How to enable SSL and TLS 1.3 on NGINX

Jack Wallen walks you through the steps for enabling SSL and TLS 1.3 on your NGINX websites.

It's time everyone migrated from good ole' HTTP to HTTPS. This is especially true now that the latest browsers make it very clear when a website is not secure. And when you combine SSL with the one-two punch of TLS (see How to build NGINX with TLS support on Ubuntu Server 18.04), your sites will gain even more security and performance.

But how do you enable SSL for NGINX? I'm going to walk you through that very process. I'll be demonstrating on Ubuntu Server 18.04, using self-signed certificates. Chances are you will use certificates purchased from a provider. Should that be the case, make sure you edit the steps to reflect that.

Let's configure.

Generating self-signed certificates

Remember, this is only for demonstration purposes. On your production servers, you want to use certificates purchased from a reputable Certificate Authority (CA). But for testing purposes, self-signed certificates will do fine. Here's how you create them.

Open a terminal window and follow these steps:

  1. Generate the private key with the command: sudo openssl genrsa -out ca.key 2048
  2. Generate the certificate signing request (CSR) with the command: sudo openssl req -new -key ca.key -out ca.csr
  3. Generate the self-signed certificate with the command: sudo openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt

Now we need to copy the newly generated files to the correct locations with the following commands:

sudo cp ca.crt /etc/ssl/certs/
sudo cp ca.key /etc/ssl/private/
sudo cp ca.csr /etc/ssl/private/

Create the NGINX Configuration

Remember, we want to enable SSL with TLS support. To do this, we must create a new NGINX configuration file with the command:

sudo nano /etc/nginx/conf.d/ssl.conf

In that file, paste the following:

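server {

    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }

    # Serve HTTPS on port 443 for this host name.
    listen              443 ssl;
    server_name         www.example.com;
    # Self-signed certificate and private key created above.
    ssl_certificate     /etc/ssl/certs/ca.crt;
    ssl_certificate_key /etc/ssl/private/ca.key;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); drop them unless old clients need them.
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    # With OpenSSL 1.1.1 and later this list applies to TLS 1.2 and earlier; TLS 1.3 suites
    # are named with underscores (e.g. TLS_AES_256_GCM_SHA384) and are enabled by default.
    ssl_ciphers    TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256:HIGH:!aNULL:!MD5;

}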

Note: Make sure to change the root location to reflect your NGINX installation. If, however, you follow the steps to build NGINX with TLS support, the above configuration should work.

Save and close the file. Test the new NGINX configuration file with the command:

sudo nginx -t

You should see that the test passes (Figure A).

Figure A: Our new configuration file has passed the test.
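nginx -t checks the syntax of the file and the files it refers to, but it does not say which protocol versions the file enables. The script below is an added example, not part of the original article, that lists the protocols named in ssl_protocols directives and flags the deprecated ones. The function names are hypothetical, and it assumes one directive per line, as in the ssl.conf above.

```shell
#!/bin/sh
# Added example, not from the original article. Function names are
# hypothetical. Assumes one directive per line, as in the ssl.conf above.

# Print each protocol named by an ssl_protocols directive in file $1,
# one per line, with comments stripped.
list_ssl_protocols() {
    sed -e 's/#.*//' "$1" |
        awk '$1 == "ssl_protocols" {
            for (i = 2; i <= NF; i++) {
                sub(/;$/, "", $i)
                if ($i != "") print $i
            }
        }' | LC_ALL=C sort -u
}

# Report on file $1. Exit status 0 only when TLSv1.3 is enabled and no
# deprecated protocol is. The body runs in a subshell, so "exit" ends the
# function only and its variables do not leak into the caller.
audit_ssl_protocols() (
    protos=$(list_ssl_protocols "$1")
    if [ -z "$protos" ]; then
        echo "WARN  no ssl_protocols directive; NGINX defaults apply"
        exit 1
    fi
    status=0
    for p in $protos; do
        case "$p" in
            SSLv2|SSLv3|TLSv1|TLSv1.1)
                echo "FAIL  $p is enabled but deprecated"; status=1 ;;
            TLSv1.2|TLSv1.3)
                echo "OK    $p is enabled" ;;
            *)
                echo "WARN  unrecognised value: $p"; status=1 ;;
        esac
    done
    if ! printf '%s\n' "$protos" | grep -qxF 'TLSv1.3'; then
        echo "FAIL  TLSv1.3 is not enabled"; status=1
    fi
    exit "$status"
)

# Stand-alone use: sh audit.sh /etc/nginx/conf.d/ssl.conf
if [ "$#" -gt 0 ]; then
    audit_ssl_protocols "$1"
fi
```

Run against the ssl.conf from this article, it reports TLSv1 and TLSv1.1 as deprecated and exits non-zero; with ssl_protocols reduced to TLSv1.2 TLSv1.3 it exits zero.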


Restart and test

Now we need to restart NGINX. Do so with the command:

sudo systemctl restart nginx

Point a browser to https://SERVER_IP, and you should see the NGINX welcome screen. To make sure the site is being delivered with TLS 1.3 enabled, you can use your browser's built-in tool. For example, in Firefox, open the page and then click the security button (the lock icon at the left edge of the address bar). Click the right-facing arrow associated with the page and then click More Information. In the resulting window (Figure B), you should see that the connection is encrypted with TLS 1.3.

Figure B: Our NGINX site is encrypted with the TLS 1.3 protocol.


And that's all there is to enabling SSL and TLS on your NGINX website. Remember, you should use an SSL certificate from a reputable Certificate Authority. But it's always a good idea to use self-signed certificates for testing purposes. Once you are confident in the process, purchase a certificate and deploy it for your NGINX site.

About Jack Wallen

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website jackwallen.com.
