Cheap VPS & Xen Server

Residential Proxy Network - Hourly & Monthly Packages

How To Set Up SSL Vhosts Under Nginx + SNI Support (Ubuntu 11.04/Debian Squeeze)


This article explains how you can set up SSL vhosts under nginx on Ubuntu 11.04 and Debian Squeeze so that you can access the vhost over HTTPS (port 443). SSL is short for Secure Sockets Layer and is a cryptographic protocol that provides security for communications over networks by encrypting segments of network connections at the transport layer end-to-end. In addition to that I will show how to make use of SNI (Server Name Indication) to allow multiple SSL vhosts per IP address.

This document comes without warranty of any kind! I do not issue any guarantee that this will work for you!

 

1 Preliminary Note

I’m assuming that you have a working nginx setup on your Ubuntu 11.04 or Debian Squeeze box, as shown in these tutorials:

  • Installing Nginx With PHP5 (And PHP-FPM) And MySQL Support On Ubuntu 11.04
  • Installing Nginx With PHP5 And MySQL Support On Debian Squeeze

I will set up SSL for my vhost www.hostmauritius.com in this tutorial – hostmauritius.com is a domain that I own – replace it with your own domain. I will show how to use a self-signed certificate (this will result in a browser warning when you access https://www.hostmauritius.com) and how to get a certificate from a trusted certificate authority (CA) such as Verisign, Thawte, Comodo, etc. – with a certificate from a trusted CA, your visitors won’t see any browser warnings, as is the case with a self-signed certificate. I will use a certificate from CAcert.org – these certificates are free, but are not recognized by all browsers, but it should give you the idea how to install a certificate from a trusted CA.

Traditionally it was not possible to have more than one SSL vhosts per IP address. This has changed with the rise of SNI (Server Name Indication). I will show how to set up a second SSL vhost (www.hostmauritius.net which I own as well) on the same IP address as www.hostmauritius.com with the help of SNI. Please note that currently SNI is not supported by all browsers/operating systems:

Browsers/clients with support for TLS server name indication:

  • Opera 8.0 and later (the TLS 1.1 protocol must be enabled)
  • Internet Explorer 7 or later (under Windows Vista and later only, not under Windows XP)
  • Firefox 2.0 or later
  • Curl 7.18.1 or later (when compiled against an SSL/TLS toolkit with SNI support)
  • Chrome 6.0 or later (on all platforms – releases up to 5.0 only on specific OS versions)
  • Safari 3.0 or later (under OS X 10.5.6 or later and under Windows Vista and later)

To find out if your browser supports SNI, you can go to https://alice.sni.velox.ch/.

I’m running all the steps in this tutorial with root privileges, so make sure you’re logged in as root. On Ubuntu, run

sudo su

to become the root user.

 

2 Determine Your Nginx Version

First you should find out about your nginx version because there are slight differences in SSL configuration for version < 0.8.21 and versions >= 0.8.21.

nginx -v

On Ubuntu 11.04, you should have nginx 0.8.54:

root@server1:~# nginx -v
nginx version: nginx/0.8.54
root@server1:~#

On Debian Squeeze, it’s nginx 0.7.67:

root@server1:~# nginx -v
nginx version: nginx/0.7.67
root@server1:~#

 

3 Setting Up The Vhost

I will now create the vhost www.hostmauritius.com with the document root /var/www/www.hostmauritius.com/web. First I create that directory:

mkdir -p /var/www/www.hostmauritius.com/web

Create a simple nginx vhost configuration for http (port 80):

vi /etc/nginx/sites-available/www.hostmauritius.com.vhost

server {
        listen   80; ## listen for ipv4
        listen   [::]:80; ## listen for ipv6

        server_name  www.hostmauritius.com hostmauritius.com;
        root /var/www/www.hostmauritius.com/web;

        if ($http_host != "www.hostmauritius.com") {
                 rewrite ^ http://www.hostmauritius.com$request_uri permanent;
        }

        location / {
                index  index.php index.html index.htm;
        }

        location ~ \.php$ {
                fastcgi_pass   127.0.0.1:9000;
                fastcgi_index  index.php;
                fastcgi_param  SCRIPT_FILENAME  /var/www$fastcgi_script_name;
                include         fastcgi_params;
        }

        location ~ /\. {
                deny  all;
        }
}

Enable the vhost and reload nginx:

cd /etc/nginx/sites-enabled/
ln -s /etc/nginx/sites-available/www.hostmauritius.com.vhost www.hostmauritius.com.vhost
/etc/init.d/nginx reload

 

4 Creating A Self-Signed Certificate

Before we set up our SSL vhost, we need an SSL certificate. I will now show you how to create your own self-signed certificate. With this certificate, you will get browser warnings, but this certificate is required to get a trusted certificate from a trusted CA later on.

Make sure that the package ssl-cert is installed:

apt-get install ssl-cert

You can now create a self-signed certificate for www.hostmauritius.com as follows:

make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/ssl/private/www.hostmauritius.com.crt

You will be asked for the hostname:

Host name: <– www.hostmauritius.com

This will create the self-signed certificate and the private key in one file, /etc/ssl/private/www.hostmauritius.com.crt:

