Home/ Questions/Q 1361

Querify Question Shop: Explore Expert Solutions and Unique Q&A Merchandise Latest Questions

Author
  • 62k
Asked: 2024-11-25T07:28:07+00:00

Self-Signed SSL: NGINX on MAC

  • 62k

Till now, we have installed Nginx and did a simple configuration to host an html file locally.

In this part we will be configuring Nginx with a self-signed certificate. We will be creating a self signed certificate using openssl and make Nginx use it for serving content over https. Let's get our hands dirty. Open our pal, Terminal and lets create a couple of folders to store our key and certificate. Fire the following commands: 

mkdir -p /usr/local/etc/ssl/private mkdir -p /usr/local/etc/ssl/certs
Enter fullscreen mode Exit fullscreen mode

Ideally you can create these folders anywhere but it's a good practice to have them at the above given path. We will now create key and certificate by running the below command: 

sudo openssl req    -x509 -nodes -days 365 -newkey rsa:2048    -keyout /usr/local/etc/ssl/private/self-signed.key    -out /usr/local/etc/ssl/certs/self-signed.crt
Enter fullscreen mode Exit fullscreen mode

Let's alter our server context from previous tutorial. The updated file is as below. 

events {  }   http {     server {         # Listen on port 80 which is the default http port         listen 80;          # Set a permanent redirection from http to https         return 301 https://localhost:443;     } }
Enter fullscreen mode Exit fullscreen mode

Add another server context inside http context with configuration and locations relating to SSL 

 server {        listen       443 ssl;         # location of ssl certificate        ssl_certificate /usr/local/etc/ssl/certs/self-signed.crt;         # location of ssl key        ssl_certificate_key /usr/local/etc/ssl/private/self-signed.key;     }
Enter fullscreen mode Exit fullscreen mode

Add location context inside the ssl server context 

location / {     root   /Users/arjav/Desktop/www;     index  index.html index.htm; }
Enter fullscreen mode Exit fullscreen mode

This is the whole configuration file: 

events {  }  http {     # HTTP server     server {         listen       80;         return 301 https://localhost:443;     }       # HTTPS server     server {        listen       443 ssl;         ssl_certificate /usr/local/etc/ssl/certs/self-signed.crt;        ssl_certificate_key /usr/local/etc/ssl/private/self-signed.key;         location / {            root   /Users/arjav/Desktop/www;            index  index.html index.htm;        }     } }
Enter fullscreen mode Exit fullscreen mode

As a last step we will need to add the self-signed certificate to the system keychain. Run the below command in your terminal. 

sudo security add-trusted-cert    -d -r trustRoot    -k /Library/Keychains/System.keychain /usr/local/etc/ssl/certs/self-signed.crt
Enter fullscreen mode Exit fullscreen mode

Voila! That's it. In your terminal verify your configuration file by running

nginx -t

and if everything looks okay reload your Nginx server by running

nginx -s reload

Visit https://127.0.0.1. You will still see a red flag or “Not secure” sign in your browser saying that your certificate is invalid, but that it's because not signed by a third-part authority. Rest assured the content is served over secure channels.

In the next chapter we will look at some advanced ssl configuration options for better security, caching and optimisation.

computersciencemacossecuritywebdev
Share

Leave an answer

You must login to add an answer.

Need An Account,