SSL install and setup ssl for my server

Peih · Mar 31, 2016

how can i do it? idk what command i can do to install and setup ssl for my server/my domain

eva2000 · Mar 31, 2016

run centmin.sh menu option 2 to add new nginx vhost and when prompted for self-signed ssl certificate and vhost creation answer yes = y as per Nginx Vhost & NSD DNS Setup - CentminMod.com LEMP Nginx web stack for CentOS

then take a note of output at end of the nginx vhost routine you get paths to your nginx http and https vhost files and web root public path etc.

Then on same page at Nginx Vhost & NSD DNS Setup - CentminMod.com LEMP Nginx web stack for CentOS read and follow instructions and links on switching from self-signed ssl to paid/browser trusted ssl certificate

Peih · Mar 31, 2016

im already have a domain/vhost. how can i add ssl to a existent domain/vhost?

eva2000 · Mar 31, 2016

then start at step 3 for switching self-signed ssl vhost to browser trusted ssl certificate

eva2000 said: ↑

Then on same page at Nginx Vhost & NSD DNS Setup - CentminMod.com LEMP Nginx web stack for CentOS read and follow instructions and links on switching from self-signed ssl to paid/browser trusted ssl certificate
Click to expand...

eva2000 · Mar 31, 2016

If you didn't answer yes to self-signed ssl certificate vhost generation at centmin.sh menu option 2 stage. Then need to follow steps outlined at Nginx - Install self signed certificate after vhost is created?

Peih · Apr 2, 2016

now there is an issue:
domain.com redirected you too many times

im using cloudflare..do i need to stop cloudflare ssl as they set default

eva2000 · Apr 2, 2016

Peih said: ↑

now there is an issue:
domain.com redirected you too many times

im using cloudflare..do i need to stop cloudflare ssl as they set default
Click to expand...

did you setup http to https rediect on both cloudflare end and on centmin mod nginx vhost end ? you only need to do it on one end not both. I'd undo nginx vhost http to https redirect and just do it from cloudflare end

Peih · Apr 2, 2016

i dont know how to set http to https on cloudflare so i think i just only set on nginx vhost.
here is my nginx vhost:

Code:

# Centmin Mod Getting Started Guide
# must read http://centminmod.com/getstarted.html
# For SPDY SSL Setup
# read http://centminmod.com/nginx_configure_https_ssl_spdy.html

# redirect from www to non-www  forced SSL
# uncomment, save file and restart Nginx to enable
# if unsure use return 302 before using return 301
server {
      listen   80;
      server_name domain.com www.domain.com;
      return 302 https://$server_name$request_uri;
}

server {
  listen 443 ssl http2;
  server_name domain.com www.domain.com;

  ssl_dhparam /usr/local/nginx/conf/ssl/domain.com/dhparam.pem;
  ssl_certificate      /usr/local/nginx/conf/ssl/domain.com/ssl-unified.crt;
  ssl_certificate_key  /usr/local/nginx/conf/ssl/domain.com/domain.com.key;
  include /usr/local/nginx/conf/ssl_include.conf;

  http2_max_field_size 16k;
  http2_max_header_size 32k;

  # mozilla recommended
  ssl_ciphers EECDH+CHACHA20:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA:!DES-CBC3-SHA;
  ssl_prefer_server_ciphers   on;

  ##add_header Alternate-Protocol  443:npn-spdy/3;
  # HTTP Public Key Pinning Header uncomment only one that applies include or exclude domains.
  # You'd want to include subdomains if you're using SSL wildcard certificates
  # include subdomain
  #add_header Public-Key-Pins 'pin-sha256="uu4E8qVGDJ2q7gw+aN4gH43uPMNYnahanL7IGOATeGU="; pin-sha256="stRi+vyUfgg+PwhIlr0MJatUtZROLN5JdcSoZ/f9JVA="; max-age=86400; includeSubDomains';
  # exclude subdomains
  #add_header Public-Key-Pins 'pin-sha256="uu4E8qVGDJ2q7gw+aN4gH43uPMNYnahanL7IGOATeGU="; pin-sha256="stRi+vyUfgg+PwhIlr0MJatUtZROLN5JdcSoZ/f9JVA="; max-age=86400';
  #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
  #add_header X-Frame-Options SAMEORIGIN;
  #add_header X-Xss-Protection "1; mode=block" always;
  #add_header X-Content-Type-Options "nosniff" always;
  ##spdy_headers_comp 5;
  ssl_buffer_size 1400;
  ssl_session_tickets on;

