
NGINX ssl certificate configuration: using https with NGINX

Last updated : March 11, 2021

Configuring SSL with NGINX takes only a few minutes. All you need to do is save your SSL certificate and key files on the server and modify the NGINX config file to refer to them.

SSL certificate files

When you purchase an SSL certificate, you will have to download the files that make up your SSL certificate. In this tutorial, we will use two files, *.cer (or *.crt) and *.key, to set up HTTPS with the NGINX server. For reference, I will name the two files ssl_certificate.crt and ssl_certificate.key.

Step 1: Save SSL certificate files on the server

Figure 1 : Saving ssl certificates in Nginx

Download both ssl_certificate.crt and ssl_certificate.key to the server where NGINX is installed. In this example, my NGINX is installed in /etc/nginx, and I save the SSL files in the /etc/nginx/certs directory. Therefore, the absolute paths for my SSL files are /etc/nginx/certs/ssl_certificate.crt and /etc/nginx/certs/ssl_certificate.key respectively.

Step 2: Modify Nginx config file

Figure 2 : Modify Nginx config file

The next step is to modify the Nginx config file to create an HTTPS server block and reference SSL certificate files within the new server block. To maintain a canonical form of the URL, all noncanonical representations of the URL will redirect to the canonical URL format. Our canonical URL will be https://www.example.com. Noncanonical URL forms such as https://example.com, http://www.example.com, and http://example.com will be redirected to https://www.example.com. All the above URLs are served by the webserver running on port 3000.

2.1 Create a new server block

The server block below adds HTTPS support. It accepts https://www.example.com and forwards requests to the web server running on port 3000.

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name www.example.com;
    # Placeholder: the ssl_certificate and ssl_certificate_key directives are added in step 2.2
    location / {
        proxy_pass http://127.0.0.1:3000/;
    }
}

2.2 Add SSL certificate to the new server block

To use SSL, the server should have the SSL certificate installed. We completed this in step 1. Ensure the paths to the *.crt and *.key files match the location where you saved them.

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name www.example.com;
    ssl_certificate /etc/nginx/certs/ssl_certificate.crt;
    ssl_certificate_key /etc/nginx/certs/ssl_certificate.key;
    location / {
        proxy_pass http://127.0.0.1:3000/;
    }
}

Step 3: Redirect all URLs to https://www

As I mentioned above, let's redirect all the noncanonical URLs to canonical format, which is https://www.example.com.

Redirect all non-SSL requests to https://www.example.com

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    # Redirect to the fixed canonical name; $host would echo the client-supplied Host header
    return 301 https://www.example.com$request_uri;
}

Redirect https://example.com to https://www.example.com. The certificate must be valid for example.com as well as www.example.com, because the browser validates it before it follows the redirect.

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com;
    ssl_certificate /etc/nginx/certs/ssl_certificate.crt;
    ssl_certificate_key /etc/nginx/certs/ssl_certificate.key;
    return 301 https://www.example.com$request_uri;
}

After all the changes, the complete Nginx config file will look like this:

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    # Redirect to the fixed canonical name; $host would echo the client-supplied Host header
    return 301 https://www.example.com$request_uri;
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com;
    ssl_certificate /etc/nginx/certs/ssl_certificate.crt;
    ssl_certificate_key /etc/nginx/certs/ssl_certificate.key;
    return 301 https://www.example.com$request_uri;
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name www.example.com;
    ssl_certificate /etc/nginx/certs/ssl_certificate.crt;
    ssl_certificate_key /etc/nginx/certs/ssl_certificate.key;
    location / {
        proxy_pass http://127.0.0.1:3000/;
    }
}

Step 4: Restart Nginx

Now we have completed all the required changes to accommodate SSL. Finally, restart your Nginx server for the changes to take effect.

sudo systemctl restart nginx
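
Before restarting, it helps to confirm that the files from Step 1 are usable by the server blocks from Steps 2 and 3. The script below is an added example, not part of the original tutorial: the function names check_tls_files and make_demo_pair are made up here, and it assumes the openssl command-line tool and a Linux stat are available.

```bash
#!/usr/bin/env bash
# Added example: checks to run on the Step 1 files before restarting nginx.
# The function names are invented for this example; the openssl and nginx
# options used are standard. The mode check assumes GNU/busybox stat (Linux).

check_tls_files() {   # usage: check_tls_files CERT KEY HOST...
  local cert="$1" key="$2" rc=0 cert_pub key_pub mode host
  shift 2
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) ||
    { echo "FAIL: cannot read certificate $cert"; return 1; }
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) ||
    { echo "FAIL: cannot read private key $key"; return 1; }

  # 1. The key must belong to the certificate; nginx will not start otherwise.
  [ "$cert_pub" = "$key_pub" ] ||
    { echo "FAIL: $key does not match $cert"; rc=1; }

  # 2. Only the owner may read the private key.
  mode=$(stat -c %a "$key")
  case "$mode" in
    600|400) ;;
    *) echo "FAIL: $key has mode $mode, expected 600 or 400"; rc=1 ;;
  esac

  # 3. Every server_name that presents this certificate must be covered by it.
  for host in "$@"; do
    openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q 'does match' ||
      { echo "FAIL: certificate does not cover $host"; rc=1; }
  done

  # 4. The certificate must not expire within the next 24 hours.
  openssl x509 -in "$cert" -noout -checkend 86400 >/dev/null ||
    { echo "FAIL: certificate expires within 24 hours"; rc=1; }
  return "$rc"
}

# Constructed sample input: a throwaway self-signed pair valid for
# www.example.com only, written to directory $1.
make_demo_pair() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=www.example.com" \
    -keyout "$1/demo.key" -out "$1/demo.crt" 2>/dev/null && chmod 600 "$1/demo.key"
}

# On the server, before Step 4:
#   check_tls_files /etc/nginx/certs/ssl_certificate.crt \
#     /etc/nginx/certs/ssl_certificate.key www.example.com example.com \
#     && sudo nginx -t && sudo systemctl restart nginx
```

The demo pair passes for www.example.com but fails when example.com is added, which is the situation the redirect block in Step 3 runs into if the purchased certificate does not list both names.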

By: Lance
Lance is a software engineer with over 15 years of experience in full-stack software development.