Adding SSL certificate to Nginx
1- Get an SSL certificate and its private key from a CA such as GoDaddy or StartSSL for your web application (the CA supplies an encrypted key; use the passphrase to decrypt it). In my case the files are "1_idmpirate.us_bundle.crt" and "ssl.key".
(I used StartSSL as it is free for one year for non-commercial purposes.)
2- Copy these files to the home directory, e.g. /home/django. Nginx reads the key as root at startup, so the decrypted key file should be readable only by root (chmod 600) and never by the application user.
3- Configure the Nginx site file (named here after the Linux username):
vi /etc/nginx/sites-enabled/django
Create a new server block by adding the following lines at the end of the file:
server {
    listen 443 ssl;
    server_name idmpirate.us;
    root /usr/share/nginx/html;
    index index.html index.htm;
    # "ssl on;" is redundant with "listen 443 ssl" and is rejected by current Nginx releases; keep it only on old versions
    ssl on;
    ssl_certificate /home/django/1_idmpirate.us_bundle.crt;
    ssl_certificate_key /home/django/ssl.key;
    ssl_session_timeout 5m;
    # SSLv3 removed from the original list: it is broken (POODLE) and modern OpenSSL builds no longer offer it
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # one OpenSSL cipher string only; drop the trailing :!3DES if you must keep triple-DES for old clients
    ssl_ciphers "HIGH:!aNULL:!MD5:!3DES";
    ssl_prefer_server_ciphers on;
    # Your Django project's media files - amend as required
    location /media {
        alias /home/django/django_project/django_project/media;
    }
    # Your Django project's static files - amend as required
    location /static {
        alias /home/django/django_project/django_project/static;
    }
    # Proxy the static assets for the Django admin panel
    location /static/admin {
        alias /usr/lib/python2.7/dist-packages/django/contrib/admin/static/admin/;
    }
    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        # tell Django the original request was HTTPS (pair with SECURE_PROXY_SSL_HEADER in settings.py)
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_redirect off;
        # app_server must be defined in an "upstream app_server { ... }" block elsewhere in the Nginx config
        proxy_pass http://app_server;
    }
}
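The post's cipher line as originally written contains " or " inside one quoted string, and its protocol list offers SSLv3, neither of which Nginx or a TLS client will do anything sensible with. The following is an added example (not from the original post) of a small directive linter that parses a server block and reports those problems; it is run here over two constructed configs, the posted one and a tightened copy. The protocol and cipher thresholds it checks are assumptions I chose, not anything Nginx itself enforces.

```python
import re

# Constructed sample: the server block from the post, copied as written
POSTED_CONF = """
server {
    listen 443 ssl;
    server_name idmpirate.us;
    ssl on;
    ssl_certificate /home/django/1_idmpirate.us_bundle.crt;
    ssl_certificate_key /home/django/ssl.key;
    ssl_session_timeout 5m;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
    ssl_prefer_server_ciphers on;
}
"""

# Constructed sample: the same block with the TLS settings tightened
HARDENED_CONF = """
server {
    listen 443 ssl;
    server_name idmpirate.us;
    ssl_certificate /home/django/1_idmpirate.us_bundle.crt;
    ssl_certificate_key /home/django/ssl.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers "HIGH:!aNULL:!MD5:!3DES";
    ssl_prefer_server_ciphers on;
}
"""

# Assumed policy: nothing older than TLS 1.2 on a public endpoint
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Exclusions the post's own cipher string relies on; a string missing any of them is flagged
REQUIRED_EXCLUSIONS = {"aNULL", "MD5", "3DES"}
DIRECTIVE_RE = re.compile(r"^(\w+)\s+(.*?);$")


def parse_directives(conf):
    """Collect simple 'name value;' directives into a dict (comments stripped, last one wins)."""
    directives = {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = DIRECTIVE_RE.match(line)
        if m:
            directives[m.group(1)] = m.group(2).strip().strip("\"'")
    return directives


def audit_tls(conf):
    """Return a list of findings for the TLS directives in an Nginx server block."""
    d = parse_directives(conf)
    findings = []

    if "ssl" in d:
        findings.append("'ssl on;' is deprecated; 'listen 443 ssl;' already enables TLS")

    protocols = set(d.get("ssl_protocols", "").split())
    deprecated = sorted(protocols & DEPRECATED_PROTOCOLS)
    if deprecated:
        findings.append("ssl_protocols offers deprecated versions: " + ", ".join(deprecated))
    if not protocols & {"TLSv1.2", "TLSv1.3"}:
        findings.append("ssl_protocols does not offer TLSv1.2 or TLSv1.3")

    ciphers = d.get("ssl_ciphers", "")
    if " or " in ciphers:
        findings.append("ssl_ciphers contains ' or ': Nginx expects one colon-separated OpenSSL string")
    else:
        excluded = {t[1:] for t in ciphers.split(":") if t.startswith("!")}
        for missing in sorted(REQUIRED_EXCLUSIONS - excluded):
            findings.append("ssl_ciphers does not exclude " + missing)

    if d.get("ssl_prefer_server_ciphers") != "on":
        findings.append("ssl_prefer_server_ciphers is not 'on'")

    for key in ("ssl_certificate", "ssl_certificate_key"):
        if key not in d:
            findings.append(key + " is missing")

    return findings


if __name__ == "__main__":
    for name, conf in (("posted", POSTED_CONF), ("hardened", HARDENED_CONF)):
        print(name + ":", audit_tls(conf) or ["no findings"])
```

Run it against a real site file by reading the file into `audit_tls`; `nginx -t` will catch syntax errors, but it accepts a weak protocol list or a strange cipher string without complaint, which is the gap this check fills.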
4- Open port 443. If ufw (the firewall utility for Ubuntu) is already installed, use the following command:
sudo ufw allow https
Otherwise install ufw, activate it and open ports 22, 80 and 443 (allow ssh before enabling so you are not locked out of the server):
sudo apt-get install ufw
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow ssh
sudo ufw enable
sudo ufw allow http
sudo ufw allow https
sudo ufw allow ftp
sudo ufw allow 21/tcp
sudo ufw allow 6000:6007/tcp
sudo ufw allow 6000:6007/udp
The last four rules (ftp, 21/tcp and the 6000:6007 range) are not needed for HTTPS; keep them only if you actually run those services on this host.
5- Restart nginx:
sudo service nginx restart
In case it fails to restart, use the following command to find the configuration error:
nginx -t
6- Check that the server is listening on 443:
netstat -ntlp | grep LISTEN
or, to confirm the firewall rule is in place (this shows rules, not listening sockets):
ufw status verbose
7- Test https://idmpirate.us
In case of rendering issues, keep in mind that absolute http:// addresses must not be used to include static files such as JS or CSS: browsers refuse to load them from an HTTPS page as mixed content.
Absolute (don't use this):
<link rel="stylesheet" href="http://mydomain.com/css/style.css" />
Use relative:
<link rel="stylesheet" href="/css/style.css" />
If the style is coming from another domain (such as a CDN), use double slashes instead of specifying the protocol. This will cause the path to inherit the protocol the page was requested with when making the CSS request. If the CDN is reachable over HTTPS, an explicit https:// URL works just as well and also stays secure when the page is served over plain HTTP.
<link rel="stylesheet" href="//otherdomain.com/css/style.css" />
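To find the references that cause these rendering issues before a browser does, here is an added example (not part of the original post) that scans an HTML page for subresources loaded over absolute http:// URLs and rewrites them the way the post suggests: own-host URLs become root-relative paths, other hosts are switched to https://. The sample page, the tag list and the `own_hosts` set are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page containing each reference style discussed in the post
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://mydomain.com/css/style.css" />
<link rel="stylesheet" href="/css/style.css" />
<link rel="stylesheet" href="//otherdomain.com/css/style.css" />
<script src="https://cdn.example.net/app.js"></script>
<img src="http://mydomain.com/img/logo.png">
</head><body></body></html>
"""

# Attribute that carries the subresource URL for each tag of interest (assumed list)
URL_ATTRS = {"link": "href", "script": "src", "img": "src", "iframe": "src"}


class RefCollector(HTMLParser):
    """Collect (tag, url) pairs for every subresource reference in the document."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser routes self-closing tags such as <link ... /> here as well
        attr = URL_ATTRS.get(tag)
        if attr:
            for name, value in attrs:
                if name == attr and value:
                    self.refs.append((tag, value))


def classify(url):
    """Return 'absolute-http', 'absolute-https', 'protocol-relative' or 'relative'."""
    parts = urlsplit(url)
    if parts.scheme == "http":
        return "absolute-http"
    if parts.scheme == "https":
        return "absolute-https"
    if url.startswith("//"):
        return "protocol-relative"
    return "relative"


def find_mixed_content(html):
    """Return the (tag, url) pairs a browser would block on an HTTPS page."""
    parser = RefCollector()
    parser.feed(html)
    return [(tag, url) for tag, url in parser.refs if classify(url) == "absolute-http"]


def fix_reference(url, own_hosts):
    """Rewrite an http:// URL: own host -> root-relative path, other hosts -> https://."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url
    if parts.hostname in own_hosts:
        path = parts.path or "/"
        return path + ("?" + parts.query if parts.query else "")
    return "https://" + url[len("http://"):]


ATTR_RE = re.compile(r"\b(href|src)=([\"'])(.*?)\2")


def fix_html(html, own_hosts):
    """Apply fix_reference to every href/src attribute value in the page."""
    return ATTR_RE.sub(
        lambda m: m.group(1) + "=" + m.group(2) + fix_reference(m.group(3), own_hosts) + m.group(2),
        html,
    )


if __name__ == "__main__":
    for tag, url in find_mixed_content(SAMPLE_HTML):
        print("mixed content:", tag, url)
    print(fix_html(SAMPLE_HTML, {"mydomain.com"}))
```

Run `find_mixed_content` over the rendered templates (or a saved copy of the page) after the switch to HTTPS; an empty list means every stylesheet, script and image is fetched either relatively or over TLS.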
You are all set :)