How to Configure SSL/TLS Encryption on NGINX

Here’s a step-by-step guide on how to configure SSL/TLS encryption on NGINX:

Step 1: Generate a Certificate Signing Request (CSR)

To enable SSL/TLS encryption, you need to generate a Certificate Signing Request (CSR) and obtain a Digital Certificate from a trusted Certificate Authority (CA). You can use tools like OpenSSL or online CSR generators.

Here’s an example of how to generate a CSR using OpenSSL:

openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr -subj "/C=US/ST=State/L=Locality/O=Organization/CN=localhost"

This command generates a private key file named server.key and a CSR file named server.csr.

Step 2: Obtain a Digital Certificate

Submit your CSR to a trusted CA, such as Let’s Encrypt or GlobalSign. They will verify your domain ownership and issue a digital certificate.

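For example, if you’re using Let’s Encrypt, you can use the following certbot command. By default certbot creates its own private key and CSR, so the CSR from Step 1 is not used on this route: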

certbot certonly --webroot --webroot-path=/var/www/html --email [your_email] --agree-tos --non-interactive --expand -d [your_domain]

Replace [your_email] with your email address and [your_domain] with the domain you want to secure.

Step 3: Configure NGINX for SSL/TLS

In your NGINX configuration file (usually nginx.conf or default.conf), add the following lines:

http {
    server {
        listen 443 ssl;
        server_name example.com;

        ssl_certificate /path/to/cert.crt;
        ssl_certificate_key /path/to/private.key;

        location / {
            proxy_pass http://localhost:8080;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
        }
    }
}

Replace /path/to/cert.crt and /path/to/private.key with the actual paths to your certificate and private key files.

Step 4: Enable SSL/TLS

To set which TLS protocol versions NGINX accepts, add the following line inside the server block (or the http block, to apply it to every server) of your NGINX configuration file:

ssl_protocols TLSv1.2 TLSv1.3;

This enables support for both TLSv1.2 and TLSv1.3 protocols.

Step 5: Restart NGINX

After making changes to your NGINX configuration, restart the service using the following command:

sudo service nginx restart

That’s it! Your NGINX server should now be configured for SSL/TLS encryption.

Remember to replace example.com with your actual domain name and adjust the paths to your certificate and private key files as needed.
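
A pre-restart check for the configuration built in Steps 3 and 4, as an added example that is not part of the original guide: it flags an ssl_protocols directive outside the http/server contexts (which nginx refuses to load), legacy protocol versions, and TLS server blocks missing a certificate or key. The audit function, its simplified parser, and the sample configs are constructed for illustration.

```python
import re

LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}   # protocol versions to flag
SSL_PROTOCOLS_CONTEXTS = {"http", "server"}      # where the HTTP module accepts ssl_protocols

def audit(conf):
    """Return findings for a simple nginx config (no quoted or ${} braces)."""
    findings, stack = [], []                      # stack holds the open blocks
    text = re.sub(r"#[^\n]*", "", conf)           # drop comments
    for stmt, end in re.findall(r"([^;{}]*)([;{}])", text):
        words = stmt.split()
        if end == "{":
            stack.append({"name": words[0] if words else "", "dirs": {}})
        elif end == "}":
            block = stack.pop()
            tls = any("ssl" in args for args in block["dirs"].get("listen", []))
            if block["name"] == "server" and tls:
                for need in ("ssl_certificate", "ssl_certificate_key"):
                    if need not in block["dirs"]:
                        findings.append(f"TLS server block has no {need}")
        elif words:
            name, args = words[0], words[1:]
            context = stack[-1]["name"] if stack else "main"
            if stack:
                stack[-1]["dirs"].setdefault(name, []).append(args)
            if name == "ssl_protocols":
                if context not in SSL_PROTOCOLS_CONTEXTS:
                    findings.append(f"ssl_protocols in '{context}' context: nginx rejects it")
                for proto in sorted(set(args) & LEGACY):
                    findings.append(f"legacy protocol enabled: {proto}")
    return findings

# Constructed samples based on the server block from Step 3.
SERVER = """
    server {
        listen 443 ssl;
        server_name example.com;
        ssl_certificate /path/to/cert.crt;
        ssl_certificate_key /path/to/private.key;
        %s
        location / { proxy_pass http://localhost:8080; }
    }
"""
MISPLACED = "http {" + SERVER % "" + "}\nssl_protocols TLSv1.2 TLSv1.3;\n"
CORRECT = "http {" + SERVER % "ssl_protocols TLSv1.2 TLSv1.3;" + "}\n"
LEGACY_ON = "http {" + SERVER % "ssl_protocols TLSv1 TLSv1.2;" + "}\n"

if __name__ == "__main__":
    for label, conf in (("misplaced", MISPLACED), ("correct", CORRECT), ("legacy", LEGACY_ON)):
        print(label, audit(conf))
```

NGINX's own syntax test, nginx -t, remains the authoritative check before a restart; this script only covers the three conditions listed.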
