tinyapps.org / docs / Migrating nginx from HTTP to HTTPS

Procedure

0. Research SSL certificates and authorities. Time required: an hour or two
1. Purchase SSL certificate (DigiCert SSL Plus). Time required: a minute or two
2. Generate command-line for CSR creation using OpenSSL CSR Wizard. Paste result into server's terminal, creating tinyapps_org.key and tinyapps_org.csr in /etc/ssl/. Paste tinyapps_org.csr into form in my DigiCert control panel. Time required: a few minutes
3. Validate organization info with DigiCert. (They asked via email for a photo ID via email or fax; I later found out from phone support that they have a secure web form for submissions. I also later discovered that the cert was issued in my name instead of the corporation's; they verified the corp online with the DCCA and reissued the certificate.) Time required: 30 minutes from time of sending ID (plus another 30 minutes or so to receive the corrected certificate)
4. Receive tinyapps_org.pem file from DigiCert and copy to /etc/ssl/. Time required: 'twas but the work of a moment
5. Update iptables to allow incoming traffic on port 443 by adding
   -A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
   to /etc/iptables.up.rules and reload iptables:
   iptables-restore < /etc/iptables.up.rules
   Time required: a few minutes to dig through my notes and Google
6. Update OpenSSL (Time required: Longer than it should have; with these direction, should only take a few minutes):
   1. # wget https://www.openssl.org/source/openssl-1.0.1j.tar.gz | tar xvf && cd openssl-1.0.1j && ./config && make && make install
   2. The old version had not been replaced:
      # which openssl
      /usr/bin/openssl
      # openssl version
      OpenSSL 0.9.8g 19 Oct 2007
   3. Archive the old version and symlink the new one:
      # mv /usr/bin/openssl /path/to/ancients/openssl_old
      # ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
      # openssl version
      OpenSSL 1.0.1j 15 Oct 2014
7. Update nginx (Time required: Way longer than it should have; with these direction, should only take a few minutes):
   1. # wget http://nginx.org/download/nginx-1.6.2.tar.gz | tar xvf nginx-1.6.2.tar.gz && cd nginx-1.6.2
   2. Checked configure arguments from previous install (nginx -V)
   3. Ran ./configure with previous arguments, adding:
      --with-openssl=/temp/openssl-1.0.1j \
--with-http_ssl_module \
--with-http_secure_link_module \
--with-http_spdy_module
      (I had to explicitly point nginx to the OpenSSL source folder in order to get SSL working)
   4. # make
   5. Backup the current working nginx binary:
      # cp /usr/sbin/nginx /path/to/ancients/nginx_old
   6. # /etc/init.d/nginx stop
   7. # make install
   8. # /etc/init.d/nginx start
8. Configure and test nginx (Time required: Way, way longer than it should have; with this example, it should be much faster):
   1. Below are the relevant bits from the nginx.conf file I ended up with in order to receive the coveted A+ rating from Qualys SSL Labs. To generate the ca-certs.pem file necessary for OCSP stapling, see Creating a .pem File for SSL Certificate Installations.

        server {
          # redirect www to non-www
          server_name www.tinyapps.org;
          return 301 $scheme://tinyapps.org$request_uri;
          }
      
        server {
          # redirect http to https
          listen 80;
          server_name tinyapps.org;
          return 301 https://tinyapps.org$request_uri;
          }
      
        server {
          listen 443 default_server ssl spdy;
          server_name tinyapps.org;
          ssl_certificate     /etc/ssl/tinyapps_org.pem;
          ssl_certificate_key /etc/ssl/tinyapps_org.key;
      
          # DHE parameter generated via: openssl dhparam -out /etc/ssl/dhparam.pem 4096
          ssl_dhparam /etc/ssl/dhparam.pem;
      
          # disable SSLv3 ref: POODLE
          ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
      
          # strong cipher suites only
          ssl_ciphers 'AES256+EECDH:AES256+EDH';
          ssl_prefer_server_ciphers on;
          keepalive_timeout    70;
          ssl_session_cache    shared:SSL:10m;
          ssl_session_timeout  10m;
      
          # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
          add_header Strict-Transport-Security max-age=15768000;
          
          # enable OCSP stapling
          ssl_stapling on;
          ssl_stapling_verify on;
          ssl_trusted_certificate /etc/ssl/ca-certs.pem;

Resources and notes

• Step 0: Research
  • What does HTTPS Everywhere protect me against?
  • Methods to prevent session hijacking
  • Should we force user to HTTPS on website?
  • Let's Encrypt
  • HTTP Strict Transport Security
  • DigiCert SSL Certificate Reviews
  • Top Five SSL Certificate Providers
  • Ask HN: What's the best company to buy SSL certificates from?
  • crt.sh - Certificate Search
• Step 2: CSR
  • What is a CSR (Certificate Signing Request)?
• Step 4: Install cert
  • Nginx SSL Certificate Installation
  • Add HTTPS to NGINX for free and help make the world more secure
• Step 6: Update OpenSSL
  • Reply to "How to patch the Heartbleed bug (CVE-2014-0160) in OpenSSL?" by Quentin Rousseau
  • "To manually compile OpenSSL" instructions by Olaitan Mayowa
  • Upgrade OpenSSL on Ubuntu 12.04
  • Problem Enable TLS 1.1 & 1.2
• Step 7: Update nginx
  • Recompile Nginx with additional modules
  • Reply to "nginx ./configure can't find openssl" by Ian
  • Custom OpenSSL with nginx
• Step 8: Configure and test nginx
  • After making any changes to nginx.conf, test and reload: nginx -t && nginx -s reload
  • Strong SSL Security on nginx
  • Mozilla SSL Configuration Generator
  • NGINX SSL Termination
  • The POODLE attack (CVE-2014-3566) against SSL
  • Correctly configuring secure HTTPS/SSL/TLS in nginx
  • nginx recommended ssl_ciphers for security, compatibility - with PFS
  • HowTo: Nginx Redirect All HTTP Request To HTTPS Rewrite Rules
  • Setting up SSL with nginx (using a NameCheap EssentialSSL wildcard certificate on DigitalOcean)
  • Add HTTPS to NGINX for free and help make the world more secure
  • How To Create an SSL Certificate on Nginx for Ubuntu 14.04
  • Creating a .pem with the Server and Intermediate Certificates
  • Hardening Your Web Server’s SSL Ciphers
  • Security/Server Side TLS
  • Qualys SSL Labs - SSL Server Test
  • Squeezing a Little More out of Your Qualys Score
  • How I Scored an A+ on the Qualys SSL Test
  • OCSP Stapling on nginx
  • DigiCert SSL Installation Diagnostics Tool - SSL Certificate Checker
  • SSL Checker
  • SSL Configuration Checker
  • SPDYCheck.org
  • Nginx resolver vulnerabilities allow cache poisoning attack - "Never configure nginx with the resolver directive pointing to a resolver on the Internet like Google Public DNS, OpenDNS, or your ISP’s resolver. Many nginx users make this exact mistake. Even pointing to a resolver on your internal local network may be a bad idea. Running a resolver on localhost is the only safe option."

created: 2014.12.23, updated: 2015.10.20