Your Web Server on Nginx. Part 1: Setting Up SSL to an ‘A+’ Level.
Learn how to set up SSL on your Nginx web server to achieve an ‘A+’ rating, ensuring secure connections for your website.
This article opens a series of materials on configuring a modern web server on your own VDS. In this first part, we will look at the frontend setup suitable for any backend technology you choose (PHP, Python, Ruby on Rails, etc).
The unofficial requirements for websites on the Internet are constantly changing. While a regular HTTP virtual hosting server was once sufficient, more websites are transitioning to HTTPS. This shift is supported by internet giants like Google, which has started ranking HTTPS websites higher.
Additionally, it is becoming good practice to make websites accessible via the IPv6 protocol. The more websites that support it, the faster providers will implement IPv6 en masse.
In this article, we install and configure Nginx to serve over both IPv4 and IPv6 with SSL/TLS. As a bonus, we enable HTTP/2, which superseded the experimental SPDY protocol this article originally covered (nginx dropped the spdy listen parameter in 1.9.5 in favour of http2).
Historically, Apache dominated the web server market, but its versatility comes with high resource consumption. Currently, many new web resources adopt a two-tier architecture:
- Frontend: A lightweight web server (usually Nginx) that accepts connections on ports 80/443, processes requests, filters, handles encryption, and serves static files.
- Backend: An application responsible for logic, typically not directly accessible from the internet.
This architecture is easier to implement than a bare Apache setup, offering advantages like scalability, performance, and reduced delivery time for static content.
Prerequisites
If you’ve ordered a new SSD VDS or dedicated server, chose CentOS 6.x/7.x, and performed basic configurations (changed SSH ports, updated OpenSSL, etc.), you’re ready to install Nginx.
First, stop Apache if it’s installed by default:
service httpd stop
chkconfig httpd off
Now, let's set up Nginx from the official repository so that security updates come straight from nginx.org. Create the file /etc/yum.repos.d/nginx.repo. The baseurl is https so the repository metadata cannot be tampered with in transit, and gpgcheck=1 makes yum reject any package that is not signed with the nginx key imported in the next step:
[nginx]
name=nginx repo
baseurl=https://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
Fetch the signing key over https and compare its fingerprint with the one published at nginx.org/en/linux_packages.html before importing it (whoever can substitute the key can substitute the packages), then install Nginx:
wget https://nginx.org/keys/nginx_signing.key
rpm --import nginx_signing.key
yum install nginx
chkconfig nginx on
Now, configure Nginx, typically found in /etc/nginx/nginx.conf, with individual site configurations in /etc/nginx/conf.d/.
SSL Configuration
To check the SSL certificate installation and server settings for HTTPS, use ssllabs.com/ssltest. SSL Labs grades the certificate chain, protocol support, key exchange and cipher strength; an 'A+' additionally requires HTTP Strict Transport Security with a max-age of at least six months, which is set in the site configuration further down. The protocol and cipher lists originally published with this article (SSLv3 and RC4 among them) no longer pass: SSLv3 is broken by POODLE, RC4 is prohibited, and SSL Labs caps the grade of any server that still offers them below 'A'. The following nginx.conf settings aim for an 'A+' rating:
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
use epoll;
}
http {
# TLS session resumption keeps full handshakes (and their CPU cost) rare.
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:2m;
# SSLv3 (POODLE), TLS 1.0 and TLS 1.1 cap the SSL Labs grade below 'A'; offer TLS 1.2 and 1.3 only.
# TLSv1.3 needs nginx 1.13+ built against OpenSSL 1.1.1+; on older builds list TLSv1.2 alone.
ssl_protocols TLSv1.2 TLSv1.3;
# AEAD suites with ephemeral ECDH key exchange only (forward secrecy). The RC4 and static-ECDH
# suites of the original list are broken or lack forward secrecy. OpenSSL builds without the
# CHACHA20 suites simply skip those names.
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305";
ssl_prefer_server_ciphers on;
# OCSP stapling: nginx fetches and verifies the OCSP response itself, so clients need not contact the CA.
ssl_stapling on;
ssl_stapling_verify on;
ssl_buffer_size 8k;
# Chain used to verify the stapled response; the issuer of your certificate must be in it.
ssl_trusted_certificate /etc/pki/tls/certs/ca-bundle.crt;
# Resolver for the OCSP responder lookup; prefer your own recursive resolver where you have one.
resolver 8.8.8.8;
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
sendfile on;
client_max_body_size 10m;
keepalive_timeout 65;
server_tokens off;
ssi off;
autoindex off;
tcp_nopush on;
# Far-future caching headers. At http level this also applies to responses proxied from the
# backend; move it into the static 'location' if dynamic pages must not be cached.
expires max;
gzip on;
gzip_min_length 10240;
gzip_proxied expired no-cache no-store private auth;
gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/xml;
gzip_disable "msie6";
include /etc/nginx/conf.d/*.conf;
}
Site Configuration
Assuming your domain is example.org, the server block for HTTPS support would look like:
server {
listen 80 default_server;
listen [::]:80 default_server ipv6only=on;
# http2 replaces the spdy parameter of older releases (SPDY was removed in nginx 1.9.5)
listen 443 ssl http2;
listen [::]:443 ssl http2 ipv6only=on;
server_name example.org www.example.org;
access_log /var/log/nginx/example.access.log main;
charset utf-8;
ssl_certificate /etc/pki/tls/certs/example.org.bundle.crt;
ssl_certificate_key /etc/pki/tls/private/example.org.key;
# HSTS: SSL Labs grants 'A+' only for a max-age of at least six months; one year is the usual choice.
# 'always' (nginx 1.7.5+) sends the header on error responses too. Add "; includeSubDomains" only
# once every subdomain is served over HTTPS, because browsers will then refuse plain HTTP to all of them.
add_header Strict-Transport-Security 'max-age=31536000' always;
# Plain-HTTP requests (no TLS protocol negotiated) are redirected to the canonical HTTPS name.
if ($ssl_protocol = "") {
return 301 https://$server_name$request_uri;
}
location / {
root /home/www/www;
try_files $uri @backend;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
# PHP requests go straight to the backend; everything else is tried as a static file first.
location ~ \.php$ {
proxy_buffering off;
proxy_pass http://127.0.0.1:8000;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
# Set (not appended) from the real client address, so the backend can trust it:
# the backend listens on loopback and only this frontend reaches it.
proxy_set_header X-Forwarded-For $remote_addr;
}
location @backend {
proxy_buffering off;
proxy_pass http://127.0.0.1:8000;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $remote_addr;
}
location ~ /\.ht { deny all; }
location ~ /\.git { deny all; }
location ~ /\.svn { deny all; }
}
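To check a configuration against this checklist before deploying it, the following shell script, added here as an example and not part of the original article or of nginx itself, audits a config file for the settings that decide the SSL Labs grade (protocols, broken ciphers and suites without forward secrecy, OCSP stapling, HSTS max-age) and for the obsolete spdy listen parameter. It carries two constructed fixtures: the TLS settings this article originally published and the corrected ones above. The function names, fixture contents and finding texts are this example's own.

```shell
#!/bin/sh
# Offline audit of an nginx configuration against the 'A+' checklist in this article.
# Added example, not an nginx tool. Give it a config file (or the output of `nginx -T`
# saved to a file) and it prints one FINDING line per setting that would cost the
# grade or fail to parse on a current nginx; exit status 0 means no findings.
# Block scoping is not modelled: a directive repeated in http{} and server{} is checked
# wherever it appears. Fixture contents and finding texts are this example's own.

# directive NAME FILE -> the value of every NAME directive, comments/quotes/';' removed
directive() {
    sed -e 's/#.*$//' "$2" |
        awk -v d="$1" '$1 == d {
            sub(/^[ \t]*[^ \t]+[ \t]+/, "")   # drop the directive name
            sub(/;[ \t]*$/, "")               # drop the terminating ";"
            print
        }' | sed "s/[\"']//g"
}

findings=0
report() {
    findings=$((findings + 1))
    printf 'FINDING: %s\n' "$1"
}

audit_tls_config() {
    conf="$1"
    findings=0

    # 1. Protocols: SSL Labs caps the grade below A when SSLv3 (POODLE), TLS 1.0 or 1.1 is offered.
    for p in $(directive ssl_protocols "$conf"); do
        case "$p" in
            SSLv2|SSLv3|TLSv1|TLSv1.1) report "ssl_protocols enables $p; offer TLSv1.2 (and TLSv1.3) only" ;;
        esac
    done

    # 2. Ciphers: broken algorithms first, then suites without ephemeral key exchange (no forward
    #    secrecy). OpenSSL aliases such as HIGH are flagged too, since they admit RSA key exchange.
    for c in $(directive ssl_ciphers "$conf" | tr ':' '\n'); do
        case "$c" in
            !*|-*|+*) ;;                                          # exclusions such as !RC4
            *RC4*|*DES*|*MD5*|*NULL*|*EXP*) report "ssl_ciphers includes broken suite $c" ;;
            ECDHE-*|DHE-*|TLS_*) ;;                              # forward secrecy
            *) report "ssl_ciphers includes $c, which has no forward secrecy" ;;
        esac
    done

    # 3. OCSP stapling is not graded, but the article's setup depends on it.
    case "$(directive ssl_stapling "$conf" | head -n 1)" in
        on) ;;
        *) report "ssl_stapling is not on" ;;
    esac

    # 4. HSTS: A+ needs Strict-Transport-Security with max-age of at least six months (15768000 s).
    age=$(directive add_header "$conf" | awk '$1 == "Strict-Transport-Security"' |
          sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p' | head -n 1)
    if [ -z "$age" ]; then
        report "no Strict-Transport-Security header is set"
    elif [ "$age" -lt 15768000 ]; then
        report "Strict-Transport-Security max-age=$age is below the 15768000 needed for A+"
    fi

    # 5. SPDY was removed in nginx 1.9.5; a spdy listen parameter no longer parses.
    for t in $(directive listen "$conf"); do
        case "$t" in
            spdy) report "listen uses spdy; replace it with http2" ;;
        esac
    done

    [ "$findings" -eq 0 ]
}

# Constructed fixture: the TLS settings this article originally published.
weak_conf_file() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDH-RSA-RC4-SHA:RC4-SHA";
ssl_stapling on;
listen 443 ssl spdy;
add_header Strict-Transport-Security 'max-age=15552000';
EOF
    printf '%s\n' "$f"
}

# Constructed fixture: the corrected settings.
good_conf_file() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
ssl_stapling on;
listen 443 ssl http2;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
EOF
    printf '%s\n' "$f"
}

# Stand-alone run: audit the file given as $1, or the weak fixture when none is given.
target="${1:-$(weak_conf_file)}"
if audit_tls_config "$target"; then
    echo "OK: no findings in $target"
else
    echo "FAIL: $findings finding(s) in $target"
fi
```

Run it with the path to nginx.conf, or with a file holding the output of nginx -T (1.9.2+), which prints the whole configuration with every include resolved; run on the original fixture it reports eight findings, on the corrected one none. Because it ignores block scoping, a weak ssl_protocols left in one server block is reported even when the http block is correct, which is the conservative behaviour you want from a pre-deployment check.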
Make sure your Nginx build includes the HTTP/2 module (look for --with-http_v2_module in the output of the command below; the packages from nginx.org have it). If it is missing, remove the http2 parameter from the listen lines, because nginx refuses to start when a listen parameter requires a module that was not compiled in:
nginx -V
Finally, check the configuration for syntax errors (the -t option of the nginx binary reports them without touching a running server) and start Nginx:
service nginx start
Test your setup by requesting http://example.org: you should get a 301 redirect to https://example.org, and the HTTPS response should carry the Strict-Transport-Security header (browsers honour HSTS only when it arrives over HTTPS, which is why the redirect matters). Then run the SSL Labs test, which should report 'A+' once the protocol list, cipher list and HSTS header above are all in place, and use ipv6-test.com to confirm the site is reachable over IPv6.
Good luck with your installations!