How to install a certificate on Nginx?


Installing an SSL/TLS certificate and switching the site to HTTPS protects the connection between the browser and the server from eavesdropping and tampering, and is strongly recommended for any site where users register or log in. Contrary to what many outdated instructions and guides claim, TLS adds no significant load to a modern server, and a certificate can be issued easily and inexpensively.

How to install an SSL certificate on Nginx

To install SSL on Nginx you will need to complete the following steps:

1. You should receive an archive with the certificate at the e-mail address you specified when ordering it. The archive usually contains the root, intermediate and domain certificates. If you already have a bundle.crt file, skip straight to step 4. Otherwise you need to combine the three certificate files into one file, as described in steps 2 and 3.

2. You should have three files: comodo_root.crt (root certificate), comodo_intermediate.crt (intermediate certificate) and your_domain.crt (the certificate issued for your domain). Copy them, together with the .key file that was generated with the certificate request, to a directory of your choice on the server, for example /etc/ssl/.

3. Combine the domain certificate (your_domain.crt), the intermediate certificate (comodo_intermediate.crt) and the root certificate (comodo_root.crt) into one .crt file. Nginx requires the server (domain) certificate to come first in the file, followed by the certificates that sign it, so the order of the arguments matters:

cat your_domain.crt comodo_intermediate.crt comodo_root.crt > bundle.crt

In some cases Comodo sends an archive in which the intermediate and root certificates are already combined into one file. If so, put your domain certificate first and append that file:

cat your_domain.crt comodo-bundle.crt > bundle.crt

Including the root certificate is optional: clients must already trust it, and nginx only needs the intermediate certificate(s) to present a complete chain. Appending it does no harm, and you will need the intermediate and root certificates again for ssl_trusted_certificate if you enable OCSP stapling verification later.
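Steps 2 and 3 above, together with the checks worth running before restarting nginx, as an added example that is not part of the original article: build_bundle writes the domain certificate first, bundle_is_leaf_first confirms that order (a root-first bundle, as some older guides produce, fails it), key_matches_cert confirms the .key file belongs to the domain certificate (nginx refuses to start if it does not), and chain_verifies confirms that the chain actually closes at the root. The root, intermediate and leaf created by gen_demo_pki are a throwaway PKI constructed for this example; the file names and the domain your_domain.example are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): build the certificate bundle
# in the order nginx expects (domain certificate first, then the intermediate,
# then optionally the root) and check it with openssl before restarting nginx.
# File names and the domain your_domain.example are assumptions; gen_demo_pki
# creates a throwaway root/intermediate/leaf so the checks can run offline.

# build_bundle OUT LEAF INTERMEDIATE... [ROOT]: concatenate leaf-first.
build_bundle() {
    out=$1; shift
    cat "$@" > "$out"
}

# bundle_is_leaf_first BUNDLE LEAF: true if the first PEM block in BUNDLE is LEAF.
# openssl x509 reads only the first certificate in a file, which is exactly
# what nginx will present as the server certificate.
bundle_is_leaf_first() {
    first=$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null)
    leaf=$(openssl x509 -in "$2" -noout -fingerprint -sha256 2>/dev/null)
    [ -n "$first" ] && [ "$first" = "$leaf" ]
}

# key_matches_cert KEY CERT: true if the private key belongs to the certificate
# (compares the public keys, so it works for RSA and EC keys alike).
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# chain_verifies ROOT UNTRUSTED LEAF: true if LEAF chains to ROOT through the
# certificates in UNTRUSTED (the bundle itself can be passed as UNTRUSTED).
chain_verifies() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# gen_demo_pki DIR: constructed test PKI (root -> intermediate -> your_domain),
# named after the files the article talks about.
gen_demo_pki() {
    d=$1
    mkdir -p "$d"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:your_domain.example\n' > "$d/leaf.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root" \
        -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 7 -sha256 \
        -extfile "$d/ca.ext" -out "$d/comodo_root.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/comodo_root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -days 7 -sha256 -extfile "$d/ca.ext" \
        -out "$d/comodo_intermediate.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=your_domain.example" \
        -keyout "$d/your_domain.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/comodo_intermediate.crt" -CAkey "$d/int.key" \
        -CAcreateserial -days 7 -sha256 -extfile "$d/leaf.ext" \
        -out "$d/your_domain.crt" 2>/dev/null
}
```

On a real server you would source the file and run, from the directory holding the files from the archive, `build_bundle /etc/ssl/bundle.crt your_domain.crt comodo_intermediate.crt comodo_root.crt`, then `bundle_is_leaf_first /etc/ssl/bundle.crt your_domain.crt && key_matches_cert /etc/ssl/your_domain.key your_domain.crt && chain_verifies comodo_root.crt /etc/ssl/bundle.crt your_domain.crt` before editing the nginx configuration; any of the three checks failing means nginx will either refuse to start or serve an incomplete chain.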

Let's move on to setting up Nginx.

4. Open the Nginx virtual host file for the site you want to protect. If the site should be reachable over both an unsecured (HTTP) and a secure (HTTPS) connection, you need a separate server block for each connection type: copy the existing server block for the unsecured connection, paste it below the original, and add the lines shown below. Note that the old "ssl on;" directive found in many guides is deprecated since nginx 1.15.0 and rejected by current versions; enable TLS with the ssl parameter on the listen line instead:
server {
    listen 443 ssl;
    ssl_certificate /etc/ssl/bundle.crt;
    ssl_certificate_key /etc/ssl/your_domain.key;
    server_name yourdomain.com;
    access_log /var/log/nginx/nginx.vhost.access.log;
    error_log /var/log/nginx/nginx.vhost.error.log;
    location / {
        root /home/www/public_html/your_domain/public/;
        index index.html;
    }
}

Make sure that ssl_certificate points to the bundle.crt file created earlier and that ssl_certificate_key points to the private key generated together with the certificate request: nginx will not start if the key and certificate do not belong together. Check the configuration with nginx -t and, if it passes, apply it with nginx -s reload.

If you used the configuration generator linked above, your configuration file may look like the example below. It assumes that you have generated dhparam.pem for forward secrecy with the DHE cipher suites; if not, create it with the command openssl dhparam -out /etc/pki/nginx/dhparam.pem 4096 (adjust the path to match the ssl_dhparam directive in your configuration; the example below keeps it under /etc/nginx/ssl/name.ru/). Generating 4096-bit parameters can take several minutes.

# Redirect plain HTTP to HTTPS (301)
server {
    listen 80;
    server_name name.ru www.name.ru;
    return 301 https://name.ru$request_uri;
}

# Redirect the www host to the bare domain over HTTPS. This block needs the
# certificate too, otherwise browsers show an error before the redirect is sent.
server {
    listen 443 ssl http2;
    server_name www.name.ru;
    # be sure to specify the certificates here as well
    ssl_certificate /etc/nginx/ssl/name.ru/bundle.crt;
    ssl_certificate_key /etc/nginx/ssl/name.ru/name.key;
    return 301 https://name.ru$request_uri;
}

server {
    # ssl and http2 are enabled on the listen line; the old "ssl on;" directive is deprecated
    listen 443 ssl http2;
    server_name name.ru;

    access_log off;
    #access_log /var/log/nginx/name.ru.access.log;
    error_log /var/log/nginx/name.ru.error.log;

    # Enable OCSP stapling. What it is and why it is needed is explained in our FAQ.
    ssl_stapling on;
    ssl_stapling_verify on;
    # For ssl_stapling_verify to work, nginx needs the intermediate and root
    # certificates as trusted certificates, and a resolver to look up the OCSP
    # responder host; otherwise the stapled response is silently not sent:
    # ssl_trusted_certificate <file containing the intermediate and root certificates>;
    # resolver <IP address of a DNS server>;

    # our certificates (the same bundle and key as in the www block above)
    ssl_certificate /etc/nginx/ssl/name.ru/bundle.crt;
    ssl_certificate_key /etc/nginx/ssl/name.ru/name.key;
    ssl_dhparam /etc/nginx/ssl/name.ru/dhparam.pem;

    # Session resumption: a shared cache instead of tickets, because nginx does
    # not rotate ticket keys on its own and a long-lived key weakens forward secrecy
    ssl_session_tickets off;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996); offer only 1.2 and 1.3
    ssl_protocols TLSv1.2 TLSv1.3;
    # Compatibility cipher list (applies to TLS 1.2). It still contains 3DES
    # (the DES-CBC3 suites) and non-forward-secret RSA suites (everything from
    # AES128-GCM-SHA256 onwards) for legacy clients; remove them if you do not
    # need to support such clients.
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    ssl_prefer_server_ciphers on;

    # HSTS: browsers will use HTTPS only for this host for the next year. Note
    # that add_header directives in a location block replace, not extend, the
    # ones inherited from the server block, so repeat this line there if needed.
    add_header Strict-Transport-Security "max-age=31536000";

    # proxy requests to the application backend
    location / {
        # proxy parameters
        proxy_send_timeout 600;
        proxy_read_timeout 600;
        # add proxy_pass and the remaining proxy_* directives for your backend here
    }
}
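The configuration above fixes several things that older guides (and configuration generators) get wrong. As an added example that is not part of the original article, the script below audits an nginx configuration file for exactly those pitfalls: the deprecated "ssl on;" directive, TLS 1.0/1.1 still enabled, OCSP stapling without a resolver, stapling verification without ssl_trusted_certificate, and an HTTPS server block without an HSTS header. audit_nginx_tls prints one line per finding and returns non-zero when anything was found. The two sample configurations written by write_sample_configs are constructed for this example (weak.conf mirrors the common mistakes, good.conf the corrected form); the file /etc/nginx/ssl/name.ru/chain.crt and the resolver address 127.0.0.53 in good.conf are assumptions, not values from the original page.

```shell
#!/bin/sh
# Added example (not from the original article): audit an nginx TLS
# configuration for the pitfalls discussed on this page. Plain sed/grep only,
# so it runs on any server; commented-out directives are ignored.

# strip_comments FILE: print FILE with "#" comments removed.
strip_comments() {
    sed 's/#.*$//' "$1"
}

# has_line REGEX: true if the stripped config held in $conf has a matching line.
has_line() {
    printf '%s\n' "$conf" | grep -Eq "$1"
}

# audit_nginx_tls FILE: print findings; return 0 when clean, 1 otherwise.
audit_nginx_tls() {
    conf=$(strip_comments "$1")
    findings=0
    ws='[[:space:]]'

    # "ssl on;" is deprecated since nginx 1.15.0: put ssl on the listen line instead
    if has_line "^$ws*ssl$ws+on$ws*;"; then
        echo "deprecated 'ssl on;': use 'listen 443 ssl;' instead"; findings=$((findings+1))
    fi
    # TLS 1.0 and 1.1 are deprecated (RFC 8996); TLSv1.2 and TLSv1.3 are enough
    if printf '%s\n' "$conf" | grep -E "^$ws*ssl_protocols" | grep -Eq "TLSv1(\.1)?($ws|;)"; then
        echo "ssl_protocols still offers TLSv1 and/or TLSv1.1"; findings=$((findings+1))
    fi
    # OCSP stapling needs a resolver to reach the responder host ...
    if has_line "^$ws*ssl_stapling$ws+on" && ! has_line "^$ws*resolver$ws"; then
        echo "ssl_stapling on, but no 'resolver' directive"; findings=$((findings+1))
    fi
    # ... and verifying the stapled response needs the issuer chain as trusted certs
    if has_line "^$ws*ssl_stapling_verify$ws+on" && ! has_line "^$ws*ssl_trusted_certificate$ws"; then
        echo "ssl_stapling_verify on, but no 'ssl_trusted_certificate'"; findings=$((findings+1))
    fi
    # An HTTPS server without HSTS still lets a user's first visit go over plain HTTP
    if has_line "listen$ws+443" && ! has_line "Strict-Transport-Security"; then
        echo "no Strict-Transport-Security header for the HTTPS server"; findings=$((findings+1))
    fi
    [ "$findings" -eq 0 ]
}

# write_sample_configs DIR: constructed sample configurations for trying the audit.
write_sample_configs() {
    d=$1
    mkdir -p "$d"
    cat > "$d/weak.conf" <<'EOF'
server {
    listen 443;
    ssl on;
    server_name name.ru;
    ssl_certificate /etc/nginx/ssl/name.ru/bundle.crt;
    ssl_certificate_key /etc/nginx/ssl/name.ru/name.key;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    # ssl on;   (commented out, so it must not be reported)
}
EOF
    cat > "$d/good.conf" <<'EOF'
server {
    listen 443 ssl http2;
    server_name name.ru;
    ssl_certificate /etc/nginx/ssl/name.ru/bundle.crt;
    ssl_certificate_key /etc/nginx/ssl/name.ru/name.key;
    ssl_trusted_certificate /etc/nginx/ssl/name.ru/chain.crt;
    resolver 127.0.0.53;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000";
}
EOF
}
```

Run it as `audit_nginx_tls /etc/nginx/sites-enabled/name.ru.conf` after sourcing the file; it complements nginx -t, which only checks syntax and would accept every one of these weaknesses without comment.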

