SSL How to enable https for my domain

pamamolf · Sep 1, 2015

Hi

I was just install latest beta 09 centminmod (spdy=n - https=y) and i don't remember what i must edit now to enable https for my domain using the included https self signed certificate that Centminmod Nginx vhost create for me.....

rdan · Sep 1, 2015

1 year plus using Centmin still can't do this? ops sorry peace
Follow this guide - Nginx SPDY SSL Configuration - CentminMod.com LEMP Nginx web stack for CentOS

I know there is an easier way command now available.
But me myself still using the old method where you do each command.

eva2000 · Sep 1, 2015

Centmin Mod .08 stable and higher will creates both http and https nginx vhost files separately as outlined at Nginx Vhost & NSD DNS Setup - CentminMod.com LEMP Nginx web stack for CentOS

Nginx vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.conf

Nginx SPDY SSL vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf

Nginx Self-Signed SSL Certificate Directory at /usr/local/nginx/conf/ssl/newdomain.com

Vhost public web root will be at /home/nginx/domains/newdomain.com/public

Vhost log directory will be at /home/nginx/domains/newdomain.com/log

So nothing to do if you want to test using the auto generated self-signed SSL for testing. Just access your domain via https version and it should work though browser will report it as untrusted and you need to accept/exception proceed to view the first time.

If you want to replace with paid SSL certificate, then need to edit the ssl version Nginx vhost /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf and setup your paid SSL cert paths as outlined at Nginx SPDY SSL Configuration - CentminMod.com LEMP Nginx web stack for CentOS

pamamolf · Sep 2, 2015

When i use :
Code:
https://mydomain.com
I am getting this:
Code:
This webpage is not available
DNS_PROBE_FINISHED_NXDOMAIN
Normal http is working fine but not the https....

This one is for SPDY and not for https2 (are they need exact same steps to work? ) :

Nginx SPDY SSL Configuration - CentminMod.com LEMP Nginx web stack for CentOS

Maybe do i have to enable the temp redirect 30 to config file?

As i didn't edit anything at all as i did a clean install and just create the vhost....

eva2000 · Sep 2, 2015

You might have local pc computer dns issues windows 7 - Unable to access most internet sites error DNS_PROBE_FINISHED_NXDOMAIN - Super User

pamamolf · Sep 2, 2015

That flush dns did the trick and is working now

As i want to use now only https for the domain how can i forward all http requests to:
Code:
https://mydomain.com
?
Thanks

eva2000 · Sep 2, 2015

in your non ssl vhost conf file /usr/local/nginx/conf/conf.d/newdomain.com.conf replace or place at bottom of the top code with the following
Code:
# Centmin Mod Getting Started Guide
# must read http://centminmod.com/getstarted.html
# For SPDY SSL Setup
# read http://centminmod.com/nginx_configure_https_ssl_spdy.html

# redirect from www to non-www  forced SSL
# uncomment, save file and restart Nginx to enable
# if unsure use return 302 before using return 301
 server {
    server_name newdomain.com www.newdomain.com;
    return 302 https://$server_name$request_uri;
 }
test in incognito browser that redirect works well before change 302 to 301

also if you ever need the original vhost structure you can use the generator at Generate Centmin Mod Nginx Vhost - CentminMod.com LEMP Nginx web stack for CentOS

pamamolf · Sep 3, 2015

Ok one last one

If i want to get a redirect from www to none?

for example:
Code:
http://mydomain.com
http://www.mydomain.com
https://www.mydomain.com
All the above to redirect to :
Code:
https://mydomain.com
This is what i have there:
Code:
#server {
#            listen   80;
#            server_name mydomain.com;
#            return 301 $scheme://www.mydomain.com$request_uri;
#       }

server {
  server_name mydomain.com www.mydomain.com;

eva2000 · Sep 3, 2015

change in non-ssl config file
Code:
server {
            listen   80;
            server_name mydomain.com www.mydomain.com;
            return 302 https://mydomain.com$request_uri;
        }
so that non-https mydomain.com access redirects to https based https://www.mydomain.com and so that any access via non-www and www mydomain.com redirects to https based https://mydomain.com

in ssl config file replace with the following - replace 302 temp redirect with 301 permanent redirect after you confirm it works.
Code:
server {
  listen 443 ssl spdy;
  server_name mydomain.com www.mydomain.com;

