Add SSL in the Nginx site
In this article we will look at how to add SSL to our Nginx site and the related configuration.
In case you are not aware of how SSL works, have a look at the diagram below for a rough idea. SSL/TLS has several versions, and the algorithms involved might differ from the ones in the diagram.
Prerequisites
An ubuntu server
A domain
Root SSH Access
There are several ways to set up SSL/TLS for an Nginx site:
Self-Signed Certificates: You can generate self-signed certificates for testing or internal use or in a lab environment. However, these certificates are not trusted by default by browsers and might trigger security warnings for users.
Certificate Authorities (CA) Signed Certificates: To have a trusted SSL/TLS connection, you need a certificate signed by a recognized Certificate Authority. Some common CAs are Let's Encrypt, Comodo, DigiCert, and GlobalSign. These certificates are used for production websites.
Create an Nginx site
Save the content below as a bash script, and make sure to give it executable permission with chmod +x filename.sh. When you run this script, provide the name of the site for which you want to configure SSL.
#!/bin/bash
# Create a minimal Nginx site for the given name and enable it.
set -e
# Ask for the site name
read -p "Enter the site name (e.g., sitename.com): " site_name
# Create the document root and a placeholder index.html
sudo mkdir -p "/var/www/$site_name"
sudo bash -c "cat > /var/www/$site_name/index.html" <<EOF
<html>
<head>
<title>Welcome to '$site_name'!</title>
</head>
<body>
<h1 style="color: green;">The '$site_name' is working!</h1>
</body>
</html>
EOF
# Create the Nginx virtual host configuration (plain HTTP for now).
# \$uri is escaped so that Nginx, not the shell, expands it.
sudo bash -c "cat > /etc/nginx/sites-available/$site_name" <<EOF
server {
    listen 80;
    listen [::]:80;
    root /var/www/$site_name;
    index index.html index.htm;
    server_name $site_name www.$site_name;
    location / {
        try_files \$uri \$uri/ =404;
    }
}
EOF
# Create the symbolic link that enables the site (-f lets the script be re-run)
sudo ln -sf "/etc/nginx/sites-available/$site_name" /etc/nginx/sites-enabled/
# Test the configuration before reloading so a typo cannot take Nginx down
sudo nginx -t
# Reload Nginx to apply changes
sudo systemctl reload nginx
echo "Site $site_name has been created and configured."
Generate Self-Signed Certificates
Now that we have an Nginx site running fine, we need to enable HTTPS for it. First, let's look at the self-signed way.
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt
Modify the Nginx configuration file of the site by adding the server block below (replace another-site.com with your own site name).
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    root /var/www/another-site.com;
    index index.html index.htm;
    # Change the site name here as well
    server_name another-site.com www.another-site.com;
    # SSL related config: the certificate and key generated above
    ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
    ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
}
sudo systemctl reload nginx.service
Now access the application over HTTPS. You will get "Your connection is not private", because browsers do not trust this self-signed certificate.
For browsers and other clients to trust the certificate, it needs to be signed by a recognized Certificate Authority. Some common CAs are Let's Encrypt, Comodo, DigiCert, and GlobalSign.
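To make that trust difference concrete, here is an added shell example (not part of this article) that builds a throwaway lab CA with openssl and runs the same chain and hostname check a browser performs against a self-signed certificate and against a CA-signed one. The hostname nginx.example.test, the file names and the function names are made up for the demo.

```shell
# Added example, not from the article: a throwaway lab CA built with openssl to
# show what a client's trust check does with a self-signed certificate versus a
# CA-signed one. The hostname and file names are made up for the demo.
set -eu

# Self-signed certificate for host $2 in directory $1: the article's openssl req
# command, made non-interactive and given a SAN so hostname checking applies.
make_selfsigned() {
  openssl req -x509 -batch -nodes -days 365 -newkey rsa:2048 -subj "/CN=$2" \
    -addext "subjectAltName=DNS:$2" \
    -keyout "$1/selfsigned.key" -out "$1/selfsigned.crt" 2>/dev/null
}

# Lab root CA plus a server certificate for host $2 signed by it. A public CA such
# as Let's Encrypt performs the same signing step once domain control is proven.
make_ca_signed() {
  openssl req -x509 -batch -nodes -days 365 -newkey rsa:2048 -subj "/CN=Lab Root CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
  openssl req -batch -nodes -newkey rsa:2048 -subj "/CN=$2" \
    -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$2" > "$1/san.ext"
  openssl x509 -req -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 365 -extfile "$1/san.ext" -out "$1/server.crt" 2>/dev/null
}

# The check a browser performs: chain certificate $2 to trust store $1 and match
# it against host $3. Prints "ok" or "fail" and returns 0 either way.
verify_cert() {
  if openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Stand-alone demo: prints fail, ok, ok, fail in that order.
demo() {
  d=$(mktemp -d)
  h=nginx.example.test
  make_selfsigned "$d" "$h"
  make_ca_signed "$d" "$h"
  printf 'self-signed vs lab CA store: %s\n' "$(verify_cert "$d/ca.crt" "$d/selfsigned.crt" "$h")"
  printf 'self-signed vs itself (lab): %s\n' "$(verify_cert "$d/selfsigned.crt" "$d/selfsigned.crt" "$h")"
  printf 'CA-signed vs lab CA store:   %s\n' "$(verify_cert "$d/ca.crt" "$d/server.crt" "$h")"
  printf 'CA-signed, wrong hostname:   %s\n' "$(verify_cert "$d/ca.crt" "$d/server.crt" other.example.test)"
  rm -rf "$d"
}
demo
```

The second line of the demo is the lab-only shortcut: a self-signed certificate only verifies once it has been imported into the client's own trust store, which is exactly what a public CA saves you from doing on every visitor's machine.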
Certificate Authorities (CA) Signed Certificates
We are using Let's Encrypt. For this we need
a valid domain
a server with a public IP and sudo SSH access
port 80 open on the server (Let's Encrypt's HTTP-01 challenge connects to it to prove you control the domain)
I have pointed my domain nginx.beyonddevops.engineer at the server IP address.
Also, I have created the simple site with the above bash script, using nginx.beyonddevops.engineer as the site name.
The site is running fine over HTTP.
Also, make sure that inbound HTTP and HTTPS are open in the firewall.
Let's get the certificate
Install Certbot:
sudo apt update
sudo apt install certbot python3-certbot-nginx
Obtain a Certificate
sudo certbot --nginx -d nginx.beyonddevops.engineer
Congratulations, we have configured SSL on our site.
Bonus
Verify auto-renewal of the certificate
sudo systemctl status certbot.timer
Obtain a Wildcard Certificate
Let's Encrypt issues wildcard certificates only through the DNS-01 challenge, which the nginx plugin cannot perform, so request it with the manual DNS method (or a DNS provider plugin) and add the TXT record certbot asks for. The wildcard name is quoted so the shell does not expand it.
sudo certbot certonly --manual --preferred-challenges dns -d example.com -d '*.example.com'
Expand an Existing Certificate
sudo certbot certonly --nginx -d example.com -d www.example.com -d additional.example.com --expand