Sunday, August 16, 2020

Add SSL support to nginx deployments

This is essentially a copy and paste of important points found at https://www.techrepublic.com/article/how-to-enable-ssl-on-nginx/. Please stop and go there to get a more complete version.

If you are following the logic and nginx configuration steps found at http://webmaxtor.blogspot.com/2020/08/flask-python-sqlite-aws-ec2-nginx.html, feel free to follow this abridged and customized version instead.

Generate a self-signed certificate and private key (openssl will prompt for the subject fields; enter the server's hostname as the Common Name):

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt

Configure nginx to use SSL:

sudo nano /etc/nginx/snippets/self-signed.conf

ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;

sudo nano /etc/nginx/snippets/ssl-params.conf

ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
ssl_ecdh_curve secp384r1;
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";

The TechRepublic list also names ECDHE-RSA-AES256-GCM-SHA512 and DHE-RSA-AES256-GCM-SHA512. OpenSSL has no such cipher suites (the AES-256-GCM suites use SHA384) and silently ignores unknown names, so they are dropped here. If your nginx is built against OpenSSL 1.1.1 or newer you can also list TLSv1.3 in ssl_protocols. The resolver lines exist in this snippet to support OCSP stapling, which a self-signed certificate cannot use; they are harmless but do nothing yet.
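The ssl_ciphers string is handed straight to OpenSSL, which quietly skips any name it does not recognize, so the only reliable way to know what a cipher string really enables is to ask the OpenSSL you are running. The following Python script is an added example, not part of the original post or of the TechRepublic guide: it feeds the cipher string as published in that guide to the local OpenSSL through Python's ssl module and reports which names resolved to real suites and which were ignored. The cipher string is embedded as constructed input; the helper names are my own.

```python
import ssl

# The ssl_ciphers string as published in the TechRepublic guide this post
# abridges. Constructed input for this example; two of the five names are
# not OpenSSL cipher suites at all.
GUIDE_CIPHERS = (
    "ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:"
    "ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES256-SHA384"
)


def _explicit_names(cipher_string):
    """Tokens that name a single suite (e.g. ECDHE-RSA-AES256-GCM-SHA384).

    Heuristic: keyword tokens such as HIGH, !aNULL or ECDHE+AESGCM expand to
    many suites and are skipped, so only hyphenated tokens without operator
    characters are treated as explicit suite names.
    """
    return [
        tok for tok in cipher_string.split(":")
        if tok and "-" in tok and not any(ch in tok for ch in "!+@")
    ]


def resolve_cipher_string(cipher_string):
    """Ask the local OpenSSL what an nginx ssl_ciphers string really enables.

    Returns (enabled, ignored):
      enabled - TLS 1.2 (and older) suite names OpenSSL turned on, in its
                preference order; TLS 1.3 suites are excluded because
                ssl_ciphers / set_ciphers do not govern them.
      ignored - explicit names in the string that OpenSSL did not recognize.
    Raises ssl.SSLError if no token matches anything, the same condition
    that makes nginx refuse to start.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    enabled = [
        c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"
    ]
    ignored = [n for n in _explicit_names(cipher_string) if n not in enabled]
    return enabled, ignored


def is_valid_cipher_string(cipher_string):
    """True if OpenSSL accepts the string at all (at least one suite matched)."""
    try:
        ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER).set_ciphers(cipher_string)
    except ssl.SSLError:
        return False
    return True


if __name__ == "__main__":
    enabled, ignored = resolve_cipher_string(GUIDE_CIPHERS)
    print("OpenSSL:", ssl.OPENSSL_VERSION)
    print("enabled:", ", ".join(enabled))
    print("ignored:", ", ".join(ignored) or "(none)")
```

Run it on the server itself so that it uses the same OpenSSL nginx links against. A string made only of unrecognized names is the case to watch for: OpenSSL rejects it outright and nginx will not start, whereas a string with one valid name among several bogus ones starts fine and simply offers fewer suites than you intended.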

Generate the Diffie-Hellman parameters file referenced by ssl_dhparam (this can take a few minutes):

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

Assuming you are editing the file directly in sites-enabled rather than sites-available, do the following. Alternatively you can create the same file in sites-available and symlink it into sites-enabled.

sudo nano /etc/nginx/sites-enabled/bttb

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    include snippets/self-signed.conf;
    include snippets/ssl-params.conf;

    server_name 100.25.168.210 therealsitename.com www.therealsitename.com;
    location /static {
        alias /home/ubuntu/bttb/app_BTTB/static;
    }

    location / {
        proxy_pass http://localhost:8000;
        include /etc/nginx/proxy_params;
        proxy_redirect off;
    }
}

server {
    listen 80;
    listen [::]:80;

    server_name 100.25.168.210 therealsitename.com www.therealsitename.com;

    return 302 https://$host$request_uri;
}

The redirect uses $host rather than $server_name. $server_name expands to the first entry of the server_name directive, which here is the IP address, so every plain-http visitor to therealsitename.com would be bounced to https://100.25.168.210/, a name the certificate is unlikely to match; $host preserves whatever name the client actually asked for. Once you are satisfied the redirect works, change 302 to 301 so browsers cache it.

Check the configuration for syntax errors and, if ufw is active, open the firewall for HTTPS. The nginx package installs the profiles that ufw app list shows; Nginx Full covers ports 80 and 443.

sudo nginx -t
sudo ufw app list
sudo ufw allow 'Nginx Full'

Restart and try https: and http: access. Both should land on your page over https; the browser will warn that the certificate is self-signed, which is expected until you replace it with one issued by a public CA.

sudo systemctl restart nginx
