Nginx is an open source web server, and over the past few years it's started to become a popular alternative to the dominant Apache HTTP server.
Installing an SSL certificate on a server running Nginx isn't very difficult, particularly if you've ever installed one on Apache, but there are a few differences.
First, we need to make sure Nginx has been installed with SSL support enabled. To list the configuration options compiled into your installation of Nginx, run the command: nginx -V (You must use a capital 'V', otherwise it will only print the version number). Here's a sample output:
root@server:~$ nginx -V
nginx version: nginx/0.7.67
configure arguments: --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --pid-path=/var/run/nginx.pid --lock-path=/var/lock/nginx.lock --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/body --http-proxy-temp-path=/var/lib/nginx/proxy --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --with-debug --with-http_stub_status_module --with-http_flv_module --with-http_ssl_module --with-http_dav_module
From this, we can see that the --with-http_ssl_module option was applied when Nginx was configured, so SSL support is enabled.
Let's assume we already have a virtual host file set up for a non-secure version of the site example.co.uk. By default, Nginx uses a 'Debian style layout', so vhost files will be created in the sites-available folder, and then symlinked to the sites-enabled folder when they're ready to be made live. To edit the file, open it with your text editor of choice, e.g.
vim /etc/nginx/sites-available/example.co.uk
The vhost file should look something like this:
server {
    listen 80;
    server_name www.example.co.uk;
    rewrite ^/(.*) http://example.co.uk/$1 permanent;
}

server {
    listen 80;
    server_name example.co.uk;
    access_log /home/example.co.uk/log/access.log;
    error_log /home/example.co.uk/log/error.log;
    location / {
        root /home/example.co.uk/public_html/;
        index index.html;
    }
}
Copy each of these server blocks and paste the duplicates at the bottom of the vhost file, then change the port setting in this second set from 80 to 443. With these changes in place, Nginx will listen for requests for example.co.uk on both port 80 and port 443.
We next need to enable SSL for the site and tell Nginx where to find the certificate. To do this, we need to add three lines between the listen and server_name directives:
listen 443;
ssl on;
ssl_certificate /etc/ssl/certs/example.crt;
ssl_certificate_key /etc/ssl/private/example.key;
server_name example.co.uk;
Note: This assumes your certificate and key are stored in the /etc/ssl/ directory. Modify as necessary to point Nginx to the correct path.
Save the changes and restart Nginx – it's usually best to stop and start Nginx, rather than just issuing a restart, as the init script has been known to fail to apply changes when just restarted.
/etc/init.d/nginx stop
/etc/init.d/nginx start
And then test your secure site by going to:
Chain certificates:
Chain certificates (also known as intermediate certificates) aren't defined in a separate file, as they are with Apache. You just need to add them to the bottom of the main certificate file. Assuming both files are in /etc/ssl/certs, you can append the intermediate certificate to the main certificate file by running:
cat /etc/ssl/certs/intermediate.crt >> /etc/ssl/certs/example.crt
Make sure the intermediate certificate is below the main certificate, otherwise you will get a key mismatch error.
Further reading:
More information on the HttpSsl module can be found at:
http://wiki.nginx.org/NginxHttpSslModule