   ##  redirect https www to https non-www
      if ($host = 'www.mydomain.com' ) {
         return 302 https://mydomain.com$request_uri;
      }
restart nginx

Do all tests in incognito/private browser session so 301 permanent redirects are NOT cached in browser

pamamolf · Sep 3, 2015

Please confirm that you mean to uncomment the code like this and keep both server { ? :

Code:

server {
  listen  80;
  server_name mydomain.com www.mydomain.com;
  return 302 https://mydomain.com$request_uri;
  }

server {
  server_name mydomain.com www.mydomain.com;

or do you mean to do this?

Code:

#server {
# listen  80;
# server_name mydomain.com www.mydomain.com;
# return 302 https://mydomain.com$request_uri;
# }

server {
  listen  80;
  server_name mydomain.com www.mydomain.com;
  return 302 https://mydomain.com$request_uri;

eva2000 · Sep 3, 2015

the latter

pamamolf · Sep 3, 2015

Ok tested and working great

Now one last step to replace the self signed certificate with a valid comodo one

But i will try it in the next 1-2 days so you can get rest with my questions

Do we have any tutorial for this as we need to replace the tutorial for SPDY with the new https2 ?

pamamolf · Sep 3, 2015

Ok i just get a comodo ssl trial for 90 days from gogetssl

I use SHA2 256Bit.

I upload the files here:

Code:

/usr/local/nginx/conf/ssl/mydomain.com

and is working

But i have some questions :

Nginx is looking for file:

Code:

/usr/local/nginx/conf/ssl/mydomain.com/dhparam.pem

Is this a must? And what if i have a vhost without auto ssl creation and the file is missing? Can i create it? How?

Also is this line needed for http2 in mydomain.com.ssl.conf?

Code:

add_header Alternate-Protocol  443:npn-spdy/3;

Are those settings the same for spdy and http2 or i must adjust them?

Code:

  ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA;
  ssl_prefer_server_ciphers   on;
  add_header Alternate-Protocol  443:npn-spdy/3;
  # HTTP Public Key Pinning Header uncomment only one that applies include or exclude domains.
  # You'd want to include subdomains if you're using SSL wildcard certificates
  # include subdomain
  #add_header Public-Key-Pins 'pin-sha256="WO9bFFPwpLuAGtOfotF0KpHYpDwuRgQayUm8mOtk7RE="; pin-sha256="ok8rqdmrPf/KkuNtj+If20Qlw5wW4sDAxHr2dLe59NM="; max-age=604800; includeSubDomains';
  # exclude subdomains
  #add_header Public-Key-Pins 'pin-sha256="WO9bFFPwpLuAGtOfotF0KpHYpDwuRgQayUm8mOtk7RE="; pin-sha256="ok8rqdmrPf/KkuNtj+If20Qlw5wW4sDAxHr2dLe59NM="; max-age=604800';
  #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
  #add_header  X-Content-Type-Options "nosniff";
  #add_header X-Frame-Options DENY;
  #spdy_headers_comp 5;
  ssl_buffer_size 1400;
  ssl_session_tickets on;

I am not sure if it is a configuration error or something else but i can't confirm the http2 here:

Code:

https://www.h2check.org/

but is working...

eva2000 · Sep 3, 2015

pamamolf said: ↑

/usr/local/nginx/conf/ssl/mydomain.com/dhparam.pem
Click to expand...

It's needed only for SSL and is auto created via centmin.sh menu option 2 if you select yes to SSL self signed cert. Not needed for non-https

pamamolf said: ↑

add_header Alternate-Protocol 443:npn-spdy/3;
Click to expand...

needed for both SPDY SSL and HTTP/2 SSL - leave as is. Read Nginx HTTP/2 page at Nginx HTTP/2 protocol to succeed Google SPDY for all details

pamamolf said: ↑

but is working
Click to expand...

read Nginx - First Alpha Patch for Nginx HTTP/2 support | Page 2 | Centmin Mod Community h2check is out of date as it only checks for HTTP/2 draft protocols and not the final h2 protocol

pamamolf · Sep 3, 2015

It's needed only for SSL and is auto created via centmin.sh menu option 2 if you select yes to SSL self signed cert. Not needed for non-https
Click to expand...