cat /etc/ssl/private/www.hostmauritius.com.crt

-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAsxOSdUsiEcay6M8EpSu5eeC797v/TpDRGnui4uaYd/YpjrPh
PWW01FEIpaCixYb5U2uMuvFOlmZhyfer+7qoJDeueuNW1sDCn/0pkOrdSWgfBuih
FkqXgau6KMDvuShcUkZ2ufMbMohiz+9ahMiqKBAxMeXijR7t9eqfmO3s+WGd65l8
5yoEDz+NNxk4w9SZmpIHu8vt37c7PX7fxZntxer56PvElz01gRj0xZsMYMlaHROQ
+q/d8p1g0CWTOjlgelQXxqEPGVGphYDMFd8gL5bNbCnJoCeF0CYK5w2Bf+Jfppgv
ub8AU8kMPNh/vyRm/7Ximc51dUSGWI/Xp39OcwIDAQABAoIBAA/U8SPRiqeLq5GN
i9mWbgVqavPR+RZXE0WGHLZ2sJAagT4OhSFKdpw2tc7+zqUr86r+XSjB4LLHRmn2
rYvJyse47IIMy0adMBe46A3Z1cqBnAyeUG+KFK7wIbsso4T5HoBfnmt+JK9pA2Ni
w9vtaa21EMRakJbtXxhYr9dzYXoCk3IcaRqQuDfPBTEfGRXocjHPIIUS9hTk+f13
F3P+pXummLREDJTUGTvSIxA8959EKXSwgwXV2VOEQbGgbjDFKTMYJZhq8H1tz8Ld
cYa5zxlbwFxAAeRzxXhycGs1W2rqo8wukhPKLcyYb7HIIZUdX1UDttr9fZAVkXOS
d0JSjrECgYEA3sWHwTHcrM4Cd5B2WJAmwrTxmaX0EIKXtm/4SsJ+6Cfw7YrDQwr1
2ERB21K/cv1DouToYjZm2MFNYbroPU4sWc8LD9E+Uf0YqFLBGVX4dqJeQZ76UZ/W
tVlZnX7uZnDZnxXDj+TDVK9P3h47jsVHvVhSLtJw77G68vNYDUUoIsUCgYEAzcmO
Gca34I3i/n4QFq4Wo3S5KIgJYz8erzMZrEsIOQih7jJbdklazWEZP1d2bMDCZGGz
5kpMxM0IuAp0CwWeIF9oGxv6g3p/St3c7jabjtAqa3WCQznE7q0PXxtXGlb2bbqz
TGW3pVWNDMuk1YbxO4f5DHfoaVQOaYwaaniHX9cCgYAzGKuirIUpPbdjJUd/2NCL
KGWiEGaCwvF5bwVMYIArT737PjC7V/A7wqw4Wip/fYfd/RMwM7ozTWMqX2yVYzDZ
CJxI7H2W4K6fLRwNa6Kp02Q7OPPBdSASSIQ9k7eq14eS7bMFdjs3WV7AW77daHKk
A3YWNz6gO+vdfeNcZ9hk4QKBgQC019CJ9Gk47Fe0ICKRW9HHOVdSOCJP1nNnsbd5
AsMqI9zyD8zyqUojvJXMZVdMASWTw4yt71OBi1GDMqSB3yD0AAPj9vVyv57Hsytp
KBISMftlTfH4k/btbKZahRNJsWyER5Mzqxv1LrZyrS+g+iJal4aUn3ddwKGdvaKl
OGB3JwKBgHePRBaMeMaZdCiCmLAxFD2/kOKs0OCBLVGCUT0QC/fbf4gYbEjsWKug
1Xz4AUj8gaC0udW8im12z06R5p7Mzpxo1I1wgHmYHcJ0Q0P9ntcuxrky5+3ANeLU
EKqOZRmINzLgCGcq6g7cUy1UEMoRNtwulSIaoBiXjteHvUKrUAe1
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIICvDCCAaQCCQDSQb56L0fohTANBgkqhkiG9w0BAQUFADAgMR4wHAYDVQQDExV3
d3cuaG9zdG1hdXJpdGl1cy5jb20wHhcNMTEwOTA2MTA0MzIyWhcNMjEwOTAzMTA0
MzIyWjAgMR4wHAYDVQQDExV3d3cuaG9zdG1hdXJpdGl1cy5jb20wggEiMA0GCSqG
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCzE5J1SyIRxrLozwSlK7l54Lv3u/9OkNEa
e6Li5ph39imOs+E9ZbTUUQiloKLFhvlTa4y68U6WZmHJ96v7uqgkN65641bWwMKf
/SmQ6t1JaB8G6KEWSpeBq7oowO+5KFxSRna58xsyiGLP71qEyKooEDEx5eKNHu31
6p+Y7ez5YZ3rmXznKgQPP403GTjD1Jmakge7y+3ftzs9ft/Fme3F6vno+8SXPTWB
GPTFmwxgyVodE5D6r93ynWDQJZM6OWB6VBfGoQ8ZUamFgMwV3yAvls1sKcmgJ4XQ
JgrnDYF/4l+mmC+5vwBTyQw82H+/JGb/teKZznV1RIZYj9enf05zAgMBAAEwDQYJ
KoZIhvcNAQEFBQADggEBAEA+HD4u5MIQJ0q3BoXedfqh7z9yqUdBdVXMNYTdEFwn
ZlLWy+QkitFMU3M6KsBBwtGO1655kkDOguiSFYBKxVxzEIMx6kV6AH26ALzVhBeF
PO6qJnxlTKPojiaolgrlndX9SUH4XD8EBqYuugJ0F1PEcuVDi5yXKwwyuaJw4Uyp
CzTU4sy6uduxVaFea0agBN92sy2gZPFPtvMZYJjy2TW1caUt9WLh0l0cPYvW+hPk
K2T1sGxW5WOhcwrIRqa8HSkyxXOz1NJZNSXi/yVN4iNMY0nTf0gPP4X1Rl4+OcZk
imxe4O9Eu49lEGQ8UipEaGNJ5gD6BECwz5amq64rdqU=
-----END CERTIFICATE-----

I will now split up that file in two, the private key /etc/ssl/private/www.hostmauritius.com.key and the self-signed certificate /etc/ssl/certs/www.hostmauritius.com.pem:

vi /etc/ssl/private/www.hostmauritius.com.key

This file must contain the part beginning with —–BEGIN RSA PRIVATE KEY—– and ending with —–END RSA PRIVATE KEY—–:

-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAsxOSdUsiEcay6M8EpSu5eeC797v/TpDRGnui4uaYd/YpjrPh
PWW01FEIpaCixYb5U2uMuvFOlmZhyfer+7qoJDeueuNW1sDCn/0pkOrdSWgfBuih
FkqXgau6KMDvuShcUkZ2ufMbMohiz+9ahMiqKBAxMeXijR7t9eqfmO3s+WGd65l8
5yoEDz+NNxk4w9SZmpIHu8vt37c7PX7fxZntxer56PvElz01gRj0xZsMYMlaHROQ
+q/d8p1g0CWTOjlgelQXxqEPGVGphYDMFd8gL5bNbCnJoCeF0CYK5w2Bf+Jfppgv
ub8AU8kMPNh/vyRm/7Ximc51dUSGWI/Xp39OcwIDAQABAoIBAA/U8SPRiqeLq5GN
i9mWbgVqavPR+RZXE0WGHLZ2sJAagT4OhSFKdpw2tc7+zqUr86r+XSjB4LLHRmn2
rYvJyse47IIMy0adMBe46A3Z1cqBnAyeUG+KFK7wIbsso4T5HoBfnmt+JK9pA2Ni
w9vtaa21EMRakJbtXxhYr9dzYXoCk3IcaRqQuDfPBTEfGRXocjHPIIUS9hTk+f13
F3P+pXummLREDJTUGTvSIxA8959EKXSwgwXV2VOEQbGgbjDFKTMYJZhq8H1tz8Ld
cYa5zxlbwFxAAeRzxXhycGs1W2rqo8wukhPKLcyYb7HIIZUdX1UDttr9fZAVkXOS
d0JSjrECgYEA3sWHwTHcrM4Cd5B2WJAmwrTxmaX0EIKXtm/4SsJ+6Cfw7YrDQwr1
2ERB21K/cv1DouToYjZm2MFNYbroPU4sWc8LD9E+Uf0YqFLBGVX4dqJeQZ76UZ/W
tVlZnX7uZnDZnxXDj+TDVK9P3h47jsVHvVhSLtJw77G68vNYDUUoIsUCgYEAzcmO
Gca34I3i/n4QFq4Wo3S5KIgJYz8erzMZrEsIOQih7jJbdklazWEZP1d2bMDCZGGz
5kpMxM0IuAp0CwWeIF9oGxv6g3p/St3c7jabjtAqa3WCQznE7q0PXxtXGlb2bbqz
TGW3pVWNDMuk1YbxO4f5DHfoaVQOaYwaaniHX9cCgYAzGKuirIUpPbdjJUd/2NCL
KGWiEGaCwvF5bwVMYIArT737PjC7V/A7wqw4Wip/fYfd/RMwM7ozTWMqX2yVYzDZ
CJxI7H2W4K6fLRwNa6Kp02Q7OPPBdSASSIQ9k7eq14eS7bMFdjs3WV7AW77daHKk
A3YWNz6gO+vdfeNcZ9hk4QKBgQC019CJ9Gk47Fe0ICKRW9HHOVdSOCJP1nNnsbd5
AsMqI9zyD8zyqUojvJXMZVdMASWTw4yt71OBi1GDMqSB3yD0AAPj9vVyv57Hsytp
KBISMftlTfH4k/btbKZahRNJsWyER5Mzqxv1LrZyrS+g+iJal4aUn3ddwKGdvaKl
OGB3JwKBgHePRBaMeMaZdCiCmLAxFD2/kOKs0OCBLVGCUT0QC/fbf4gYbEjsWKug
1Xz4AUj8gaC0udW8im12z06R5p7Mzpxo1I1wgHmYHcJ0Q0P9ntcuxrky5+3ANeLU
EKqOZRmINzLgCGcq6g7cUy1UEMoRNtwulSIaoBiXjteHvUKrUAe1
-----END RSA PRIVATE KEY-----

The key must be readable and writable by root only:

chmod 600 /etc/ssl/private/www.hostmauritius.com.key

vi /etc/ssl/certs/www.hostmauritius.com.pem

This file must contain the part beginning with —–BEGIN CERTIFICATE—– and ending with —–END CERTIFICATE—–:

-----BEGIN CERTIFICATE-----
MIICvDCCAaQCCQDSQb56L0fohTANBgkqhkiG9w0BAQUFADAgMR4wHAYDVQQDExV3
d3cuaG9zdG1hdXJpdGl1cy5jb20wHhcNMTEwOTA2MTA0MzIyWhcNMjEwOTAzMTA0
MzIyWjAgMR4wHAYDVQQDExV3d3cuaG9zdG1hdXJpdGl1cy5jb20wggEiMA0GCSqG
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCzE5J1SyIRxrLozwSlK7l54Lv3u/9OkNEa
e6Li5ph39imOs+E9ZbTUUQiloKLFhvlTa4y68U6WZmHJ96v7uqgkN65641bWwMKf
/SmQ6t1JaB8G6KEWSpeBq7oowO+5KFxSRna58xsyiGLP71qEyKooEDEx5eKNHu31
6p+Y7ez5YZ3rmXznKgQPP403GTjD1Jmakge7y+3ftzs9ft/Fme3F6vno+8SXPTWB
GPTFmwxgyVodE5D6r93ynWDQJZM6OWB6VBfGoQ8ZUamFgMwV3yAvls1sKcmgJ4XQ
JgrnDYF/4l+mmC+5vwBTyQw82H+/JGb/teKZznV1RIZYj9enf05zAgMBAAEwDQYJ
KoZIhvcNAQEFBQADggEBAEA+HD4u5MIQJ0q3BoXedfqh7z9yqUdBdVXMNYTdEFwn
ZlLWy+QkitFMU3M6KsBBwtGO1655kkDOguiSFYBKxVxzEIMx6kV6AH26ALzVhBeF
PO6qJnxlTKPojiaolgrlndX9SUH4XD8EBqYuugJ0F1PEcuVDi5yXKwwyuaJw4Uyp
CzTU4sy6uduxVaFea0agBN92sy2gZPFPtvMZYJjy2TW1caUt9WLh0l0cPYvW+hPk
K2T1sGxW5WOhcwrIRqa8HSkyxXOz1NJZNSXi/yVN4iNMY0nTf0gPP4X1Rl4+OcZk
imxe4O9Eu49lEGQ8UipEaGNJ5gD6BECwz5amq64rdqU=
-----END CERTIFICATE-----

