Adding SSL to a site in nginx

This will walk you through configuring SSL for a site in nginx on Ubuntu 12.04.

Step 1: Create directory for SSL

cd /etc/nginx  
sudo mkdir ssl  
cd ssl  

Step 2: Create the server's private key

sudo openssl genrsa -out server.key 2048  

This will generate a private key that is used by nginx and during the CSR creation process.

Step 3: Create the Certificate Signing Request

Now create the Certificate Signing Request that will be used to generate the x509 cert. The CSR will include your organization's information and should match your domain.

sudo openssl req -new -key server.key -out server.csr  

Enter the appropriate information when prompted.

You are about to be asked to enter information that will be incorporated  
into your certificate request.  
What you are about to enter is what is called a Distinguished Name or a DN.  
There are quite a few fields but you can leave some blank  
For some fields there will be a default value,  
If you enter '.', the field will be left blank.  
-----
Country Name (2 letter code) [AU]:US  
State or Province Name (full name) [Some-State]:Pennsylvania  
Locality Name (eg, city) []:Pittsburgh  
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Fistwallet  
Organizational Unit Name (eg, section) []:Dev  
Common Name (e.g. server FQDN or YOUR name) []:fistwallet.com  
Email Address []:bmlabs@listmill.com

Please enter the following 'extra' attributes  
to be sent with your certificate request  
A challenge password []:  
An optional company name []:  

Step 4 (Optional): Self-Sign your Cert

Most likely you will submit your CSR to the organization you purchased your SSL cert from. However, if you're self-signing your cert, you can do the following:

sudo openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt  

You now have a cert.

Step 5: Configure nginx to use your Cert

You can now configure nginx to use your certificate by adding a few options to your site's configuration.

## *.derpturkey.com
server {  
  server_name www.derpturkey.com;

  # Site specific logging
  access_log /var/log/nginx/derpturkey.access.log;
  error_log /var/log/nginx/derpturkey.error.log;

  # Configure SSL
  listen 443 ssl;
  ssl_certificate        /etc/nginx/ssl/derpturkey.crt;
  ssl_certificate_key    /etc/nginx/ssl/derpturkey.key;

  ## Forward request
  location / {
    proxy_pass http://192.168.0.153:2368;
    proxy_set_header Host            $host;
    proxy_set_header X-Real-IP       $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  }
}

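Specifically, in the above, I enabled listening on port 443 with ssl. Additionally, I'm passing in the path to the certificate and the key that were generated in previous steps. The paths given to ssl_certificate and ssl_certificate_key must name the files you actually created; the earlier steps wrote server.crt and server.key, so either rename those files or adjust the paths. More information on configuring an HTTPS server is available in the nginx documentation.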

Step 6: Reload configuration

Now you simply reload the configuration:

sudo nginx -s reload  
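
A check to run between Steps 5 and 6, added here as an example and not part of the original walkthrough: it confirms that the certificate and private key belong together, that the key file is not readable by group or others, and that the certificate is not about to expire. The function names, return codes, the check.sh file name and the example.test subject are assumptions made for this example.

```sh
#!/bin/sh
# Added example: checks for the files from Steps 2-4 before nginx is reloaded.
# Return codes (chosen for this example): 0 ok, 1 file missing or unparsable,
# 2 cert and key do not match, 3 key readable by group/others,
# 4 cert expires within $3 days (default 30).
check_tls_pair() {
  cert=$1; key=$2; days=${3:-30}
  [ -r "$cert" ] && [ -r "$key" ] || return 1

  # Extract the public key from each file; they must be identical.
  # Comparing public keys works for RSA and EC keys alike.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ] || return 2

  # Characters 5-10 of the ls mode string are the group and other bits.
  perms=$(ls -lnL "$key" | cut -c5-10)
  [ "$perms" = "------" ] || return 3

  # -checkend exits non-zero if the cert expires within the given seconds.
  openssl x509 -in "$cert" -noout -checkend "$((days * 86400))" >/dev/null || return 4
  return 0
}

# Non-interactive form of Steps 2-4 that writes a throwaway pair into $1.
# The subject /CN=example.test is constructed for this example.
make_demo_pair() {
  dir=$1
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null &&
  chmod 600 "$dir/server.key" &&
  openssl req -new -key "$dir/server.key" -subj "/CN=example.test" \
    -out "$dir/server.csr" &&
  openssl x509 -req -days 365 -in "$dir/server.csr" \
    -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
}

# Usage (check.sh is a hypothetical file name for this script):
#   sudo sh check.sh /etc/nginx/ssl/server.crt /etc/nginx/ssl/server.key
if [ "$#" -ge 2 ]; then
  check_tls_pair "$@"
fi
```

A return code of 0 means the pair is consistent; running `sudo nginx -t` afterwards validates the configuration itself before the reload in Step 6.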