Setting up SSL with Nginx and SSLMate

SSLMate
I recently discovered a pretty amazing SSL service called SSLMate that is designed for developers with simplicity of use in mind. Because of how simple they make things, this post will be extremely short. In fact, you could just head over to their page and easily get going by yourself. Nevertheless, I will outline it here.

If you prefer “free” instead and don’t mind doing extra work and navigating a confusing website, you can refer to my previous article, Setting up SSL with Nginx and Startssl.

Preparations

The only prerequisite is that you have the package “ca-certificates” installed on your server.

sudo apt-get install ca-certificates

Now we need to install the SSLMate client itself. Note: the repository paths differ per OS, so browse over to https://sslmate.com/help/getting_started to get the appropriate lines (the ones below are for Ubuntu 14.04). The second wget installs SSLMate’s APT signing key into /etc/apt/trusted.gpg.d, so from then on you are trusting that key for package updates; both files are fetched over HTTPS.

sudo wget -P /etc/apt/sources.list.d https://sslmate.com/apt/ubuntu1404/sslmate.list
sudo wget -P /etc/apt/trusted.gpg.d https://sslmate.com/apt/ubuntu1404/sslmate.gpg
sudo apt-get update
sudo apt-get install sslmate

Obviously you need to sign up on SSLMate’s website and enter your credit card details (the card is not charged until you run the buy command).

Now on the command line, go to the folder in which you want to store the certs (I made one at ~/certs) and run the buy command. Note: certs issued for hostname.com also cover www.hostname.com. The command writes HOSTNAME.key (the private key, which the client generates locally) and HOSTNAME.chained.crt (your certificate followed by the intermediate chain) into the current directory.

mkdir ~/certs
cd ~/certs
sslmate buy HOSTNAME

Now we need to configure nginx to use the certificates. I typically symlink the certs into the /etc/nginx/ssl folder (you may need to create it). Whatever layout you choose, keep the private key readable by root only (-rw-------): nginx’s master process runs as root and reads the key at startup and on reload, so the unprivileged worker user needs no access to it.

sudo mkdir /etc/nginx/ssl
sudo ln -s ~/certs/HOSTNAME.key /etc/nginx/ssl/HOSTNAME.key
sudo ln -s ~/certs/HOSTNAME.chained.crt /etc/nginx/ssl/HOSTNAME.chained.crt

You need to modify your domain’s virtual host file to change the port and add the certificate information. The top lines inside the main “server” block for that domain should read like this. (The ssl_protocols line reflects the guidance current when this was written; TLS 1.0 and 1.1 have since been deprecated by RFC 8996, so on a current nginx drop those two from the list and add TLSv1.3 if your OpenSSL supports it.)


listen 443 ssl;
ssl_certificate_key /etc/nginx/ssl/HOSTNAME.key;
ssl_certificate /etc/nginx/ssl/HOSTNAME.chained.crt;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

If you run an HTTPS-only site, you should consider using HTTP Strict Transport Security (HSTS). HSTS tells a browser that the website should only be accessed through a secure connection; the browser remembers this for max-age seconds (one year here) and will refuse plain-HTTP and certificate-error connections to the host for that time, so enable it only once everything on the host works over HTTPS. Just add this below the certificate lines. Two nginx caveats: add_header directives are not inherited into a location block that sets any add_header of its own, so repeat the line in such blocks; and without the always parameter (nginx 1.7.5 and newer) the header is only sent on 2xx and 3xx responses.

add_header Strict-Transport-Security max-age=31536000;

Unrelated to TLS but commonly set alongside it: if you serve a page over HTTPS, you usually never want your content framed by other sites, which is what clickjacking relies on. The X-Frame-Options header controls this: DENY refuses all framing, while SAMEORIGIN would still let your own pages frame each other. You can configure this by adding this line below the previous ones.

add_header X-Frame-Options DENY;

Now if you want to use SSLMate’s recommended security settings in their entirety, make the SSL part of your server block look like this (keep the listen 443 ssl; line from above, which this listing omits; note that it uses a six-month HSTS max-age rather than the one-year value above). The cipher list dates from 2014 and still enables DES-CBC3-SHA, which the later Sweet32 attack on 64-bit block ciphers removed from every current recommended list.

ssl_certificate_key /etc/nginx/ssl/HOSTNAME.key;
ssl_certificate /etc/nginx/ssl/HOSTNAME.chained.crt;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;
ssl_dhparam /usr/share/sslmate/dhparams/dh2048-group14.pem;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:5m;
add_header Strict-Transport-Security max-age=15768000;
add_header X-Frame-Options DENY;
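The settings above are what SSLMate recommended when this was written, and two of them have aged: TLS 1.0 and 1.1 were formally deprecated by RFC 8996 in 2021, and 3DES (DES-CBC3-SHA) fell to the Sweet32 birthday attack. The script below is an added example for this post, not SSLMate’s code: it reads the TLS directives from an nginx server block and flags legacy protocols, still-enabled 3DES/RC4/MD5 suites, and a missing Strict-Transport-Security header. The two sample configs it carries are constructed for the example, one an abridged copy of the listing above, the other a TLS 1.2/1.3-only replacement; the audit_tls_config, sample_config and finding names are mine.

```sh
#!/bin/sh
# Static audit of the TLS directives in an nginx server block.
# Added example for this post, not SSLMate's code.  Flags what has aged since
# the listing above was written: TLS 1.0/1.1 (deprecated by RFC 8996) and
# 3DES/RC4/MD5 suites, plus a missing Strict-Transport-Security header.
set -u

# Print one line per finding in FILE; the exit status is the number of findings.
audit_tls_config() {
    f=$1
    n=0

    # ssl_protocols: anything older than TLSv1.2 is a finding.  If the directive
    # is absent, nginx before 1.23.4 defaults to "TLSv1 TLSv1.1 TLSv1.2".
    protos=$(sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]*\(.*\);.*/\1/p' "$f")
    if [ -z "$protos" ]; then
        echo "ssl_protocols not set; older nginx defaults include TLSv1 and TLSv1.1"
        n=$((n + 1))
    fi
    for p in $protos; do
        case $p in
            SSLv2|SSLv3|TLSv1|TLSv1.1) echo "legacy protocol enabled: $p"; n=$((n + 1)) ;;
        esac
    done

    # ssl_ciphers: an OpenSSL cipher list is ':'-separated; a token starting
    # with '!' removes suites from the list, so only un-negated matches count.
    ciphers=$(sed -n "s/^[[:space:]]*ssl_ciphers[[:space:]]*'\{0,1\}\([^';]*\)'\{0,1\};.*/\1/p" "$f")
    saved_ifs=$IFS; IFS=:
    for c in $ciphers; do
        case $c in
            !*) ;;
            *DES-CBC3*|*3DES*|*RC4*|*MD5*) echo "weak cipher suite enabled: $c"; n=$((n + 1)) ;;
        esac
    done
    IFS=$saved_ifs

    # HSTS: the HTTPS server block should send it.
    if ! grep -q '^[[:space:]]*add_header[[:space:]]*Strict-Transport-Security' "$f"; then
        echo "no Strict-Transport-Security header"
        n=$((n + 1))
    fi
    return $n
}

# Constructed sample inputs for the audit.  "page" is an abridged copy of the
# listing above (same protocols, a shortened ssl_ciphers string that keeps
# DES-CBC3-SHA); "hardened" is a TLS 1.2/1.3-only replacement.
sample_config() {
    case $1 in
    page) cat <<'EOF'
listen 443 ssl;
ssl_certificate_key /etc/nginx/ssl/HOSTNAME.key;
ssl_certificate /etc/nginx/ssl/HOSTNAME.chained.crt;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!EDH-RSA-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;
ssl_dhparam /usr/share/sslmate/dhparams/dh2048-group14.pem;
add_header Strict-Transport-Security max-age=15768000;
add_header X-Frame-Options DENY;
EOF
    ;;
    hardened) cat <<'EOF'
listen 443 ssl;
ssl_certificate_key /etc/nginx/ssl/HOSTNAME.key;
ssl_certificate /etc/nginx/ssl/HOSTNAME.chained.crt;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';
ssl_prefer_server_ciphers off;
add_header Strict-Transport-Security "max-age=63072000" always;
add_header X-Frame-Options DENY;
EOF
    ;;
    esac
}

# Usage: sh tls-audit.sh /etc/nginx/sites-available/domain
# (runs only when given a file, so the functions can also be sourced)
if [ $# -eq 1 ]; then
    if audit_tls_config "$1"; then
        echo "no findings"
    else
        echo "$? finding(s)"
    fi
fi
```

Run against the abridged copy of the listing above it reports TLSv1, TLSv1.1 and DES-CBC3-SHA; against the hardened sample it reports nothing. The check is deliberately textual and only looks at what nginx is told, so it says nothing about which of those suites the linked OpenSSL can actually negotiate; for that, test the running server from outside.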

After you have saved the virtual host file (/etc/nginx/sites-available/domain), test the configuration and restart nginx for the changes to take effect; the -t check catches a wrong path or an unreadable key before nginx is taken down.

sudo nginx -t && sudo service nginx restart
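Before telling nginx to use the files, it is worth checking three things that commonly go wrong at this step: that the private key is not world-readable, that the key actually belongs to the certificate, and that the chain SSLMate wrote verifies up to a root in the system store (the ca-certificates package from the start of the post). The script below is an added example for this post, not SSLMate’s tooling; it assumes the layout used above (HOSTNAME.chained.crt with the leaf first, HOSTNAME.key) and an nginx managed with the service command as on Ubuntu 14.04. The function names and messages are mine.

```sh
#!/bin/sh
# Pre-flight checks for a certificate/key pair before nginx is told to use it.
# Added example for this post (not SSLMate's code).  Assumes the layout used
# above: HOSTNAME.chained.crt (leaf first, then intermediates) and HOSTNAME.key.
set -u

# 0 if KEY is readable by its owner only (no group/other bits).  Follows symlinks,
# so it checks the real file behind /etc/nginx/ssl/HOSTNAME.key.
key_is_private() {
    [ "$(ls -lL "$1" | cut -c5-10)" = "------" ]
}

# 0 if the public key in the first certificate of CERT matches private key KEY.
# Both sides are printed as SubjectPublicKeyInfo PEM and compared as text, so
# this works for RSA and ECDSA alike (the common "-modulus" trick is RSA-only).
cert_matches_key() {
    cpub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    kpub=$(openssl pkey -in "$2" -pubout 2>/dev/null </dev/null) || return 1
    [ -n "$cpub" ] && [ "$cpub" = "$kpub" ]
}

# 0 if the first cert in CHAIN validates to a trusted root, using the rest of
# CHAIN as intermediates.  Roots come from the system store (ca-certificates)
# unless CAFILE is given.
chain_verifies() {
    chain=$1; cafile=${2-}
    if [ -n "$cafile" ]; then
        openssl verify -CAfile "$cafile" -untrusted "$chain" "$chain" >/dev/null 2>&1
    else
        openssl verify -untrusted "$chain" "$chain" >/dev/null 2>&1
    fi
}

# Run all three checks on CHAIN KEY [CAFILE]; report every failure, not just the first.
preflight() {
    rc=0
    key_is_private "$2"         || { echo "FAIL: $2 is readable by group/other" >&2; rc=1; }
    cert_matches_key "$1" "$2"  || { echo "FAIL: public key in $1 does not match $2" >&2; rc=1; }
    chain_verifies "$1" "${3-}" || { echo "FAIL: chain in $1 does not verify to a trusted root" >&2; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $1 / $2" >&2
    return $rc
}

# Usage: sh ssl-preflight.sh /etc/nginx/ssl/HOSTNAME.chained.crt /etc/nginx/ssl/HOSTNAME.key
# (only runs when given arguments, so the functions can also be sourced)
if [ $# -ge 2 ]; then
    preflight "$1" "$2" "${3-}" && sudo nginx -t && sudo service nginx reload
fi
```

A mismatched key or a chain file missing its intermediate is the usual reason nginx refuses to start, or browsers show a chain error, right after this step; running the checks first means the old configuration stays up until the new one is known good. The script reloads rather than restarts, which re-reads the configuration without dropping open connections.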

That should be it!