Now we can delete the /etc/ssl/private/www.hostmauritius.com.crt file:

rm -f /etc/ssl/private/www.hostmauritius.com.crt

5 SSL Vhost Configuration

Next we create our SSL vhost. The cool thing about nginx is that we do not have to create a new SSL vhost – instead, we can add our SSL directives to the existing http vhost:

vi /etc/nginx/sites-available/www.hostmauritius.com.vhost

If you use nginx >= 0.8.21:

server {
        listen   80; ## listen for ipv4
        listen   [::]:80; ## listen for ipv6
        listen   443 ssl;
        listen   [::]:443 ipv6only=on ssl;
        ssl_certificate /etc/ssl/certs/www.hostmauritius.com.pem;
        ssl_certificate_key /etc/ssl/private/www.hostmauritius.com.key;

        server_name  www.hostmauritius.com hostmauritius.com;
        root /var/www/www.hostmauritius.com/web;

        if ($http_host != "www.hostmauritius.com") {
                 rewrite ^ $scheme://www.hostmauritius.com$request_uri permanent;
        }

        location / {
                index  index.php index.html index.htm;
        }

        location ~ \.php$ {
                fastcgi_pass   127.0.0.1:9000;
                fastcgi_index  index.php;
                fastcgi_param  SCRIPT_FILENAME  /var/www$fastcgi_script_name;
                include         fastcgi_params;
        }

        location ~ /\. {
                deny  all;
        }
}

If you use nginx < 0.8.21:

server {
        listen   80; ## listen for ipv4
        listen   [::]:80; ## listen for ipv6
        listen   443 default ssl;
        listen   [::]:443 default ipv6only=on ssl;
        ssl_certificate /etc/ssl/certs/www.hostmauritius.com.pem;
        ssl_certificate_key /etc/ssl/private/www.hostmauritius.com.key;

        server_name  www.hostmauritius.com hostmauritius.com;
        root /var/www/www.hostmauritius.com/web;

        if ($http_host != "www.hostmauritius.com") {
                 rewrite ^ $scheme://www.hostmauritius.com$request_uri permanent;
        }

        location / {
                index  index.php index.html index.htm;
        }

        location ~ \.php$ {
                fastcgi_pass   127.0.0.1:9000;
                fastcgi_index  index.php;
                fastcgi_param  SCRIPT_FILENAME  /var/www$fastcgi_script_name;
                include         fastcgi_params;
        }

        location ~ /\. {
                deny  all;
        }
}

We have simply added the lines

listen 443 ssl;
listen [::]:443 ipv6only=on ssl;
ssl_certificate /etc/ssl/certs/www.hostmauritius.com.pem;
ssl_certificate_key /etc/ssl/private/www.hostmauritius.com.key;

to our existing vhost. For nginx < 0.8.21 we must add the word default to the listen directives whenever you specify additional options like ssl or ipv6only=on. The word default can be used only in one vhost, so when you create further SSL vhosts, you must leave it out and therefore also the additional options (as I understand it, they will be inherited from the vhost that uses the word default).

Please note that I have changed the rewrite line

rewrite ^ http://www.hostmauritius.com$request_uri permanent;

to

rewrite ^ $scheme://www.hostmauritius.com$request_uri permanent;

so that the right rewrite is done depending on the scheme you use (http or https).

Reload nginx afterwards:

/etc/init.d/nginx reload

The SSL vhost will now use your new private key and self-signed certificate for encryption (but because it is a self-signed certificate, you will get a browser warning when you access https://www.hostmauritius.com):

0

Of course, it’s also possible to create a new SSL vhost instead of adding SSL directives to the existing http vhost. I am going to show two possible configurations here:

 

First Option

vi /etc/nginx/sites-available/www.hostmauritius.com.vhost

If you use nginx >= 0.8.21:

server {
        listen   80; ## listen for ipv4
        listen   [::]:80; ## listen for ipv6

        server_name  www.hostmauritius.com hostmauritius.com;
        root /var/www/www.hostmauritius.com/web;

        if ($http_host != "www.hostmauritius.com") {
                 rewrite ^ $scheme://www.hostmauritius.com$request_uri permanent;
        }

        location / {
                index  index.php index.html index.htm;
        }

        location ~ \.php$ {
                fastcgi_pass   127.0.0.1:9000;
                fastcgi_index  index.php;
                fastcgi_param  SCRIPT_FILENAME  /var/www$fastcgi_script_name;
                include         fastcgi_params;
        }

        location ~ /\. {
                deny  all;
        }
}

server {
        listen   443; ## listen for ipv4
        listen   [::]:443 ipv6only=on; ## listen for ipv6
        ssl on;
        ssl_certificate /etc/ssl/certs/www.hostmauritius.com.pem;
        ssl_certificate_key /etc/ssl/private/www.hostmauritius.com.key;

        server_name  www.hostmauritius.com hostmauritius.com;
        root /var/www/www.hostmauritius.com/web;

        if ($http_host != "www.hostmauritius.com") {
                 rewrite ^ $scheme://www.hostmauritius.com$request_uri permanent;
        }

        location / {
                index  index.php index.html index.htm;
        }

        location ~ \.php$ {
                fastcgi_pass   127.0.0.1:9000;
                fastcgi_index  index.php;
                fastcgi_param  SCRIPT_FILENAME  /var/www$fastcgi_script_name;
                include         fastcgi_params;
        }

        location ~ /\. {
                deny  all;
        }
}

If you use nginx < 0.8.21:

