
SSL / TLS setup of RapidSSL certificate with Nginx on Ubuntu server

Here is a guide to setting up SSL / TLS in Nginx on an Ubuntu instance:

- Generate a private key:
    openssl genrsa -out /home/ubuntu/something_com_pvt.key 2048

- Generate a CSR from the private key:
    openssl req -new -key /home/ubuntu/something_com_pvt.key -out /home/ubuntu/something_com_.csr

- Submit the above CSR to the SSL provider, RapidSSL in our case.
- Download the X.509 certificates.
- Combine the intermediate and the SSL certificate into one file, name it "ssl_final.cer" and put it in /home/ubuntu/

- Execute the following:
    sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

- Put the following in the nginx server block:
    include snippets/self-signed.conf;
    include snippets/ssl-params.conf;

- In /etc/nginx/snippets, create the two snippet files:

    self-signed.conf content:

    # Despite the file name, these point at the CA-issued chain built above, not a self-signed certificate.
    ssl_certificate /home/ubuntu/ssl_final.cer;
    ssl_certificate_key /home/ubuntu/something_com_pvt.key;

    ssl-params.conf content:

    # from https://cipherli.st/
    # and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep them only if you must support legacy clients.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    # https://cipherli.st/
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_ecdh_curve prime256v1;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;


Restart Nginx. Thats It!
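The combine step above does not say which certificate goes first in ssl_final.cer or how to confirm that the key and certificate belong together, and both are common causes of a handshake failure after the restart. The script below is an added example, not code from the original post: it builds ssl_final.cer with the server certificate first, then checks that the private key matches the certificate and that the first certificate's issuer is the second certificate's subject. It assumes the openssl CLI is installed and reuses the post's file paths.

```shell
#!/bin/sh
# Added example, not from the original post: pre-deployment checks for the
# combined ssl_final.cer referenced from self-signed.conf. Assumes the openssl
# CLI is installed; paths are the ones used in the post.

# Write the chain in the order nginx expects: server (leaf) certificate first,
# then the intermediate. nginx sends the file contents as-is in the handshake.
build_chain() {
    cat "$1" "$2" > "$3"
}

# Print the n-th PEM certificate ($2) contained in file $1.
nth_cert() {
    awk -v want="$2" '/-----BEGIN CERTIFICATE-----/ { n++ } n == want' "$1"
}

# Succeed only if the private key's public half equals the public key inside
# the first certificate of the chain (both compared as PEM SubjectPublicKeyInfo).
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    cert_pub=$(nth_cert "$2" 1 | openssl x509 -noout -pubkey 2>/dev/null)
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Succeed only if the first certificate's issuer is the second certificate's
# subject, i.e. the leaf is followed by the intermediate that signed it.
# The sed strips the "issuer=" / "subject=" prefix that openssl prints.
chain_order_ok() {
    leaf_issuer=$(nth_cert "$1" 1 | openssl x509 -noout -issuer 2>/dev/null | sed 's/^[a-z]*=//')
    int_subject=$(nth_cert "$1" 2 | openssl x509 -noout -subject 2>/dev/null | sed 's/^[a-z]*=//')
    [ -n "$leaf_issuer" ] && [ "$leaf_issuer" = "$int_subject" ]
}

# Usage: sh check_chain.sh leaf.cer intermediate.cer /home/ubuntu/something_com_pvt.key
if [ "$#" -eq 3 ]; then
    out=/home/ubuntu/ssl_final.cer
    build_chain "$1" "$2" "$out"
    key_matches_cert "$3" "$out" || { echo "private key does not match certificate"; exit 1; }
    chain_order_ok "$out" || { echo "chain order wrong: leaf must come before intermediate"; exit 1; }
    echo "$out looks good"
fi
```

Once both checks pass, `sudo nginx -t` validates the configuration before the restart.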