Recently I bought an SSL certificate for this blog from MegaSSLStore. My website is hosted on a FreeBSD machine and served by the Nginx web server. To install the certificate on this machine I downloaded the certificate, the CSR and the private key from MegaSSLStore and copied them to /usr/local/etc/nginx/ssl on my server. (One caveat worth knowing: when the vendor generates the CSR and private key for you, a copy of that key has existed outside your server; generating the key pair locally and sending only the CSR to the CA avoids that.)
# scp -P22 * root@razvantudorica.com:/usr/local/etc/nginx/ssl

root@RTU001 /usr/local/etc/nginx/ssl # ls -lh
total 32
-r-------- 1 root wheel 5.5K Dec 14 11:39 razvantudorica.com.ca-bundle
-r-------- 1 root wheel 1.9K Dec 14 11:39 razvantudorica.com.crt
-r-------- 1 root wheel 1.1K Dec 14 11:39 razvantudorica.com.csr
-r-------- 1 root wheel 1.7K Dec 14 11:39 razvantudorica.com.key
Because I have a .crt certificate and also a ca-bundle (the CA's intermediate certificates), I need to combine these two files into one certificate. The order matters: nginx treats the first certificate in the file as the server certificate and sends the rest as the chain, so the .crt goes first and the ca-bundle after it:
cd /usr/local/etc/nginx/ssl
cat razvantudorica.com.crt razvantudorica.com.ca-bundle > razvantudorica.com-bundle.crt
After this, I changed the nginx configuration file of the website so that all traffic arriving on http (port 80) is redirected to https (port 443).
In my website's .conf file I added a new server block that redirects everything arriving on port 80 to https using the HTTP response code 301 (Moved Permanently). In the old server block I removed the “listen 80;” directive and added “listen 443 ssl;”.
server {
    server_name razvantudorica.com www.razvantudorica.com;
    listen 80;
    return 301 https://$host$request_uri;
}

server {
    server_name razvantudorica.com www.razvantudorica.com;
    listen 443 ssl;
    # ...
}
The next step is to add the certificate and the key to the configuration file, again in the nginx configuration of the website:
server {
    server_name razvantudorica.com www.razvantudorica.com;
    listen 443 ssl;
    ssl_certificate     /usr/local/etc/nginx/ssl/razvantudorica.com-bundle.crt;
    ssl_certificate_key /usr/local/etc/nginx/ssl/razvantudorica.com.key;
    # ...
}
If you use the default nginx config file, you will probably have a line like:
ssl_protocols SSLv2 SSLv3 TLSv1;
I replaced this line with:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don't use SSLv3 ref: POODLE
in order to avoid the vulnerabilities of the old SSL versions (SSLv3 is what POODLE attacks). Note that TLS 1.0 and 1.1 have since been deprecated as well (RFC 8996), so on a current nginx the line should be “ssl_protocols TLSv1.2 TLSv1.3;”. I also removed the old ‘ssl_ciphers’ line, which contained some weak ciphers, and replaced it with:
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
Two caveats about this list: “!DES” does not exclude the 3DES suites (the DES-CBC3-SHA entries are still enabled), and the AES256-SHA / AES128-SHA style suites near the end provide no forward secrecy, so they should be dropped on a current setup; the list is also only honoured in the written order if “ssl_prefer_server_ciphers on;” is set. After this I checked the configuration with “nginx -t” and reloaded it with:
service nginx reload
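The steps above, as an added example that is not code from the original post: a POSIX shell script that builds the combined certificate in the order nginx expects, checks that the private key really belongs to the certificate, checks that the first certificate in the bundle is the site's leaf and chains to the root (a bundle concatenated in the wrong order fails this), and only then reloads nginx. It assumes the OpenSSL command-line tool. The demo_chain function builds a throwaway root/intermediate/leaf chain locally; it is a constructed stand-in for the vendor's real files and uses the post's file names.

```shell
#!/bin/sh
# Added example, not code from the original post: build the combined certificate nginx expects,
# then prove that the key matches the certificate and that the chain is in the right order
# before the config is reloaded. Assumes only the OpenSSL command-line tool. The root ->
# intermediate -> leaf chain produced by demo_chain is constructed here for the demo and has
# nothing to do with MegaSSLStore's real chain; file names mirror the post's layout.
set -eu

# nginx uses the first certificate in ssl_certificate as the server certificate and sends the
# rest as the chain, so the order is fixed: leaf first, then the CA bundle (intermediates).
make_bundle() {
    cat "$1" "$2" > "$3"
    chmod 0400 "$3"
}

# Exit 0 when the private key belongs to the certificate: the public key embedded in the
# certificate must equal the public key derived from the private key.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# Exit 0 when the first certificate in $1 is valid for host $3 and chains to the trusted
# root $2 through the other certificates in the file. A bundle concatenated in the wrong
# order (intermediate on top) fails the hostname check, which is exactly the mistake
# this guards against.
bundle_ok() {
    openssl verify -CAfile "$2" -untrusted "$1" -verify_hostname "$3" "$1" >/dev/null 2>&1
}

# On the server: syntax-check the configuration before reloading, so a typo in the ssl_*
# lines reports an error instead of taking the site down.
reload_nginx() {
    nginx -t && service nginx reload
}

# Constructed demo chain in directory $1 for host $2 (throwaway 1-day certificates).
demo_chain() {
    d="$1"; host="$2"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s,DNS:www.%s\n' "$host" "$host" > "$d/leaf.ext"
    for k in root intermediate "$host"; do openssl genrsa -out "$d/$k.key" 2048 2>/dev/null; done
    # self-signed root
    openssl req -new -key "$d/root.key" -subj "/CN=Demo Root CA" -out "$d/root.csr" 2>/dev/null
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 1 -set_serial 1 \
        -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
    # intermediate, signed by the root; this plays the role of the vendor's .ca-bundle
    openssl req -new -key "$d/intermediate.key" -subj "/CN=Demo Intermediate CA" \
        -out "$d/intermediate.csr" 2>/dev/null
    openssl x509 -req -in "$d/intermediate.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -days 1 \
        -set_serial 2 -extfile "$d/ca.ext" -out "$d/$host.ca-bundle" 2>/dev/null
    # leaf for the site, signed by the intermediate
    openssl req -new -key "$d/$host.key" -subj "/CN=$host" -out "$d/$host.csr" 2>/dev/null
    openssl x509 -req -in "$d/$host.csr" -CA "$d/$host.ca-bundle" -CAkey "$d/intermediate.key" \
        -days 1 -set_serial 3 -extfile "$d/leaf.ext" -out "$d/$host.crt" 2>/dev/null
}

# Run the checks end to end on the demo chain:  sh check-bundle.sh --demo
if [ "${1:-}" = "--demo" ]; then
    dir=$(mktemp -d); site=razvantudorica.com
    demo_chain "$dir" "$site"
    make_bundle "$dir/$site.crt" "$dir/$site.ca-bundle" "$dir/$site-bundle.crt"
    key_matches_cert "$dir/$site.crt" "$dir/$site.key" && echo "key matches certificate"
    bundle_ok "$dir/$site-bundle.crt" "$dir/root.crt" "$site" && echo "bundle order and chain OK"
    rm -rf "$dir"
fi
```

On the real server you would point make_bundle, key_matches_cert and bundle_ok at the files in /usr/local/etc/nginx/ssl (with the CA's root certificate, or the system trust store, as the -CAfile argument) and call reload_nginx only if both checks pass; the key comparison uses the public keys, so it works for RSA and ECDSA keys alike.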
In my case I was using a CDN to deliver some assets (js and css files, images), but because it was served over http I disabled it, to avoid mixed content on the page, until I add certificates to the CDN subdomain as well.