SSL bind to nginx in debian

В данной заметке я расскажу как быстро привязать ssl сертификат к nginx. Испытания мы проведем тестовом сервере с тестовым сертификатом, который запросим у Comodo.

Итак, для начала определимся что у нас есть. А есть у нас один nginx сервер который смотрит в Интернет. И, для простоты, один внутренний (с ip 10.10.10.10) для которого и будет создаваться стандартное и ssl подключение. Конечно, серверов может быть сколько угодно. Но мы с вами сейчас не будем усложнять.
First we need to create a CSR-certificate request. Free it can be done either directly from Comodo, or through the website http://www.freessl.su/. We will do through http://www.freessl.su/.

Configuration files from nginx I lie in the directory / etc / nginx. Create a subdirectory there ssl and go into it.
bash:

mkdir / etc / nginx / ssl
cd / etc / nginx / ssl

Next, you need to create a CSR request. To do this, first create a private key file with the following command:
bash:

openssl genrsa -des3 -out secure.website.ru.key 2048

If you want to create a key file without a password, enter the following command
bash:

openssl genrsa -out secure.website.ru.key 2048

Next, create a request file to generate the certificate. To do this, write the following command:
bash:

openssl req -new -key secure.website.ru.key -out secure.website.ru.csr

And fill the field. After that, the file will be generated /etc/nginx/ssl/secure.website.ru.csr. Copy the contents and go to the site http://www.freessl.su/. There fill the field name, phone, email, and paste the contents of the file secure.website.ru.csr in the CSR. Click Next, select the appropriate contact email.

After that, the mailbox will receive a letter from Comodo to confirm the creation of ssl certificate. This email will contain a confirmation code. Click on the link in the email and confirm.

After a while you will come with a certificate file and the file with intermediate certificates. Copy the contents in /etc/nginx/ssl/secure.website.ru.crt.

bash:

cat secure_website_ru.crt >> /etc/nginx/ssl/secure.website.ru.crt
cat secure_website_ru.ca_bundle >> /etc/nginx/ssl/secure.website.ru.crt

In forming this Certificate is completed. Proceed to configure nginx. In our case /etc/nginx/nginx.conf configuration is as follows:

bash:

  1. user nginx;
  2. worker_processes 1;
  3. error_log /var/log/nginx/error.log;
  4. pid /var/run/nginx.pid;
  5. events {
  6. worker_connections 2048;
  7. }
  8. http {
  9. upstream www {
  10. server 10.10.10.10 weight=1 max_fails=3 fail_timeout=120;
  11. }
  12. include /etc/nginx/mime.types;
  13. default_type application/octet-stream;
  14. log_format main ‘$remote_addr – $remote_user [$time_local] “$request” ‘
  15. ‘$status $body_bytes_sent “$http_referer” ‘
  16. ‘”$http_user_agent” “$http_x_forwarded_for”‘;
  17. access_log /var/log/nginx/access.log main;
  18. sendfile on;
  19. #Секция для стандартного подключение по 80 порту
  20. server {
  21. listen 80;
  22. server_name secure.website.ru;
  23. reset_timedout_connection on;
  24. location / {
  25. proxy_pass http://www/;
  26. proxy_next_upstream error timeout invalid_header http_500 http_503;
  27. proxy_set_header Host $host;
  28. proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  29. proxy_redirect off;
  30. proxy_connect_timeout 100;
  31. }
  32. }
  33. # Секция для подключения по ssl
  34. server {
  35. listen 443 ssl;
  36. server_name secure.website.ru;
  37. access_log logs/ssl-access.log;
  38. error_log logs/ssl-error.log;
  39. ssl_certificate ssl/secure.website.ru.crt;
  40. ssl_certificate_key ssl/secure.website.ru.key;
  41. ssl_verify_depth 3;
  42. keepalive_timeout 60;
  43. location / {
  44. proxy_pass http://test/;
  45. proxy_next_upstream error timeout invalid_header http_500 http_5
  46. proxy_set_header Host $host;
  47. proxy_set_header X-Real-IP $remote_addr;
  48. proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  49. proxy_set_header X-Forwarded-Proto https;
  50. proxy_redirect off;
  51. }
  52. }
  53. }

Save and restart nginx.

bash:

/etc/init.d/nginx reload

Go into the details of settings I do not want. About them is very well written in the official documentation nginx.

The only thing that I would like to stress that if you want to hang on one server several different ssl certificates on port 443, then simply add this configuration will not work:

bash:

  1. server {
  2. listen 443;
  3. server_name www.example.com;
  4. ssl on;
  5. ssl_certificate www.example.com.crt;
  6. }
  7. server {
  8. listen 443;
  9. server_name www.example.org;
  10. ssl on;
  11. ssl_certificate www.example.org.crt;
  12. }

Which configuration does receive a certificate of the first server, ie www.example.com, regardless of the queried name server. This behavior is related to SSL. SSL-connection is established before the browser sends a HTTP-request and nginx does not know the name of the requested server. Consequently, it can only offer the certificate server by default.
Resolving this issue you can find here.
On this basic setup nginx laws.