How to implement SSL on Nginx 0.7.65

Pre-installation notes
The guide bellow is based on the previous guide Hardening guide for Nginx 0.7.65 on RedHat 5.4 (64bit edition)

SSL implementation phase

  1. Login to the server using Root account.
  2. Create folder for the SSL certificate files:
    mkdir -p /usr/local/nginx/ssl
    chmod 600 /usr/local/nginx/ssl
  3. Run the command bellow to generate a key pair:
    /usr/bin/openssl genrsa -des3 -out /usr/local/nginx/ssl/server.key 1024
    Specify a complex pass phrase for the private key (and document it)
  4. Run the command bellow to generate the CSR:
    /usr/bin/openssl req -new -newkey rsa:1024 -nodes -keyout /usr/local/nginx/ssl/server.key -out /tmp/nginx.csr
    Note: The command above should be written as one line.
  5. Send the file /tmp/nginx.csr to a Certificate Authority server.
  6. As soon as you receive the signed public key from the CA server via email, copy all lines starting with “Begin” and ending with “End” (include those two lines), into notepad, and save the file as “server.crt
  7. Copy the file “server.crt” using SCP into /usr/local/nginx/ssl
  8. Follow the link on the email from the CA server, to create the Root CA chain, and save it as “ca-bundle.crt” (Note: The file must be PEM (base64) encoded).
  9. Copy the file “ca-bundle.crt” using SCP into /usr/local/nginx/ssl
  10. Combine the content of both the public key (server.crt) and the Root CA chain (ca-bundle.crt) into one file:
    cat /usr/local/nginx/ssl/ca-bundle.crt /usr/local/nginx/ssl/server.crt > /usr/local/nginx/ssl/server.pem
    Note: The command above should be written as one line.
  11. Remove the original server.crt and ca-bundle.crt files:
    rm -f /usr/local/nginx/ssl/server.crt
    rm -f /usr/local/nginx/ssl/ca-bundle.crt
  12. Edit using VI the file /usr/local/nginx/conf/nginx.conf and replace the section bellow from:
    # HTTPS server
    #
    #server {
    # listen 443;
    # server_name localhost;

    # ssl on;
    # ssl_certificate cert.pem;
    # ssl_certificate_key cert.key;

    # ssl_session_timeout 5m;

    # ssl_protocols SSLv2 SSLv3 TLSv1;
    # ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    # ssl_prefer_server_ciphers on;

    # location / {
    # root html;
    # index index.html index.htm;
    # }
    #}
    To:
    server {
    listen 443;
    server_name Server_FQDN;
    ssl on;
    ssl_certificate /usr/local/nginx/ssl/server.pem;
    ssl_certificate_key /usr/local/nginx/ssl/server.key;
    ssl_session_timeout 5m;
    ssl_protocols SSLv3;
    ssl_ciphers HIGH:!ADH:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
    root /www;
    index index.html index.htm;
    }
    }

  13. Restart the Nginx service:
    /etc/init.d/nginx restart

Leave a Reply

Search This Blog
Labels
NetworkedBlogs