Linuxsimba.com is now behind a Nginx SSL Proxy.

I have always been confused by SSL Nginx configuration. So here is what I did to get it working.

Create the Certificate

My service provider gives me a free SSL certificate for the website.

First create the Certificate Request.

openssl req -nodes -newkey rsa:2048 -sha256 -keyout linuxsimba.key -out linuxsimba.csr

Remember to save the SSL private key (the linuxsimba.key file written by -keyout)!!

Why not use a 4096-bit RSA key? Here is a blog post that shows a 2048-bit key is good enough.

Upload the CSR to the Certificate Request form

The service provider had a Certificate Request form where I could upload the linuxsimba.csr file.

After an hour the SSL certificate creation was complete. The service provider SSL web page offered 2 certificates for download. These were:

  • Server Certificate
  • Intermediary Certificate

Intermediary Certificate?? It's the certificate of the CA that signed your certificate; it links your certificate to a root certificate the browser already trusts, forming what the industry calls a certificate chain. Here is what linuxsimba.com's certificate chain looks like.

SSL Command: openssl s_client -showcerts -connect linuxsimba.com:443
[Output: OpenSSL s_client output showing the certificate chain]

With the 2 certificates, the server and intermediary certificate, you then have to place both certs in the same file, server certificate first and then the intermediary, like so

cat server.crt serverproviderCA.pem >> linuxsimba.crt

Copy the certificate and private key into the Nginx directories

Remember that SSL key that was generated as part of the Certificate Request (CSR)? You need it now!

Do these steps on the host that will run nginx.

cp linuxsimba.crt /etc/nginx/certs
cp linuxsimba.key /etc/nginx/private/
chmod 400 /etc/nginx/private/linuxsimba.key
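As an added example (not from the original post), here is a small POSIX shell check to run on linuxsimba.key and the concatenated linuxsimba.crt before copying them into place: it confirms that the private key belongs to the first certificate in the file, and that each certificate is followed by its issuer, which is the order the cat command above produces (server, then intermediary). make_test_pki and the "Example Test CA" names are constructed throwaway fixtures so the check can be tried offline, not the real linuxsimba.com certificates.

```shell
#!/bin/sh
# check_chain KEY CHAIN: pre-deployment check of the concatenated nginx chain file.
# Succeeds only if (1) KEY matches the FIRST certificate in CHAIN (the server
# cert, the one nginx serves as the leaf) and (2) every certificate is issued
# by the one that follows it: server cert, then intermediary, the order that
# ssl_certificate expects.
check_chain() {
  key=$1; chain=$2
  tmp=$(mktemp -d) || return 1
  # 1. public key derived from the private key vs. public key in the first cert
  kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  cpub=$(openssl x509 -in "$chain" -pubkey -noout 2>/dev/null)  # reads only the first cert
  if [ -z "$kpub" ] || [ "$kpub" != "$cpub" ]; then
    echo "private key does not match the first certificate in $chain" >&2
    rm -rf "$tmp"; return 1
  fi
  # 2. split the bundle into cert1.pem, cert2.pem, ... and walk issuer -> subject
  awk -v d="$tmp" '/BEGIN CERTIFICATE/{n++} n{print > (d "/cert" n ".pem")}' "$chain"
  n=$(ls "$tmp" | wc -l | tr -d ' ')
  i=1
  while [ "$i" -lt "$n" ]; do
    j=$((i + 1))
    issuer=$(openssl x509 -in "$tmp/cert$i.pem" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
    subject=$(openssl x509 -in "$tmp/cert$j.pem" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
    if [ "$issuer" != "$subject" ]; then
      echo "certificate $i was not issued by certificate $j: chain order is wrong" >&2
      rm -rf "$tmp"; return 1
    fi
    i=$j
  done
  rm -rf "$tmp"
  return 0
}

# make_test_pki DIR: constructed throwaway CA and server certificate (not
# linuxsimba.com's real ones) so the check can be tried offline.
make_test_pki() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
  openssl x509 -req -in "$d/server.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/server.crt" 2>/dev/null
  cat "$d/server.crt" "$d/ca.pem" > "$d/good.crt"      # server first, then its issuer
  cat "$d/ca.pem" "$d/server.crt" > "$d/reversed.crt"  # wrong order
}
```

For the real files, run `check_chain linuxsimba.key linuxsimba.crt` and only copy them into /etc/nginx when it returns 0.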

What the nginx.conf file looks like

user  nginx;
worker_processes  1;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;

events {
    worker_connections  1024;
}

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    # the "main" log format used by access_log below (stock nginx definition)
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;

    # Redirect all unsecured port 80 traffic to the secure port 443.
    server {
        listen 0.0.0.0:80;
        return 301 https://$host$request_uri;
    }

    server {
        listen 0.0.0.0:443 ssl;
        # paths must match where the chain file and key were copied above
        ssl_certificate     /etc/nginx/certs/linuxsimba.crt;
        ssl_certificate_key /etc/nginx/private/linuxsimba.key;
        # default settings for Nginx 1.10.2. Just mentioning it for
        # educational purposes. Older versions of Nginx have different cipher
        # protocol settings.
        ssl_ciphers   HIGH:!aNULL:!MD5;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

        location / {
            proxy_read_timeout 120;
            # Using docker to house jekyll container and nginx container
            # linuxsimba-blog is the docker network name for the jekyll container
            # on a bare-metal host proxy_pass will probably be http://localhost:4000
            proxy_pass  http://linuxsimba-blog:4000;
            proxy_set_header        Host            $host;
            proxy_set_header        X-Real-IP       $remote_addr;
            proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
}