Difference between revisions of "Enable SSL/TLS + self signed certificate for http server"
Jump to navigation
Jump to search
(Created page with "== Self signed key + cert == * Generagete key + certificate (the validity is 365 days in our example): openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout NAME.key ...") |
|||
| Line 47: | Line 47: | ||
* be sure you have installed and enabled nginx's SSL/TLS module. | * be sure you have installed and enabled nginx's SSL/TLS module. | ||
| + | it can be tested with this command (you must see '--with-http_ssl_module' in the output): | ||
| + | |||
| + | ~# nginx -V | ||
| + | nginx version: nginx/1.14.2 | ||
| + | built with OpenSSL 1.1.1c 28 May 2019 (running with OpenSSL 1.1.1g 21 Apr 2020) | ||
| + | TLS SNI support enabled | ||
| + | configure arguments: --with-cc-opt='-g -O2 -fdebug-prefix-map=/build/nginx-tBUzFN/nginx-1.14.2=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld- | ||
| + | opt='-Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock- | ||
| + | path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp- | ||
| + | path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with- | ||
| + | http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_gzip_static_module --without-http_browser_module -- | ||
| + | without-http_geo_module --without-http_limit_req_module --without-http_limit_conn_module --without-http_memcached_module --without-http_referer_module --without-http_split_clients_module --without- | ||
| + | http_userid_module --add-dynamic-module=/build/nginx-tBUzFN/nginx-1.14.2/debian/modules/http-echo | ||
| + | |||
* in appropriate server's cfg add | * in appropriate server's cfg add | ||
| Line 70: | Line 84: | ||
ssl_session_timeout 5m; | ssl_session_timeout 5m; | ||
| − | + | } | |
| − | |||
| − | |||
| − | |||
| − | |||
Revision as of 19:18, 28 July 2020
Self signed key + cert
- Generagete key + certificate (the validity is 365 days in our example):
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout NAME.key -out NAME.crt
The command will ask for some answers on few questions.
- Copy key/cert to appropriate directory (e.g. /etc/ssl or /etc/apache2/ssl or /etc/nginx/ssl, ...)
- Adjust key's permissions and owner:
chown root: NAME.key chmod 400 NAME.key
Apache httpd server
- be sure you have installed and enabled apache's SSL/TLS module.
- in appropriate virtual's config add
SSLEngine on SSLCertificateFile DIRECTORY/NAME.cert SSLCertificateKeyFile DIRECTORY/NAME.key
- don't forget to restart httpd server
- longer config example
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile DIRECTORY/NAME.cert
SSLCertificateKeyFile DIRECTORY/NAME.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
</VirtualHost>
</IfModule>
Nginx httpd server
- be sure you have installed and enabled nginx's SSL/TLS module.
it can be tested with this command (you must see '--with-http_ssl_module' in the output):
~# nginx -V nginx version: nginx/1.14.2 built with OpenSSL 1.1.1c 28 May 2019 (running with OpenSSL 1.1.1g 21 Apr 2020) TLS SNI support enabled configure arguments: --with-cc-opt='-g -O2 -fdebug-prefix-map=/build/nginx-tBUzFN/nginx-1.14.2=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld- opt='-Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock- path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp- path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with- http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_gzip_static_module --without-http_browser_module -- without-http_geo_module --without-http_limit_req_module --without-http_limit_conn_module --without-http_memcached_module --without-http_referer_module --without-http_split_clients_module --without- http_userid_module --add-dynamic-module=/build/nginx-tBUzFN/nginx-1.14.2/debian/modules/http-echo
- in appropriate server's cfg add
ssl on; ssl_certificate DIRECTORY/NAME.cert; ssl_certificate_key DIRECTORY/NAME.key;
- don't forget to restart httpd server
- longer config example
server {
listen 443;
access_log /var/log/nginx/ssl-access.log;
error_log /var/log/nginx/ssl-error.log;
index index.html;
root /usr/share/nginx/html;
server_name SERVERNAME;
ssl on;
ssl_certificate DIRECTORY/NAME.cert;
ssl_certificate_key DIRECTORY/NAME.key;
ssl_session_timeout 5m;
}