Nginx HTTPS / HTTP/2 & SPDY configuration
- Discuss Centmin Mod Nginx HTTPS + HTTP/2 & Google SPDY SSL on the forums here and check out community forum discussion on which SSL Certificates to use.
- If your intention is to switch to https SSL due to Google's latest announcement, you'd want to also read this thread at HTTPS as a Google Ranking Signal.
- If you want to take advantage of Cloudflare's free Universal SSL certificates with Full SSL option and use a self signed SSL certificate, instructions have been added to create your own self signed SSL certificate (latest version of Centmin Mod also has added native support to centmin.sh menu option 2 to create your site domain Nginx vhost account with both normal http + the https SPDY SSL self-signed Nginx vhost files automatically when you answer yes to the prompt to create a self-signed SSL certificate).
- If you need to force redirect all non-www and www http connections to www https, check out How to force redirect from HTTP:// to HTTPS:// ? and forum instructions here (provided you use centmin.sh menu option 2 to create your site domain Nginx vhost account and answered yes when prompted for creating the base self-signed SSL certificate). Always test with 302 temporary redirects first in a private/incognito browsing session before deploying 301 permanent redirects, so you don't get non-working 301 redirects permanently cached in your browser. If you do, you will need to clear all browser caches and restart the browser to retest changes to 301 permanent redirects.
- How to switch self-signed SSL certificate to paid SSL certificate?
- Latest Centmin Mod 1.2.3-eva2000.09 beta (123.09beta01 branch) also has added Nginx HTTP/2 SSL support.
My official Centmin Mod Community forums and the sslspdy.com ECC 256 bit SSL certificate test site both use https / SSL with Google SPDY (Wikipedia definition & SPDY whitepaper). I'd like to share the base Nginx vhost template I use below (as at July 31st, 2015).
Revised as at September 18th, 2015 - Nginx HTTP/2 notes - switching from Nginx SPDY to HTTP/2.
Backported Nginx HTTP/2 support
Nginx 1.9.5 seems to be the version which officially supports Nginx HTTP/2, and the official Nginx HTTP/2 documentation is already in place. For Centmin Mod Nginx, the Nginx HTTP/2 support routines have been backported from Centmin Mod 1.2.3-eva2000.09 beta to the 1.2.3-eva2000.08 stable branch as at September 18th, 2015. So ensure you update the Centmin Mod code as outlined on the Upgrade page before updating to Nginx 1.9.5 via centmin.sh menu option 4.
What is Google SPDY?
SPDY (pronounced speedy) is similar to HTTP, with the particular goals of reducing web page load latency and improving web security. SPDY achieves reduced latency through compression (of both request and response HTTP headers), multiplexing (allows for unlimited concurrent streams over a single TCP connection), and prioritization (client side requests are each assigned a priority). Update: Nginx is replacing SPDY with the HTTP/2 module; for full details read here.
Some numbers from the SPDY whitepaper:
We discovered that SPDY's latency savings also increased proportionally with increases in RTTs, up to a 27% speedup at 200 ms. The reason that SPDY does better as RTT goes up is because SPDY fetches all requests in parallel. If an HTTP client has 4 connections per domain, and 20 resources to fetch, it would take roughly 5 RTs to fetch all 20 items. SPDY fetches all 20 resources in one RT.
- SPDY sends ~40% fewer packets than HTTP, which means fewer packets affected by loss.
- SPDY uses fewer TCP connections, which means fewer chances to lose the SYN packet. In many TCP implementations, this delay is disproportionately expensive (up to 3 s).
- SPDY's more efficient use of TCP usually triggers TCP's fast retransmit instead of using retransmit timers.
RTT in ms | HTTP average ms | SPDY basic (TCP) average ms | Speedup
20 | 1240 | 1087 | 12.34%
40 | 1571 | 1279 | 18.59%
60 | 1909 | 1526 | 20.06%
80 | 2268 | 1727 | 23.85%
120 | 2927 | 2240 | 23.47%
160 | 3650 | 2772 | 24.05%
200 | 4498 | 3293 | 26.79%
Centmin Mod Nginx SSL + SPDY
To be able to use Google SPDY you need to serve your site over https connections. This means you need to purchase and use an SSL certificate and set up your Nginx vhost configuration file (i.e. /usr/local/nginx/conf/conf.d/yourdomain.com.conf, generated when you use menu option #2 to create your Nginx domain name vhost) to operate under Nginx SSL. I use the 1 yr free SSL certificate offered by startssl.com or SSL Wildcard certificates with Google SPDY, and followed the instructions from the following:
- http://www.startssl.com/?app=42
- http://nginx.org/en/docs/http/ngx_http_ssl_module.html
- http://nginx.org/en/docs/http/ngx_http_spdy_module.html
StartSSL free certificate
The StartSSL free certificate only works for a single domain name + 1 additional hostname (usually domain.com + the additional www.domain.com, where 'www' is the additional hostname, so you can access https://domain.com and https://www.domain.com via https/SSL). You can not use the StartSSL free certificate for other subdomain names, for example if you also want to use it for https://forum.domain.com or https://blog.domain.com, where the additional subdomains forum or blog are used.
StartSSL identity Verified vs Domain Validated Wildcard SSL certificate
To be able to use SSL for all subdomains, you need what is usually referred to as a domain validated Wildcard SSL certificate. StartSSL refers to them as StartSSL Identity Verified SSL certificates, which have tighter restrictions in that you need to provide personal documentation to verify who you are.
If you feel uncomfortable providing your personal documents and details to StartSSL, then you need to find the normal domain validated Wildcard SSL certificates.
One of the cheaper SSL certificate providers which still retain some support would be GoGetSSL.com. Their Wildcard SSL certificates page lists both domain and business validated SSL Wildcard certificate options where Comodo EssentialSSL Wildcard is their cheapest option. You can check out the community forum discussion thread regarding various SSL certificates and their respective costs.
If a GoGetSSL.com Wildcard SSL certificate seems too costly, there's another brand called AlphaSSL Wildcard SSL certificates, which usually range in cost from US$42 to US$150/yr. SSL2Buy.com and Garrisonhost.com are two AlphaSSL resellers I have come across but not used myself.
Domain validated means they will verify domain name ownership and send the SSL certificate to @yourdomain.com email address of your intended https://yourdomain.com SSL site. Usually a common email address is at webmaster@yourdomain.com, so make sure email username webmaster works on your intended SSL based yourdomain.com domain name.
If you have not yet set up @yourdomain.com email on your Centmin Mod based server, then check out how to set up free @yourdomain.com email accounts via Outlook Live Domains from Microsoft.
OpenSSL CSR
With some SSL providers you will need to provide them with an OpenSSL generated CSR file. There are 2 methods of generating the CSR code files and private keys:
- Method 1: You can do this via an SSH telnet command using the openssl tool (example here), or use the Digicert.com CSR wizard here, which generates an openssl command you copy and paste into your Centmin Mod based server's SSH telnet window. For method 1 read further below for exact details OR
- Method 2: You can use a 100% online only CSR code and private key generator at https://www.gogetssl.com/online-csr-generator/. For method 2 read further below for exact details
Method 1 explained:
I would run this command from a directory you create yourself at /usr/local/nginx/conf/ssl/domaincom/, where domaincom is your domain name minus any full stops.
For example:
Log into SSH telnet for your Centmin Mod based server as root user and create directory at /usr/local/nginx/conf/ssl/domaincom/
mkdir -p /usr/local/nginx/conf/ssl/domaincom/
change to that directory
cd /usr/local/nginx/conf/ssl/domaincom/
Then type and run the OpenSSL CSR command that the CSR wizard here outputs. DO NOT use the exact command below; it is only an example for illustration purposes:
Updated: after the CSR Wizard generates its output, add -sha256 to the line right before -nodes. This is required to ensure the CSR code and private key use SHA-2 signature hash algorithms like SHA256.
openssl req -new -newkey rsa:2048 -sha256 -nodes -out yourdomain_com.csr -keyout yourdomain_com.key -subj "/C=US/ST=Rhode Island/L=East Greenwich/O=Fidelity Test/CN=yourdomain.com"
You'll end up with two files generated in the created directory at /usr/local/nginx/conf/ssl/domaincom/. One for your private key named yourdomain_com.key (I renamed it to just ssl.key for below example at /usr/local/nginx/conf/ssl/domaincom/ssl.key) and a CSR file yourdomain_com.csr. I would save these files and back them up locally on your computer.
For Common Name enter your intended domain name without 'www' i.e. yourdomain.com. If it's a Wildcard SSL, use *.yourdomain.com. The generated OpenSSL CSR file will need to be provided to your SSL certificate provider.
You can check your generated CSR code's validity by pasting your *.csr file contents into the Online CSR Decoder. A more advanced CSR decoder can also report the Signature Hash Algorithm used.
Creating your own self signed SSL certificate
Now that you have your CSR file (yourdomain_com.csr) and private key (yourdomain_com.key) for your domain generated via Method 1 instructions, you may want to generate your own self signed SSL certificate instead of using a paid SSL certificate (e.g. for usage with Cloudflare's free Universal SSL certificates and Full SSL option). To create the self signed SSL certificate (yourdomain_com.crt) you would run this command in the same directory you have your CSR file and private key you generated above i.e. /usr/local/nginx/conf/ssl/domaincom/.
openssl x509 -req -days 36500 -in yourdomain_com.csr -signkey yourdomain_com.key -out yourdomain_com.crt
Then you can skip to the self signed SSL certificate Nginx Vhost setup if you are not using a paid SSL certificate.
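Method 1 carried through end to end and checked offline, as an added example (this script is not part of the Centmin Mod guide or its code). It assumes openssl is installed; a temporary directory stands in for /usr/local/nginx/conf/ssl/domaincom/, and the subject fields and yourdomain_com file names are the guide's own placeholders. The two checks at the end are the ones worth running before you upload the CSR or install a certificate: that the CSR really is SHA-256 signed (the offline counterpart of the advanced CSR decoder mentioned above), and that key, CSR and certificate carry the same RSA modulus, which is what a "key values mismatch" failure at Nginx start-up comes down to.

```shell
#!/bin/sh
# Added example, not Centmin Mod's own code. Assumes openssl is on PATH.
# The directory argument is an assumption standing in for /usr/local/nginx/conf/ssl/domaincom/.
set -eu

# Method 1: private key and SHA-256 signed CSR, then the self-signed certificate
# (the Cloudflare Full SSL case). $1 = directory, $2 = Common Name
# (yourdomain.com, or *.yourdomain.com for a wildcard certificate).
generate_csr_and_selfsigned() {
  dir=$1
  cn=$2
  mkdir -p "$dir"
  # -sha256 sits right before -nodes, as the "Updated:" note requires; subject fields are placeholders
  openssl req -new -newkey rsa:2048 -sha256 -nodes \
    -out "$dir/yourdomain_com.csr" -keyout "$dir/yourdomain_com.key" \
    -subj "/C=US/ST=Rhode Island/L=East Greenwich/O=Fidelity Test/CN=$cn" 2>/dev/null
  # Self-signed certificate with the same 36500 day lifetime the guide uses
  openssl x509 -req -days 36500 -in "$dir/yourdomain_com.csr" \
    -signkey "$dir/yourdomain_com.key" -out "$dir/yourdomain_com.crt" 2>/dev/null
  # The private key is the only secret of the three files: readable by its owner only
  chmod 600 "$dir/yourdomain_com.key"
}

# Offline equivalent of the "advanced CSR decoder" check: prints the CSR's
# signature algorithm, e.g. sha256WithRSAEncryption.
csr_signature_algorithm() {
  openssl req -in "$1" -noout -text | awk '/Signature Algorithm/ { print $3; exit }'
}

# Common Name of a certificate, taken from its subject (e.g. yourdomain.com).
cert_common_name() {
  openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# Key, CSR and certificate must share one RSA modulus. A mismatch means the
# certificate (self-signed here, or the one a provider returns) does not belong
# to the key Nginx will load. Returns 0 when all three match.
key_matches() {
  dir=$1
  k=$(openssl rsa  -in "$dir/yourdomain_com.key" -noout -modulus)
  c=$(openssl req  -in "$dir/yourdomain_com.csr" -noout -modulus)
  x=$(openssl x509 -in "$dir/yourdomain_com.crt" -noout -modulus)
  [ "$k" = "$c" ] && [ "$c" = "$x" ]
}

# Stand-alone run: generate into a temporary directory and report both checks.
DEMO_DIR=$(mktemp -d)
generate_csr_and_selfsigned "$DEMO_DIR" "yourdomain.com"
echo "CSR signature algorithm: $(csr_signature_algorithm "$DEMO_DIR/yourdomain_com.csr")"
echo "certificate CN: $(cert_common_name "$DEMO_DIR/yourdomain_com.crt")"
if key_matches "$DEMO_DIR"; then echo "key/CSR/cert match: yes"; else echo "key/CSR/cert match: NO"; fi
```

Run it as root in the real directory by replacing the mktemp call with /usr/local/nginx/conf/ssl/domaincom/ and the CN with your own domain; the modulus check is equally useful later, after a paid certificate arrives, to confirm it was issued for the key you generated.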
Method 2 explained:
You can use a 100% online only CSR code and private key generator at https://www.gogetssl.com/online-csr-generator/. When you enter your email address on the online generator, you will be emailed your domain's *.csr file and private key, which you need to rename to yourdomain_com.key (private key) and yourdomain_com.csr (CSR file) respectively, then upload to /usr/local/nginx/conf/ssl/domaincom/ and follow the Setting up Nginx SSL guide below.
Setting up Nginx SSL
After you purchase or obtain yourdomain.com's SSL certificate, your SSL provider will provide you with:
- Your domain's SSL certificate usually saved as yourdomain.crt. Upload file to /usr/local/nginx/conf/ssl/domaincom/
- The provider's intermediate (i.e. intermediate.crt) and root certificates (root.pem format). The actual name and extension would vary from SSL provider. Upload files to /usr/local/nginx/conf/ssl/domaincom/
If instead you opted to use your own self signed SSL certificate created above, you will have the following files to work with located at /usr/local/nginx/conf/ssl/domaincom/:
- self signed SSL certificate (yourdomain_com.crt)
- CSR file (yourdomain_com.csr)
- private key (yourdomain_com.key)
I would save these files and back them up locally on your computer.
dhparam
For DHE key exchange, generate a dhparam.pem file at /usr/local/nginx/conf/ssl/domaincom/dhparam.pem with higher strength 2048 bit or 4096 bit parameters instead of Nginx's default OpenSSL Ephemeral Diffie-Hellman (DHE) key of 1024 bit, so that it at least matches a 2048 bit SSL certificate.
To generate dhparam file you can either use one of the 2 below commands (not both). Both can take quite a long time to generate depending on your server's processing power. The 4096 bit can take between 15-60 minutes to generate.
cd /usr/local/nginx/conf/ssl/domaincom
openssl dhparam -out dhparam.pem 2048
or
cd /usr/local/nginx/conf/ssl/domaincom
openssl dhparam -out dhparam.pem 4096
Within the Nginx vhost you'd add this line:
ssl_dhparam /usr/local/nginx/conf/ssl/domaincom/dhparam.pem;
ssl-unified.crt
Only for paid SSL certificates (NOT self signed SSL certificates), you next need to create the /usr/local/nginx/conf/ssl/domaincom/ssl-unified.crt file that the Nginx SSL vhost below will use. This ssl-unified.crt is created from the concatenation of your domain's SSL certificate yourdomain.crt, then the provider's intermediate and root certificates, in this particular order. In SSH telnet within the /usr/local/nginx/conf/ssl/domaincom/ directory, type the following commands:
cd /usr/local/nginx/conf/ssl/domaincom/
cat yourdomain.crt intermediate.crt root.pem > ssl-unified.crt
For /usr/local/nginx/conf/ssl/domaincom/ssl-trusted.crt
cat intermediate.crt root.pem > ssl-trusted.crt
If your SSL provider only provides something like yourdomain_com.crt and yourdomain_com.ca-bundle, then concat them this way:
For ssl-unified.crt
cat yourdomain_com.crt yourdomain_com.ca-bundle > ssl-unified.crt
For ssl-trusted.crt
cat yourdomain_com.ca-bundle > ssl-trusted.crt
You'll end up with the ssl-unified.crt file at /usr/local/nginx/conf/ssl/domaincom/ssl-unified.crt and ssl-trusted.crt at /usr/local/nginx/conf/ssl/domaincom/ssl-trusted.crt
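The ssl-unified.crt / ssl-trusted.crt assembly above, plus an offline version of the certificate order check the SSL check section later points to, as an added example (not Centmin Mod's own code). It assumes openssl and awk are installed and uses a temporary directory in place of /usr/local/nginx/conf/ssl/domaincom/. Because it has to run without a provider, it first constructs a toy root CA, intermediate CA and yourdomain.com leaf; with a real certificate you skip make_toy_chain and run build_bundles and check_chain_order on the files your provider sent.

```shell
#!/bin/sh
# Added example, not Centmin Mod's own code. Assumes openssl and awk are on PATH.
# The directory argument is an assumption standing in for /usr/local/nginx/conf/ssl/domaincom/.
set -eu

# Constructed toy PKI so the example runs offline: root CA -> intermediate CA ->
# yourdomain.com leaf. With a real provider you receive these three files instead.
make_toy_chain() {
  dir=$1
  mkdir -p "$dir"
  cfg=$dir/toy.cnf
  cat > "$cfg" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
subjectAltName = DNS:yourdomain.com, DNS:www.yourdomain.com
EOF
  # root.pem: self-signed root CA
  openssl req -x509 -new -newkey rsa:2048 -sha256 -nodes -days 3650 -config "$cfg" \
    -extensions ca_ext -subj "/CN=Toy Root CA" -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
  # intermediate.crt: issued by the root
  openssl req -new -newkey rsa:2048 -sha256 -nodes -config "$cfg" \
    -subj "/CN=Toy Intermediate CA" -keyout "$dir/intermediate.key" -out "$dir/intermediate.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 1825 -in "$dir/intermediate.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -CAcreateserial -extfile "$cfg" -extensions ca_ext -out "$dir/intermediate.crt" 2>/dev/null
  # yourdomain.crt: the site certificate, issued by the intermediate; ssl.key is its private key
  openssl req -new -newkey rsa:2048 -sha256 -nodes -config "$cfg" \
    -subj "/CN=yourdomain.com" -keyout "$dir/ssl.key" -out "$dir/yourdomain_com.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 365 -in "$dir/yourdomain_com.csr" -CA "$dir/intermediate.crt" -CAkey "$dir/intermediate.key" \
    -CAcreateserial -extfile "$cfg" -extensions leaf_ext -out "$dir/yourdomain.crt" 2>/dev/null
}

# The two cat commands from the guide: leaf, then intermediate, then root for
# ssl_certificate; intermediate and root only for ssl_trusted_certificate.
build_bundles() {
  dir=$1
  cat "$dir/yourdomain.crt" "$dir/intermediate.crt" "$dir/root.pem" > "$dir/ssl-unified.crt"
  cat "$dir/intermediate.crt" "$dir/root.pem" > "$dir/ssl-trusted.crt"
}

# Offline certificate order check: every certificate in the bundle must be
# followed by the certificate that issued it. Returns 0 when the order is right,
# 1 when it is not (the usual mistake is putting the CA bundle or root first).
check_chain_order() {
  bundle=$1
  tmp=$(mktemp -d)
  # split the PEM bundle into c1.pem, c2.pem, ... in file order
  awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ } { print > (d "/c" n ".pem") }' "$bundle"
  i=1
  ok=0
  while [ -f "$tmp/c$((i + 1)).pem" ]; do
    issuer=$(openssl x509 -in "$tmp/c$i.pem" -noout -issuer)
    subject=$(openssl x509 -in "$tmp/c$((i + 1)).pem" -noout -subject)
    # drop the "issuer=" / "subject=" prefixes; the remainder must be identical
    if [ "${issuer#issuer=}" != "${subject#subject=}" ]; then ok=1; break; fi
    i=$((i + 1))
  done
  rm -rf "$tmp"
  return $ok
}

# Does the site certificate verify against ssl-trusted.crt? That is the chain
# ssl_stapling_verify relies on, so a failure here shows up later as a stapling problem.
verify_leaf() {
  openssl verify -CAfile "$1/ssl-trusted.crt" "$1/yourdomain.crt" >/dev/null 2>&1
}

# Stand-alone run
DEMO_DIR=$(mktemp -d)
make_toy_chain "$DEMO_DIR"
build_bundles "$DEMO_DIR"
check_chain_order "$DEMO_DIR/ssl-unified.crt" && echo "ssl-unified.crt order: ok"
verify_leaf "$DEMO_DIR" && echo "yourdomain.crt verifies against ssl-trusted.crt"
```

check_chain_order compares each certificate's issuer with the subject of the certificate that follows it, which is exactly the property the online order checker reports on; run it on ssl-unified.crt after the cat step and on ssl-trusted.crt before enabling ssl_stapling_verify.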
Examples
You can see a Comodo/GGSSL Wildcard SSL certificate example setup for my sslspdy.com site on the Centmin Mod Community forums, or the Comodo/GGSSL Wildcard SSL certificate example setup for my centminmod.com here and here. The specific names of the files may differ from your SSL certificate, but they serve as examples.
For the example below, I placed the startssl SSL certificates in new directories created at /usr/local/nginx/conf/ssl/domaincom/, although you can place them anywhere really. If you want to enable Google Nginx PageSpeed ngx_pagespeed module support, follow the guide here.
You will need to totally restructure your domain's Nginx vhost file, which you created via menu option 2, to the following format:
Note: for Nginx 1.5.10 and higher you can use 443:npn-spdy/3 instead of 443:npn-spdy/2
Update: October 15th, 2014. In light of the Google-published POODLE SSLv3 vulnerability, removed SSLv3 from the ssl_protocols configuration for the Nginx vhost and switched to Mozilla's recommended Intermediate compatibility cipher suite settings.
change from
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!kEDH:!EDH:!CAMELLIA;
to (revised Dec 15th, 2014)
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
Full Nginx vhost format updated as at March 4th, 2015. I've changed the return 301 permanent http to https redirect to a temporary redirect, return 302, for starters. A 301 permanent http to https redirect is permanently cached in a visitor's browser and can only be cleared by each visitor clearing their browser's cache, history etc. and then rebooting their systems. That is a big inconvenience if you ever decide HTTPS and SSL are not what you need, or if you find your Google Adsense revenue dramatically drops when switching to HTTPS / SSL and want to switch back to normal HTTP and remove HTTPS/SSL. Only after long term use of the 302 temp redirect, when you are sure HTTPS/SSL is what you need, should you change return 302 to return 301.
Update: Nginx is replacing SPDY with the HTTP/2 module; for full details read here. So starting with Nginx 1.9.3+ patched Centmin Mod Nginx or Nginx 1.9.5+, you need to change the listen directive's spdy parameter to http2:
from
listen 443 ssl spdy;
to
listen 443 ssl http2;
server {
  server_name domain.com www.domain.com;
  return 302 https://$server_name$request_uri;
}

# https SSL SPDY vhost
server {
  listen 443 ssl http2;
  server_name domain.com;

  ssl_dhparam /usr/local/nginx/conf/ssl/domaincom/dhparam.pem;
  ssl_certificate /usr/local/nginx/conf/ssl/domaincom/ssl-unified.crt;
  ssl_certificate_key /usr/local/nginx/conf/ssl/domaincom/ssl.key;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_session_cache shared:SSL:10m;
  ssl_session_timeout 10m;
  ssl_ciphers TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
  ssl_prefer_server_ciphers on;
  #add_header Alternate-Protocol 443:npn-spdy/3;
  add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
  #add_header X-Content-Type-Options "nosniff";
  #add_header X-Frame-Options DENY;

  # nginx 1.5.9+ or higher
  # http://nginx.org/en/docs/http/ngx_http_spdy_module.html#spdy_headers_comp
  # http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_buffer_size
  # spdy_headers_comp 0;
  # ssl_buffer_size 4k;

  # enable ocsp stapling
  resolver 8.8.8.8;
  ssl_stapling on;
  ssl_stapling_verify on;
  ssl_trusted_certificate /usr/local/nginx/conf/ssl/domaincom/ssl-trusted.crt;

  # limit_conn limit_per_ip 16;
  # ssi on;
  access_log /home/nginx/domains/domain.com/log/access.log combined buffer=32k;
  error_log /home/nginx/domains/domain.com/log/error.log;

  root /home/nginx/domains/domain.com/public;

  # ngx_pagespeed & ngx_pagespeed handler
  #include /usr/local/nginx/conf/pagespeed.conf;
  #include /usr/local/nginx/conf/pagespeedhandler.conf;
  #include /usr/local/nginx/conf/pagespeedstatslog.conf;

  ## redirect https://www to https://non-www
  ## uncomment if needed
  # if ($host = 'www.domain.com' ) {
  #   return 302 https://$server_name$request_uri;
  # }

  location / {
    # block common exploits, sql injections etc
    # include /usr/local/nginx/conf/block.conf;

    # Enables directory listings when index file not found
    #autoindex on;
  }

  include /usr/local/nginx/conf/staticfiles.conf;
  include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/drop.conf;
  include /usr/local/nginx/conf/errorpage.conf;
}
Nginx SPDY SSL Vhost for self signed SSL certificates
If you opted to create your own self signed SSL certificate instead of using a paid SSL certificate, you will have a slightly different Nginx vhost format, as there is no ssl-unified.crt file, nor can you use any of the OCSP stapling options or the ssl_trusted_certificate option (you need to comment those out). In its place you just use the self signed SSL certificate you generated, yourdomain_com.crt.
Below is an example Nginx vhost for SPDY/3.1 SSL with a self signed SSL certificate:
If your intention is to use it with Cloudflare's Universal SSL with Full SSL option, you may want to disable the forced http to https redirect until your Cloudflare Full SSL is activated and working.
The redirect is the first 4 lines of your Nginx vhost, which you can comment out and disable with a hash # in front:
# server {
#   server_name domain.com www.domain.com;
#   return 302 https://$server_name$request_uri;
# }
Update: Nginx is replacing SPDY with the HTTP/2 module; for full details read here. So starting with Nginx 1.9.3+ patched Centmin Mod Nginx or Nginx 1.9.5+, you need to change the listen directive's spdy parameter to http2:
from
listen 443 ssl spdy;
to
listen 443 ssl http2;
Full Nginx vhost with self signed SSL certificate:
server {
  server_name domain.com www.domain.com;
  return 302 https://$server_name$request_uri;
}

server {
  listen 443 ssl http2;
  server_name domain.com www.domain.com;

  ssl_dhparam /usr/local/nginx/conf/ssl/domaincom/dhparam.pem;
  ssl_certificate /usr/local/nginx/conf/ssl/domaincom/yourdomain_com.crt;
  ssl_certificate_key /usr/local/nginx/conf/ssl/domaincom/yourdomain_com.key;
  ssl_session_cache shared:SSL:10m;
  ssl_session_timeout 10m;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  # mozilla recommended
  ssl_ciphers TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
  ssl_prefer_server_ciphers on;
  #add_header Alternate-Protocol 443:npn-spdy/3;
  add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
  #add_header X-Content-Type-Options "nosniff";
  #add_header X-Frame-Options DENY;
  spdy_headers_comp 5;
  ssl_buffer_size 1369;
  ssl_session_tickets on;

  # enable ocsp stapling
  #resolver 8.8.8.8 8.8.4.4 valid=10m;
  #resolver_timeout 10s;
  #ssl_stapling on;
  #ssl_stapling_verify on;
  #ssl_trusted_certificate /usr/local/nginx/conf/ssl/domain.com/domain.com-trusted.crt;

  # ngx_pagespeed & ngx_pagespeed handler
  #include /usr/local/nginx/conf/pagespeed.conf;
  #include /usr/local/nginx/conf/pagespeedhandler.conf;
  #include /usr/local/nginx/conf/pagespeedstatslog.conf;

  # limit_conn limit_per_ip 16;
  # ssi on;
  access_log /home/nginx/domains/domain.com/log/access.log combined buffer=32k;
  error_log /home/nginx/domains/domain.com/log/error.log;

  root /home/nginx/domains/domain.com/public;

  ## redirect https://www to https://non-www
  ## uncomment if needed
  # if ($host = 'www.domain.com' ) {
  #   return 302 https://$server_name$request_uri;
  # }

  location / {
    # block common exploits, sql injections etc
    #include /usr/local/nginx/conf/block.conf;

    # Enables directory listings when index file not found
    #autoindex on;
    # Shows file listing times as local time
    #autoindex_localtime on;

    # Enable for vBulletin usage WITHOUT vbSEO installed
    #try_files $uri $uri/ /index.php;
  }

  include /usr/local/nginx/conf/staticfiles.conf;
  include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/drop.conf;
  #include /usr/local/nginx/conf/errorpage.conf;
}
For versions below Centmin Mod v1.2.3-eva2000.03+, you need to make one change to the included /usr/local/nginx/conf/php.conf for PHP over SSL/https. It's best to create a separate php.conf for this. In SSH telnet type:
cp -a /usr/local/nginx/conf/php.conf /usr/local/nginx/conf/phpssl.conf
For versions below Centmin Mod v1.2.3-eva2000.03+, in your SSL vhost /usr/local/nginx/conf/conf.d/yourdomain.com.conf comment out the existing php.conf line and add the new phpssl.conf:
include /usr/local/nginx/conf/staticfiles.conf;
include /usr/local/nginx/conf/phpssl.conf;
#include /usr/local/nginx/conf/php.conf;
include /usr/local/nginx/conf/drop.conf;
include /usr/local/nginx/conf/errorpage.conf;
For versions below Centmin Mod v1.2.3-eva2000.03+, edit /usr/local/nginx/conf/phpssl.conf and change this line by uncommenting (remove front hash #):
from
#fastcgi_param HTTPS on;
to
fastcgi_param HTTPS on;
For Nginx vhosts created from Centmin Mod v1.2.3-eva2000.04+ and higher, no changes to the /usr/local/nginx/conf/php.conf file are needed, as this variable is automatically mapped; you will find this line:
fastcgi_param HTTPS $server_https;
and within /usr/local/nginx/conf/nginx.conf you will find under http { the following include file calling /usr/local/nginx/conf/fastcgi_param_https_map.conf:
http {
  include /usr/local/nginx/conf/fastcgi_param_https_map.conf;
The /usr/local/nginx/conf/fastcgi_param_https_map.conf file contains the following code:
map $scheme $server_https {
  default off;
  https on;
}
If you're using older Centmin Mod v1.2.3-eva2000.03 versions and do not want to create a separate phpssl.conf, you can manually create the file at /usr/local/nginx/conf/fastcgi_param_https_map.conf with the mapping outlined above, and add the include line under http { in /usr/local/nginx/conf/nginx.conf:
http {
  include /usr/local/nginx/conf/fastcgi_param_https_map.conf;
within /usr/local/nginx/conf/fastcgi_param_https_map.conf file add:
map $scheme $server_https {
  default off;
  https on;
}
Restart Nginx and php-fpm services
service nginx restart
service php-fpm restart
or via command shortcut
nprestart
SPDY check
Test your https:// SSL based domain for SPDY via the following:
- Spdycheck.org site i.e. for my test blog http://spdycheck.org/#blog.centminmod.com. Ignore warning of out of date SPDY protocol spdy/3 vs spdy/2.
- For Chrome browser, install SPDY Indicator extension.
- For Opera browser, install SPDY indicator extension.
- For Firefox browser, install SPDY indicator add-on.
- For Internet Explorer version 10 and below, the browser doesn't support SPDY connections and will fall back to non-SPDY connections. Internet Explorer 11+ will support SPDY.
SSL check
Then test your https:// SSL based domain via these SSL test sites:
- https://sslcheck.globalsign.com
- https://www.ssllabs.com/ssltest/
- https://www.geocerts.com/ssl_checker
- You can use this online tool to check the order of certificates is configured correctly at https://ssltools.geotrust.com/checker/views/certCheck.jsp
You can also do an OCSP stapling quick test with an SSH telnet command. Type the following, where domain.com is the https://domain.com SSL domain you set up:
openssl s_client -connect domain.com:443 -tls1 -tlsextdebug -status
look for this output:
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
Troubleshooting
If you have problems with your web application under SSL, please consult the authors of that web application, i.e. WordPress, vBulletin, Xenforo, IPBoard, Drupal etc.