.key -out csr.csr
Answer the prompts: the Common Name must be the exact hostname the certificate is for (www.site.ru), and the rest (country, company name, email) can be taken from the domain's whois record (why ask the boss again when you can look everything up yourself). The optional challenge password can be left empty.

4. By now the boss has reached the part of the order form that asks for the CSR. Tell him to SSH to the server and run
 cat csr.csr
then copy the whole block, from -----BEGIN CERTIFICATE REQUEST----- to -----END CERTIFICATE REQUEST----- inclusive, and paste it where the form asks for it.

5. Next the boss will ask us to confirm ownership of the domain: the CA sends a confirmation email to an address such as admin@our-domain.com (only a few standard administrative addresses are accepted). For this we use the "Mail for Domains" service from Yandex: create the mailbox there (the domain's MX records have to point at Yandex for mail to arrive) and give the boss the login and password.

6. Build the bundled PEM certificate. The boss forwards us the email from thawte containing our certificate in PEM format. Open Sublime Text (any editor will do), paste that certificate in, then download the intermediate certificate from the thawte website, paste it into the same file below ours, and save the result as /etc/nginx/certificate_bundled.crt. Attention! The order matters: first the certificate the boss sent us (the server certificate), only then the intermediate we downloaded. nginx serves the first certificate in the file as the server certificate and the rest as the chain; with the order reversed, clients are shown the CA's certificate instead of one for www.site.ru.

7. Move the private key next to it with
 mv private.key /etc/nginx/private.key
and make sure only root can read the file: anyone who can read the key can impersonate the site.


8. Open /etc/nginx/nginx.conf and configure it following the publication "Set up an HTTPS server on nginx". In short, in the http section of /etc/nginx/nginx.conf we add:
  ssl_session_cache shared:SSL:10m;
  ssl_session_timeout 5m;
  ssl_prefer_server_ciphers on;
  ssl_stapling on;
  resolver 8.8.8.8;
With ssl_stapling on, nginx fetches the OCSP response for our certificate and attaches it to the handshake; that is why it needs a resolver (to reach the CA's OCSP server) and the intermediate from the bundle in step 6 (to know the issuer). If you also want nginx to verify the response it fetched, enable ssl_stapling_verify and point ssl_trusted_certificate at the intermediate and root certificates.

Then in /etc/nginx/conf.d/example_ssl.conf, the server section. The original post enabled SSLv3 and TLS 1.0/1.1 and put RC4 first in the cipher list, with an HSTS max-age of one week; SSLv3 and RC4 are broken and TLS 1.0/1.1 are deprecated, so the protocol, cipher and HSTS lines below are the corrected ones (TLSv1.3 needs nginx 1.13.0+ built against OpenSSL 1.1.1+; drop it from the list on older builds):

 server {
     listen 443 ssl;
     server_name www.site.ru;
     root /var/www/html/web/;          # document root of the site
     index index.php index.html;
     set $yii_bootstrap "index.php";   # Yii-specific, can be omitted for other apps

     location / {
         # Define the index
         index index.html $yii_bootstrap;
         try_files $uri $uri/ /$yii_bootstrap?$args;
     }

     # Any of the protected directories, we will ignore. There is no reason
     # to share out the protected web spaces
     location ~ ^/(commands|components|config|controllers|models|vendor|views) {
         deny all;
     }

     # avoid processing of calls to unexisting static files by yii
     location ~ \.(js|css|png|jpg|gif|swf|ico|pdf|mov|fla|zip|rar)$ {
         try_files $uri =404;
     }
     .......
     keepalive_timeout 60;

     ssl_certificate certificate_bundled.crt;   # relative paths resolve against the nginx prefix, /etc/nginx here
     ssl_certificate_key private.key;
     ssl_protocols TLSv1.2 TLSv1.3;
     ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
     add_header Strict-Transport-Security 'max-age=15552000' always;
     .......
     location ~ \.php$ {
         .......
         fastcgi_param HTTPS on;   # tell php-fpm the request came over HTTPS
         .......
     }
 }


9. If the key was generated with a passphrase (the one from step 2 was not, so this is a no-op for us), strip it, because nginx cannot type the passphrase in at start-up. The command prompts for the current passphrase and writes the key back unencrypted:
 openssl rsa -in /etc/nginx/private.key -out /etc/nginx/private.key


10. Reload nginx (a reload re-reads the config without dropping connections; run the syntax check first, because with a broken config the reload is refused and the old config keeps running):
 nginx -s reload
and voila!
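As an added example (not code from the original post), here is the whole procedure as a checked shell script. It generates the key and CSR as in steps 2 and 3, stands in for the CA with a throw-away self-signed "intermediate" so that it runs offline, builds the bundle in the order step 6 requires, and then verifies what you want to know before reloading: that the key and the certificate belong together, that the bundle has the server certificate first, that the installed key is not group- or world-readable, and that the server block contains none of the weak settings from the 2015 version of this cheat sheet (SSLv3, TLS 1.0/1.1, RC4, a one-week HSTS). The domain www.site.ru, the scratch paths, the demo CA and the two sample nginx snippets are constructed for the example; the syntax check and reload at the end run only where nginx is installed.

```shell
#!/bin/sh
# Added example, not code from the original post. Checks the artefacts the
# steps above produce before nginx is reloaded. A throw-away self-signed CA
# stands in for thawte's intermediate; domain, paths and confs are demo values.

DOMAIN=www.site.ru

# Steps 2-3: unencrypted 2048-bit RSA key and a CSR whose CN is the hostname.
make_key_and_csr() {  # dir
    openssl genrsa -out "$1/private.key" 2048 2>/dev/null &&
    openssl req -new -sha256 -key "$1/private.key" -out "$1/csr.csr" \
        -subj "/C=RU/O=Example LLC/CN=$DOMAIN" 2>/dev/null
}

# Stand-in for the CA (constructed): a self-signed "intermediate" signs the CSR.
demo_ca_sign() {  # dir
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Intermediate CA" \
        -keyout "$1/ca.key" -out "$1/intermediate.crt" 2>/dev/null &&
    openssl x509 -req -days 2 -in "$1/csr.csr" -CA "$1/intermediate.crt" \
        -CAkey "$1/ca.key" -CAcreateserial -out "$1/cert.crt" 2>/dev/null
}

# Step 6: server certificate first, the intermediate after it.
make_bundle() {  # dir
    cat "$1/cert.crt" "$1/intermediate.crt" > "$1/certificate_bundled.crt"
}

# The key must be the one the CSR came from: same RSA modulus on both sides.
key_matches_cert() {  # key cert
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# nginx (like openssl x509) treats the FIRST certificate in the file as the
# server certificate, so its CN must be our domain, with the chain following.
bundle_order_ok() {  # bundle domain
    [ "$(grep -c 'BEGIN CERTIFICATE' "$1")" -ge 2 ] &&
    openssl x509 -in "$1" -noout -subject | grep -q "CN *= *$2"
}

# Step 7: install the key so that only its owner (root on the server) can read it.
install_key() {  # src dest
    cp "$1" "$2" && chmod 600 "$2"
}
key_is_private() {  # path: fails if the group or others have the read bit
    [ -z "$(find "$1" -perm -040 -o -perm -004)" ]
}

# Step 8: settings that must not survive in the server block. One finding per line.
audit_ssl_conf() {  # conf
    grep -Eq 'ssl_protocols[^;]*SSLv[23]' "$1"         && echo "weak: SSLv2/SSLv3 enabled"
    grep -Eq 'ssl_protocols[^;]*TLSv1(\.1)?( |;)' "$1" && echo "weak: TLS 1.0/1.1 enabled"
    grep -Eq 'ssl_ciphers[^;]*RC4' "$1"                && echo "weak: RC4 cipher allowed"
    age=$(grep -Eo 'max-age=[0-9]+' "$1" | head -n 1 | cut -d= -f2)
    [ -n "$age" ] && [ "$age" -lt 15552000 ] && echo "weak: HSTS max-age $age is under 180 days"
    return 0
}

# Two constructed snippets: the 2015 settings and the corrected ones.
write_demo_confs() {  # dir
    printf '%s\n' 'ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;' \
        'ssl_ciphers "RC4:HIGH:!aNULL:!MD5:!kEDH";' \
        "add_header Strict-Transport-Security 'max-age=604800';" > "$1/weak.conf"
    printf '%s\n' 'ssl_protocols TLSv1.2 TLSv1.3;' \
        'ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;' \
        "add_header Strict-Transport-Security 'max-age=15552000' always;" > "$1/good.conf"
}

# End-to-end run in a scratch directory; every check must pass.
run_demo() {  # dir
    make_key_and_csr "$1" && demo_ca_sign "$1" && make_bundle "$1" &&
    key_matches_cert "$1/private.key" "$1/cert.crt" &&
    bundle_order_ok "$1/certificate_bundled.crt" "$DOMAIN" &&
    install_key "$1/private.key" "$1/installed.key" &&
    key_is_private "$1/installed.key"
}

WORK=$(mktemp -d)
if run_demo "$WORK"; then echo "certificate material: OK"; else echo "certificate material: BAD"; fi
write_demo_confs "$WORK"
echo "weak.conf:"; audit_ssl_conf "$WORK/weak.conf"
echo "good.conf findings: $(audit_ssl_conf "$WORK/good.conf" | wc -l)"
rm -rf "$WORK"

# Step 10, on the real server only: syntax check, then reload.
if command -v nginx >/dev/null 2>&1; then nginx -t && nginx -s reload; fi
```

On the real server, skip the demo CA and point key_matches_cert, bundle_order_ok and key_is_private at /etc/nginx/private.key and /etc/nginx/certificate_bundled.crt, and audit_ssl_conf at the conf.d file; the modulus comparison is the quickest way to catch the classic mistake of pasting a certificate issued for a CSR from a different key.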

Source: https://habr.com/ru/post/250931/