Yes but you can do all steps to get https if you have a previous created vhost without https support except this file....
Or is a solution that i miss if i have already a vhost created without https support to recreate it without any data loss?

eva2000 · Sep 3, 2015

pamamolf said: ↑

Yes but you can do all steps to get https if you have a previous created vhost without https support except this file....
Or is a solution that i miss if i have already a vhost created without https support to recreate it without any data loss?
Click to expand...

of if you had a prior ssl vhost you can have it with or without dhparam file but it's more secure if you have it

line 98 of inc/nginx_addvhost.inc has the command to generate dhparam file you have to run that within your ssl directory at /usr/local/nginx/conf/ssl/mydomain.com/

pamamolf · Sep 3, 2015

Ok great

Which is the easiest way if i have a vhost created without https support to add https support without any data loss as if i try to add a new vhost again with the same domain name i will get some issues if i am not wrong.....

eva2000 · Sep 3, 2015

pamamolf said: ↑

Ok great

Which is the easiest way if i have a vhost created without https support to add https support without any data loss as if i try to add a new vhost again with the same domain name i will get some issues if i am not wrong.....
Click to expand...

yeah it will abort if existing domain name already exists

probably easiest way would be to use a separate test server or VPS with Centmin Mod installed and run centmin.sh menu option 2 to create the same domain name as the one you want to add domain SSL vhost support for and you'll end up with

Nginx vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.conf

Nginx SPDY SSL vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf

Nginx Self-Signed SSL Certificate Directory at /usr/local/nginx/conf/ssl/newdomain.com

Copy the file and contents of /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf to live server and copy /usr/local/nginx/conf/ssl/newdomain.com contents to live server. You may also need to copy contents and file for /usr/local/nginx/conf/ssl_include.conf to live server if live server doesn't have it

eva2000 · Sep 3, 2015

Actually I updated the vhost generator at Generate Centmin Mod Nginx Vhost - CentminMod.com LEMP Nginx web stack for CentOS if you select the SSL self signed check box and generate the ssl vhost, it will have listed manual commands you can run to create just the SSL files as well

prometheus · Oct 21, 2015

Is there any updated version how to setup ssl with .08?
Guide display with spdy and nginx show as deprecated

Log in / Register

Forums

Discover Centmin Mod today

SSL How to enable https for my domain

pamamolf Premium Member Premium Member

rdan Well-Known Member

eva2000 Administrator Staff Member

pamamolf Premium Member Premium Member

eva2000 Administrator Staff Member

pamamolf Premium Member Premium Member

eva2000 Administrator Staff Member

pamamolf Premium Member Premium Member

eva2000 Administrator Staff Member

pamamolf Premium Member Premium Member

eva2000 Administrator Staff Member

pamamolf Premium Member Premium Member

pamamolf Premium Member Premium Member

eva2000 Administrator Staff Member

pamamolf Premium Member Premium Member

eva2000 Administrator Staff Member

pamamolf Premium Member Premium Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

prometheus Member

.

Log in / Register

Useful Searches

Discover Centmin Mod today

SSL How to enable https for my domain

pamamolf Premium Member Premium Member

rdan Well-Known Member

eva2000 Administrator Staff Member

pamamolf Premium Member Premium Member

eva2000 Administrator Staff Member

pamamolf Premium Member Premium Member

eva2000 Administrator Staff Member

pamamolf Premium Member Premium Member

eva2000 Administrator Staff Member

pamamolf Premium Member Premium Member

eva2000 Administrator Staff Member

pamamolf Premium Member Premium Member

pamamolf Premium Member Premium Member

eva2000 Administrator Staff Member

pamamolf Premium Member Premium Member

eva2000 Administrator Staff Member

pamamolf Premium Member Premium Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

prometheus Member

.