
Install SSL (HTTPS) for websites running Nginx, Apache and cPanel


Setting up SSL (HTTPS) for a website secures the data exchanged between the user and the server. SSL-enabled sites are also more credible to visitors, and Google has announced that sites using HTTPS get a ranking boost.


Google Chrome favours websites that use HTTPS by clearly showing users that the site is Secure. This creates real trust for the visitor. In contrast, sites without HTTPS are flagged by Google Chrome as Not Secure, and we can expect that in the future every site without HTTPS will be treated this way. So if you do not want users to trust your site, you do not need to install HTTPS.

While SSL brings many benefits to your site, installing it is also very simple: most web servers support SSL certificates. So why not switch from HTTP to HTTPS?

There are now many SSL providers such as Comodo, DigiCert, etc. There are also vendors that let you sign up for free SSL, like Let’s Encrypt, and some services offer free SSL certificates, such as CloudFlare … My site uses Comodo PositiveSSL; it is a quality certificate and the price is right for my site. In this article, I will show you how to install Comodo PositiveSSL for Nginx, Apache, and cPanel in just a few easy steps.

  1. What is SSL?
  2. Create CSR and Private Key
  3. Register SSL
  4. SSL settings
    1. General
    2. Nginx
    3. Apache
    4. cPanel
  5. Transfer HTTP to HTTPS
    • HSTS preload
  6. Epilogue

What is SSL?

SSL (Secure Sockets Layer) is a standard security technology for establishing an encrypted link between a server and a client – usually between a web server and a browser, or between a mail server and a mail client (for example, Outlook).

SSL allows sensitive information such as credit card numbers, social security numbers, and login credentials to be transmitted securely. Without it, data sent between browsers and web servers travels in plain text, leaving you vulnerable to eavesdropping: an attacker who can intercept the traffic between the browser and the web server can read and use that information.

More specifically, SSL is a security protocol. A protocol describes how algorithms are to be used; in this case, the SSL protocol defines the parameters of the encryption for both the link and the data being transmitted.

SSL only secures data in transit between server and client. It does not secure your server itself.

Create CSR and Private Key

To have an SSL certificate signed, you send a Certificate Signing Request (CSR) to the SSL certificate provider. A CSR is a block of encoded text containing information about your company and domain, together with your public key.

To create a CSR and Private Key , use the following command:

openssl req -new -newkey rsa:2048 -nodes -keyout sitecuatui.com.key -out sitecuatui.com.csr

This command uses OpenSSL to create the CSR and the Private key. Replace sitecuatui.com with your own domain name so that the files are easy to identify.

Output:

Generating a 2048 bit RSA private key
..................................+++
............................+++
writing new private key to 'sitecuatui.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:VN
string is too long, it needs to be less than  2 bytes long
Country Name (2 letter code) [AU]:VN
State or Province Name (full name) [Some-State]:N/A
Locality Name (eg, city) []:Ho Chi Minh City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg server FQDN or YOUR name) []:sitecuatui.com
Email Address []:email@sitecuatui.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

In the above results, you see that I have answered the following items:

  • Country Name: VN
  • State or Province Name: N/A
  • Locality Name: Ho Chi Minh (province or city)
  • Common Name: sitecuatui.com (your domain)
  • Email Address: email@sitecuatui.com

If you are a company, you can enter company name in  Organization Name .

What is a Common Name? The Common Name is the domain for which you want to register the SSL certificate.

  • The SSL certificate will be valid for this domain both without www and with www.
  • For a Wildcard SSL certificate, the certificate also applies to all subdomains (*.sitecuatui.com), for example shop.sitecuatui.com, forum.sitecuatui.com …

CSR code

Once you have the CSR file and the Private key, you need to send the CSR code to the SSL certificate provider. You can print the CSR code from the file sitecuatui.com.csr with the following command:

cat sitecuatui.com.csr

The output is the PEM-encoded request: a base64 block between the lines -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST-----. Copy the whole block, including those two lines.


Register SSL

Once you have the CSR code, you need to send it to the SSL certificate provider. Here, I will register Comodo PositiveSSL at Namecheap.

After purchasing, to activate the SSL certificate at Namecheap, paste the CSR code into the CSR field and continue.

Namecheap will ask you to validate your domain by email, by an HTTP-based TXT file, or by a CNAME record. The easiest way is validation by email: just click the link in the email to confirm.

Once the SSL certificate is registered and activated, the certificate and the necessary files will be sent to you by email.

SSL settings

Once you have received the SSL certificate, you can set it up in just a few easy steps. Here, I only cover SSL settings for Nginx, Apache, and cPanel. For other web servers and environments, please refer here.

There is no difference between installing SSL on CentOS, Ubuntu or any other server, as long as you know where to edit the configuration of the web server.

Previously, Comodo would send 4 files: sitecuatui_com.crt, COMODORSADomainValidationSecureServerCA.crt, COMODORSAAddTrustCA.crt and AddTrustExternalCARoot.crt. Now Comodo only sends 2 files: sitecuatui_com.crt and sitecuatui_com.ca-bundle.

If the files you received are COMODORSADomainValidationSecureServerCA.crt, COMODORSAAddTrustCA.crt, and AddTrustExternalCARoot.crt, you need to merge them into sitecuatui_com.ca-bundle with the following command (the order matters: the intermediate certificates first, the root last):

cat COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > sitecuatui_com.ca-bundle

Replace sitecuatui_com with your domain name or whatever you prefer. Now we have 2 files: sitecuatui_com.crt and sitecuatui_com.ca-bundle. Also, do not forget to move these files to an appropriate location.
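Before putting these files into the web server, it is worth checking that the private key, the certificate and the CA bundle actually belong together; a mismatched key or a missing intermediate is the most common reason browsers show a certificate error after installation. The script below is an added example (not part of the original post); it assumes the openssl command line tool is installed and uses the file names from this article:

```sh
#!/bin/sh
# Added example: sanity-check the certificate files before configuring the
# web server. Assumes the openssl command line tool is installed.
# Usage: sh check_ssl_files.sh sitecuatui_com.crt sitecuatui.com.key sitecuatui_com.ca-bundle

# Returns 0 when the private key belongs to the certificate: both must
# produce the same PEM public key.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Returns 0 when the CA bundle (intermediates plus root) builds a valid chain
# for the certificate. A failure here usually means a missing or mis-ordered
# intermediate, which browsers report as an untrusted certificate.
chain_verifies() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Writes the combined file Nginx expects in ssl_certificate: the server
# certificate first, then the bundle. A newline is inserted in between in
# case the .crt file has no trailing newline, which would corrupt the PEM.
make_fullchain() {
    { cat "$1"; echo; cat "$2"; } | sed '/^$/d' > "$3"
}

# Prints the subject and expiry of the certificate so you can confirm the
# Common Name matches the domain entered in the CSR.
describe_cert() {
    openssl x509 -in "$1" -noout -subject -enddate
}

if [ $# -eq 3 ]; then
    key_matches_cert "$1" "$2" && echo "key matches certificate" || echo "KEY DOES NOT MATCH CERTIFICATE"
    chain_verifies "$1" "$3" && echo "chain verifies" || echo "CHAIN DOES NOT VERIFY"
    describe_cert "$1"
    make_fullchain "$1" "$3" "${1%.crt}_fullchain.crt" && echo "wrote ${1%.crt}_fullchain.crt"
fi
```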

General

To get the best configuration for your case, I recommend you use the Mozilla SSL Configuration Generator. It supports SSL configuration for many types of web servers, versions of OpenSSL and many other configurations.

Some general concepts:

  • Modern, Intermediate and Old: this profile determines which versions of operating systems and browsers will be supported.
  • Server Version : the version of the web server, for example Nginx, Apache, Lighttpd, HAProxy or AWS ELB …
  • OpenSSL Version : the version of OpenSSL. If you are using LibreSSL, you should probably choose the latest version.
  • HSTS Enabled : the browser will only connect to your site over HTTPS for the specified time; the default is 6 months.


Nginx

Here is the SSL configuration for Nginx.

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
    ssl_certificate /path/to/signed_cert_plus_intermediates;
    ssl_certificate_key /path/to/private_key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    ssl_dhparam /path/to/dhparam.pem;

    # intermediate configuration. tweak to your needs.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    ssl_prefer_server_ciphers on;

    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    add_header Strict-Transport-Security max-age=15768000;

    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;

    # verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;

    resolver <IP DNS resolver>;

    ....
}

Some values need to be changed to fit your situation:

  • ssl_certificate : path to the certificate file. For Nginx, you need to merge the 2 files sitecuatui_com.crt and sitecuatui_com.ca-bundle into a single file, with the certificate first. You can use the following command:
    cat sitecuatui_com.crt sitecuatui_com.ca-bundle > sitecuatui_com_new.crt
  • ssl_certificate_key : the path to the Private key, which is the file sitecuatui.com.key that you created in the first step.
  • ssl_dhparam : specifies a file with the DH parameters for the DHE ciphers. Generate it with the following command:
    openssl dhparam -out /path/to/dhparam.pem 2048

    /path/to/dhparam.pem is the path where you want to save the file.

  • ssl_trusted_certificate : path to a file containing the Root CA and Intermediate certificates merged together. For Comodo, you can download this file using the following command:
    wget https://gist.githubusercontent.com/sergejmueller/4b53e4c810f61aca391a/raw/f175a094122b91fdda8523a90ca6dc057d70b9f1/comodo.pem
  • resolver : the DNS resolver Nginx uses to look up the OCSP responder. For example: resolver 8.8.4.4 8.8.8.8;
  • ssl_protocols : the intermediate profile shown here still allows TLSv1 and TLSv1.1, which have since been deprecated; generate a fresh configuration from the Mozilla SSL Configuration Generator to get the currently recommended protocols and ciphers.

Apache

Here is the SSL configuration for Apache. You need to open Apache’s Virtual Host configuration file to add and edit.

<VirtualHost *:443>
    ...
    SSLEngine on
    SSLCertificateFile /path/to/signed_certificate_followed_by_intermediate_certs
    SSLCertificateKeyFile /path/to/private/key

    # Uncomment the following directive when using client certificate authentication
    #SSLCACertificateFile /path/to/ca_certs_for_client_authentication

    # HSTS (mod_headers is required) (15768000 seconds = 6 months)
    Header always set Strict-Transport-Security "max-age=15768000"
    ...
</VirtualHost>

# intermediate configuration, tweak to your needs
SSLProtocol all -SSLv3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off

# OCSP Stapling, only in httpd 2.3.3 and later
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/var/run/ocsp(128000)

Some values need to be changed to fit your situation:

  • SSLCertificateFile : path to the certificate file, here it is sitecuatui_com.crt.
  • SSLCertificateKeyFile : the path to the Private key, here it is the file sitecuatui.com.key that you created in the first step.
  • SSLCACertificateFile : remove the # in front of the directive to enable it. This is the path to the file sitecuatui_com.ca-bundle. Note that, as the comment in the configuration says, SSLCACertificateFile is meant for client certificate authentication; to send the intermediate certificates to browsers, use SSLCertificateChainFile (Apache older than 2.4.8) or append sitecuatui_com.ca-bundle to the file given in SSLCertificateFile (Apache 2.4.8 and later), as the path name signed_certificate_followed_by_intermediate_certs suggests.

cPanel

Installing SSL in cPanel is very simple and takes just a few steps:

  1. Sign in to cPanel.
  2. Go to SSL/TLS Manager or SSL/TLS. Select Manage SSL Sites in the next section.
  3. Under Domain, select the domain for which you want to install SSL.
  4. Use Notepad++ to open the corresponding files and paste their contents into the following fields:

    • Certificate: (CRT) : sitecuatui_com.crt
    • Private Key (KEY) : sitecuatui.com.key
    • Certificate Authority Bundle: (CABUNDLE) : sitecuatui_com.ca-bundle
  5. Click Install Certificate to install SSL.
  6. The SSL certificate has been installed successfully if you receive the message SSL Host Successfully Installed.

Transfer HTTP to HTTPS

For the site to always use HTTPS, you need to configure your web server to redirect automatically from HTTP to HTTPS. This can be done simply as below.

For Nginx, open nginx.conf and add or revise the following:

server {
	listen 80 default_server;
	listen [::]:80 default_server;
	server_name _;
	return 301 https://$host$request_uri;
}

The above code applies to all sites on the server. If you only want to apply it to one or more specific sites, use the following code instead:

server {
	listen 80;
	listen [::]:80;
	server_name domain1.com www.domain1.com domain2.com www.domain2.com;
	return 301 https://$host$request_uri;
}

For Apache, open the file .htaccess and add the following code:

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

The [R] flag sends a temporary (302) redirect; use [R=301,L] if you want a permanent redirect like the Nginx example above.

To enable HTTPS for WordPress, you need to change the site URL from http to https in the settings. Also, do not forget to add the HTTPS version of the site to Google Search Console.

HSTS preload

What is HSTS? HSTS (HTTP Strict Transport Security) is a web security policy mechanism that helps protect websites against protocol downgrade attacks and cookie hijacking. It allows web servers to declare that web browsers (or other compliant user agents) should only interact with them over secure HTTPS connections, and never over insecure HTTP.

What is HSTS preload? The HSTS preload list is a list of sites, maintained by Chrome, that are only ever accessed over HTTPS. Most other browsers also use a list based on Chrome's. When you submit your domain to this list, browsers will force HTTPS for the site from the very first visit, before any HSTS header has been seen.

Submit your domain to the HSTS preload list here .
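The configurations above send max-age=15768000 (6 months), which the preload list does not accept: hstspreload.org requires a max-age of at least one year together with the includeSubDomains and preload directives. The script below is an added example (not part of the original post) that checks a header value against those requirements; the header values it runs on are constructed:

```sh
#!/bin/sh
# Added example: check a Strict-Transport-Security header value against the
# hstspreload.org submission requirements. The header values at the bottom
# are constructed; the thresholds are those published by the preload list.

ONE_YEAR=31536000   # preload requires max-age of at least one year

# Prints one problem per line and returns 1 if the header does not qualify;
# returns 0 (prints nothing) when it does. Directive names are compared
# case-insensitively and quotes/spaces are ignored, as browsers do.
hsts_preload_problems() {
    hdr=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | tr -d ' "')
    status=0
    max_age=$(printf '%s\n' "$hdr" | tr ';' '\n' \
        | sed -n 's/^max-age=\([0-9][0-9]*\)$/\1/p' | head -n 1)
    if [ -z "$max_age" ]; then
        echo "max-age directive is missing or not a number"; status=1
    elif [ "$max_age" -lt "$ONE_YEAR" ]; then
        echo "max-age=$max_age is below one year ($ONE_YEAR seconds)"; status=1
    fi
    case ";$hdr;" in
        *";includesubdomains;"*) ;;
        *) echo "includeSubDomains directive is missing"; status=1 ;;
    esac
    case ";$hdr;" in
        *";preload;"*) ;;
        *) echo "preload directive is missing"; status=1 ;;
    esac
    return $status
}

# The header used in the Nginx and Apache configurations above, and one that
# satisfies the preload requirements.
for value in "max-age=15768000" "max-age=31536000; includeSubDomains; preload"; do
    echo "== $value"
    hsts_preload_problems "$value" && echo "qualifies for preload"
done
```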

Epilogue

Setting up SSL for a website has many benefits: security, better rankings, and user trust. Although SSL brings many benefits, it can also make the site slower, so test it for your own case. For me, SSL makes my site better.

Once SSL is installed successfully, you can test it at the SSL Server Test.