server {
        listen   80; ## listen for ipv4
        listen   [::]:80; ## listen for ipv6

        server_name  www.hostmauritius.com hostmauritius.com;
        root /var/www/www.hostmauritius.com/web;

        if ($http_host != "www.hostmauritius.com") {
                 rewrite ^ $scheme://www.hostmauritius.com$request_uri permanent;
        }

        location / {
                index  index.php index.html index.htm;
        }

        location ~ \.php$ {
                fastcgi_pass   127.0.0.1:9000;
                fastcgi_index  index.php;
                fastcgi_param  SCRIPT_FILENAME  /var/www$fastcgi_script_name;
                include         fastcgi_params;
        }

        location ~ /\. {
                deny  all;
        }
}

server {
        listen   443; ## listen for ipv4
        listen   [::]:443 default ipv6only=on; ## listen for ipv6
        ssl on;
        ssl_certificate /etc/ssl/certs/www.hostmauritius.com.pem;
        ssl_certificate_key /etc/ssl/private/www.hostmauritius.com.key;

        server_name  www.hostmauritius.com hostmauritius.com;
        root /var/www/www.hostmauritius.com/web;

        if ($http_host != "www.hostmauritius.com") {
                 rewrite ^ $scheme://www.hostmauritius.com$request_uri permanent;
        }

        location / {
                index  index.php index.html index.htm;
        }

        location ~ \.php$ {
                fastcgi_pass   127.0.0.1:9000;
                fastcgi_index  index.php;
                fastcgi_param  SCRIPT_FILENAME  /var/www$fastcgi_script_name;
                include         fastcgi_params;
        }

        location ~ /\. {
                deny  all;
        }
}

I have left the http vhost untouched and added an SSL vhost with the same configuration, except for the SSL part. Instead of adding ssl to the listen line, I use ssl on; here. For nginx < 0.8.21, I have to use listen [::]:443 default ipv6only=on; instead of listen [::]:443 ipv6only=on;.

Reload nginx:

/etc/init.d/nginx reload

 

Second Option

vi /etc/nginx/sites-available/www.hostmauritius.com.vhost

If you use nginx >= 0.8.21:

server {
        listen   80; ## listen for ipv4
        listen   [::]:80; ## listen for ipv6

        server_name  www.hostmauritius.com hostmauritius.com;
        root /var/www/www.hostmauritius.com/web;

        if ($http_host != "www.hostmauritius.com") {
                 rewrite ^ $scheme://www.hostmauritius.com$request_uri permanent;
        }

        location / {
                index  index.php index.html index.htm;
        }

        location ~ \.php$ {
                fastcgi_pass   127.0.0.1:9000;
                fastcgi_index  index.php;
                fastcgi_param  SCRIPT_FILENAME  /var/www$fastcgi_script_name;
                include         fastcgi_params;
        }

        location ~ /\. {
                deny  all;
        }
}

server {
        listen   443 ssl; ## listen for ipv4
        listen   [::]:443 ssl ipv6only=on; ## listen for ipv6

        ssl_certificate /etc/ssl/certs/www.hostmauritius.com.pem;
        ssl_certificate_key /etc/ssl/private/www.hostmauritius.com.key;

        server_name  www.hostmauritius.com hostmauritius.com;
        root /var/www/www.hostmauritius.com/web;

        if ($http_host != "www.hostmauritius.com") {
                 rewrite ^ $scheme://www.hostmauritius.com$request_uri permanent;
        }

        location / {
                index  index.php index.html index.htm;
        }

        location ~ \.php$ {
                fastcgi_pass   127.0.0.1:9000;
                fastcgi_index  index.php;
                fastcgi_param  SCRIPT_FILENAME  /var/www$fastcgi_script_name;
                include         fastcgi_params;
        }

        location ~ /\. {
                deny  all;
        }
}

If you use nginx < 0.8.21:

server {
        listen   80; ## listen for ipv4
        listen   [::]:80; ## listen for ipv6

        server_name  www.hostmauritius.com hostmauritius.com;
        root /var/www/www.hostmauritius.com/web;

        if ($http_host != "www.hostmauritius.com") {
                 rewrite ^ $scheme://www.hostmauritius.com$request_uri permanent;
        }

        location / {
                index  index.php index.html index.htm;
        }

        location ~ \.php$ {
                fastcgi_pass   127.0.0.1:9000;
                fastcgi_index  index.php;
                fastcgi_param  SCRIPT_FILENAME  /var/www$fastcgi_script_name;
                include         fastcgi_params;
        }

        location ~ /\. {
                deny  all;
        }
}

server {
        listen   443 default ssl; ## listen for ipv4
        listen   [::]:443 default ssl ipv6only=on; ## listen for ipv6

        ssl_certificate /etc/ssl/certs/www.hostmauritius.com.pem;
        ssl_certificate_key /etc/ssl/private/www.hostmauritius.com.key;

        server_name  www.hostmauritius.com hostmauritius.com;
        root /var/www/www.hostmauritius.com/web;

        if ($http_host != "www.hostmauritius.com") {
                 rewrite ^ $scheme://www.hostmauritius.com$request_uri permanent;
        }

        location / {
                index  index.php index.html index.htm;
        }

        location ~ \.php$ {
                fastcgi_pass   127.0.0.1:9000;
                fastcgi_index  index.php;
                fastcgi_param  SCRIPT_FILENAME  /var/www$fastcgi_script_name;
                include         fastcgi_params;
        }

        location ~ /\. {
                deny  all;
        }
}

Instead of using ssl on;, I add the word ssl to the listen lines. Because of this option in the listen lines, you must add the word default for nginx < 0.8.21.

Reload nginx:

/etc/init.d/nginx reload

 

6 Creating A Certificate Signing Request (CSR)

To request a trusted certificate from a trusted CA such as Verisign, Thawte or Comodo, we must generate a certificate signing request (CSR) from our private key and send it to the CA which then creates a trusted certificate from it with which we replace our self-signed certificate.

