Complete Guide to Set Up HTTPS for

Nginx
1 What is HTTPS?
HTTPS is superman version of HTTP. Okay, actually its secure version of HTTP with super
awesomeness. Its a communications protocol for secure communication, with security
features from SSL/TLS with the old dark magic of private/ public key encryption. Everything
ranging from the head to toe (i.e. header and loads) in the HTTPS message is encrypted. Its
like a naked man (plain text) suddenly going into a dark tunnel and nobody can see him
anymore.

2 Nginx
Nginx is a cool server and everyone who uses it never cares about the feather server
anymore.
To get the cool server:

$ sudo apt-get update

$ sudo apt-get install nginx

3 Generate private key and

certificate
Do the generation:

$ sudo mkdir /etc/nginx/ssl

$ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 keyout /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.crt

Enther the information accordingly. Some samples:

Country Name (2 letter code) [AU]:SG

State or Province Name (full name) [Some-State]:Singapore
Locality Name (eg, city) []:Singapore
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Hack Me If You Can
Organizational Unit Name (eg, section) []:Hack Me If You Can
Common Name (e.g. server FQDN or YOUR name) []:your_domain.com
Email Address []:admin@your_domain.com

Configure your Nginx:

$ cd /etc/nginx/sites-available/
$ sudo emacs default

HTTPS URLs begin with https:// and use port 443 by default, whereas HTTP URLs begin
with http:// and use port 80 by default. Add something to the server block to:

server {

listen 80 default_server;
listen [::]:80 default_server ipv6only=on;

listen 443 ssl;

root /usr/share/nginx/html;
index index.html index.htm;

server_name your_domain.com;
ssl_certificate /etc/nginx/ssl/nginx.crt;
ssl_certificate_key /etc/nginx/ssl/nginx.key;

location / {
try_files $uri $uri/ =404;
}
}

Then restart your server:

$ sudo service nginx restart

Bang! Its done. Visiting your site:

https://your_domain.com

Now you see me:

BANG! You get your HTTPS is less than 10 minutes!

4 Make your HTTPS website

trusted
Do you notice that the https is crossed out by a red line? Browser will issue some
warnings when clients visit your site with your self-signed certificate SSL. This is expected. It
is telling you that the browser cannot verify the identity of the server because your
certificate hasnt been signed by a certificate authority that the browser has been
configured to trust.

To solve this problem, you need to get your HTTPS certificate signed. (Actually you can stop
here if you dont wanna talk to certificate authority and you like the red line).

5 Signing the Certificate

Warning - it takes some time and costs you some cash. But if youre rich and awesome, why
not keep on going? In this step, you need to generate a CSR and submit to some authorities
to get it signed.

Generate a CSR (Certificate Signing Request):

$ openssl x509 -x509toreq -in nginx.crt -out nginx.csr signkey nginx.key

Submit Request

First you need to ensure that you can access admin@your_domain.com since the
authority will send confirmation information regarding the signing approval to that email
and verify that you have the ownership of the domain.
You can submit your CSR to geotrust.com and it costs you some pocket money. Or if you
have a domain name bought in gandi.net, then you can get a free SSL certificate from here.
After submission, verification of email account, BANG! You get your signed certificate:

Update Your Cert and Let the Show Begin

Replace the original nginx.crt with your new nginx.crt signed and then restart
your server and see all the amazingness happens:

9 Force HTTPS
So far, the HTTPS is successfully set up, and you can access your website by
both http://your_domain.com and https://your_domain.com .

If you dont like HTTP or you wanna be cool, you can force all the connections to HTTPS
rather than HTTP/HTTPS hybrid. Fire up your editor can do some hacks in Nginx:
$ cd /etc/nginx/sites-available/
$ sudo emacs default

Update the site config file and separate original 1 server into to 2 server blocks:

server {
listen 80 default_server;
listen [::]:80 default_server ipv6only=on;

server_name your_domain.com;
return 301 https://$server_name$request_uri;
}

server {
listen 443;
ssl on;
root /usr/share/nginx/html;
index index.html index.htm;

server_name your_domain.com;

ssl_certificate /etc/nginx/ssl/nginx.crt;
ssl_certificate_key /etc/nginx/ssl/nginx.key;

location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a
404.
try_files $uri $uri/ =404;
proxy_set_header X-Forwarded-Proto https;
# Uncomment to enable naxsi on this location
# include /etc/nginx/naxsi.rules
}

Some explanations: the first virtual server listening to port 80 (i.e. HTTP) will return HTTP
status code 301 (i.e. moved) and redirect to another virtual server listening to port 443 (i.e.
HTTPS), redirecting the client to https:// version of your site.
Now the server only serve on https, no more http.
Have fun and enjoy the awesomeness.