Next Spaceship

Driving into future…

Upgrade Http Site to Https (for Free)

| Comments

Even though the serieze of HeartBleeding bugs makes HTTPS (SSL) look vulnerable, I still believe after bugs fixed, HTTPS is more secure than HTTP. Actually we can archieve this in a few simple steps with technologies like OpenSSL, free certificate provider, nginx configuration.

Register an account at StartSSL

StartSSL is one of websites providing free digital certificates for websites and is my favourate one after experiencing several providers. Though the UI and UX are not so good, the function is good, and that’s enough for free :-D

Open https://www.startssl.com, click Control Panel and Sign-up an account. Input some information to prove that you are a human being. Wait for some time, and you will receive an email that account get registered successfully.

Back up p12 file

This is critical important. Back up a p12 file for the account in StartSSL. For Mac user, you need to export this via Key Chain.

Email Address Validation

Return to StartSSL’s control panel, and authenticate into it. Choose Validation Wizard tab. In the select box, choose Email Address Validation and complete this.

Domain Name Validation

The same to the previous step except choose Domain Name Validation in the select box.

Generate a CSR with OpenSSL

1
2
openssl genrsa -out ~/DOMAIN.key 2048
openssl req -new -sha256 -key ~/DOMAIN.key -out ~/DOMAIN.csr

Retrieve certificate with CSR

Open StartSSL, and find Certificate Wizard. In Certifiate Target select box, choose Web Server SSL/TLS Certifiate. Skip the following step, because you have already generated a CSR. Submit the CSR, and download the certificate. Download intermediate and ca files as well.

Concate DOMAIN certificate, intermediate certificate and ca certificate.

1
2
sudo cat DOMAIN.crt intermediate.pem ca.pem > /etc/ssl/DOMAIN.crt
sudo mv ~/DOMAIN.key /ect/ssl/DOMAIN.key

Configure nginx

1
2
sudo chmod 600 /etc/ssl/DOMAIN.*
sudo chown www-data:www-data /etc/ssl/DOMAIN.*

www-data is the user for nginx workers. If it’s nginx, just replace to that.

Edit nginx configuration file.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
server {
    listen 80;
    server_name DOMAIN;

    location / {
        rewrite ^ https://$server_name$request_uri? permanent;
    }
}

server { 
    listen 443; 
    server_name DOMAIN; 

    ssl on; 
    ssl_certificate /etc/ssl/DOMAIN.crt; 
    ssl_certificate_key /etc/ssl/DOMAIN.key; 

    ssl_stapling on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;

    ssl_prefer_server_ciphers on;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK';
    add_header Strict-Transport-Security "max-age=31536000;";

    if ($http_user_agent ~ "MSIE" ) {
        return 303 https://browser-update.org/update.html;
    }

    location / { 
        proxy_pass http://localhost:3800; 
        proxy_http_version 1.1; 
        proxy_set_header Upgrade $http_upgrade; # allow websockets 
        proxy_set_header Connection $connection_upgrade; 
        proxy_set_header X-Forwarded-For $remote_addr; # preserve client IP 
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
    } 
}

Here the location / is an example to use nginx as a reverse proxy. Substitude that with what you need.

Restart or reload nginx

1
2
sudo /etc/init.d/nginx configtest
sudo /etc/init.d/nginx restart

or if the configuration file already exists, just reload instead of restart

1
sudo /etc/init.d/nginx reload

Open browser to test

Check and resolve errors.

Comments