How To Set Up SSL Vhosts Under Nginx + SNI Support (Ubuntu 11.04/Debian Squeeze)

 
Submitted by falko on Sun, 2011-09-11 19:26. :: Debian | Ubuntu | Web Server | nginx | Security


Version 1.0
Author: Falko Timme <ft [at] falkotimme [dot] com>
Last edited 09/06/2011

This article explains how you can set up SSL vhosts under nginx on Ubuntu 11.04 and Debian Squeeze so that you can access the vhost over HTTPS (port 443). SSL is short for Secure Sockets Layer, a cryptographic protocol that protects the traffic between browser and web server against eavesdropping and tampering; what is actually negotiated today is its successor TLS, but the name SSL lives on in the nginx directives and in this article. In addition to that I will show how to make use of SNI (Server Name Indication) to allow multiple SSL vhosts per IP address.

This document comes without warranty of any kind! I do not issue any guarantee that this will work for you!

 

1 Preliminary Note

I'm assuming that you have a working nginx setup on your Ubuntu 11.04 or Debian Squeeze box, as shown in these tutorials:

I will set up SSL for my vhost www.hostmauritius.com in this tutorial - hostmauritius.com is a domain that I own - replace it with your own domain. I will show how to use a self-signed certificate (this results in a browser warning when you access https://www.hostmauritius.com, because no trusted CA vouches for it) and how to get a certificate from a trusted certificate authority (CA) such as Verisign, Thawte, Comodo, etc.; with a certificate from a trusted CA your visitors do not see the warning that a self-signed certificate produces. I will use a certificate from CAcert.org - these certificates are free, but the CAcert root is not included in all browsers' trust stores, so some visitors will still see a warning; the procedure is nevertheless the same as for any other CA, so it should give you the idea how to install a certificate from a trusted CA.

Traditionally it was not possible to have more than one SSL vhost per IP address: the server has to present a certificate before it can read the Host header, which is sent only inside the encrypted connection, so it could serve only one certificate per IP/port pair. This has changed with the rise of SNI (Server Name Indication), a TLS extension with which the client sends the host name in cleartext in its ClientHello, so the server can pick the matching vhost and certificate before the handshake completes. I will show how to set up a second SSL vhost (www.hostmauritius.net which I own as well) on the same IP address as www.hostmauritius.com with the help of SNI. Please note that currently SNI is not supported by all browsers/operating systems; a client without SNI gets the certificate of the default SSL vhost for that IP address and shows a name-mismatch warning for every other vhost:

Browsers/clients with support for TLS server name indication:

  • Opera 8.0 and later (the TLS 1.1 protocol must be enabled)
  • Internet Explorer 7 or later (under Windows Vista and later only, not under Windows XP)
  • Firefox 2.0 or later
  • Curl 7.18.1 or later (when compiled against an SSL/TLS toolkit with SNI support)
  • Chrome 6.0 or later (on all platforms - releases up to 5.0 only on specific OS versions)
  • Safari 3.0 or later (under OS X 10.5.6 or later and under Windows Vista and later)

To find out if your browser supports SNI, you can go to https://alice.sni.velox.ch/.
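What "SNI support" amounts to on the wire, as an added example in Python that is not part of the original article: a client with SNI puts the host name in cleartext into the server_name extension of its ClientHello (RFC 6066), a client without SNI sends no such extension, and nginx can only choose between its server blocks on what it finds there. The builder and parser below follow the TLS record and handshake layout; the cipher suites, the set of server names and pick_server_block (which only mimics nginx's choice between the matching server block and the default one) are constructed for the demonstration.

```python
"""Build and parse a TLS ClientHello with and without the SNI extension.

Added example, not code from the original article. It shows why a client
without SNI can only ever receive the default server's certificate: the
host name is the only thing the server has before any key exchange.
"""
import os
import struct

SNI_EXTENSION_TYPE = 0      # server_name, RFC 6066 section 3
SNI_HOST_NAME_TYPE = 0      # NameType host_name
TLS_HANDSHAKE = 0x16        # record content type
TLS_CLIENT_HELLO = 0x01     # handshake message type


def build_client_hello(server_name=None):
    """Return a TLS 1.0 record carrying a minimal ClientHello.

    With server_name=None the extensions block is omitted, which is exactly
    what a client without SNI support sends.
    """
    client_random = os.urandom(32)
    session_id = b""
    cipher_suites = struct.pack("!HH", 0x002F, 0x0035)   # constructed choice: AES128/256-SHA
    compression = b"\x00"                                # null compression only

    body = b"\x03\x01" + client_random                   # client_version TLS 1.0 + random
    body += struct.pack("!B", len(session_id)) + session_id
    body += struct.pack("!H", len(cipher_suites)) + cipher_suites
    body += struct.pack("!B", len(compression)) + compression

    if server_name is not None:
        name = server_name.encode("ascii")
        entry = struct.pack("!BH", SNI_HOST_NAME_TYPE, len(name)) + name  # one ServerName
        sni_data = struct.pack("!H", len(entry)) + entry                  # ServerNameList
        ext = struct.pack("!HH", SNI_EXTENSION_TYPE, len(sni_data)) + sni_data
        body += struct.pack("!H", len(ext)) + ext                         # extensions block

    handshake = struct.pack("!B", TLS_CLIENT_HELLO) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BBBH", TLS_HANDSHAKE, 3, 1, len(handshake)) + handshake


def extract_sni(record):
    """Return the SNI host name of a ClientHello record, or None if it has none.

    Raises ValueError for anything that is not a ClientHello. Feeding it the
    first record read from a client (or from a packet capture) tells you
    whether that client sends SNI at all.
    """
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != TLS_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated ClientHello")

    pos = 2 + 32                                         # skip version and random
    sid_len = body[pos]; pos += 1 + sid_len              # session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len   # cipher_suites
    comp_len = body[pos]; pos += 1 + comp_len            # compression_methods
    if pos >= len(body):
        return None                                      # no extensions at all: no SNI
    ext_total = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        data = body[pos:pos + ext_len]; pos += ext_len
        if ext_type != SNI_EXTENSION_TYPE:
            continue
        list_len = struct.unpack("!H", data[:2])[0]
        lpos = 2
        while lpos + 3 <= 2 + list_len:
            name_type, name_len = struct.unpack("!BH", data[lpos:lpos + 3]); lpos += 3
            name = data[lpos:lpos + name_len]; lpos += name_len
            if name_type == SNI_HOST_NAME_TYPE:
                return name.decode("ascii")
    return None


def pick_server_block(record, server_names, default_name):
    """Mimic nginx: the server block whose name matches the SNI, else the default one."""
    sni = extract_sni(record)
    return sni if sni in server_names else default_name


if __name__ == "__main__":
    names = {"www.hostmauritius.com", "www.hostmauritius.net"}
    for host in ("www.hostmauritius.net", None):
        hello = build_client_hello(host)
        print(host, "->", extract_sni(hello), "->",
              pick_server_block(hello, names, "www.hostmauritius.com"))
```

The second loop iteration is the pre-SNI browser case: no extension, so the server has nothing to match on and serves whichever vhost is the default for that IP address, which is why the browsers listed above matter.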

I'm running all the steps in this tutorial with root privileges, so make sure you're logged in as root. On Ubuntu, run

sudo su

to become the root user.

 

2 Determine Your Nginx Version

First you should find out about your nginx version because the SSL configuration differs slightly between versions < 0.8.21 and versions >= 0.8.21.

nginx -v

On Ubuntu 11.04, you should have nginx 0.8.54:

root@server1:~# nginx -v
nginx version: nginx/0.8.54
root@server1:~#

On Debian Squeeze, it's nginx 0.7.67:

root@server1:~# nginx -v
nginx version: nginx/0.7.67
root@server1:~#

 

3 Setting Up The Vhost

I will now create the vhost www.hostmauritius.com with the document root /var/www/www.hostmauritius.com/web. First I create that directory:

mkdir -p /var/www/www.hostmauritius.com/web

Create a simple nginx vhost configuration for http (port 80):

vi /etc/nginx/sites-available/www.hostmauritius.com.vhost

server {
        listen   80; ## listen for ipv4
        listen   [::]:80 ipv6only=on; ## listen for ipv6; without ipv6only=on the [::] socket also accepts IPv4 on Linux and clashes with the line above ("Address already in use")

        server_name  www.hostmauritius.com hostmauritius.com;
        root /var/www/www.hostmauritius.com/web;

        if ($http_host != "www.hostmauritius.com") {
                 rewrite ^ http://www.hostmauritius.com$request_uri permanent;
        }

        location / {
                index  index.php index.html index.htm;
        }

        location ~ \.php$ {
                try_files $uri =404; ## only hand existing files to PHP; stops /uploads/img.jpg/x.php from running img.jpg via cgi.fix_pathinfo
                fastcgi_pass   127.0.0.1:9000;
                fastcgi_index  index.php;
                fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name; ## must follow the root directive above, not a hard-coded /var/www
                include         fastcgi_params;
        }

        location ~ /\. {
                deny  all; ## never serve dotfiles such as .htaccess or .git
        }
}

Enable the vhost and reload nginx:

cd /etc/nginx/sites-enabled/
ln -s /etc/nginx/sites-available/www.hostmauritius.com.vhost www.hostmauritius.com.vhost
/etc/init.d/nginx reload

 

4 Creating A Self-Signed Certificate

Before we set up our SSL vhost, we need an SSL certificate. I will now show you how to create your own self-signed certificate. With this certificate you will get browser warnings, but the private key that is generated together with it is reused later on: the certificate signing request for a trusted CA is created from that key, and the certificate the CA issues then replaces the self-signed one.

Make sure that the package ssl-cert is installed:

apt-get install ssl-cert

You can now create a self-signed certificate for www.hostmauritius.com as follows:

make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/ssl/private/www.hostmauritius.com.crt

You will be asked for the hostname:

Host name: <-- www.hostmauritius.com

This will create the self-signed certificate and the private key in one file, /etc/ssl/private/www.hostmauritius.com.crt:

cat /etc/ssl/private/www.hostmauritius.com.crt

-----BEGIN RSA PRIVATE KEY-----
[...]
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----

I will now split up that file in two, the private key /etc/ssl/private/www.hostmauritius.com.key and the self-signed certificate /etc/ssl/certs/www.hostmauritius.com.pem:

vi /etc/ssl/private/www.hostmauritius.com.key

This file must contain the part beginning with -----BEGIN RSA PRIVATE KEY----- and ending with -----END RSA PRIVATE KEY-----:

-----BEGIN RSA PRIVATE KEY-----
[...]
-----END RSA PRIVATE KEY-----

The key must be readable and writable by root only (on Debian/Ubuntu the directory /etc/ssl/private itself is owned by root:ssl-cert with mode 0710, so other users cannot even list it, but the file mode still matters for anything that ends up in the ssl-cert group):

chmod 600 /etc/ssl/private/www.hostmauritius.com.key

vi /etc/ssl/certs/www.hostmauritius.com.pem

This file must contain the part beginning with -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE-----:

-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----

Now we can delete the /etc/ssl/private/www.hostmauritius.com.crt file:

rm -f /etc/ssl/private/www.hostmauritius.com.crt
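The splitting done by hand with vi above, as an added Python example that is not part of the original article: it reads the combined file make-ssl-cert wrote, checks that it holds exactly one private key and one certificate whose base64 bodies decode cleanly, and creates the key file with mode 0600 in the same system call that creates it, so the key is never world-readable even for an instant. The file names are the article's; the PEM content used by demo() is a constructed placeholder, not a real key or certificate.

```python
"""Split a combined key+certificate PEM file into a key file and a cert file.

Added example, not from the original article. Same result as the manual
vi/chmod steps, but the key file is created with 0600 atomically and
malformed input is rejected instead of silently producing a broken file.
"""
import base64
import os
import re
import tempfile

# One PEM block: the END label must repeat the BEGIN label exactly.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)


def parse_pem_blocks(text):
    """Return [(label, block_text), ...] for every well-formed PEM block in text.

    The base64 body is decoded strictly so a truncated or mangled block
    (a classic copy-and-paste accident) is caught before anything is written.
    """
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group(1), m.group(2)
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except ValueError as exc:          # binascii.Error is a ValueError
            raise ValueError("bad base64 in %s block: %s" % (label, exc))
        blocks.append((label, m.group(0) + "\n"))
    return blocks


def split_combined_pem(combined_path, key_path, cert_path):
    """Write the key and the certificate from combined_path to two files.

    Returns (key_label, cert_label). Refuses anything but exactly one
    private key and one certificate; O_EXCL refuses to clobber an existing
    key file; the 0600 mode applies from creation onward.
    """
    with open(combined_path) as f:
        blocks = parse_pem_blocks(f.read())
    keys = [b for b in blocks if b[0].endswith("PRIVATE KEY")]
    certs = [b for b in blocks if b[0] == "CERTIFICATE"]
    if len(keys) != 1 or len(certs) != 1:
        raise ValueError("expected one private key and one certificate, found %d and %d"
                         % (len(keys), len(certs)))
    fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(keys[0][1])
    with open(cert_path, "w") as f:       # the certificate is public; 0644 is fine
        f.write(certs[0][1])
    os.chmod(cert_path, 0o644)
    return keys[0][0], certs[0][0]


def key_is_private(path):
    """True if path is readable and writable by its owner only (mode 0600)."""
    return (os.stat(path).st_mode & 0o777) == 0o600


# Constructed placeholder with valid base64 bodies; NOT a real key or certificate.
CONSTRUCTED_COMBINED = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    + base64.b64encode(b"constructed placeholder, not a real key").decode() + "\n"
    "-----END RSA PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"constructed placeholder, not a real certificate").decode() + "\n"
    "-----END CERTIFICATE-----\n"
)


def demo(workdir=None):
    """Split the constructed combined file inside workdir (a fresh temp dir by default).

    Returns (labels, key_mode_is_0600, cert_file_text).
    """
    workdir = workdir or tempfile.mkdtemp()
    combined = os.path.join(workdir, "www.hostmauritius.com.crt")
    key_path = os.path.join(workdir, "www.hostmauritius.com.key")
    cert_path = os.path.join(workdir, "www.hostmauritius.com.pem")
    with open(combined, "w") as f:
        f.write(CONSTRUCTED_COMBINED)
    labels = split_combined_pem(combined, key_path, cert_path)
    with open(cert_path) as f:
        cert_text = f.read()
    return labels, key_is_private(key_path), cert_text


if __name__ == "__main__":
    print(demo())
```

On a real box you would call split_combined_pem("/etc/ssl/private/www.hostmauritius.com.crt", "/etc/ssl/private/www.hostmauritius.com.key", "/etc/ssl/certs/www.hostmauritius.com.pem") as root and only then remove the combined file, as in the rm step above.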

