How To Secure Your Nginx-Powered Website Using SSL and Secure Ciphers

Introduction

SSL (stands for Secure Sockets Layer) and its successor, TLS (stands for Transport Layer Security) are cryptographic protocols to secure communication over the Internet. It can be used to create a secure connection to a website.

Intro

Make sure that Nginx and OpenSSL are installed on your server.
In this article, we’ll demonstrate the process by generating a self-signed SSL certificate.

Step 1: Create a directory for the certificate and private key

We’ll create a directory (and enter it) inside /etc/nginx (assuming that directory is Nginx’s config directory), by:

sudo mkdir /etc/nginx/ssl
cd /etc/nginx/ssl # we'll perform our next few steps in this dir

Step 2: Create private key and CSR

Let’s start by creating the site’s private key. In this example, we’ll use 4096-bit key for stronger security. Note that 2048-bit is also secure, but DO NOT USE A 1024-BIT PRIVATE KEY!

sudo openssl genrsa -out example.com.key 4096

Now, create a certificate signing request (CSR) for signing the cert. We’ll use 512-bit SHA-2. Note the -sha512 option.

sudo openssl req -new -key example.com.key -out example.com.csr -sha512

It will prompt a lists of fields that need to be filled in. Make sure Common Name is set to your domain name! Also, leave A challenge password and An optional company name blank.

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:CA
Locality Name (eg, city) []:LosAngeles
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example Inc
Organizational Unit Name (eg, section) []:Security
Common Name (e.g. server FQDN or YOUR name) []:*.example.com
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Step 3: Sign your certificate

Almost done! Now we just have to sign it. Don’t forget to replace 365 (expiry after 365 days) to the number of days that you would prefer.

sudo openssl x509 -req -days 365 -in example.com.csr -signkey example.com.key -out example.com.crt -sha512

Now, we’re done making a self-signed certificate.

Step 4: Set up

Open Nginx’s example SSL config file:

sudo nano /etc/nginx/conf.d/example_ssl.conf

Uncomment within the section under the line HTTPS Server. Match your config to the information below, replacing the example.com in the server_name line with your domain name or IP address. Also set your root directory.

# HTTPS server

server {
    listen       443 ssl;
    server_name example.com;

    ssl_certificate /etc/nginx/ssl/example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ecdh_curve secp384r1;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4; # no RC4 and known insecure cipher
location / {
  root   /usr/share/nginx/html;
  index  index.html index.htm;
 }
}

Then restart Nginx.

service nginx restart

Now, visit your website with an https address ( https://your.address.tld ). Your web browser will show a secure connection using your self-signed certificate.