  # enable ocsp stapling
  resolver 8.8.8.8 8.8.4.4 valid=10m;
  resolver_timeout 10s;
  ssl_stapling on;
  ssl_stapling_verify on;
  ssl_trusted_certificate /usr/local/nginx/conf/ssl/domain.com/ssl-trusted.crt; 

  # ngx_pagespeed & ngx_pagespeed handler
  include /usr/local/nginx/conf/pagespeed.conf;
  include /usr/local/nginx/conf/pagespeedhandler.conf;
  include /usr/local/nginx/conf/pagespeedstatslog.conf;

  #add_header X-Xss-Protection "1; mode=block" always;
  #add_header X-Xss-Protection "1; mode=block" always;
  #add_header X-Content-Type-Options "nosniff" always; 

  # limit_conn limit_per_ip 16;
  # ssi  on;

  access_log /home/nginx/domains/domain.com/log/access.log combined buffer=256k flush=60m;
  error_log /home/nginx/domains/domain.com/log/error.log;

  root /home/nginx/domains/domain.com/public;
  # uncomment cloudflare.conf include if using cloudflare for
  # server and/or vhost site
  include /usr/local/nginx/conf/cloudflare.conf;
  include /usr/local/nginx/conf/503include-main.conf;

  # prevent access to ./directories and files
  location ~ (?:^|/)\. {
   deny all;
  } 

  location / {
  include /usr/local/nginx/conf/503include-only.conf;

  # block common exploits, sql injections etc
  #include /usr/local/nginx/conf/block.conf;

  # Enables directory listings when index file not found
  #autoindex  on;

  # Shows file listing times as local time
  #autoindex_localtime on;

  # Enable for vBulletin usage WITHOUT vbSEO installed
  # More example Nginx vhost configurations at
  # http://centminmod.com/nginx_configure.html
  index index.php index.html index.htm;
  try_files $uri $uri/ /index.php?$uri&$args;

  }

  include /usr/local/nginx/conf/staticfiles.conf;
  include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/drop.conf;
  #include /usr/local/nginx/conf/errorpage.conf;
  include /usr/local/nginx/conf/vts_server.conf;
}

Peih · Apr 4, 2016

should i use domain.com.conf or domain.com.ssl.conf? bcos when i disable domain.com.conf, my domain has issue "redirected you too many times".

eva2000 · Apr 4, 2016

Peih said: ↑

should i use domain.com.conf or domain.com.ssl.conf? bcos when i disable domain.com.conf, my domain has issue "redirected you too many times".
Click to expand...

depends on how you setup cloudflare and your nginx vhost

if cloudflare's origin ip site is http based you'd need a working server port 80 context then cloudflare can do it's own http to https redirect from

but if you do not have cloudflare setup for http to https redirection, you can just use domain.com.ssl.conf and follow instructions for http to https redirect and setup of port 80 server context within domain.com.ssl.conf at Nginx Vhost & NSD DNS Setup - CentminMod.com LEMP Nginx web stack for CentOS

post contents of your domain.com.ssl.conf file

Peih · Apr 4, 2016

on cloudflare:
i turned on SSL Full, HSTS OFF, always use https OFF (as default) on page rules.
And on my domain.com.ssl.conf:

Code:

# Centmin Mod Getting Started Guide
# must read http://centminmod.com/getstarted.html
# For SPDY SSL Setup
# read http://centminmod.com/nginx_configure_https_ssl_spdy.html

# redirect from www to non-www  forced SSL
# uncomment, save file and restart Nginx to enable
# if unsure use return 302 before using return 301
server {
      listen   80;
      server_name domain.com www.domain.com;
      return 302 https://$server_name$request_uri;
}

server {
  listen 443 ssl http2;
  server_name domain.com www.domain.com;

  ssl_dhparam /usr/local/nginx/conf/ssl/domain.com/dhparam.pem;
  ssl_certificate      /usr/local/nginx/conf/ssl/domain.com/ssl-unified.crt;
  ssl_certificate_key  /usr/local/nginx/conf/ssl/domain.com/domain.com.key;
  include /usr/local/nginx/conf/ssl_include.conf;

  http2_max_field_size 16k;
  http2_max_header_size 32k;

  # mozilla recommended
  ssl_ciphers EECDH+CHACHA20:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA:!DES-CBC3-SHA;
  ssl_prefer_server_ciphers   on;

