SSL bind to nginx in debian

In this note I will explain how to quickly bind an ssl certificate to nginx. We will run the test on a test server with a test certificate, which we will request from Comodo.

So, first let's define what we have. We have one nginx server facing the Internet and, for simplicity, one internal server, for whose IP both the standard and the ssl connection will be created. Of course, there can be any number of servers, but we won't complicate things for now.
First we need to create a CSR (certificate signing request). This can be done for free either directly from Comodo or through the website; we will go through the website.

My nginx configuration files live in the directory /etc/nginx. Create a subdirectory ssl there and go into it.

mkdir /etc/nginx/ssl
cd /etc/nginx/ssl

Next, you need to create the CSR. To do this, first create a private key file with the following command:

openssl genrsa -des3 -out 2048

If you want to create a key file without a password (nginx will then start without prompting for a passphrase), enter the following command:

openssl genrsa -out 2048

Next, create the request file from which the certificate will be generated. To do this, run the following command:

openssl req -new -key -out

Fill in the fields. After that the file /etc/nginx/ssl/ will be generated. Copy its contents and go to the site. There, fill in the name, phone and email fields, paste the contents of the file into the CSR field, click Next and select the appropriate contact email.

After that, your mailbox will receive a letter from Comodo asking you to confirm the creation of the ssl certificate. This email contains a confirmation code. Click the link in the email and confirm.

After a while you will receive the certificate file and a file with the intermediate certificates. Copy their contents into /etc/nginx/ssl/


cat secure_website_ru.crt >> /etc/nginx/ssl/
cat secure_website_ru.ca_bundle >> /etc/nginx/ssl/
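Before pointing nginx at the files, it is worth checking that the CSR really belongs to the key and that the concatenated chain file starts with the site certificate (nginx reads the first certificate in ssl_certificate as the server's own). The script below is an added example, not part of the original post: file names server.key, server.csr, leaf.crt, ca.crt and chain.crt are assumptions, and the "CA" is a constructed self-signed stand-in for Comodo's ca_bundle so that everything runs offline.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed names: server.key, server.csr,
# leaf.crt, ca.crt, chain.crt; the "CA" is a constructed self-signed stand-in for
# Comodo's ca_bundle, so everything runs offline in a temp directory.
WORK=$(mktemp -d)
# Non-interactive form of the page's genrsa + req steps (no -des3, so nginx can
# start without a passphrase prompt; -subj fills the fields req would ask for).
make_key_and_csr() {
  openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null &&
  openssl req -new -key "$WORK/server.key" -out "$WORK/server.csr" \
    -subj "/C=RU/O=Example/CN=secure.website.ru" 2>/dev/null
}
# Fingerprint of the public key inside a private key, a CSR or a certificate
# (for a chain file, openssl x509 reads only the first certificate).
pubkey_md5() {
  case "$1" in
    key)  openssl pkey -in "$2" -pubout 2>/dev/null ;;
    csr)  openssl req  -in "$2" -pubkey -noout 2>/dev/null ;;
    cert) openssl x509 -in "$2" -pubkey -noout 2>/dev/null ;;
  esac | openssl md5
}

# 0 when the CSR was generated from this key.
csr_matches_key() { [ "$(pubkey_md5 key "$1")" = "$(pubkey_md5 csr "$2")" ]; }

# 0 when the FIRST certificate in the chain file belongs to the key: nginx's
# ssl_certificate file must start with the site certificate and then the
# intermediates, which is why the page cats secure_website_ru.crt first.
chain_leaf_matches_key() { [ "$(pubkey_md5 key "$1")" = "$(pubkey_md5 cert "$2")" ]; }

# Number of PEM certificates in the concatenated file.
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Constructed stand-ins: self-sign the CSR as the "leaf", make a throwaway "CA",
# then build the chain in the right order and in the wrong order.
build_test_material() {
  make_key_and_csr &&
  openssl x509 -req -in "$WORK/server.csr" -signkey "$WORK/server.key" \
    -out "$WORK/leaf.crt" -days 1 2>/dev/null &&
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -out "$WORK/ca.crt" -subj "/CN=Constructed Test CA" -days 1 2>/dev/null &&
  cat "$WORK/leaf.crt" "$WORK/ca.crt" > "$WORK/chain.crt" &&
  cat "$WORK/ca.crt" "$WORK/leaf.crt" > "$WORK/chain-wrong-order.crt"
}

build_test_material
csr_matches_key "$WORK/server.key" "$WORK/server.csr" && echo "CSR matches key"
chain_leaf_matches_key "$WORK/server.key" "$WORK/chain.crt" && echo "chain.crt: leaf first, OK"
chain_leaf_matches_key "$WORK/server.key" "$WORK/chain-wrong-order.crt" || echo "chain-wrong-order.crt: leaf is not first"
```

On a real host, run the two check functions against /etc/nginx/ssl/ with the Comodo files in place of the constructed ones; a chain with the ca_bundle first is the usual cause of "key values mismatch" errors at reload.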

This completes the generation of the certificate. Now proceed to configure nginx. In our case the /etc/nginx/nginx.conf configuration is as follows:


user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log;
pid /var/run/;

events {
    worker_connections 2048;
}

http {
    upstream www {
        server weight=1 max_fails=3 fail_timeout=120;
    }

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    sendfile on;

    # Section for the standard connection on port 80
    server {
        listen 80;
        server_name;
        reset_timedout_connection on;

        location / {
            proxy_pass http://www/;
            proxy_next_upstream error timeout invalid_header http_500 http_503;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_redirect off;
            proxy_connect_timeout 100;
        }
    }

    # Section for the ssl connection
    server {
        listen 443 ssl;
        server_name;
        access_log logs/ssl-access.log;
        error_log logs/ssl-error.log;
        ssl_certificate ssl/;
        ssl_certificate_key ssl/;
        ssl_verify_depth 3;
        keepalive_timeout 60;

        location / {
            proxy_pass http://test/;
            proxy_next_upstream error timeout invalid_header http_500 http_5
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
            proxy_redirect off;
        }
    }
}

Save and restart nginx.


/etc/init.d/nginx reload

I will not go into the details of the settings; they are described very well in the official nginx documentation.

The only thing I would like to stress is that if you want to host several different ssl certificates on one server on port 443, simply adding a configuration like this will not work:


server {
    listen 443;
    server_name;
    ssl on;
    ssl_certificate;
}

server {
    listen 443;
    server_name;
    ssl on;
    ssl_certificate;
}

With this configuration the client receives the certificate of the first server, regardless of the server name requested. This behaviour is inherent to SSL: the SSL connection is established before the browser sends the HTTP request, so at that point nginx does not yet know the name of the requested server and can only offer the default server's certificate.
A solution to this issue can be found here.
This completes the basic setup of nginx.