Add SSL in the Nginx site

In this article we will look at how to add SSL/TLS to an Nginx site, first with a self-signed certificate and then with a certificate from Let's Encrypt, along with the related Nginx configuration.

If you are not familiar with how SSL/TLS works, the diagram below (from the original article) gives a rough idea. Keep in mind that TLS has several versions, and the exact algorithms used in the handshake differ between them, so the diagram may not match what your server actually negotiates.

Prerequisites

  • An ubuntu server

  • A domain

  • Root SSH Access

There are several ways to set up SSL/TLS for an Nginx site:

  1. Self-Signed Certificates: You can generate self-signed certificates for testing, internal use, or a lab environment. Browsers do not trust them by default and show a security warning, because nothing ties the certificate to the domain. The warning looks the same as the one an attacker's forged certificate would produce, so it must never be clicked through on a production site.

  2. Certificate Authority (CA) Signed Certificates: For a connection that browsers trust without warnings, you need a certificate signed by a recognized Certificate Authority. Some common CAs are Let's Encrypt, Comodo, DigiCert, and GlobalSign. These certificates are used for production websites.

Create a Nginx site

Save the script below to a file, make it executable with chmod +x filename.sh, and run it. It prompts for the name of the site you want to configure and creates a plain HTTP virtual host for it; TLS is added in the following sections.

#!/bin/bash
set -euo pipefail

# Ask for the site name
read -r -p "Enter the site name (e.g., sitename.com): " site_name

# Only accept a plain DNS hostname. The name is used to build file paths below,
# so input such as "../etc" or a name with spaces must be rejected before
# anything is written to disk.
if ! printf '%s' "$site_name" | grep -Eq '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$'; then
    echo "Invalid site name: $site_name" >&2
    exit 1
fi

# Create the document root and a placeholder index.html
sudo mkdir -p "/var/www/$site_name"

sudo tee "/var/www/$site_name/index.html" > /dev/null <<EOF
<html>
<head>
    <title>Welcome to $site_name!</title>
</head>
<body>
    <h1 style="color: green;">$site_name is working!</h1>
</body>
</html>
EOF

# Create the Nginx virtual host (plain HTTP for now; TLS is added later).
# The heredoc is unquoted so $site_name expands; \$uri is escaped so Nginx sees $uri.
sudo tee "/etc/nginx/sites-available/$site_name" > /dev/null <<EOF
server {
    listen 80;
    listen [::]:80;

    root /var/www/$site_name;
    index index.html index.htm;

    server_name $site_name www.$site_name;

    location / {
        try_files \$uri \$uri/ =404;
    }
}
EOF

# Enable the site (-sfn makes the script safe to re-run for the same name)
sudo ln -sfn "/etc/nginx/sites-available/$site_name" "/etc/nginx/sites-enabled/$site_name"

# Validate the configuration before reloading, so a bad file does not take
# every site on this server down; set -e aborts here if the test fails.
sudo nginx -t
sudo systemctl reload nginx

echo "Site $site_name has been created and configured."

Generate Self-Signed Certificates

Now that the Nginx site is serving plain HTTP, we can enable HTTPS for it. First the self-signed approach. The command below creates a 2048-bit RSA key and a certificate valid for one year. The -subj option makes it non-interactive, and -addext adds a subjectAltName, which current browsers require even for a certificate you trust manually (replace sitename.com with your site name). The key is written by root into /etc/ssl/private, which is not world-readable on Ubuntu; keep it there.

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -sha256 -subj "/CN=sitename.com" -addext "subjectAltName=DNS:sitename.com,DNS:www.sitename.com" -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt

Modify the site's Nginx configuration file (/etc/nginx/sites-available/sitename) and add the server block below next to the existing port-80 block, replacing another-site.com with your site name:


server {
    listen 443 ssl;
    listen [::]:443 ssl;
    root /var/www/another-site.com;
    index index.html index.htm;
    # Modify also sitename
    server_name another-site.com www.another-site.com;

    # SSL related config
    ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
    ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
    # TLS 1.0 and 1.1 are deprecated; only allow modern protocol versions
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        try_files $uri $uri/ =404;
    }
}

sudo nginx -t && sudo systemctl reload nginx.service

Now open the site over HTTPS. The browser shows "Your connection is not private" because it does not trust the self-signed certificate: the connection is encrypted, but nothing proves the server's identity, which is exactly the situation a man-in-the-middle would produce. For a lab you can import the certificate into the client's trust store; do not train users to click through the warning.
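The following is an added example, not part of the original article, that tightens the two things the self-signed setup above depends on: the site name is validated before it is used to build file paths (the same check the site-creation script needs), and the HTTPS server block is rendered from a template with TLS 1.0/1.1 disabled, HSTS enabled, and plain HTTP reduced to a redirect. The certificate and key paths are passed as arguments; the site name and paths in the usage comment are assumptions.

```shell
#!/bin/bash
# Added example: validate a site name and render a hardened HTTPS vhost for it.
# Not the original article's script; the names and paths in the usage are assumed.

# Accept only a DNS hostname: lowercase labels, dots, a 2-63 character TLD,
# at most 253 characters. The name is used to build /var/www and /etc/nginx
# paths, so slashes, "..", spaces and the like are rejected before any write.
validate_site_name() {
    name=$1
    [ ${#name} -le 253 ] || return 1
    printf '%s' "$name" | grep -Eq '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$'
}

# Print an Nginx configuration for site $1 using certificate $2 and key $3:
# a port-80 block that only redirects, and a port-443 block with modern TLS settings.
render_https_vhost() {
    site=$1; cert=$2; key=$3
    validate_site_name "$site" || { echo "invalid site name: $site" >&2; return 1; }
    cat <<EOF
server {
    listen 80;
    listen [::]:80;
    server_name $site www.$site;
    # Plain HTTP only redirects; content is served over TLS.
    return 301 https://\$host\$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name $site www.$site;
    root /var/www/$site;
    index index.html index.htm;

    ssl_certificate     $cert;
    ssl_certificate_key $key;
    # TLS 1.0/1.1 are deprecated; let the client pick from the modern suites.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    # Tell browsers to use HTTPS for six months. Start with a short max-age
    # while testing: clients remember this header, so a mistake is sticky.
    add_header Strict-Transport-Security "max-age=15768000" always;

    location / {
        try_files \$uri \$uri/ =404;
    }
}
EOF
}

# Render the file and install it only if nginx accepts the resulting config.
# Paths follow the Ubuntu sites-available / sites-enabled layout (assumed).
install_https_vhost() {
    site=$1; cert=$2; key=$3
    render_https_vhost "$site" "$cert" "$key" | sudo tee "/etc/nginx/sites-available/$site" > /dev/null
    sudo ln -sfn "/etc/nginx/sites-available/$site" "/etc/nginx/sites-enabled/$site"
    sudo nginx -t && sudo systemctl reload nginx
}

# Example call (assumed site name and the self-signed paths from this article):
#   install_https_vhost sitename.com /etc/ssl/certs/nginx-selfsigned.crt /etc/ssl/private/nginx-selfsigned.key
```

The port-80 block deliberately serves nothing but the redirect, so a misconfigured site cannot quietly fall back to plaintext. Because the template is rendered by a function, the same file can be regenerated later with the Let's Encrypt certificate paths instead of the self-signed ones.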

For browsers and other clients to trust the certificate, it must be signed by a recognized Certificate Authority. Some common CAs are Let's Encrypt, Comodo, DigiCert, and GlobalSign.

We will use Let's Encrypt. For this we need:

  • A valid domain whose DNS record points at the server

  • A server with a public IP and SSH access with sudo

  • Port 80 reachable from the internet, because Let's Encrypt proves control of the domain by fetching a challenge file over HTTP (the HTTP-01 challenge)

Certificate Authorities (CA) Signed Certificates

I have pointed my domain nginx.beyonddevops.engineer at the server's IP address with an A record.

I have also created a simple site with the bash script above, using nginx.beyonddevops.engineer as the site name.

The site is reachable over plain HTTP.

Also, make sure inbound HTTP (port 80) and HTTPS (port 443) are open in the firewall or cloud security group.

Let's get the certificate

Install Certbot:

sudo apt update
sudo apt install certbot python3-certbot-nginx

Obtain a Certificate

sudo certbot --nginx -d nginx.beyonddevops.engineer

Congratulations, the site now serves HTTPS with a CA-signed certificate. Certbot edits the site's server block to add a port-443 listener that points at the new certificate (stored under /etc/letsencrypt/live/nginx.beyonddevops.engineer/) and, if you accept the prompt, adds a redirect from HTTP to HTTPS. Open the site over HTTPS and confirm the browser shows the padlock with a certificate issued by Let's Encrypt.

Bonus

Certbot installs a systemd timer that runs certbot renew twice a day and renews any certificate that is within 30 days of expiry. Verify that the timer is active:

sudo systemctl status certbot.timer
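An active timer only shows that renewal is being attempted; it does not show that it succeeded. The following added example (not from the article) checks the certificates themselves with openssl and flags any that the timer should already have renewed. It assumes openssl is installed and uses certbot's default live directory, /etc/letsencrypt/live, unless another directory is passed in.

```shell
#!/bin/bash
# Added example: check how close certificates are to expiry, independently of
# certbot's own logging. The live directory path is certbot's default (assumed).

# Return 0 if the certificate in $1 expires within $2 days, 1 if it does not,
# and 2 if the file cannot be read or is not a certificate.
# openssl's -checkend exits 1 when the certificate expires inside the window,
# so the exit status is inverted here to read naturally at the call site.
cert_expires_within_days() {
    cert=$1; days=$2
    [ -r "$cert" ] || return 2
    openssl x509 -noout -in "$cert" >/dev/null 2>&1 || return 2
    if openssl x509 -noout -checkend $((days * 86400)) -in "$cert" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Print the subject and notAfter date of a certificate on one line, for reports.
cert_summary() {
    openssl x509 -noout -subject -enddate -in "$1" | tr '\n' ' '
    echo
}

# Walk the live directory and flag anything the renewal timer should already
# have handled: certbot renews at 30 days, so a certificate inside 20 days
# means renewal is failing (port 80 closed, DNS changed, rate limit, ...).
# Returns 1 if any certificate is overdue, 0 otherwise.
check_certbot_live() {
    live_dir=${1:-/etc/letsencrypt/live}
    status=0
    for cert in "$live_dir"/*/fullchain.pem; do
        [ -r "$cert" ] || continue
        if cert_expires_within_days "$cert" 20; then
            echo "RENEWAL OVERDUE: $(cert_summary "$cert")"
            status=1
        else
            echo "ok: $(cert_summary "$cert")"
        fi
    done
    return $status
}

# Example call (needs root to read the live directory):
#   sudo bash -c '. ./check-certs.sh; check_certbot_live'
```

Running this from cron or a monitoring agent gives an alert that is independent of certbot's own state. When it does fire, sudo certbot renew --dry-run reproduces the renewal against the staging environment and shows why it is failing.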

Obtain a Wildcard Certificate

Wildcard certificates can only be issued through the DNS-01 challenge, so the nginx plugin (which uses HTTP-01) cannot obtain one. Use the manual DNS challenge or a DNS provider plugin, and quote the wildcard so the shell does not expand it:

sudo certbot certonly --manual --preferred-challenges dns -d example.com -d '*.example.com'

Certbot prints a TXT record to create at _acme-challenge.example.com and waits for you to add it. Because certonly does not touch Nginx, add the ssl_certificate and ssl_certificate_key paths to the server block yourself, and note that a manual challenge will not auto-renew unless you script the DNS update.

Expand an Existing Certificate

To add names to a certificate you already have, list every name (existing and new) and pass --expand so certbot replaces the existing certificate instead of creating a second one:

sudo certbot certonly --nginx -d example.com -d www.example.com -d additional.example.com --expand

Did you find this article valuable?

Support Muhammad Usama by becoming a sponsor. Any amount is appreciated!