SSL. It’s the word of the year, it would seem, ever since Google’s late 2014 announcement that installing an SSL certificate on your website would affect rankings in their search engine algorithm. And all for the better, as I’ve written about before: traditional SEO is dead and things are finally starting to get exciting again as “Web 3.0” brings us things like CloudFlare, MaxCDN, CodeGuard, and other enterprise-level APIs and technologies that previously were not readily available to the masses.
The below “SSL for Nginx” tutorial assumes that you are on Ubuntu 14.04, the latest LTS release of the free, open-source operating system maintained by UK-based Canonical Ltd. Pretty much everyone should be using Ubuntu Linux on their server these days, as it’s arguably the best-supported Linux distro with the most user-friendly software repositories.
Now, first of all, I should clarify something: SSL certificates are a racket – even a scam, in many cases. Right now, web hosts and resellers are having a heyday thanks to Google’s recent announcement, and thousands upon thousands of webmasters are getting tricked or confused into buying expensive SSL certificates that they don’t even need.
In fact, SSL (Secure Sockets Layer) is dying, and has already been replaced by a newer technology known as TLS (Transport Layer Security). But the original name “SSL” is rather catchy and has therefore stuck, and the term is now used generally to describe various types of encrypted web traffic. In other words, SSL (TLS) “wraps” an encryption layer around otherwise normal “data” sent between a web server and client so that the messages can’t be intercepted or read by any third parties (i.e. the NSA). Now, the second important self-proclaimed mission of the SSL/TLS world is identity verification, in which Certificate Authorities (a.k.a. CAs) claim to “verify” the owners of a website before issuing them the SSL certificate.
“I think it only makes sense to seek out and identify structures of authority, hierarchy, and domination in every aspect of life, and to challenge them; unless a justification for them can be given, they are illegitimate, and should be dismantled, to increase the scope of human freedom.”
— Noam Chomsky
Clearly, this is nearly impossible to do (sufficiently) in most cases, which is why SSL sales are ultimately a scam in my opinion. Therefore, I recommend that all my clients instead generate a “self-signed” SSL certificate (below) that connects with CloudFlare’s free domain-level certification issued by Comodo, meaning that the entire SSL generation and renewal process is FREE (forever) and yet no HTTPS errors or “identity” warnings are displayed to your website visitors.
Before you begin, you first need to have a VPS server on which you’ve installed Nginx. Then, we must generate a self-signed SSL certificate via OpenSSL, a free, open-source tool that is included within Nginx itself. The below SSH command can generate all SSL options in a single line (shout out to Justin Ellingwood for the below shortcut and explanation).
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/nginx.key -out /etc/ssl/nginx.crt
Next, the automated OpenSSL tool within Nginx will ask you a few questions to complete the “identity” part of the SSL certificate. Mind you, if CloudFlare is re-SSL’ing your domain via Comodo, this information is rather pointless. Still, you should try to keep it as accurate as possible to prepare for any future changes or other issues.
Country Name (2 letter code) [AU]: US
State or Province Name (full name) [Some-State]: Nevada
Locality Name (eg, city) : Las Vegas
Organization Name (eg, company) [Internet Widgits Pty Ltd]: LittleBizzy
Organizational Unit Name (eg, section) :
Common Name (e.g. server FQDN or YOUR name) : www.littlebizzy.com
Email Address : email@example.com
Great! So now we have a 2048-bit self-signed SSL certificate installed on our server. But how do we actually activate HTTPS on our website’s frontend, and make sure all non-HTTPS URLs are 301 redirected to their HTTPS equivalent? Enter the simple beauty of the Nginx server block (there are several ways of doing this; my preferred method is below):
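The author’s own server block does not appear on this page; the following is an added example (not the author’s configuration) of one way to do it with the key and certificate paths from the openssl command above. The hostnames littlebizzy.com and www.littlebizzy.com come from the prompts; the web root /var/www/html and the file location under /etc/nginx/sites-available/ are assumptions.

```nginx
# Added example, not the author's server block. Assumes the pair generated
# above at /etc/ssl/nginx.key and /etc/ssl/nginx.crt, the hostname from the
# prompts, and an assumed web root of /var/www/html. Save it under
# /etc/nginx/sites-available/, symlink into sites-enabled, then run
# `sudo nginx -t && sudo service nginx reload`.
#
# The key was written with -nodes (no passphrase), so lock it down first:
#   sudo chmod 600 /etc/ssl/nginx.key
# Nginx's master process runs as root and can still read it.

# Plain-HTTP server: its only job is to 301 every request to HTTPS,
# keeping the requested host, path and query string intact.
server {
    listen 80;
    listen [::]:80;
    server_name littlebizzy.com www.littlebizzy.com;
    return 301 https://$host$request_uri;
}

# HTTPS server: terminates TLS with the self-signed pair.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name littlebizzy.com www.littlebizzy.com;

    ssl_certificate     /etc/ssl/nginx.crt;
    ssl_certificate_key /etc/ssl/nginx.key;

    # TLS only; the legacy SSLv3 that the "SSL" name comes from is off.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers HIGH:!aNULL:!MD5;

    # Reuse sessions so repeat visitors skip the full handshake.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    root /var/www/html;
    index index.html index.php;

    location / {
        try_files $uri $uri/ =404;
    }
}
```

Because the origin certificate is self-signed, a browser that reaches this server directly instead of through CloudFlare will still show a trust warning; the “no warnings” result above depends on visitors seeing CloudFlare’s Comodo-issued certificate, not this one.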