Here’s a step-by-step guide on how to configure SSL/TLS encryption on NGINX:
Step 1: Generate a Certificate Signing Request (CSR)
To enable SSL/TLS encryption, you need to generate a Certificate Signing Request (CSR) and obtain a Digital Certificate from a trusted Certificate Authority (CA). You can use tools like OpenSSL or online CSR generators.
Here’s an example of how to generate a private key and a CSR using OpenSSL:
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr -subj "/C=US/ST=State/L=Locality/O=Organization/CN=localhost"
This command generates a private key file named server.key and a CSR file named server.csr. The -nodes option writes the private key unencrypted, so restrict the file’s permissions (for example chmod 600 server.key). A -days value applies only to self-signed certificates created with -x509 and has no effect on a CSR, so it is not used here.
Step 2: Obtain a Digital Certificate
Submit your CSR to a trusted CA, such as Let’s Encrypt or GlobalSign. They will verify your domain ownership and issue a digital certificate.
For example, if you’re using Let’s Encrypt, you can use the following certbot command (--domains and -d are the same option, so the domain is given once):
certbot certonly --webroot --webroot-path=/var/www/html --email [your_email] --agree-tos --non-interactive --expand -d [your_domain]
Replace [your_email] with your email address and [your_domain] with the domain you want to secure.
Step 3: Configure NGINX for SSL/TLS
In your NGINX configuration file (usually nginx.conf or default.conf), add the following lines:
http {
    server {
        listen 443 ssl;
        server_name example.com;
        ssl_certificate /path/to/cert.crt;
        ssl_certificate_key /path/to/private.key;
        location / {
            proxy_pass http://localhost:8080;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
        }
    }
}
Replace /path/to/cert.crt and /path/to/private.key with the actual paths to your certificate and private key files.
Step 4: Enable SSL/TLS
To enable SSL/TLS, add the following directive inside the server block shown above (it is also valid in the http block, where it applies to every server; placed outside both, NGINX rejects the configuration):
ssl_protocols TLSv1.2 TLSv1.3;
This restricts the server to TLSv1.2 and TLSv1.3, so the older TLSv1.0 and TLSv1.1 protocols are not offered.
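The two configuration steps above are easy to get subtly wrong: a listen 443 without the ssl parameter serves plaintext on the HTTPS port, a missing ssl_certificate_key makes NGINX refuse to start, and an ssl_protocols directive outside the http or server block is rejected. The following linter is an added example, not part of the original guide and not an NGINX tool; it parses a server block with a deliberately simple reader (one directive per line, server nested directly under http, which is all the guide’s configuration needs) and reports those mistakes plus any legacy protocol versions. The configuration strings are constructed from the guide’s own example.

```python
"""Lint the TLS-relevant directives of a simple NGINX configuration.

Added example (hypothetical helper, not an NGINX project tool). The
parser assumes one directive per line and a server block nested directly
under http, matching the layout used in the guide.
"""
from typing import Dict, List

# Constructed sample: the guide's configuration with ssl_protocols placed
# inside the server block, where NGINX accepts it.
SAMPLE_CONF = """
http {
    server {
        listen 443 ssl;
        server_name example.com;
        ssl_certificate /path/to/cert.crt;
        ssl_certificate_key /path/to/private.key;
        ssl_protocols TLSv1.2 TLSv1.3;
        location / {
            proxy_pass http://localhost:8080;
        }
    }
}
"""

# Constructed variant: ssl_protocols appended after the closing brace of
# the http block, i.e. outside any context.
MISPLACED_CONF = (
    SAMPLE_CONF.replace("        ssl_protocols TLSv1.2 TLSv1.3;\n", "")
    + "ssl_protocols TLSv1.2 TLSv1.3;\n"
)

# Protocol versions that should not be offered by a current deployment.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def parse_directives(conf: str) -> Dict[str, List[str]]:
    """Map 'context/.../directive' to the argument strings seen for it.

    The context is the chain of enclosing blocks, e.g. 'http/server'.
    Comments (after '#') are ignored; blocks must open with '{' at the end
    of a line and close with a line containing only '}'.
    """
    directives: Dict[str, List[str]] = {}
    stack: List[str] = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            stack.append(line[:-1].split()[0])   # block name, e.g. 'server'
        elif line == "}":
            stack.pop()
        elif line.endswith(";"):
            name, _, args = line[:-1].partition(" ")
            key = "/".join(stack + [name])
            directives.setdefault(key, []).append(args.strip())
    return directives


def lint_tls(conf: str) -> List[str]:
    """Return a list of findings; an empty list means no issue detected."""
    d = parse_directives(conf)
    findings: List[str] = []
    server = "http/server"

    # listen 443 without 'ssl' answers plaintext HTTP on the HTTPS port.
    for args in d.get(f"{server}/listen", []):
        if "443" in args and "ssl" not in args.split():
            findings.append("listen 443 without the ssl parameter")

    for required in ("ssl_certificate", "ssl_certificate_key"):
        if f"{server}/{required}" not in d:
            findings.append(f"missing {required}")

    # ssl_protocols is valid in the http and server contexts only.
    protos = d.get(f"{server}/ssl_protocols") or d.get("http/ssl_protocols")
    if "ssl_protocols" in d:
        findings.append("ssl_protocols outside the http/server block: nginx -t will reject it")
    elif not protos:
        findings.append("ssl_protocols not set: the build default applies")
    else:
        weak = sorted(set(protos[0].split()) & WEAK_PROTOCOLS)
        if weak:
            findings.append("weak protocols enabled: " + " ".join(weak))
    return findings


if __name__ == "__main__":
    for label, conf in (("sample", SAMPLE_CONF), ("misplaced", MISPLACED_CONF)):
        print(label, lint_tls(conf) or ["ok"])
```

Run the script on a real file by reading it into lint_tls; the check is a pre-commit style sanity pass and does not replace nginx -t, which validates the full grammar.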
Step 5: Restart NGINX
After making changes to your NGINX configuration, check it with sudo nginx -t (which reports syntax errors and unreadable certificate or key files before anything is restarted), then restart the service using the following command:
sudo service nginx restart
That’s it! Your NGINX server should now be configured for SSL/TLS encryption.
Remember to replace example.com with your actual domain name and adjust the paths to your certificate and private key files as needed.