
SSL install and setup ssl for my server

Discussion in 'Domains, DNS, Email & SSL Certificates' started by Peih, Mar 31, 2016.

  1. Peih

    Peih New Member

    How can I do it? I don't know which commands I should run to install and set up SSL for my server/domain.
     
  2. eva2000

    eva2000 Administrator Staff Member

    1. Run centmin.sh menu option 2 to add a new Nginx vhost and, when prompted whether to create a self-signed SSL certificate along with the vhost, answer yes (y), as per Nginx Vhost & NSD DNS Setup - CentminMod.com LEMP Nginx web stack for CentOS.
    2. Then take note of the output at the end of the Nginx vhost routine: it gives the paths to your Nginx HTTP and HTTPS vhost files, the web root public path, etc.
    3. Then, on the same page at Nginx Vhost & NSD DNS Setup - CentminMod.com LEMP Nginx web stack for CentOS, read and follow the instructions and links on switching from the self-signed SSL certificate to a paid/browser-trusted one. Treat the self-signed certificate as a placeholder: it encrypts the connection but nothing vouches for it, so browsers will warn on it and Cloudflare's "Full (strict)" mode will refuse to connect to the origin until a trusted certificate is installed.
     
  3. Peih

    Peih New Member

    I already have a domain/vhost. How can I add SSL to an existing domain/vhost?
     
  4. eva2000

    eva2000 Administrator Staff Member

  5. eva2000

    eva2000 Administrator Staff Member

  6. Peih

    Peih New Member

    Now there is an issue:
    domain.com redirected you too many times

    I'm using Cloudflare. Do I need to turn off Cloudflare's SSL, since they enable it by default?
     
  7. eva2000

    eva2000 Administrator Staff Member

    Did you set up the HTTP-to-HTTPS redirect on both the Cloudflare end and the Centmin Mod Nginx vhost end? You only need to do it on one end, not both. A redirect loop is what you get when Cloudflare hands the request to your origin over plain HTTP (its Flexible SSL mode) and the origin's port-80 server block then redirects back to HTTPS, over and over. I'd undo the Nginx vhost HTTP-to-HTTPS redirect and just do it from the Cloudflare end.
     
  8. Peih

    Peih New Member

    I don't know how to set up the HTTP-to-HTTPS redirect on Cloudflare, so I think I only set it in the Nginx vhost.
    Here is my Nginx vhost:
    Code:
    # Centmin Mod Getting Started Guide
    # must read http://centminmod.com/getstarted.html
    # For SPDY SSL Setup
    # read http://centminmod.com/nginx_configure_https_ssl_spdy.html
    
    # redirect from www to non-www  forced SSL
    # uncomment, save file and restart Nginx to enable
    # if unsure use return 302 before using return 301
    # NOTE(review): $server_name expands to the first name in the server_name
    # directive below (domain.com), so both hostnames are sent to the non-www
    # HTTPS site. Keep it that way rather than using $host: $host comes from the
    # client's Host header and would turn this into an open redirect.
    # NOTE(review): behind Cloudflare this block only produces a redirect loop
    # when Cloudflare contacts the origin over plain HTTP (Flexible SSL mode);
    # with Full / Full (strict) the edge connects to port 443 and never hits it.
    server {
          listen   80;
          server_name domain.com www.domain.com;
          return 302 https://$server_name$request_uri;
    }
    
    server {
      listen 443 ssl http2;
      server_name domain.com www.domain.com;
    
      # Key material for this vhost. ssl-unified.crt is presumably the leaf plus
      # intermediate chain; the .key file must not be readable by other users.
      ssl_dhparam /usr/local/nginx/conf/ssl/domain.com/dhparam.pem;
      ssl_certificate      /usr/local/nginx/conf/ssl/domain.com/ssl-unified.crt;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/domain.com/domain.com.key;
      # ssl_include.conf is not shown here - presumably it sets ssl_protocols and
      # the session cache. Confirm it excludes SSLv3/TLS 1.0 before relying on it.
      include /usr/local/nginx/conf/ssl_include.conf;
    
      http2_max_field_size 16k;
      http2_max_header_size 32k;
    
      # mozilla recommended
      # NOTE(review): everything after the last DHE-* entry (AES128-GCM-SHA256 ...
      # AES256-SHA and the bare AES alias) is static-RSA key exchange, i.e. no
      # forward secrecy; it is only there for old clients, so drop that tail if
      # you do not need them. 3DES, Camellia, RC4, MD5, export and anonymous
      # suites are already excluded by the !... entries at the end.
      ssl_ciphers EECDH+CHACHA20:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA:!DES-CBC3-SHA;
      # The server, not the client, picks the suite, so the order above is what counts.
      ssl_prefer_server_ciphers   on;
    
