Nginx
1 What is HTTPS?
HTTPS is the Superman version of HTTP. Okay, actually it's the secure version of HTTP, with super
awesomeness. It's a protocol for secure communication, with the security
features coming from SSL/TLS and the old dark magic of private/public key encryption. Everything
from head to toe (i.e. headers and payload) in the HTTPS message is encrypted. It's
like a naked man (plain text) suddenly going into a dark tunnel where nobody can see him
anymore.
2 Nginx
Nginx is a cool server and everyone who uses it never cares about the feather server
anymore.
To get the cool server:
$ cd /etc/nginx/sites-available/
$ sudo emacs default
HTTPS URLs begin with https:// and use port 443 by default, whereas HTTP URLs begin
with http:// and use port 80 by default. Add the SSL lines to the server block:
server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;
    # HTTPS listener; without it the certificate lines below are never used
    listen 443 ssl;

    root /usr/share/nginx/html;
    index index.html index.htm;
    server_name your_domain.com;

    # Certificate and private key presented to HTTPS clients
    ssl_certificate /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;

    location / {
        try_files $uri $uri/ =404;
    }
}
https://your_domain.com
To solve this problem, you need to get your HTTPS certificate signed. (Actually you can stop
here if you don't wanna talk to a certificate authority and you like the red line.)
Submit Request
First you need to make sure that you can access admin@your_domain.com, since the
authority will send the confirmation for the signing approval to that address
and verify that you own the domain.
You can submit your CSR to geotrust.com, and it costs you some pocket money. Or if you
have a domain name bought at gandi.net, you can get a free SSL certificate from there.
After submission and verification of the email account, BANG! You get your signed certificate:
Replace the original nginx.crt with your new signed nginx.crt, then restart
your server and see all the amazingness happen:
9 Force HTTPS
So far, HTTPS is successfully set up, and you can access your website at
both http://your_domain.com and https://your_domain.com .
If you don't like HTTP or you wanna be cool, you can force all connections onto HTTPS
rather than running an HTTP/HTTPS hybrid. Fire up your editor and do some hacks in Nginx:
$ cd /etc/nginx/sites-available/
$ sudo emacs default
Update the site config file and split the original single server block into two server blocks:
server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;
    server_name your_domain.com;
    # Send every plain-HTTP request to the HTTPS site
    return 301 https://$server_name$request_uri;
}
server {
    # "listen 443 ssl" replaces the obsolete "listen 443; ssl on;" pair
    # (the ssl directive was removed in nginx 1.25.1)
    listen 443 ssl;
    root /usr/share/nginx/html;
    index index.html index.htm;
    server_name your_domain.com;
    ssl_certificate /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;
    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
        proxy_set_header X-Forwarded-Proto https;
        # Uncomment to enable naxsi on this location
        # include /etc/nginx/naxsi.rules
    }
}
Some explanations: the first virtual server, listening on port 80 (i.e. HTTP), returns HTTP
status code 301 (i.e. moved permanently) and redirects the client to the https:// version of your site,
which is served by the second virtual server listening on port 443 (i.e. HTTPS).
Now the server only serves HTTPS, no more HTTP.
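An offline check for the two-block layout described above, added here as an example and not part of the original tutorial: it parses a site file and reports server blocks that still answer plain HTTP without redirecting, or that mix up the TLS listener and certificate lines. The names server_blocks, audit and HYBRID are hypothetical, and it assumes a sites-available style file with server blocks at the top level and no quoted braces or semicolons.

```python
import re

def server_blocks(conf):
    """Return each top-level `server { ... }` block as a list of directives."""
    tokens = re.findall(r"[{};]|[^\s{};]+", re.sub(r"#[^\n]*", "", conf))
    blocks, current, words, depth = [], None, [], 0
    for tok in tokens:
        if tok == "{":
            if depth == 0 and words == ["server"]:
                current = []
            depth += 1
        elif tok == "}":
            depth -= 1
            if depth == 0 and current is not None:
                blocks.append(current)
                current = None
        elif tok != ";":
            words.append(tok)          # still collecting one directive
            continue
        elif depth == 1 and current is not None and words:
            current.append(words)      # server-level directive (not location-level)
        words = []
    return blocks

def audit(conf):
    """Report server blocks that break the forced-HTTPS layout."""
    findings = []
    for n, block in enumerate(server_blocks(conf), 1):
        names = {d[0] for d in block}
        listens = [d[1:] for d in block if d[0] == "listen"] or [["80"]]  # nginx default
        ssl_on = ["ssl", "on"] in block    # legacy switch, removed in nginx 1.25.1
        tls = [l for l in listens if ssl_on or "ssl" in l]
        plain = [l for l in listens if l not in tls]
        redirect = any(d[0] == "return" and d[1:2] in (["301"], ["308"])
                       and d[-1].startswith("https://") for d in block)
        if plain and not redirect:
            findings.append(f"server {n}: plain HTTP listener without https:// redirect")
        if any(re.search(r"(^|:)443$", l[0]) for l in plain):
            findings.append(f"server {n}: port 443 listener lacks the ssl parameter")
        if tls and not {"ssl_certificate", "ssl_certificate_key"} <= names:
            findings.append(f"server {n}: TLS listener without certificate and key")
        if "ssl_certificate" in names and not tls:
            findings.append(f"server {n}: certificate set but no listener uses TLS")
    return findings

# Constructed sample: the HTTP/HTTPS hybrid layout, before the redirect block exists.
HYBRID = """server { listen 80 default_server; listen 443 ssl;
  ssl_certificate /etc/nginx/ssl/nginx.crt; ssl_certificate_key /etc/nginx/ssl/nginx.key; }"""
if __name__ == "__main__":
    print(audit(HYBRID))
```

An empty list means every port-80 block redirects permanently to https:// and every TLS listener has its certificate and key; run it against the edited file before restarting the server.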
Have fun and enjoy the awesomeness.