{"id":302715,"date":"2021-07-19T20:00:00","date_gmt":"2021-07-19T17:00:00","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/how-to-create-and-use-self-signed-ssl-in-nginx-cloudsavvy-it\/"},"modified":"2021-07-19T20:00:00","modified_gmt":"2021-07-19T17:00:00","slug":"how-to-create-and-use-self-signed-ssl-in-nginx-cloudsavvy-it","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/how-to-create-and-use-self-signed-ssl-in-nginx-cloudsavvy-it\/","title":{"rendered":"#How to Create and Use Self-Signed SSL in Nginx \u2013 CloudSavvy IT"},"content":{"rendered":"<div id=\"article-content-area\">\n<p><img loading=\"lazy\" decoding=\"async\" class=\"type:primaryImage alignnone wp-image-1311 size-full\" src=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2019\/08\/41534ce8.png?width=1198&amp;trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"Nginx logo\" width=\"700\" height=\"300\" \/><\/p>\n<p>If you just need encryption for internal server connections or non-user facing sites, signing your own SSL certificates is an easy way to avoid dealing with an external certificate authority. 
Here\u2019s how to set it up in nginx.<\/p>\n<p>If you are more interested in getting free SSL certificates, you can always use Let\u2019s Encrypt, which is more suitable for public servers with user-facing websites because the certificate will show up as coming from a recognized certificate authority in users\u2019 browsers. However, it can\u2019t issue certificates for private IP addresses, which is why you must sign a cert yourself.<\/p>\n<h2 role=\"heading\" aria-level=\"2\"><span class=\"ez-toc-section\" id=\"Generate_and_Self-Sign_an_SSL_Certificate\"><\/span>Generate and Self-Sign an SSL Certificate<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>To do this, we\u2019ll use the <code>openssl<\/code> utility. You likely have this installed already, as it\u2019s a dependency of Nginx. But if it\u2019s somehow missing, you can install it from your distro\u2019s package manager. For Debian-based systems like Ubuntu, that would be:<\/p>\n<pre>sudo apt-get install openssl<\/pre>\n<p>After <code>openssl<\/code> is installed, you can generate the certificate with the following command:<\/p>\n<pre>sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout \/etc\/ssl\/private\/nginx.key -out \/etc\/ssl\/certs\/nginx.crt<\/pre>\n<p>You\u2019ll be asked for some info about your organization. Because this is self-signed, the only one that really matters is \u201cCommon Name,\u201d which should be set to your domain name or your server\u2019s IP address.<\/p>\n<pre>Country Name (2 letter code) []:\nState or Province Name (full name) []:\nLocality Name (eg, city) []:\nOrganization Name (eg, company) []:\nOrganizational Unit Name (eg, section) []:\nCommon Name (eg, fully qualified host name) []: your_ip_address\nEmail Address []:<\/pre>\n<p>This will take a second to generate a new RSA private key, used to sign the certificate, and store it in <code>\/etc\/ssl\/private\/nginx.key<\/code>. 
The certificate itself is stored in <code>\/etc\/ssl\/certs\/nginx.crt<\/code>, and is valid for an entire year.<\/p>\n<p>We\u2019ll also want to generate a Diffie-Hellman group. This is used for perfect forward secrecy, which generates ephemeral session keys to ensure that past communications cannot be decrypted if the session key is compromised. This isn\u2019t entirely necessary for internal communications, but if you want to be as secure as possible you shouldn\u2019t skip this step.<\/p>\n<pre>sudo openssl dhparam -out \/etc\/nginx\/dhparam.pem 4096<\/pre>\n<p>This does take a while\u2014about an hour depending on how fast your server is. Grab some lunch, and come back to your terminal in a bit to configure Nginx.<\/p>\n<h2 role=\"heading\" aria-level=\"2\"><span class=\"ez-toc-section\" id=\"Configure_Nginx_to_Use_Your_Private_Key_and_SSL_Certificate\"><\/span>Configure Nginx to Use Your Private Key and SSL Certificate<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>To make things easy, we\u2019ll put all the configuration in a snippet file that we can include in our nginx <code>server<\/code> blocks. 
