Nginx SSL/TLS Configuration: Enable HTTPS on Your Nginx Server

In this post, we introduce Nginx, explain why you need to enable HTTPS on it, and then show you different ways to enable HTTPS on an Nginx server.

What is Nginx?

Initially, Nginx was designed as a web server focused on stability and maximum performance. Over time, building on its HTTP server capabilities, NGINX took on several other functions such as load balancing, caching, and reverse proxying. Today, it is one of the fastest open source software packages on the market; it can stream video formats and supports WebSocket, gRPC, and other functions.

If you compare Nginx with Apache or other options in the market, it stands out. However, websites have evolved since the initial NGINX release from static HTML pages to dynamic content. NGINX has developed alongside them and is now capable of utilizing all the features of the modern Web, including WebSocket, HTTP/2, and gRPC.

It also offers a scalable design and the capacity to manage a large number of connections and incoming traffic.

Hence, Nginx is widely used as an SSL/TLS terminator or web accelerator when it is placed between clients and a second web server. It serves as a middleman and takes over operations that slow down your web server, like negotiating SSL/TLS or caching and compressing information, to enhance overall performance.

Why We Need to Secure Webserver with SSL/TLS?

All significant web browsers employ TLS/SSL certificates as the industry standard to provide consumers with a secure online environment. The purpose of securing a web server with SSL/TLS is to protect your sensitive information from malicious actors. Here are a few reasons:

  • Authentication – Trusted Certificate Authorities (CAs) issue SSL/TLS certificates that confirm the identity of the website's owner. This authentication lowers the danger of phishing attacks and gives users confidence that they are interacting with the right, legitimate website.
  • Compliance and Regulations – User data must be protected according to various data protection laws. Using SSL/TLS is a critical step in adhering to these rules and preventing potential legal problems.
  • Data Encryption – All the data that is transferred between a web server and a client is encrypted by SSL/TLS. Any sensitive information, like login credentials or personal data, is kept hidden and protected from malicious actors thanks to this encryption.
  • SSL/TLS for Data Stewards – The management and oversight of an organization’s data, including its classification, is the responsibility of data stewards. When data stewards designate a piece of information as “non public,” they are indicating that it is not intended for general disclosure or open access. Non public material is regarded as sensitive, confidential, or restricted in nature, and access to it is typically limited to authorized staff members only. In such cases, an organization must use SSL/TLS to protect the security of its information.

It’s crucial to keep in mind that employing SSL/TLS does not provide any additional system level security, even though it secures the transfer of information between your server and a web browser. To guarantee the security of your server, you must maintain a strict security procedure.

Nginx SSL/TLS Configuration: How to Enable HTTPS on Your Nginx Server

In this section, we show you how to enable HTTPS on the Nginx server using a self signed certificate and Let’s Encrypt certificate.

Prerequisites

  • A root user or a user with sudo privileges.

Install Nginx Web Server

First, install the Nginx and OpenSSL packages on your server using the command given below.

				
					apt install nginx openssl -y
				
			

After installing Nginx web server, start and enable the Nginx service.

				
					systemctl start nginx
systemctl enable nginx
				
			

Next, check the Nginx service running status using the following command.

				
					systemctl status nginx
				
			

If everything is fine, you see the following output.

Configure UFW Firewall

If you are using the UFW firewall on your server, you need to allow the HTTP and HTTPS services through it.

First, check the UFW Nginx app information using the following command.

				
					ufw app info "Nginx Full"
				
			

You see the following output.

				
					Profile: Nginx Full
Title: Web Server (Nginx, HTTP + HTTPS)
Description: Small, but very powerful and efficient web server

Ports:
  80,443/tcp
				
			

Now, run the following command to allow both HTTP and HTTPS service.

				
					ufw allow in "Nginx Full"
				
			

Then, reload the UFW daemon to implement the changes.

				
					ufw reload
				
			

Enable HTTPS on Nginx Using Self-signed SSL Certificate

A self-signed certificate is intended for use in a local network for testing purposes. You don't need any certificate authority to create the certificate files. The certificate is signed by its own private key.

Let's generate a private key and a certificate signing request (CSR) using the following command.

				
					openssl req -nodes -newkey rsa:2048 -keyout /etc/ssl/private/private.key -out /etc/ssl/private/request.csr
				
			

You are prompted to provide the following information.

Next, generate the certificate from the .csr file created above, signing it with the private key.

				
					openssl x509 -in /etc/ssl/private/request.csr -out /etc/ssl/private/certificate.crt -req -signkey /etc/ssl/private/private.key -days 365
				
			

You see the following output.

				
					Certificate request self-signature ok
subject=C = IN, ST = GUJ, L = JUN, O = EXAMPLE, OU = IT, CN = SERVER, emailAddress = admin@example.com
				
			

At this point, all required certificates are in your hand. Now, edit your default Nginx virtual host configuration file.

				
					nano /etc/nginx/sites-available/default
				
			

Define your server IP and the path of your certificate as shown below.

				
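					server {
        # Plain HTTP listener
        listen 80;
        # HTTPS listeners for IPv4 and IPv6 with HTTP/2
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name your-server-ip;

        # Self-signed certificate and its private key generated above
        ssl_certificate /etc/ssl/private/certificate.crt;
        ssl_certificate_key /etc/ssl/private/private.key;

        # TLS 1.0 and 1.1 are deprecated (RFC 8996); allow only TLS 1.2 and 1.3
        ssl_protocols TLSv1.2 TLSv1.3;

        root /var/www/html;

        index index.html index.nginx-debian.html;
}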

				
			

Save and close the file then verify the Nginx configuration using the following command.

				
					nginx -t
				
			

If everything is fine, you see the following output.

				
					nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

				
			

Next, reload the Nginx service to apply the changes.

				
					service nginx reload
				
			

Now, open your web browser and access your Nginx website securely using the URL https://your-server-ip. You see the warning page because you are using the self-signed certificate.

Click on Accept the risk and continue. You see your Nginx default website page on the following screen.

Configure Permanent Redirects

At this point, Nginx is configured to be accessed over either HTTP or HTTPS. However, if you want to permit only encrypted traffic, it is important to change the Nginx configuration to create a permanent redirect.

To do so, edit the Nginx default virtual host configuration file.

				
					nano /etc/nginx/sites-available/default
				
			

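Add the following line to a server block that listens only on port 80. If it is placed in a block that also listens on 443, requests arriving over HTTPS are redirected to themselves in a loop, so move the port 80 listener into its own server block first.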

				
					return 301 https://$server_name$request_uri;
				
			

Save changes and close the file. Now, restart Nginx using the following command.

				
					systemctl restart nginx
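
The redirect in a dedicated port 80 server block next to the HTTPS block, as an added example that is not part of the original article. It reuses the article's certificate paths and `your-server-ip` placeholder; the split into two server blocks and the IPv6 listener on port 80 are assumptions.

```nginx
# Added example (not from the original article).
# Block 1: plain HTTP. Its only job is to send clients to HTTPS.
server {
        listen 80;
        listen [::]:80;          # assumption: IPv6 parity with the 443 block
        server_name your-server-ip;

        # 301 = permanent redirect; a bare "return URL;" sends 302 (temporary).
        return 301 https://$server_name$request_uri;
}

# Block 2: HTTPS. No "listen 80" and no redirect here, otherwise
# requests arriving over TLS would be redirected to themselves.
server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name your-server-ip;

        ssl_certificate /etc/ssl/private/certificate.crt;
        ssl_certificate_key /etc/ssl/private/private.key;

        # Only non-deprecated protocol versions (TLS 1.0/1.1: RFC 8996).
        ssl_protocols TLSv1.2 TLSv1.3;

        root /var/www/html;
        index index.html index.nginx-debian.html;
}
```

After `nginx -t` passes and Nginx is restarted, `curl -I http://your-server-ip` should answer with a `301` status and a `Location: https://...` header.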
				
			

Enable HTTPS on Nginx Using Let's Encrypt SSL Certificate

Let’s Encrypt is an open source certificate authority that allows users to enable HTTPS on their domain automatically without any human intervention. It offers a trusted certificate at zero cost.

Before installing Let’s Encrypt SSL, you require the Certbot package to install and manage the Let’s Encrypt certificate for your domain. Install it using the following command.

				
					apt install python3-certbot-nginx -y
				
			

Once the Certbot client package is installed, edit the Nginx default virtual host configuration file.

				
					nano /etc/nginx/sites-available/default
				
			

Define your domain name as shown below.

				
					server {
        listen 80 default_server;
        root /var/www/html;

        index index.html index.htm index.nginx-debian.html;

        server_name nginx.yourdomain.com;

        location / {
                try_files $uri $uri/ =404;
        }
}

				
			

Save and close the file when you are finished.

Next, run the following command to install the Let’s Encrypt certificate on your domain.

				
					certbot --nginx -d nginx.yourdomain.com
				
			

You are asked to provide your valid email address and accept the terms of service.

The above command stores all certificates in the /etc/letsencrypt/live/nginx.yourdomain.com/ directory. Check it with the following command.

				
					ls /etc/letsencrypt/live/nginx.yourdomain.com/
				
			

You should see all generated certificate files in the following output.

				
					cert.pem chain.pem fullchain.pem privkey.pem README
				
			

At this point, your Nginx website is secured with Let’s Encrypt SSL. Now access it securely using the URL https://nginx.yourdomain.com.

Thank you for reading Nginx SSL/TLS Configuration: Enable HTTPS on Your Nginx Server. Let’s conclude the article.

Nginx SSL/TLS Configuration: Enable HTTPS on Your Nginx Server Conclusion

In this post, we showed you different ways to enable HTTPS on the Nginx server. First, we generated a self-signed certificate and defined it in the Nginx configuration file to secure the connection. Then, we showed you how to enable HTTPS on an Nginx domain using a free Let's Encrypt SSL certificate. Now feel free to use any of the above methods to enable HTTPS on your Nginx websites.

Hitesh Jethva

I am a fan of open source technology and have more than 10 years of experience working with Linux and Open Source technologies. I am one of the Linux technical writers for Cloud Infrastructure Services.
