Nginx + SSL on Ubuntu 11.XX: The 1-2-3…
1- Generate a Certificate Request
    openssl req -new -newkey rsa:2048 -nodes -keyout /etc/ssl/private/myKey.key -out myRequest.csr
Note: A key size of 2048 bits is recommended for commercial sites (especially if PCI is a concern).
2- Copy Certificate to Server
Best practice:
- Copy CRT file(s) to /etc/ssl/certs
- Key file should already be in /etc/ssl/private (written there by the openssl command in step 1)
3- Configure Nginx
Sample Configuration: Static Content
    server {
        listen 443;
        root /var/www;
        index index.html index.htm;

        ssl on;
        ssl_certificate /etc/ssl/certs/myCertificate.crt;
        ssl_certificate_key /etc/ssl/private/myKey.key;
        ssl_session_timeout 5m;
        ssl_protocols SSLv3 TLSv1;
        ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
        ssl_prefer_server_ciphers on;

        location / {
            try_files $uri $uri/ /index.html;
        }
    }
Sample Configuration: Proxy Rails via thin
    upstream thin_cluster {
        server 127.0.0.1:3000;
        server 127.0.0.1:3001;
    }

    server {
        listen 443;
        root /var/www;
        index index.html index.htm;

        ssl on;
        ssl_certificate /etc/ssl/certs/myCertificate.crt;
        ssl_certificate_key /etc/ssl/private/myKey.key;
        ssl_session_timeout 5m;
        ssl_protocols SSLv3 TLSv1;
        ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
        ssl_prefer_server_ciphers on;

        location / {
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
            # Note: Tell Rails that the client session is secure (Rack reads this as HTTP_X_FORWARDED_PROTO).
            proxy_set_header X-Forwarded-Proto https;
            proxy_redirect off;

            # Serve a static index.html or .html file directly if one exists,
            # otherwise hand the request to the thin cluster.
            if (-f $request_filename/index.html) {
                rewrite (.*) $1/index.html break;
            }
            if (-f $request_filename.html) {
                rewrite (.*) $1.html break;
            }
            if (!-f $request_filename) {
                proxy_pass http://thin_cluster;
                break;
            }
        }
    }
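The ssl_protocols and ssl_ciphers lines above are what this 2012 write-up shipped with. The following checker is an added example, not part of the original post: it parses the ssl_* directives out of a server block (the page's own block is embedded as the constructed input) and reports the protocol versions and OpenSSL cipher-list keywords that current guidance retires. It is a keyword-level audit of the directive text, not an expansion of the resolved cipher list.

```python
import re

# The page's sample server block, embedded here as the (constructed) input under audit.
SAMPLE_CONFIG = """
server {
    listen 443;
    ssl on;
    ssl_certificate /etc/ssl/certs/myCertificate.crt;
    ssl_certificate_key /etc/ssl/private/myKey.key;
    ssl_session_timeout 5m;
    ssl_protocols SSLv3 TLSv1;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
    ssl_prefer_server_ciphers on;
}
"""

# Protocol versions and OpenSSL cipher-list keywords retired by current guidance:
# SSLv3 (RFC 7568), TLS 1.0/1.1 (RFC 8996), RC4 (RFC 7465), export/LOW/NULL suites.
RETIRED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_KEYWORDS = {"RC4", "LOW", "EXP", "EXPORT", "EXPORT40", "EXPORT56", "DES",
                 "MD5", "NULL", "eNULL", "aNULL", "ADH", "AECDH", "SSLv2", "SSLv3"}

def ssl_directives(config):
    """Map each ssl_* directive to its value, e.g. {'ssl_protocols': 'SSLv3 TLSv1'}."""
    return dict(re.findall(r"^\s*(ssl_\w+)\s+([^;]+);", config, re.MULTILINE))

def enabled_cipher_keywords(cipher_string):
    """Keywords the cipher string leaves enabled, in order. '!x' and '-x' elements
    remove suites and are skipped; a leading '+' only reorders, and 'A+B' means
    suites matching both A and B, so both keywords count as enabled."""
    keywords = []
    for element in cipher_string.split(":"):
        if element[:1] in ("!", "-"):
            continue
        keywords.extend(element.lstrip("+").split("+"))
    return keywords

def audit(config):
    """Retired protocol versions and weak cipher keywords the block still enables.
    Keyword-level only: it does not expand the list as `openssl ciphers -v` would."""
    directives = ssl_directives(config)
    protocols = directives.get("ssl_protocols", "").split()
    ciphers = enabled_cipher_keywords(directives.get("ssl_ciphers", ""))
    return {"ssl_protocols": [p for p in protocols if p in RETIRED_PROTOCOLS],
            "ssl_ciphers": [c for c in ciphers if c in WEAK_KEYWORDS]}

if __name__ == "__main__":
    for directive, findings in audit(SAMPLE_CONFIG).items():
        print(f"{directive}: {', '.join(findings) or 'no findings'}")
```

Feeding it a block with `ssl_protocols TLSv1.2 TLSv1.3;` and `ssl_ciphers HIGH:!aNULL:!MD5;` returns empty lists for both directives.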
-JO