Create a new configuration snippet in nginx\u2019s <code>snippets<\/code> directory:<\/p>\n<pre>touch \/etc\/nginx\/snippets\/self-signed.conf<\/pre>\n<p>Open it up in your favorite text editor, and paste the following in:<\/p>\n<pre>ssl_certificate \/etc\/ssl\/certs\/nginx.crt;\nssl_certificate_key \/etc\/ssl\/private\/nginx.key;\n\nssl_protocols TLSv1.2;\nssl_prefer_server_ciphers on;\nssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;\nssl_session_timeout 10m;\nssl_session_cache shared:SSL:10m;\nssl_session_tickets off;\nssl_stapling on;\nssl_stapling_verify on;\nresolver 8.8.8.8 8.8.4.4 valid=300s;\nresolver_timeout 5s;\nadd_header X-Frame-Options DENY;\nadd_header X-Content-Type-Options nosniff;\nadd_header X-XSS-Protection \"1; mode=block\";\n\nssl_dhparam \/etc\/nginx\/dhparam.pem;\nssl_ecdh_curve secp384r1;<\/pre>\n<p>The first two lines of this snippet configure nginx to use our self-made certificate and our own private key. The next block is general SSL settings, and finally the last two lines configure nginx to use our Diffie-Hellman group for forward secrecy. You can omit the <code>ssl_dhparam<\/code> line if you didn\u2019t feel like waiting for the group to generate.<\/p>\n<p>The only other thing to enable would be HTTP Strict Transport Security, which configures your site to always use SSL. 
This would require a permanent redirect from HTTP to HTTPS, so you should verify that SSL works before enabling it.<\/p>\n<p>Now, modify your primary nginx configuration (usually located at <code>\/etc\/nginx\/nginx.conf<\/code> for single sites, or under your domain name in <code>\/etc\/nginx\/sites-available<\/code> for multi-site servers), and source the snippet:<\/p>\n<pre>server {\n    listen 443 ssl;\n    listen [::]:443 ssl;\n\n    include snippets\/self-signed.conf;\n\n    server_name example.com www.example.com;\n    . . .\n}<\/pre>\n<p>You\u2019ll also want to set up a redirect from HTTP to HTTPS, which you can do with an additional server block listening on port 80:<\/p>\n<pre>server {\n    listen 80;\n    listen [::]:80;\n\n    server_name example.com www.example.com;\n\n    return 302 https:\/\/$server_name$request_uri;\n}<\/pre>\n<p>This is a 302 redirect, which is only temporary. You\u2019ll want to switch this to 301 if everything works properly.<\/p>\n<p>Test your configuration by restarting nginx:<\/p>\n<pre>sudo service nginx restart<\/pre>\n<p>Because HTTPS traffic uses port 443, you\u2019ll need to configure your firewalls to allow transport over that port. If you\u2019re using <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.howtogeek.com\/177621\/the-beginners-guide-to-iptables-the-linux-firewall\/\">iptables<\/a> or UFW, you\u2019ll need to open ports from the command line. 
If you\u2019re using a hosting service like AWS that has a built-in firewall, you\u2019ll need to also open them from their web interface.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-968 size-full\" src=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2019\/07\/66b6dedf.png?trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"AWS firewall interface\" width=\"700\" height=\"300\" \/><\/p>\n<p>If your service is operating entirely within your LAN, you might want to whitelist your specific subnet of IP addresses to disable access from outside the LAN, and access your servers through a VPN connection.<\/p>\n<p>If everything works correctly, you should now be able to access your server over HTTPS. Your web browser may display a warning like this:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-1310 size-full\" src=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2019\/08\/29a0e701.png?trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"chrome SSL warning\" width=\"700\" height=\"300\" \/><\/p>\n<p>Don\u2019t worry, this is expected, and the reason why you can\u2019t use these certificates for client-facing websites. You\u2019ll have to manually confirm that you trust the server in order to access it.<\/p>\n<p>The warning displayed here is slightly misleading\u2014your site is secure so long as the private key is not compromised, and it\u2019s perfectly secure if you set up Diffie-Hellman forward secrecy. 
The problem lies in identity, as Chrome can\u2019t verify that your server is who it says it is, because you signed the cert yourself.<\/p>\n<p>Once you\u2019ve verified that there are no issues with SSL, you can switch the HTTP redirect to a 301 redirect:<\/p>\n<pre>return 301 https:\/\/$server_name$request_uri;<\/pre>\n<p>And restart nginx to apply the changes.\n<\/p><\/div>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/www.cloudsavvyit.com\/1306\/how-to-create-and-use-self-signed-ssl-on-nginx\/\" target=\"_blank\" rel=\"noopener\">Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;#How to Create and Use Self-Signed SSL in 
Nginx \u2013 CloudSavvy IT&#8221; If you just need encryption for internal server connections or non-user facing sites, signing your own SSL certificates is an easy way to avoid dealing with an external certificate authority. Here\u2019s how to set it up in nginx. If you are more interested&#8230;<\/p>\n","protected":false},"author":1,"featured_media":302716,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2019\/08\/41534ce8.png","fifu_image_alt":"","footnotes":""},"categories":[18],"tags":[],"class_list":["post-302715","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/302715","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=302715"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/302715\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/302716"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=302715"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=302715"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=302715"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}