I
I
Ilya Oskin2017-02-08 20:24:51
Digital certificates
Ilya Oskin, 2017-02-08 20:24:51

How to set up HTTPS on Nginx?

Hello! I bought a certificate from COMMODО, but I can’t configure https in any way
There are files:
mydomain.crt
mydomain.key
mudomain.ca-bundle

COMODORSADomainValidationSecureServerCA.crt
COMODORSAAddTrustCA.crt

Concatenated:

cat mydomain.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt > mydomain-bundle.crt


Nginx использую в качестве обратного прокси для python gunicorn, подключается он через сокет
Вот конфиг nginx:
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    client_max_body_size 80M;
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;

    server {
        listen 80;
        listen [::]:80;
        server_name mydomain www.mydomain;
    
        rewrite ^ https://mydomain$request_uri? permanent;
    }
    
    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name mydomain www.mydomain;
        keepalive_timeout 70;
    
        root /var/www/example.com/public_html;
        index index.html index.htm;
    
        ssl on;
    
        ssl_certificate /etc/nginx/ssl/mydomain/mydomain.pem;
        ssl_certificate_key /etc/nginx/ssl/mydomain/mydomain.nopass.key;
    
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    
        ssl_prefer_server_ciphers on;
        ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-RSA-CHACHA20-POLY1305 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-ECDSA-AES128-SHA ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES128-SHA ECDHE-ECDSA-AES256-SHA384 ECDHE-ECDSA-AES256-SHA ECDHE-RSA-AES256-SHA DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA ECDHE-ECDSA-DES-CBC3-SHA ECDHE-RSA-DES-CBC3-SHA AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256 AES128-SHA AES256-SHA DES-CBC3-SHA !DSS !aNULL !eNULL !EXPORT !DES !RC4 !MD5 !PSK !aECDH !EDH-DSS-DES-CBC3-SHA !EDH-RSA-DES-CBC3-SHA !KRB5-DES-CBC3-SHA";
    
        ssl_dhparam /etc/nginx/ssl/mydomain/dhparam.pem;
    
        ssl_stapling on;
        ssl_stapling_verify on;
        resolver 8.8.8.8;
        ssl_trusted_certificate /etc/nginx/ssl/mydomain/COMODORSAAddTrustCA.pem.crt;
    
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;
        ssl_session_tickets off;
    
        add_header Strict-Transport-Security "max-age=15724800";
    
    	location /favicon.ico { access_log off; log_not_found off; }
    	location /static/ {
    	    root /home/user/mydomain;
    	}
    	location / {
    	    proxy_set_header Host $http_host;
    	    proxy_set_header X-Real-IP $remote_addr;
    	    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    	    proxy_set_header X-Forwarded-Proto $scheme;
    	    proxy_pass http://unix:/home/user/mydomain/mydomain.sock;
        }
    }

}


Где я свернул не туда? Пробовал уже по всякому: подсовывал исходный сертификат, который мне прислали, и конвертированный в PEM - ничего не помогает, при попытке зайти на сайт через https браузер просто возвращает отратно на http, nginx никаких ошибок не выдаёт, даже если я совсем удаляю директивы ssl_certificate, ssl_certificate_key

Answer the question

In order to leave comments, you need to log in

1 answer(s)
A
Alexander Chernykh, 2017-02-08
@sashkets

implementation of the comodo certificate . my experience

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question