Securing Nginx with HTTPS

Adding a certificate and using the HTTPS protocol is a good improvement to the security of the communication between the browser and the server, and should be in place on all sites that have a user login. Contrary to what many (older) guides say, it doesn’t add much load on your server and is fairly easy and cheap to set up right.

First of all, make sure Nginx is installed and running. I highly recommend running the latest version from Nginx’ own Ubuntu repository.

Generate key and CSR

Generate the server’s private key:

$ openssl genrsa -out /etc/ssl/private/example.com.key 2048

The number (2048) is the key length in bits. Anything shorter will soon be considered unsafe and should be avoided for new keys; anything longer is unnecessary and will only waste CPU.

Generate the Certificate Signing Request (CSR):

$ openssl req -new -key /etc/ssl/private/example.com.key -out /etc/ssl/private/example.com.csr

Fill in the requested fields, but please note the following:

  • Enter your FQDN for “Common Name (e.g. server FQDN or YOUR name)”. In this case it’s “www.example.com”.
  • Press [ENTER] (blank) for “A challenge password”.

Most Certificate Authorities will issue a certificate that is valid for both www.example.com and example.com if you provide www.example.com as FQDN. The opposite is NOT the case.

Make sure the files are readable by root only:

$ chmod 0400 /etc/ssl/private/example.com.*

Acquire the certificate from a CA

Go to the web site of a Certificate Authority or affiliate. For securing regular web sites, I usually get a domain validated Comodo PositiveSSL certificate from SSLs.com. They’re really cheap and more than good enough for most cases.

When you get the certificate from the CA – usually within an hour – place it in /etc/ssl/certs/example.com.crt

Intermediate Certificate Advisory

The certificate issuer will most likely provide you with an intermediate certificate or two. You MUST install the intermediate certificates on the server together with the certificate.

Save the intermediate certificates to /etc/ssl/certs/

In my case the two provided intermediate certs will be these two files:

COMODORSAAddTrustCA.crt
COMODORSADomainValidationSecureServerCA.crt

Concatenate the certificates to one file (order is important):

$ cat /etc/ssl/certs/example.com.crt /etc/ssl/certs/COMODORSADomainValidationSecureServerCA.crt /etc/ssl/certs/COMODORSAAddTrustCA.crt > /etc/ssl/certs/example.com.certchain.crt
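Before pointing Nginx at the chain file it is worth checking that the certificates really are in the order described above (leaf first, each one issued by the one that follows it) and that the private key belongs to the leaf certificate. The shell functions below are an added example, not code from the original post; they assume the openssl CLI is installed, and the paths in the usage comment are the post's own example paths.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a concatenated
# certificate chain before using it as ssl_certificate in Nginx.
# Assumes the openssl command-line tool is available.

# Print the n-th PEM certificate (1-based) from a chain file.
nth_cert() {
    awk -v n="$2" '/-----BEGIN CERTIFICATE-----/{i++} i==n{print}' "$1"
}

# Number of certificates in the chain file.
cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Return 0 if every certificate in the file is issued by the one that
# follows it (leaf, then intermediates, root-most last), else 1.
chain_order_ok() {
    chain="$1"
    n=$(cert_count "$chain")
    i=1
    while [ "$i" -lt "$n" ]; do
        issuer=$(nth_cert "$chain" "$i" | openssl x509 -noout -issuer)
        subject=$(nth_cert "$chain" $((i + 1)) | openssl x509 -noout -subject)
        # Both DNs are printed by the same openssl build, so stripping the
        # "issuer=" / "subject=" labels leaves directly comparable strings.
        [ "${issuer#issuer=}" = "${subject#subject=}" ] || return 1
        i=$((i + 1))
    done
    return 0
}

# Return 0 if the private key ($1) matches the public key of the first
# (leaf) certificate in the chain file ($2), comparing public-key digests.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
    crt_pub=$(nth_cert "$2" 1 | openssl x509 -noout -pubkey | openssl sha256)
    [ "$key_pub" = "$crt_pub" ]
}

# Usage with the paths from this post:
# chain_order_ok /etc/ssl/certs/example.com.certchain.crt \
#   && key_matches_cert /etc/ssl/private/example.com.key \
#                       /etc/ssl/certs/example.com.certchain.crt \
#   && echo "chain order and key OK"
```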

Configure Nginx

Copy your existing server block and add the 4 SSL-specific lines so that the start of your new server block looks like this:

server {
    server_name example.com;
    listen 443 ssl http2;
    ssl_certificate /etc/ssl/certs/example.com.certchain.crt;
    ssl_certificate_key /etc/ssl/private/example.com.key;

Now reload your config and you should be done:

$ service nginx reload

You are now done with the basic configuration of HTTPS on Nginx. The next steps are first to enable HTTP/2 and then to dive into optimizing HTTPS on Nginx.

5 thoughts on “Securing Nginx with HTTPS”

  1. Thanks for your nice tutorial!
    Improvements:
    In the Configure Nginx section I would mention that you must edit the nginx.conf file (on Ubuntu Linux it is located by default at /etc/nginx/nginx.conf) and that the block server { … } goes inside the block html { … }:

    nginx.conf
    html {
        server {
        }
    }

    1. Bjørn Johansen

      The block you’re mentioning is called http, and it will usually have an include statement to include files (in a subdirectory) with server blocks. It is much cleaner to organize your Nginx config this way.
      But that is way out of scope for this post, which assumes you already have a basic Nginx configuration.

  2. Waqas Rahman

    I dont own a domain and use localhost as the server_name. I want to use HTTP/2 to connect my client with the server. Can i use HTTP2 connection without using HTTPS or can I generate certificate for localhost?

    1. Bjørn Johansen

      The HTTP/2 spec does not require HTTPS, but in practice all clients do. You can generate a self-signed certificate and use that.