I will create the CSR in the directory /etc/ssl/csr, so we have to create it first:

mkdir /etc/ssl/csr

Now we can create the CSR /etc/ssl/csr/www.hostmauritius.com.csr from our private key /etc/ssl/private/www.hostmauritius.com.key as follows:

openssl req -new -key /etc/ssl/private/www.hostmauritius.com.key -out /etc/ssl/csr/www.hostmauritius.com.csr

You will be asked a few questions. Please fill in your details, they will be used for creating the trusted certificate and can be seen by your visitors when they choose to view the details of your certificate in their browsers. The most important thing is the Common Name – this must be the domain or hostname of your SSL vhost (www.hostmauritius.com in this case)!

root@server1:~# openssl req -new -key /etc/ssl/private/www.hostmauritius.com.key -out /etc/ssl/csr/www.hostmauritius.com.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [AU]:
<– DE
State or Province Name (full name) [Some-State]: <– Lower Saxony
Locality Name (eg, city) []: <– Lueneburg
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <– Example Ltd
Organizational Unit Name (eg, section) []: <– IT
Common Name (eg, YOUR name) []: <– www.hostmauritius.com
Email Address []: <– falko.timme@example.com

Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:
<– ENTER
An optional company name []: <– ENTER
root@server1:~#

Afterwards, you should have a CSR in /etc/ssl/csr/www.hostmauritius.com.csr, e.g. as follows:

cat /etc/ssl/csr/www.hostmauritius.com.csr

-----BEGIN CERTIFICATE REQUEST-----
MIIC6TCCAdECAQAwgaMxCzAJBgNVBAYTAkRFMRUwEwYDVQQIEwxMb3dlciBTYXhv
bnkxEjAQBgNVBAcTCUx1ZW5lYnVyZzEUMBIGA1UEChMLRXhhbXBsZSBMdGQxCzAJ
BgNVBAsTAklUMR4wHAYDVQQDExV3d3cuaG9zdG1hdXJpdGl1cy5jb20xJjAkBgkq
hkiG9w0BCQEWF2ZhbGtvLnRpbW1lQGV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0B
AQEFAAOCAQ8AMIIBCgKCAQEAsxOSdUsiEcay6M8EpSu5eeC797v/TpDRGnui4uaY
d/YpjrPhPWW01FEIpaCixYb5U2uMuvFOlmZhyfer+7qoJDeueuNW1sDCn/0pkOrd
SWgfBuihFkqXgau6KMDvuShcUkZ2ufMbMohiz+9ahMiqKBAxMeXijR7t9eqfmO3s
+WGd65l85yoEDz+NNxk4w9SZmpIHu8vt37c7PX7fxZntxer56PvElz01gRj0xZsM
YMlaHROQ+q/d8p1g0CWTOjlgelQXxqEPGVGphYDMFd8gL5bNbCnJoCeF0CYK5w2B
f+Jfppgvub8AU8kMPNh/vyRm/7Ximc51dUSGWI/Xp39OcwIDAQABoAAwDQYJKoZI
hvcNAQEFBQADggEBAD7JYyEsKnK5/xiiuPNPwQ7HVhWY0LirkePiI6rxLFAJTOwg
6kb/GOKK+b1j4TWsiOI+zGhAawVhp2LnBzxOhr8m27x7lf6q73HUUM5pDrW7FlsE
2BU6E1tHRX8d9Mb4SfhsCES7wuoF/EH9FjtpPXMOWfXKAk9BiA/zE4aFaF31Z2uI
brLP1cgpVr4WJ8OR3uUacu/i4et9dpeIiZcSD5f0/pqR+ZM3NFViMO+KYA26M0YT
Vnm84UsmtjzWgzir1icwdI/pbEOPNXveQDEYwGRuKH0SSnPETN2/E8Xc8sHmasFt
1iNnvJMfsECCJI6xTYusxtv+9LlAr8rx+G//hCI=
-----END CERTIFICATE REQUEST-----

 

7 Getting A Trusted Certificate

To get a trusted certificate, you have to take your certificate signing request (CSR) to a certificate authority (CA) such as Verisign, Thawte, or Comodo (please note that you have to pay for a trusted certificate). Certificates issued by such a CA are trusted by all browsers which means you won’t see any browser warnings anymore.

CAcert.org allows you to get free certificates, but the downside is that such certificates are trusted by only a few browsers (which means you will get browser warnings). Anyway, I will use CAcert.org here to show you how to get a certificate from a CA – it should give you the idea, the procedure is the same with the trusted CAs.

Go to CAcert.org and open an account. Afterwards, go to Domains to add your own domain(s) (without a hostname, so if you want to get a certificate for www.hostmauritius.com, you just enter hostmauritius.com without www here). The service will send an email with a link to an email address that it finds in the WHOIS data of the domain – you have to click on that link to verify that you are the owner of the domain. I’ve verified three domains here:

1

To get a certificate, go to Server Certificates > New

2

… and scroll down to the big text area – this is where you paste your CSR that you’ve created in chapter 6. Click on Submit afterwards:

3

Click on Submit again on the next page:

4

After a few moments, you will see your new certificate:

5

Now create a backup of your self-signed certificate…

cp /etc/ssl/certs/www.hostmauritius.com.pem /etc/ssl/certs/www.hostmauritius.com.pem_bak

… , then empty your self-signed certificate…

> /etc/ssl/certs/www.hostmauritius.com.pem

… and open the empty certificate file:

vi /etc/ssl/certs/www.hostmauritius.com.pem

Now copy&paste the certificate from the CAcert.org page into the empty file:

-----BEGIN CERTIFICATE-----
MIIE5zCCAs+gAwIBAgIDCqn5MA0GCSqGSIb3DQEBBQUAMHkxEDAOBgNVBAoTB1Jv
b3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZ
Q0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9y
dEBjYWNlcnQub3JnMB4XDTExMDkwNjExMjkyN1oXDTEyMDMwNDExMjkyN1owIDEe
MBwGA1UEAxMVd3d3Lmhvc3RtYXVyaXRpdXMuY29tMIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEAsxOSdUsiEcay6M8EpSu5eeC797v/TpDRGnui4uaYd/Yp
jrPhPWW01FEIpaCixYb5U2uMuvFOlmZhyfer+7qoJDeueuNW1sDCn/0pkOrdSWgf
BuihFkqXgau6KMDvuShcUkZ2ufMbMohiz+9ahMiqKBAxMeXijR7t9eqfmO3s+WGd
65l85yoEDz+NNxk4w9SZmpIHu8vt37c7PX7fxZntxer56PvElz01gRj0xZsMYMla
HROQ+q/d8p1g0CWTOjlgelQXxqEPGVGphYDMFd8gL5bNbCnJoCeF0CYK5w2Bf+Jf
ppgvub8AU8kMPNh/vyRm/7Ximc51dUSGWI/Xp39OcwIDAQABo4HQMIHNMAwGA1Ud
EwEB/wQCMAAwNAYDVR0lBC0wKwYIKwYBBQUHAwIGCCsGAQUFBwMBBglghkgBhvhC
BAEGCisGAQQBgjcKAwMwCwYDVR0PBAQDAgWgMDMGCCsGAQUFBwEBBCcwJTAjBggr
BgEFBQcwAYYXaHR0cDovL29jc3AuY2FjZXJ0Lm9yZy8wRQYDVR0RBD4wPIIVd3d3
Lmhvc3RtYXVyaXRpdXMuY29toCMGCCsGAQUFBwgFoBcMFXd3dy5ob3N0bWF1cml0
aXVzLmNvbTANBgkqhkiG9w0BAQUFAAOCAgEAPYqE1P/6qPh7HVMsB9uYxlZWqCn8
/xeb4YIeBYZp5Y7R59MCrIEij0ouDqMz+vcns8Z9uEfSg4EMt63XMpEb3b38zOpK
XPWDkwrwNU0EXQfERklHjJBejj6jhFkpnKQjvSRpJUtduw9DLMTnb5Z+UbIEWl17
8lyk4MbGKfshrp16hCsnvvyNOYLm/qxx5QmQh+PPhgHdrvIJZt/d2TJNsfZTA9Rv
HlPaz6hsjx739Ts0NLPq6h4VUc0IzqTe9Irl8FRK9efwVTDAN2QQzqzaZKZBD9ZC
/Cp1mbiBnS3JLCdMCeUxJg59kwZJjhQlQEmiLvCdYaudWx2X62jOl8bSXexKD0Fk
qBTWRlO48/Cl81crPhatnpg3gDlRxICmgAfecoc0Qb/g9ssZ5SftPUC+aew+hioE
iQ+Ap4kRKOiW2elnX0fBa/NpKHk9fVyy7BSj0hYEHM+8gWves93ExmNjlOzR18TT
A7ZecoL7bAu1SGpZ2d0dpw/sI6pK4/69zw++8cb/wD+XErw1cbrWN3rrcHia60tm
yeb1ipb8R/7SWGADEtYEROXM5sdn34h0HK/bnfyKxiKISuHIQUj918irviNExcgD
fJGjVgZ352yEmZ572mR4WXJHrXnOYUk0r0RAgwRodX4B/gYoRLU+Vj4Rtw8fNL9o
W/ovB2gstt9SvXU=
-----END CERTIFICATE-----

Reload nginx:

/etc/init.d/nginx reload

That’s it, if your CA doesn’t ask you to install a certificate chain file or intermediate certificate in nginx, you’re done, and you can now access your SSL vhost (https://www.hostmauritius.com in this case) without a browser warning. (If you use a CAcert.org certificate, you will still see a browser warning as most browsers don’t know this CA – read chapter 8 to learn how to make your browser trust CAcert.org certificates).

To manage your existing certificates on the CAcert.org web site, go to Server Certificates > View:

6

7.1 Certificate Chain Files Or Intermediate Certificates

Some CAs require that you install a certificate chain file or intermediate certificate in nginx (in addition to the certificate that you installed in chapter 7). (Please note that CAcert.org does not require this!).

Because nginx does not have a special configuration directive for chain files or internediate certificates (like Apache does which knows the SSLCertificateChainFile directive) , we simply have to append the chain file to our certificate. Let’s assume you have downloaded the chain file to /etc/ssl/certs/CAcert_chain.pem. You can now append it to the certificate /etc/ssl/certs/www.hostmauritius.com.pem as follows:

cat /etc/ssl/certs/CAcert_chain.pem >> /etc/ssl/certs/www.hostmauritius.com.pem

Reload nginx…

/etc/init.d/nginx reload

… and you’re done!

8 Configure Firefox To Trust CAcert.org (Optional)

If you use a CAcert.org certificate, your browser most likely doesn’t trust this certificate and will show a warning. This chapter explains how you can import the CAcert.org root certificate into Firefox so that it won’t show this warning anymore (please read http://wiki.cacert.org/BrowserClients for other browsers like MSIE, Safari or Opera).

Please note that if you run an e-commerce web site, you should better buy a certificate from a trusted CA because you can’t ask all your visitors to reconfigure their browsers.