      ##add_header Alternate-Protocol  443:npn-spdy/3;
      # HTTP Public Key Pinning Header uncomment only one that applies include or exclude domains.
      # You'd want to include subdomains if you're using SSL wildcard certificates
      # NOTE(review): HPKP is deprecated and a wrong pin locks visitors out for
      # max-age. The pin-sha256 values below look like template examples rather
      # than this site's keys - never enable them without regenerating both pins
      # (current key + backup key) from your own certificates.
      # include subdomain
      #add_header Public-Key-Pins 'pin-sha256="uu4E8qVGDJ2q7gw+aN4gH43uPMNYnahanL7IGOATeGU="; pin-sha256="stRi+vyUfgg+PwhIlr0MJatUtZROLN5JdcSoZ/f9JVA="; max-age=86400; includeSubDomains';
      # exclude subdomains
      #add_header Public-Key-Pins 'pin-sha256="uu4E8qVGDJ2q7gw+aN4gH43uPMNYnahanL7IGOATeGU="; pin-sha256="stRi+vyUfgg+PwhIlr0MJatUtZROLN5JdcSoZ/f9JVA="; max-age=86400';
      # NOTE(review): enable HSTS only once HTTPS works end-to-end for every
      # subdomain covered by includeSubdomains; browsers will then refuse plain
      # HTTP for the whole max-age.
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      # NOTE(review): nginx add_header is only inherited by a location that sets
      # no add_header of its own. If an included location block (staticfiles.conf,
      # php.conf) adds headers, these server-level ones vanish from those responses
      # - verify per path with curl -I after enabling any of them.
      #add_header X-Frame-Options SAMEORIGIN;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;
      ##spdy_headers_comp 5;
      ssl_buffer_size 1400;
      # NOTE(review): no ssl_session_ticket_key is set, so nginx generates the
      # ticket key itself and keeps it until the next reload/restart; resumed
      # sessions are only as forward-secret as that key. Reload periodically or
      # rotate an explicit key file.
      ssl_session_tickets on;
    
      # enable ocsp stapling
      # The resolver is only used to reach the OCSP responder; the stapled
      # response is validated against ssl-trusted.crt (issuer chain) because
      # ssl_stapling_verify is on. DNS to a public resolver is plain UDP - fine
      # for OCSP, but a local caching resolver avoids the external dependency.
      resolver 8.8.8.8 8.8.4.4 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;
      ssl_trusted_certificate /usr/local/nginx/conf/ssl/domain.com/ssl-trusted.crt; 
    
      # ngx_pagespeed & ngx_pagespeed handler
      include /usr/local/nginx/conf/pagespeed.conf;
      include /usr/local/nginx/conf/pagespeedhandler.conf;
      include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      # (duplicates of the commented headers above - harmless while commented)
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always; 
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/domain.com/log/access.log combined buffer=256k flush=60m;
      error_log /home/nginx/domains/domain.com/log/error.log;
    
      root /home/nginx/domains/domain.com/public;
      # uncomment cloudflare.conf include if using cloudflare for
      # server and/or vhost site
      # NOTE(review): this include is active. If it restores the visitor IP from
      # CF-Connecting-IP via set_real_ip_from, that header is only trustworthy
      # when the origin accepts connections solely from Cloudflare's IP ranges -
      # verify the firewall, otherwise logged/rate-limited IPs can be spoofed.
      include /usr/local/nginx/conf/cloudflare.conf;
      include /usr/local/nginx/conf/503include-main.conf;
    
      # prevent access to ./directories and files
      # (.git, .env, .htaccess ...). This regex location is declared first, so it
      # wins over any regex locations in the includes below.
      # NOTE(review): it also denies /.well-known/, so an ACME HTTP-01 challenge
      # needs its own "location ^~ /.well-known/" (prefix locations with ^~ take
      # precedence over regex ones).
      location ~ (?:^|/)\. {
       deny all;
      } 
    
      location / {
      include /usr/local/nginx/conf/503include-only.conf;
    
      # block common exploits, sql injections etc
      #include /usr/local/nginx/conf/block.conf;
    
      # Enables directory listings when index file not found
      # (leave off on a public site - listings expose file names)
      #autoindex  on;
    
      # Shows file listing times as local time
      #autoindex_localtime on;
    
      # Enable for vBulletin usage WITHOUT vbSEO installed
      # More example Nginx vhost configurations at
      # http://centminmod.com/nginx_configure.html
      index index.php index.html index.htm;
      # Front-controller fallback: anything that is not a real file or directory
      # is handed to index.php with the original URI in the query string.
      try_files $uri $uri/ /index.php?$uri&$args;
    
      }
    
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/php.conf;
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
     
    Last edited: Apr 2, 2016
  9. Peih

    Peih New Member

    Should I use domain.com.conf or domain.com.ssl.conf? Because when I disable domain.com.conf, my domain gets the "redirected you too many times" error.
     
