setup ssl nginx on centos7
sudo yum install epel-release
sudo yum install nginx
sudo systemctl start nginx
sudo systemctl enable nginx
systemctl status nginx
make sure nginx service is up and running
curl http://localhost
should return the CentOS welcome page HTML
add firewall rules (if firewalld is on)
sudo firewall-cmd --permanent --zone=public --add-service=http
sudo firewall-cmd --permanent --zone=public --add-service=https
sudo firewall-cmd --reload
add 80 and 443 as allowed ports in iptables
sudo iptables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPT
sudo iptables -I INPUT -p tcp -m tcp --dport 443 -j ACCEPT
open browser
should see the welcome page
Configure a self-signed SSL certificate to test with
sudo mkdir /etc/ssl/private
sudo chmod 700 /etc/ssl/private
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt
answer each question
Country Name (2 letter code) [XX]:jp
State or Province Name (full name) []:japan
Locality Name (eg, city) [Default City]:tokyo
Organization Name (eg, company) [Default Company Ltd]:test
Organizational Unit Name (eg, section) []:test
Common Name (eg, your name or your server's hostname) []:192.168.115.135
Email Address []:test@admin.com
generate dhparam (will take a few minutes)
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
configure SSL in nginx
sudo vi /etc/nginx/conf.d/ssl.conf
server {
    listen 443 http2 ssl;
    listen [::]:443 http2 ssl;
    server_name 192.168.115.135;

    ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
    ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    #########################################################################
    # from https://cipherli.st/
    # and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
    #########################################################################
    # note: TLSv1 and TLSv1.1 are deprecated; drop them unless old clients must be supported
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    # Disable preloading HSTS for now. You can use the commented out header line that includes
    # the "preload" directive if you understand the implications.
    #add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    ###################################
    # END https://cipherli.st/ BLOCK
    ###################################

    root /usr/share/nginx/html;
    location / {
    }
    error_page 404 /404.html;
    location = /404.html {
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}
run the config test
nginx -t
should see a warning message about stapling (because the cert is self-signed and has no issuer to staple from)
nginx: [warn] "ssl_stapling" ignored, issuer certificate not found for certificate "/etc/ssl/certs/nginx-selfsigned.crt"
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
Restart service
sudo systemctl restart nginx
both the http and https URLs should work
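Post-install checks for the steps above, added here as an example and not part of the original post: they confirm the certificate and key belong together, that the certificate is not about to expire, that the CN matches the address you browse to, and (against the running server) which TLS versions the cipherli.st block actually negotiates. They assume openssl is on the PATH; paths and host are passed as arguments.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes openssl is installed.

# Return 0 if the certificate and private key belong together, by comparing
# the SHA-256 of the public key each one carries.
cert_key_match() {
    cert="$1"; key="$2"
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Return 0 if the certificate stays valid for at least DAYS more days
# (0 means "not expired right now"); useful to catch the -days 365 cert running out.
cert_valid_for_days() {
    cert="$1"; days="$2"
    openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1
}

# Print the subject CN so it can be compared with the server_name / browsed address.
cert_cn() {
    openssl x509 -in "$1" -noout -subject 2>/dev/null \
        | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Live probe of the running server with one TLS version flag (-tls1, -tls1_1, -tls1_2).
# Prints the negotiated protocol, or "refused" when the handshake fails; because the
# config above still lists TLSv1 and TLSv1.1, this shows whether they are really offered.
tls_probe() {
    host="$1"; port="${2:-443}"; proto="${3:--tls1_2}"
    if out=$(echo | openssl s_client -connect "$host:$port" "$proto" 2>/dev/null); then
        printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *//p'
    else
        echo refused
    fi
}

# Usage against the paths and address used in this post:
#   cert_key_match /etc/ssl/certs/nginx-selfsigned.crt /etc/ssl/private/nginx-selfsigned.key && echo "key matches"
#   cert_valid_for_days /etc/ssl/certs/nginx-selfsigned.crt 30 || echo "expires within 30 days"
#   cert_cn /etc/ssl/certs/nginx-selfsigned.crt
#   tls_probe 192.168.115.135 443 -tls1      # ideally prints "refused" once TLSv1 is dropped
#   tls_probe 192.168.115.135 443 -tls1_2    # should print TLSv1.2
```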