
Install SSL support on nginx

I have an Ubuntu instance on AWS which is running nginx with passenger. This has been running just fine, but when I tried to add SSL I found out that the server did not support it. The solution is to recompile nginx with the appropriate options (i.e. passenger and SSL). This may sound like too much, but it is actually relatively straightforward.

Here is what you have to do (perhaps create a new directory and do the downloading there):

Get the latest nginx. The version that I have here may no longer be the latest, so you should go to the nginx site and check.

wget http://sysoev.ru/nginx/nginx-0.8.54.tar.gz

You must uncompress the file you just downloaded.

tar -zxvf nginx-0.8.54.tar.gz

Now since you might want passenger updated you should also get the latest passenger.

sudo gem install passenger

If you run:

passenger-config --root

You will see which version you have before and after the update.

In my case there were a few libraries missing from the system which I had to install before going ahead with recompiling nginx. Perhaps your system has them already installed.

sudo apt-get install libpcre3 libpcre3-dev
sudo apt-get install libssl-dev
sudo apt-get install libgcrypt11-dev
sudo apt-get install libcurl4-openssl-dev

You are almost there. Before doing the installation you must tell make how to build nginx. So go to the directory where you uncompressed the nginx-0.8.54.tar.gz file and run:

./configure --with-http_ssl_module  --add-module=/usr/lib/ruby/gems/1.8/gems/passenger-3.0.2/ext/nginx

Finally run:

sudo make install clean

You should now have a new nginx executable at /usr/local/nginx/sbin/. There is information on how to upgrade nginx without interrupting the server (i.e. no downtime). In my case this was not an issue. In any case I did all of my experimentation on an instance which was an exact copy of my actual instance. It hardly costs anything at all to run another instance on Amazon for a few hours and it does save you from potential trouble!

Make sure that /etc/init.d/nginx is actually pointing at the correct executable. My previous installation of nginx was not in /usr/local/ (don't ask me why) and hence I had to make sure that all the relevant scripts knew where nginx was now living.

It is time to test the server. Before going ahead you need to make sure that the server can accept traffic on port 443 (you need this for SSL to work). On AWS this is straightforward. Go to the security groups menu of the EC2 console and add port 443 at the bottom of your current security group.

The next step is to fiddle with the configuration of nginx. Add a virtual host with ssl like:

server {
    server_name mysecuresubdomain.mydomain.com;
    listen 443;
    ssl on;
    ssl_certificate /usr/local/nginx/server.crt;
    ssl_certificate_key /usr/local/nginx/server.key;

    location / {
        root /var/www/mysecuresubdomain.mydomain.com/public;
    }
}

The certificates could be super-duper expensive or you can just make your own with openssl.
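Making your own certificate for the virtual host above could look like this. It is an added example, not part of the original post: the function names, the RSA 2048 key size, the 365-day lifetime and the scratch directory are assumptions, and the file names match the ssl_certificate and ssl_certificate_key lines in the server block.

```shell
#!/bin/sh
# Added example: self-signed certificate for the server block above.
# Files are written to a directory you choose; copy them to the paths
# named in ssl_certificate / ssl_certificate_key afterwards.

# make_self_signed DIR HOSTNAME [DAYS]  (hypothetical helper name)
make_self_signed() {
    dir=$1; host=$2; days=${3:-365}
    (
        umask 077   # the private key must never be group/world readable
        openssl req -x509 -newkey rsa:2048 -nodes \
            -keyout "$dir/server.key" -out "$dir/server.crt" \
            -days "$days" -subj "/CN=$host" 2>/dev/null
    ) || return 1
    chmod 600 "$dir/server.key"   # key: owner only
    chmod 644 "$dir/server.crt"   # certificate is public anyway
}

# cert_matches_key CRT KEY: succeeds only if both carry the same RSA
# modulus. A mismatched pair makes nginx refuse to start.
cert_matches_key() {
    c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 1
    k=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# cert_subject CRT: prints the subject line so you can check the hostname.
cert_subject() { openssl x509 -noout -subject -in "$1"; }

# Demo in a scratch directory (no root needed, nothing is installed).
demo_dir=$(mktemp -d)
make_self_signed "$demo_dir" mysecuresubdomain.mydomain.com &&
    cert_matches_key "$demo_dir/server.crt" "$demo_dir/server.key" &&
    echo "certificate and key match: $(cert_subject "$demo_dir/server.crt")"
rm -rf "$demo_dir"
```

The nginx master process reads the key as root at startup, so mode 600 owned by root is enough. Browsers will show a trust warning for a self-signed certificate until it is explicitly trusted on the client.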