  10. eva2000

    eva2000 Administrator Staff Member

    It depends on how you set up Cloudflare and your Nginx vhost.

    If Cloudflare connects to your origin over plain HTTP (Flexible SSL), you need a working port-80 server context that actually serves the site instead of redirecting; Cloudflare can then do its own HTTP-to-HTTPS redirect at the edge.

    But if you do not have Cloudflare set up for HTTP-to-HTTPS redirection, you can just use domain.com.ssl.conf and follow the instructions for the HTTP-to-HTTPS redirect and the port-80 server context within domain.com.ssl.conf at Nginx Vhost & NSD DNS Setup - CentminMod.com LEMP Nginx web stack for CentOS. Note that Cloudflare's plain "Full" mode does not validate the origin certificate, so the Cloudflare-to-origin hop is encrypted but not authenticated; "Full (strict)" with a browser-trusted (or Cloudflare Origin CA) certificate on the origin is the setting to aim for.

    Post the contents of your domain.com.ssl.conf file.
     
  11. Peih

    Peih New Member

    On Cloudflare:
    I turned on SSL "Full"; HSTS is OFF, and "Always Use HTTPS" is OFF (the default) in page rules.
    And in my domain.com.ssl.conf:
    Code:
    # Centmin Mod Getting Started Guide
    # must read http://centminmod.com/getstarted.html
    # For SPDY SSL Setup
    # read http://centminmod.com/nginx_configure_https_ssl_spdy.html
    
    # redirect from www to non-www  forced SSL
    # uncomment, save file and restart Nginx to enable
    # if unsure use return 302 before using return 301
    # NOTE(review): $server_name expands to the first name in the server_name
    # directive below (domain.com), so both hostnames are sent to the non-www
    # HTTPS site. Keep it that way rather than using $host: $host comes from the
    # client's Host header and would turn this into an open redirect.
    # NOTE(review): behind Cloudflare this block only produces a redirect loop
    # when Cloudflare contacts the origin over plain HTTP (Flexible SSL mode);
    # with Full / Full (strict) the edge connects to port 443 and never hits it.
    server {
          listen   80;
          server_name domain.com www.domain.com;
          return 302 https://$server_name$request_uri;
    }
    
    server {
      listen 443 ssl http2;
      server_name domain.com www.domain.com;
    
      # Key material for this vhost. ssl-unified.crt is presumably the leaf plus
      # intermediate chain; the .key file must not be readable by other users.
      ssl_dhparam /usr/local/nginx/conf/ssl/domain.com/dhparam.pem;
      ssl_certificate      /usr/local/nginx/conf/ssl/domain.com/ssl-unified.crt;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/domain.com/domain.com.key;
      # ssl_include.conf is not shown here - presumably it sets ssl_protocols and
      # the session cache. Confirm it excludes SSLv3/TLS 1.0 before relying on it.
      include /usr/local/nginx/conf/ssl_include.conf;
    
      http2_max_field_size 16k;
      http2_max_header_size 32k;
    
      # mozilla recommended
      # NOTE(review): everything after the last DHE-* entry (AES128-GCM-SHA256 ...
      # AES256-SHA and the bare AES alias) is static-RSA key exchange, i.e. no
      # forward secrecy; it is only there for old clients, so drop that tail if
      # you do not need them. 3DES, Camellia, RC4, MD5, export and anonymous
      # suites are already excluded by the !... entries at the end.
      ssl_ciphers EECDH+CHACHA20:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA:!DES-CBC3-SHA;
      # The server, not the client, picks the suite, so the order above is what counts.
      ssl_prefer_server_ciphers   on;
    
      ##add_header Alternate-Protocol  443:npn-spdy/3;
      # HTTP Public Key Pinning Header uncomment only one that applies include or exclude domains.
      # You'd want to include subdomains if you're using SSL wildcard certificates
      # NOTE(review): HPKP is deprecated and a wrong pin locks visitors out for
      # max-age. The pin-sha256 values below look like template examples rather
      # than this site's keys - never enable them without regenerating both pins
      # (current key + backup key) from your own certificates.
      # include subdomain
      #add_header Public-Key-Pins 'pin-sha256="uu4E8qVGDJ2q7gw+aN4gH43uPMNYnahanL7IGOATeGU="; pin-sha256="stRi+vyUfgg+PwhIlr0MJatUtZROLN5JdcSoZ/f9JVA="; max-age=86400; includeSubDomains';
      # exclude subdomains
      #add_header Public-Key-Pins 'pin-sha256="uu4E8qVGDJ2q7gw+aN4gH43uPMNYnahanL7IGOATeGU="; pin-sha256="stRi+vyUfgg+PwhIlr0MJatUtZROLN5JdcSoZ/f9JVA="; max-age=86400';
      # NOTE(review): enable HSTS only once HTTPS works end-to-end for every
      # subdomain covered by includeSubdomains; browsers will then refuse plain
      # HTTP for the whole max-age.
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      # NOTE(review): nginx add_header is only inherited by a location that sets
      # no add_header of its own. If an included location block (staticfiles.conf,
      # php.conf) adds headers, these server-level ones vanish from those responses
      # - verify per path with curl -I after enabling any of them.
      #add_header X-Frame-Options SAMEORIGIN;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;
      ##spdy_headers_comp 5;
      ssl_buffer_size 1400;
      # NOTE(review): no ssl_session_ticket_key is set, so nginx generates the
      # ticket key itself and keeps it until the next reload/restart; resumed
      # sessions are only as forward-secret as that key. Reload periodically or
      # rotate an explicit key file.
      ssl_session_tickets on;
    