  ##add_header Alternate-Protocol  443:npn-spdy/3;
  # HTTP Public Key Pinning Header uncomment only one that applies include or exclude domains.
  # You'd want to include subdomains if you're using SSL wildcard certificates
  # include subdomain
  #add_header Public-Key-Pins 'pin-sha256="uu4E8qVGDJ2q7gw+aN4gH43uPMNYnahanL7IGOATeGU="; pin-sha256="stRi+vyUfgg+PwhIlr0MJatUtZROLN5JdcSoZ/f9JVA="; max-age=86400; includeSubDomains';
  # exclude subdomains
  #add_header Public-Key-Pins 'pin-sha256="uu4E8qVGDJ2q7gw+aN4gH43uPMNYnahanL7IGOATeGU="; pin-sha256="stRi+vyUfgg+PwhIlr0MJatUtZROLN5JdcSoZ/f9JVA="; max-age=86400';
  #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
  #add_header X-Frame-Options SAMEORIGIN;
  #add_header X-Xss-Protection "1; mode=block" always;
  #add_header X-Content-Type-Options "nosniff" always;
  ##spdy_headers_comp 5;
  ssl_buffer_size 1400;
  ssl_session_tickets on;

  # enable ocsp stapling
  resolver 8.8.8.8 8.8.4.4 valid=10m;
  resolver_timeout 10s;
  ssl_stapling on;
  ssl_stapling_verify on;
  ssl_trusted_certificate /usr/local/nginx/conf/ssl/domain.com/ssl-trusted.crt; 

  # ngx_pagespeed & ngx_pagespeed handler
  include /usr/local/nginx/conf/pagespeed.conf;
  include /usr/local/nginx/conf/pagespeedhandler.conf;
  include /usr/local/nginx/conf/pagespeedstatslog.conf;

  #add_header X-Xss-Protection "1; mode=block" always;
  #add_header X-Xss-Protection "1; mode=block" always;
  #add_header X-Content-Type-Options "nosniff" always; 

  # limit_conn limit_per_ip 16;
  # ssi  on;

  access_log /home/nginx/domains/domain.com/log/access.log combined buffer=256k flush=60m;
  error_log /home/nginx/domains/domain.com/log/error.log;

  root /home/nginx/domains/domain.com/public;
  # uncomment cloudflare.conf include if using cloudflare for
  # server and/or vhost site
  include /usr/local/nginx/conf/cloudflare.conf;
  include /usr/local/nginx/conf/503include-main.conf;

  # prevent access to ./directories and files
  location ~ (?:^|/)\. {
   deny all;
  } 

  location / {
  include /usr/local/nginx/conf/503include-only.conf;

  # block common exploits, sql injections etc
  #include /usr/local/nginx/conf/block.conf;

  # Enables directory listings when index file not found
  #autoindex  on;

  # Shows file listing times as local time
  #autoindex_localtime on;

  # Enable for vBulletin usage WITHOUT vbSEO installed
  # More example Nginx vhost configurations at
  # http://centminmod.com/nginx_configure.html
  index index.php index.html index.htm;
  try_files $uri $uri/ /index.php?$uri&$args;

  }

  include /usr/local/nginx/conf/staticfiles.conf;
  include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/drop.conf;
  #include /usr/local/nginx/conf/errorpage.conf;
  include /usr/local/nginx/conf/vts_server.conf;
}

eva2000 · Apr 4, 2016

if www domain.com is main site then you need

Code (Text):

server {
      listen   80;
      server_name domain.com www.domain.com;
      return 302 https://www.domain.com$request_uri;
}

server {
  listen 443 ssl http2;
  server_name www.domain.com;

Peih · Apr 4, 2016

i just use domain.com and i wanna force to change www to non-www.

eva2000 · Apr 4, 2016

then it's the opposite

Code (Text):

server {
      listen   80;
      server_name domain.com www.domain.com;
      return 302 https://domain.com$request_uri;
}

server {
  listen 443 ssl http2;
  server_name domain.com;

Log in / Register

Forums

Welcome to Centmin Mod Community

SSL install and setup ssl for my server

Peih New Member

eva2000 Administrator Staff Member

Peih New Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

Peih New Member

eva2000 Administrator Staff Member

Peih New Member

Peih New Member

eva2000 Administrator Staff Member

Peih New Member

eva2000 Administrator Staff Member

Peih New Member

eva2000 Administrator Staff Member

.

Log in / Register

Useful Searches

Welcome to Centmin Mod Community

SSL install and setup ssl for my server

Peih New Member

eva2000 Administrator Staff Member

Peih New Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

Peih New Member

eva2000 Administrator Staff Member

Peih New Member

Peih New Member

eva2000 Administrator Staff Member

Peih New Member

eva2000 Administrator Staff Member

Peih New Member

eva2000 Administrator Staff Member

.