Self-Signed SSL: NGINX on MAC (Part 3)
Till now, we have installed Nginx and did a simple configuration to host an html file locally.
In this part we will be configuring Nginx with a self-signed certificate. We will be creating a self signed certificate using openssl and make Nginx use it for serving content over https. Let’s get our hands dirty. Open our pal, Terminal and lets create a couple of folders to store our key and certificate. Fire the following commands:
mkdir -p /usr/local/etc/ssl/private
mkdir -p /usr/local/etc/ssl/certs
Ideally you can create these folders anywhere but it’s a good practice to have them at the above given path. We will now create key and certificate by running the below command:
sudo openssl req \
-x509 -nodes -days 365 -newkey rsa:2048 \
-keyout /usr/local/etc/ssl/private/self-signed.key \
-out /usr/local/etc/ssl/certs/self-signed.crt
Let’s alter our server context from previous tutorial. The updated file is as below.
events {}
http {
server {
# Listen on port 80 which is the default http port
listen 80; # Set a permanent redirection from http to https
return 301 https://localhost:443;
}
}
Add another server context inside http context with configuration and locations relating to SSL
server {
listen 443 ssl; # location of ssl certificate
ssl_certificate /usr/local/etc/ssl/certs/self-signed.crt; # location of ssl key
ssl_certificate_key /usr/local/etc/ssl/private/self-signed.key;
}
Add location context inside the ssl server context
location / {
root /Users/arjav/Desktop/www;
index index.html index.htm;
}
This is the whole configuration file:
events {}http {
# HTTP server
server {
listen 80;
return 301 https://localhost:443;
}
# HTTPS server
server {
listen 443 ssl; ssl_certificate /usr/local/etc/ssl/certs/self-signed.crt;
ssl_certificate_key /usr/local/etc/ssl/private/self-signed.key; location / {
root /Users/arjav/Desktop/www;
index index.html index.htm;
}
}
}
As a last step we will need to add the self-signed certificate to the system keychain. Run the below command in your terminal.
sudo security add-trusted-cert \
-d -r trustRoot \
-k /Library/Keychains/System.keychain /usr/local/etc/ssl/certs/self-signed.crt
Voila! That’s it. In your terminal verify your configuration file by running nginx -t
and if everything looks okay reload your Nginx server by running nginx -s reload
. Visit https://127.0.0.1. You will still see a red flag or "Not secure" sign in your browser saying that your certificate is invalid, but that it's because not signed by a third-part authority. Rest assured the content is served over secure channels.
In the next chapter we will look at some advanced ssl configuration options for better security, caching and optimisation.