      # enable ocsp stapling
      # The resolver is only used to reach the OCSP responder; the stapled
      # response is validated against ssl-trusted.crt (issuer chain) because
      # ssl_stapling_verify is on. DNS to a public resolver is plain UDP - fine
      # for OCSP, but a local caching resolver avoids the external dependency.
      resolver 8.8.8.8 8.8.4.4 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;
      ssl_trusted_certificate /usr/local/nginx/conf/ssl/domain.com/ssl-trusted.crt; 
    
      # ngx_pagespeed & ngx_pagespeed handler
      include /usr/local/nginx/conf/pagespeed.conf;
      include /usr/local/nginx/conf/pagespeedhandler.conf;
      include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      # (duplicates of the commented headers above - harmless while commented)
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always; 
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/domain.com/log/access.log combined buffer=256k flush=60m;
      error_log /home/nginx/domains/domain.com/log/error.log;
    
      root /home/nginx/domains/domain.com/public;
      # uncomment cloudflare.conf include if using cloudflare for
      # server and/or vhost site
      # NOTE(review): this include is active. If it restores the visitor IP from
      # CF-Connecting-IP via set_real_ip_from, that header is only trustworthy
      # when the origin accepts connections solely from Cloudflare's IP ranges -
      # verify the firewall, otherwise logged/rate-limited IPs can be spoofed.
      include /usr/local/nginx/conf/cloudflare.conf;
      include /usr/local/nginx/conf/503include-main.conf;
    
      # prevent access to ./directories and files
      # (.git, .env, .htaccess ...). This regex location is declared first, so it
      # wins over any regex locations in the includes below.
      # NOTE(review): it also denies /.well-known/, so an ACME HTTP-01 challenge
      # needs its own "location ^~ /.well-known/" (prefix locations with ^~ take
      # precedence over regex ones).
      location ~ (?:^|/)\. {
       deny all;
      } 
    
      location / {
      include /usr/local/nginx/conf/503include-only.conf;
    
      # block common exploits, sql injections etc
      #include /usr/local/nginx/conf/block.conf;
    
      # Enables directory listings when index file not found
      # (leave off on a public site - listings expose file names)
      #autoindex  on;
    
      # Shows file listing times as local time
      #autoindex_localtime on;
    
      # Enable for vBulletin usage WITHOUT vbSEO installed
      # More example Nginx vhost configurations at
      # http://centminmod.com/nginx_configure.html
      index index.php index.html index.htm;
      # Front-controller fallback: anything that is not a real file or directory
      # is handed to index.php with the original URI in the query string.
      try_files $uri $uri/ /index.php?$uri&$args;
    
      }
    
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/php.conf;
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
     
  12. eva2000

    eva2000 Administrator Staff Member

    If www.domain.com is the main site, then you need:
    Code (Text):
    server {
          # Port-80 listener for both hostnames; the redirect target is a fixed
          # literal, so a forged Host header cannot steer it. Switch 302 -> 301
          # once the HTTPS side is confirmed working.
          listen   80;
          server_name domain.com www.domain.com;
          return 302 https://www.domain.com$request_uri;
    }
    
    server {
      listen 443 ssl http2;
      server_name www.domain.com;
     
  13. Peih

    Peih New Member

    I just use domain.com, and I want to force www to non-www.
     
  14. eva2000

    eva2000 Administrator Staff Member

    then it's the opposite
    Code (Text):
    server {
          # Port-80 listener for both hostnames; the redirect target is a fixed
          # literal (non-www), so a forged Host header cannot steer it. Switch
          # 302 -> 301 once the HTTPS side is confirmed working.
          listen   80;
          server_name domain.com www.domain.com;
          return 302 https://domain.com$request_uri;
    }
    
    server {
      listen 443 ssl http2;
      server_name domain.com;