Please visit http://www.cacert.org/index.php?id=3 and click on the Root Certificate (PEM Format) link (http://www.cacert.org/certs/root.crt):

7

The Downloading Certificate dialogue opens. Click on View to examine the certificate:

8

Please make sure that the fingerprints are as follows:

SHA1 Fingerprint: 135C EC36 F49C B8E9 3B1A B270 CD80 8846 76CE 8F33
MD5 Fingerprint: A6:1B:37:5E:39:0D:9C:36:54:EE:BD:20:31:46:1F:6B

Click on Close afterwards:

9

Next check Trust this CA to identify web sites. and click on OK:

10

Now go to Tools > Options…

11

… and then to Advanced > Encryption. Click on Revocation Lists:

12

The Manage CRLs window opens. Click on Import…:

13

Fill in the following URL and click on OK: http://crl.cacert.org/revoke.crl

14

After a few moments you should see the following message. Click on Yes to enable automatic updates:

15

Check Enable Automatic Update for this CRL and click on OK:

16

That’s it. You should now be able to go to your SSL vhost without getting a browser warning:

17

9 Running Multiple SSL Vhosts On One IP Address With SNI (Server Name Indication)

Please note that currently SNI is not supported by all browsers/operating systems:

Browsers/clients with support for TLS server name indication:

  • Opera 8.0 and later (the TLS 1.1 protocol must be enabled)
  • Internet Explorer 7 or later (under Windows Vista and later only, not under Windows XP)
  • Firefox 2.0 or later
  • Curl 7.18.1 or later (when compiled against an SSL/TLS toolkit with SNI support)
  • Chrome 6.0 or later (on all platforms – releases up to 5.0 only on specific OS versions)
  • Safari 3.0 or later (under OS X 10.5.6 or later and under Windows Vista and later)

To find out if your browser supports SNI, you can go to https://alice.sni.velox.ch/.

If your nginx supports SNI, you don’t need any special configuration to use it – you just configure a second, third, … SSL vhost on the same IP as shown in chapter 5.

To find out if your nginx supports SNI, run:

nginx -V

If it does, you will see the line TLS SNI support enabled in the output:

root@server1:~# nginx -V
nginx version: nginx/0.8.54
TLS SNI support enabled
configure arguments: –conf-path=/etc/nginx/nginx.conf –error-log-path=/var/log/nginx/error.log –http-client-body-temp-path=/var/lib/nginx/body –http-fastcgi-temp-path=/var/lib/nginx/fastcgi –http-log-path=/var/log/nginx/access.log –http-proxy-temp-path=/var/lib/nginx/proxy –http-scgi-temp-path=/var/lib/nginx/scgi –http-uwsgi-temp-path=/var/lib/nginx/uwsgi –lock-path=/var/lock/nginx.lock –pid-path=/var/run/nginx.pid –with-debug –with-http_addition_module –with-http_dav_module –with-http_geoip_module –with-http_gzip_static_module –with-http_image_filter_module –with-http_realip_module –with-http_stub_status_module –with-http_ssl_module –with-http_sub_module –with-http_xslt_module –with-ipv6 –with-sha1=/usr/include/openssl –with-md5=/usr/include/openssl –with-mail –with-mail_ssl_module –add-module=/build/buildd/nginx-0.8.54/debian/modules/nginx-upstream-fair
root@server1:~#

I can now simply create another SSL host (this time for www.hostmauritius.net) as follows:

vi /etc/nginx/sites-available/www.hostmauritius.net.vhost

If you use nginx >= 0.8.21:

server {
        listen   80; ## listen for ipv4
        listen   [::]:80; ## listen for ipv6
        listen   443 ssl;
        listen   [::]:443 ssl;
        ssl_certificate /etc/ssl/certs/www.hostmauritius.net.pem;
        ssl_certificate_key /etc/ssl/private/www.hostmauritius.net.key;
        server_name  www.hostmauritius.net hostmauritius.net;
        root /var/www/www.hostmauritius.net/web;
        if ($http_host != "www.hostmauritius.net") {
                 rewrite ^ $scheme://www.hostmauritius.net$request_uri permanent;
        }
        location / {
                index  index.php index.html index.htm;
        }
        location ~ \.php$ {
                fastcgi_pass   127.0.0.1:9000;
                fastcgi_index  index.php;
                fastcgi_param  SCRIPT_FILENAME  /var/www$fastcgi_script_name;
                include         fastcgi_params;
        }
        location ~ /\. {
                deny  all;
        }
}

If you use nginx < 0.8.21:

server {
        listen   80; ## listen for ipv4
        listen   [::]:80; ## listen for ipv6
        listen   443;
        listen   [::]:443;
        ssl_certificate /etc/ssl/certs/www.hostmauritius.net.pem;
        ssl_certificate_key /etc/ssl/private/www.hostmauritius.net.key;
        server_name  www.hostmauritius.net hostmauritius.net;
        root /var/www/www.hostmauritius.net/web;
        if ($http_host != "www.hostmauritius.net") {
                 rewrite ^ $scheme://www.hostmauritius.net$request_uri permanent;
        }
        location / {
                index  index.php index.html index.htm;
        }
        location ~ \.php$ {
                fastcgi_pass   127.0.0.1:9000;
                fastcgi_index  index.php;
                fastcgi_param  SCRIPT_FILENAME  /var/www$fastcgi_script_name;
                include         fastcgi_params;
        }
        location ~ /\. {
                deny  all;
        }
}

(Make sure that you create the certificate and the private key as shown in chapters 4, 6, and 7. You might also have to append a chain file or intermediate certificate to the certificate for this vhost, as described in chapter 7.1. Also, if this is a new vhost, make sure its document root exists.)

If this is a new vhost, you must create a link to it from the /etc/nginx/sites-enabled/ directory to enable it:

cd /etc/nginx/sites-enabled/
ln -s /etc/nginx/sites-available/www.hostmauritius.net.vhost www.hostmauritius.net.vhost

Reload nginx afterwards:

/etc/init.d/nginx reload

If all goes well, you can now go to all your SSL sites which run on the same IP without getting a browser warning.

 

  • nginx: http://nginx.org/
  • nginx Wiki: http://wiki.nginx.org/
  • OpenSSL: http://www.openssl.org/
  • CACert.org: http://www.cacert.org/
  • Ubuntu: http://www.ubuntu.com/
  • Debian: http://www.debian.org/

 

Comments

comments