This will walk you through configuring SSL for a site in nginx on Ubuntu 12.04.
Step 1: Create directory for SSL
cd /etc/nginx
sudo mkdir ssl
cd ssl
Step 2: Create the server's private key
sudo openssl genrsa -out server.key 2048
This will generate a private key that is used by nginx and during the CSR creation process.
Step 3: Create the Certificate Signing Request
Now create the Certificate Signing Request that will be used to generate the X.509 cert. The CSR will include your organization's information, and its Common Name should match your domain.
sudo openssl req -new -key server.key -out server.csr
Enter the appropriate information when prompted.
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Pennsylvania
Locality Name (eg, city) []:Pittsburgh
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Fistwallet
Organizational Unit Name (eg, section) []:Dev
Common Name (e.g. server FQDN or YOUR name) []:fistwallet.com
Email Address []:bmlabs@listmill.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Step 4 (Optional): Self-Sign your Cert
Most likely you will submit your CSR to the organization you purchased your SSL cert from. However, if you're self-signing your cert, you can do the following:
sudo openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
You now have a cert.
Step 5: Configure nginx to use your Cert
You can now configure nginx to use your certificate by adding a few options to your site's configuration.
## *.derpturkey.com
server {
    server_name www.derpturkey.com;

    # Site specific logging
    access_log /var/log/nginx/derpturkey.access.log;
    error_log /var/log/nginx/derpturkey.error.log;

    # Configure SSL
    listen 443 ssl;
    ssl_certificate /etc/nginx/ssl/derpturkey.crt;
    ssl_certificate_key /etc/nginx/ssl/derpturkey.key;

    ## Forward request
    location / {
        proxy_pass http://192.168.0.153:2368;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
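Specifically, in the above, I enabled listening on port 443 with ssl. Additionally, I'm passing in the path to the certificate and the key that were generated in previous steps. Those steps wrote the files as server.crt and server.key, so the ssl_certificate and ssl_certificate_key paths must point at whatever names your files actually have. More information on configuring an HTTPS server is available in the nginx documentation.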
Step 6: Reload configuration
Now you simply reload the configuration:
sudo nginx -s reload
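The following is an added example, not part of the original walkthrough: it runs Steps 2 to 4 non-interactively in a scratch directory, then makes two checks worth doing before the reload, namely that the private key is readable by its owner only and that the certificate and key are a matching pair. The function names and the example.test common name are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: Steps 2-4 run non-interactively in a scratch directory,
# plus two checks to make before nginx is pointed at the files.
# "example.test" is a constructed placeholder name, not one from the page.

# Steps 2-4. umask 077 creates the key (and CSR/cert) with mode 0600, so the
# private key is never readable by other local users.
make_self_signed() {   # usage: make_self_signed DIR COMMON_NAME
    (
        umask 077
        cd "$1" || exit 1
        openssl genrsa -out server.key 2048 2>/dev/null &&
        openssl req -new -key server.key -subj "/CN=$2" -out server.csr &&
        openssl x509 -req -days 365 -in server.csr -signkey server.key \
            -out server.crt 2>/dev/null
    )
}

# Succeeds only if the certificate and the RSA key share one modulus, i.e.
# the ssl_certificate / ssl_certificate_key pair belongs together.
cert_matches_key() {   # usage: cert_matches_key CRT KEY
    local crt_mod key_mod
    crt_mod=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 1
    key_mod=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$crt_mod" ] && [ "$crt_mod" = "$key_mod" ]
}

# Succeeds only if the key file is accessible by its owner alone
# (stat -c is the GNU form, as on Ubuntu).
key_is_private() {     # usage: key_is_private KEY
    case "$(stat -c %a "$1")" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

demo() {
    local dir rc
    dir=$(mktemp -d) || return 1
    make_self_signed "$dir" example.test &&
        key_is_private "$dir/server.key" &&
        cert_matches_key "$dir/server.crt" "$dir/server.key" &&
        echo "OK: key is private and matches the certificate"
    rc=$?
    rm -rf "$dir"
    return "$rc"
}

demo
```

Running sudo nginx -t before the reload in Step 6 additionally catches configuration syntax errors and certificate paths that nginx cannot load.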