
SSL How to enable https for my domain

Discussion in 'Nginx, PHP-FPM & MariaDB MySQL' started by pamamolf, Sep 1, 2015.

  1. pamamolf

    pamamolf Well-Known Member

    Hi

    I just installed the latest beta 09 Centmin Mod (spdy=n, https=y) and I don't remember what I must edit now to enable https for my domain using the included self-signed https certificate that the Centmin Mod Nginx vhost created for me.....
     
    Last edited: Sep 1, 2015
  2. RoldanLT

    RoldanLT Well-Known Member

  3. eva2000

    eva2000 Administrator Staff Member

    Centmin Mod .08 stable and higher will create both http and https nginx vhost files separately, as outlined at Nginx Vhost & NSD DNS Setup - CentminMod.com LEMP Nginx web stack for CentOS
    • Nginx vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.conf
    • Nginx SPDY SSL vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf
    • Nginx Self-Signed SSL Certificate Directory at /usr/local/nginx/conf/ssl/newdomain.com
    • Vhost public web root will be at /home/nginx/domains/newdomain.com/public
    • Vhost log directory will be at /home/nginx/domains/newdomain.com/log
    So there is nothing to do if you want to test using the auto-generated self-signed SSL certificate. Just access your domain via the https version and it should work, though the browser will report it as untrusted and you need to accept the exception to proceed the first time.

    If you want to replace it with a paid SSL certificate, then you need to edit the SSL version of the Nginx vhost, /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf, and set up your paid SSL cert paths as outlined at Nginx SPDY SSL Configuration - CentminMod.com LEMP Nginx web stack for CentOS
     
  4. pamamolf

    pamamolf Well-Known Member

    When I use:

    Code:
    https://mydomain.com
    I am getting this:

    Code:
    This webpage is not available
    DNS_PROBE_FINISHED_NXDOMAIN
    Normal http is working fine but not https....


    This one is for SPDY and not for https2 (do they need the exact same steps to work?):

    Nginx SPDY SSL Configuration - CentminMod.com LEMP Nginx web stack for CentOS

    Maybe I have to enable the temp redirect 30 in the config file?

    As I didn't edit anything at all: I did a clean install and just created the vhost....
     
    Last edited: Sep 2, 2015
  5. eva2000

    eva2000 Administrator Staff Member

  6. pamamolf

    pamamolf Well-Known Member

    That DNS flush did the trick and it is working now :)

    As I now want to use only https for the domain, how can I forward all http requests to:

    Code:
    https://mydomain.com
    ?
    Thanks
     
    Last edited: Sep 2, 2015
  7. eva2000

    eva2000 Administrator Staff Member

    In your non-SSL vhost conf file /usr/local/nginx/conf/conf.d/newdomain.com.conf, replace the top server block, or place at the bottom of it, the following:

    Code:
    # Centmin Mod Getting Started Guide
    # must read http://centminmod.com/getstarted.html
    # For SPDY SSL Setup
    # read http://centminmod.com/nginx_configure_https_ssl_spdy.html

    # redirect from www to non-www forced SSL
    # uncomment, save file and restart Nginx to enable
    # if unsure use return 302 before using return 301
    # $server_name expands to the first name listed, i.e. newdomain.com
    server {
        server_name newdomain.com www.newdomain.com;
        return 302 https://$server_name$request_uri;
    }
    Test in an incognito browser that the redirect works well before changing 302 to 301.

    Also, if you ever need the original vhost structure, you can use the generator at Generate Centmin Mod Nginx Vhost - CentminMod.com LEMP Nginx web stack for CentOS
     
  8. pamamolf

    pamamolf Well-Known Member

    Ok, one last one :)

    What if I want to get a redirect from www to non-www?

    For example:
    Code:
    http://mydomain.com
    http://www.mydomain.com
    https://www.mydomain.com
    All of the above should redirect to:

    Code:
    https://mydomain.com
    This is what I have there:

    Code:
    #server {
    #            listen   80;
    #            server_name mydomain.com;
    #            return 301 $scheme://www.mydomain.com$request_uri;
    #       }
    
    server {
      server_name mydomain.com www.mydomain.com;
     
    Last edited: Sep 3, 2015
  9. eva2000

    eva2000 Administrator Staff Member

    Change this in the non-SSL config file:

    Code:
    server {
        listen 80;
        server_name mydomain.com www.mydomain.com;
        return 302 https://mydomain.com$request_uri;
    }

    so that non-https mydomain.com access redirects to the https-based https://www.mydomain.com, and so that any access via non-www and www mydomain.com redirects to the https-based https://mydomain.com

    In the SSL config file, replace the top of the server block with the following; replace the 302 temp redirect with a 301 permanent redirect after you confirm it works.

    Code:
    server {
        listen 443 ssl spdy;
        server_name mydomain.com www.mydomain.com;

        ## redirect https www to https non-www
        if ($host = 'www.mydomain.com' ) {
            return 302 https://mydomain.com$request_uri;
        }

        # the remaining directives of your existing SSL server block follow unchanged

    Restart nginx.

    Do all tests in an incognito/private browser session so 301 permanent redirects are NOT cached in the browser.
     
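    The two server blocks above give three redirect sources (http non-www, http www, https www) and one canonical target. The script below is an added example, not code from this thread or from Centmin Mod: it walks each hop itself instead of letting the HTTP client follow redirects, so a loop between the non-SSL and SSL vhost files, a leftover 302 after the 301 switch, or a landing on the www host shows up in the report. `model_fetch` is a constructed stand-in that mirrors the posted config so the audit runs offline; `--live` switches to real HEAD requests against mydomain.com, the thread's placeholder host. Only the Python standard library is used.

```python
"""Audit the http -> https and www -> non-www redirects configured in this thread.

Added example; not part of Centmin Mod. Uses only the standard library and the
thread's placeholder host mydomain.com.
"""
import sys
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}
CANONICAL = "https://mydomain.com"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib stop at each 3xx so every hop is visible to the audit."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_fetch(url, timeout=10):
    """HEAD one URL without following redirects; return (status, Location header)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        # with redirects disabled, 3xx (and 4xx/5xx) responses land here
        return err.code, err.headers.get("Location")


def _request_uri(parts):
    """Equivalent of nginx's $request_uri: path plus the original query string."""
    return (parts.path or "/") + ("?" + parts.query if parts.query else "")


def model_fetch(url):
    """Constructed stand-in for the live server that mirrors the two posted
    server blocks, so the audit can be exercised offline."""
    parts = urlsplit(url)
    if parts.scheme == "http":
        # non-SSL vhost: return 302 https://mydomain.com$request_uri;
        return 302, "https://mydomain.com" + _request_uri(parts)
    if parts.netloc == "www.mydomain.com":
        # SSL vhost: if ($host = 'www.mydomain.com') { return 302 https://mydomain.com$request_uri; }
        return 302, "https://mydomain.com" + _request_uri(parts)
    return 200, None


def follow_chain(url, fetch, max_hops=5):
    """Return [(url, status, location), ...] ending at the first non-redirect.

    Raises RuntimeError on a loop or when max_hops is exceeded, the two ways a
    mis-edited pair of vhost files usually fails.
    """
    hops, seen = [], set()
    while True:
        if url in seen:
            raise RuntimeError("redirect loop at %s" % url)
        seen.add(url)
        status, location = fetch(url)
        hops.append((url, status, location))
        if status not in REDIRECT_CODES or not location:
            return hops
        if len(hops) >= max_hops:
            raise RuntimeError("more than %d redirects from %s" % (max_hops, hops[0][0]))
        url = urljoin(url, location)  # Location may be relative


def audit(start_urls, fetch, canonical=CANONICAL):
    """Follow every start URL and report how it reaches (or misses) the canonical origin."""
    canon = urlsplit(canonical)
    report = {}
    for start in start_urls:
        hops = follow_chain(start, fetch)
        final_url, final_status, _ = hops[-1]
        final = urlsplit(final_url)
        problems = []
        if final_status != 200:
            problems.append("final status %s" % final_status)
        if (final.scheme, final.netloc) != (canon.scheme, canon.netloc):
            problems.append("lands on %s://%s instead of %s" % (final.scheme, final.netloc, canonical))
        if len(hops) > 2:
            problems.append("%d redirects; one hop is enough with the posted config" % (len(hops) - 1))
        report[start] = {
            "final": final_url,
            "hops": len(hops) - 1,
            # 302/303/307 are temporary: fine while testing, switch to 301 afterwards
            "temporary_hops": sum(1 for _, s, _ in hops if s in (302, 303, 307)),
            "problems": problems,
        }
    return report


if __name__ == "__main__":
    fetch = live_fetch if "--live" in sys.argv else model_fetch
    starts = ["http://mydomain.com/", "http://www.mydomain.com/",
              "https://www.mydomain.com/", "https://mydomain.com/"]
    for start, res in audit(starts, fetch).items():
        flag = "OK " if not res["problems"] else "BAD"
        print("%s %s -> %s (%d hop(s), %d temporary) %s"
              % (flag, start, res["final"], res["hops"], res["temporary_hops"], "; ".join(res["problems"])))
```

    Run it with no arguments to see the expected shape of the report against the modelled config; run it with `--live` from a machine that resolves the real domain once the vhost edits are in place. A non-empty `temporary_hops` count after you have switched to 301 means one of the two files still carries the 302, and a RuntimeError on `--live` means the non-SSL and SSL blocks are bouncing requests between each other.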
  10. pamamolf

    pamamolf Well-Known Member

    Please confirm: do you mean to uncomment the code like this and keep both server { ?

    Code:
    server {
      listen  80;
      server_name mydomain.com www.mydomain.com;
      return 302 https://mydomain.com$request_uri;
      }
    
    server {
      server_name mydomain.com www.mydomain.com;
    Or do you mean to do this?

    Code:
    #server {
    # listen  80;
    # server_name mydomain.com www.mydomain.com;
    # return 302 https://mydomain.com$request_uri;
    # }
    
    server {
      listen  80;
      server_name mydomain.com www.mydomain.com;
      return 302 https://mydomain.com$request_uri;
     
    Last edited: Sep 3, 2015
  11. eva2000

    eva2000 Administrator Staff Member

    The latter.
     
  12. pamamolf

    pamamolf Well-Known Member

    Ok, tested and working great :)

    Now one last step: replace the self-signed certificate with a valid Comodo one :)

    But I will try it in the next 1-2 days so you can get a rest from my questions :)

    Do we have any tutorial for this, as we need to replace the tutorial for SPDY with the new https2?
     
    Last edited: Sep 3, 2015
  13. pamamolf

    pamamolf Well-Known Member

    Ok, I just got a Comodo SSL trial for 90 days from gogetssl :)

    I use SHA2 256Bit.

    I uploaded the files here:
    Code:
    /usr/local/nginx/conf/ssl/mydomain.com
    and it is working :)

    But I have some questions:

    Nginx is looking for the file:

    Code:
    /usr/local/nginx/conf/ssl/mydomain.com/dhparam.pem
    Is this a must? And what if I have a vhost without auto SSL creation and the file is missing? Can I create it? How?

    Also, is this line needed for http2 in mydomain.com.ssl.conf?

    Code:
    add_header Alternate-Protocol  443:npn-spdy/3;
    Are those settings the same for SPDY and http2, or must I adjust them?

    Code:
      ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA;
      ssl_prefer_server_ciphers   on;
      add_header Alternate-Protocol  443:npn-spdy/3;
      # HTTP Public Key Pinning Header uncomment only one that applies include or exclude domains.
      # You'd want to include subdomains if you're using SSL wildcard certificates
      # include subdomain
      #add_header Public-Key-Pins 'pin-sha256="WO9bFFPwpLuAGtOfotF0KpHYpDwuRgQayUm8mOtk7RE="; pin-sha256="ok8rqdmrPf/KkuNtj+If20Qlw5wW4sDAxHr2dLe59NM="; max-age=604800; includeSubDomains';
      # exclude subdomains
      #add_header Public-Key-Pins 'pin-sha256="WO9bFFPwpLuAGtOfotF0KpHYpDwuRgQayUm8mOtk7RE="; pin-sha256="ok8rqdmrPf/KkuNtj+If20Qlw5wW4sDAxHr2dLe59NM="; max-age=604800';
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header  X-Content-Type-Options "nosniff";
      #add_header X-Frame-Options DENY;
      #spdy_headers_comp 5;
      ssl_buffer_size 1400;
      ssl_session_tickets on;
    I am not sure if it is a configuration error or something else, but I can't confirm http2 here:

    Code:
    https://www.h2check.org/
    but it is working... :(
     
    Last edited: Sep 3, 2015
  14. eva2000

    eva2000 Administrator Staff Member

    It's needed only for SSL and is auto-created via centmin.sh menu option 2 if you select yes to the SSL self-signed cert. Not needed for non-https.

    Needed for both SPDY SSL and HTTP/2 SSL; leave as is. Read the Nginx HTTP/2 page at Nginx HTTP/2 protocol to succeed Google SPDY for all details.
    Read Nginx - First Alpha Patch for Nginx HTTP/2 support | Page 2 | Centmin Mod Community: h2check is out of date, as it only checks for HTTP/2 draft protocols and not the final h2 protocol.
     
  15. pamamolf

    pamamolf Well-Known Member

    Yes, but you can do all the steps to get https if you have a previously created vhost without https support, except for this file....
    Or is there a solution I am missing, if I already have a vhost created without https support, to recreate it without any data loss?
     
  16. eva2000

    eva2000 Administrator Staff Member

    Or if you had a prior SSL vhost, you can have it with or without the dhparam file, but it's more secure if you have it.

    Line 98 of inc/nginx_addvhost.inc has the command to generate the dhparam file; you have to run that within your SSL directory at /usr/local/nginx/conf/ssl/mydomain.com/
     
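    The generator command in inc/nginx_addvhost.inc is referenced above but not reproduced in the thread. The following is an added example, not Centmin Mod's code and not from this thread: it wraps the standard `openssl dhparam` CLI to create the file at the path the thread uses when it is missing, and parses the resulting PEM (PKCS#3 DHParameter, a DER SEQUENCE of INTEGER p and INTEGER g) to report the bit length of the prime, so you can confirm what /usr/local/nginx/conf/ssl/mydomain.com/dhparam.pem actually holds before nginx's ssl_dhparam directive is pointed at it. That the Centmin Mod script uses `openssl dhparam`, the 2048-bit default, and the toy 23/5 sample parameters are my assumptions and constructions.

```python
"""Create and inspect the dhparam.pem that the SSL vhost in this thread expects.

Added example; not Centmin Mod code. Assumes the generator referenced in the
thread is an `openssl dhparam` invocation (standard OpenSSL CLI) and uses the
thread's placeholder path. Only the standard library is needed for parsing.
"""
import base64
import os
import subprocess

DEFAULT_PATH = "/usr/local/nginx/conf/ssl/mydomain.com/dhparam.pem"


def ensure_dhparam(path=DEFAULT_PATH, bits=2048):
    """Generate the DH parameter file with openssl unless it already exists.

    Returns True when a new file was written, False when one was already there.
    Generation of a 2048-bit group can take a few minutes on a small VPS.
    """
    if os.path.exists(path):
        return False
    os.makedirs(os.path.dirname(path), exist_ok=True)
    # standard OpenSSL CLI: openssl dhparam -out <file> <bits>
    subprocess.run(["openssl", "dhparam", "-out", path, str(bits)], check=True)
    return True


def _der_len(n):
    """DER length octets: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(n):
    """DER INTEGER for a non-negative n; the extra byte keeps the top bit clear."""
    body = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(body)) + body


def encode_dh_pem(p, g):
    """Build a PEM 'DH PARAMETERS' block from p and g (used for offline checks)."""
    seq = _der_int(p) + _der_int(g)
    der = b"\x30" + _der_len(len(seq)) + seq
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"


def _der_tlv(data, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, data[pos:pos + length], pos + length


def dhparam_bits(pem_text):
    """Return the bit length of the prime p in a PEM 'DH PARAMETERS' block."""
    lines = [line.strip() for line in pem_text.strip().splitlines()]
    if lines[0] != "-----BEGIN DH PARAMETERS-----" or lines[-1] != "-----END DH PARAMETERS-----":
        raise ValueError("not a PEM DH PARAMETERS block")
    der = base64.b64decode("".join(lines[1:-1]))
    tag, seq, _ = _der_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected DER SEQUENCE")
    tag, p, _ = _der_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER p")
    # a leading 0x00 only keeps the sign positive and does not add to the size
    return int.from_bytes(p, "big").bit_length()


# Constructed toy parameters (p = 23, g = 5) so the parser can be exercised
# offline; a real dhparam.pem carries a 2048-bit or larger prime.
SAMPLE_PEM = "-----BEGIN DH PARAMETERS-----\nMAYCARcCAQU=\n-----END DH PARAMETERS-----\n"


def inspect_file(path=DEFAULT_PATH, minimum_bits=2048):
    """Return (bits, ok) for the file on disk; ok means it meets minimum_bits."""
    with open(path) as fh:
        bits = dhparam_bits(fh.read())
    return bits, bits >= minimum_bits


if __name__ == "__main__":
    created = ensure_dhparam()
    bits, ok = inspect_file()
    print("%s %s: %d-bit prime, %s" % ("created" if created else "found", DEFAULT_PATH,
                                        bits, "ok" if ok else "below 2048 bits"))
```

    The file holds public group parameters, so it needs no special permissions; what matters is the size, because the `ssl_ciphers` list in this thread still includes DHE suites and the DH group strength is set by this file rather than by the certificate.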
  17. pamamolf

    pamamolf Well-Known Member

    Ok, great :)

    Which is the easiest way, if I have a vhost created without https support, to add https support without any data loss? If I try to add a new vhost again with the same domain name I will get some issues, if I am not wrong.....
     
  18. eva2000

    eva2000 Administrator Staff Member

    Yeah, it will abort if the domain name already exists.

    Probably the easiest way would be to use a separate test server or VPS with Centmin Mod installed and run centmin.sh menu option 2 to create the same domain name as the one you want to add domain SSL vhost support for, and you'll end up with:
    • Nginx vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.conf
    • Nginx SPDY SSL vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf
    • Nginx Self-Signed SSL Certificate Directory at /usr/local/nginx/conf/ssl/newdomain.com
    Copy the file and contents of /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf to the live server, and copy the /usr/local/nginx/conf/ssl/newdomain.com contents to the live server. You may also need to copy the file and contents of /usr/local/nginx/conf/ssl_include.conf to the live server if the live server doesn't have it.
     
  19. eva2000

    eva2000 Administrator Staff Member

  20. prometheus

    prometheus Member

    Is there any updated version of how to set up SSL with .08?
    The guide is written for SPDY, and nginx shows it as deprecated.