Question

Adding SSL to NGINX

I am not sure how to open port 443 on the server for SSL.

When I run sudo lsof -iTCP -sTCP:LISTEN -P

Here is what i get

COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME memcached 1723 memcache 26u IPv4 14967 0t0 TCP *:11211 (LISTEN) beanstalk 1736 beanstalkd 3u IPv4 14417 0t0 TCP *:11300 (LISTEN) sshd 1746 root 3u IPv4 14992 0t0 TCP *:22 (LISTEN) sshd 1746 root 4u IPv6 15001 0t0 TCP *:22 (LISTEN) redis-ser 1773 redis 4u IPv4 14989 0t0 TCP *:6379 (LISTEN) postgres 2051 postgres 6u IPv4 17225 0t0 TCP *:5432 (LISTEN) postgres 2051 postgres 7u IPv6 17226 0t0 TCP *:5432 (LISTEN) mysqld 2078 mysql 27u IPv6 17340 0t0 TCP *:3306 (LISTEN)


Submit an answer

This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Sign In or Sign Up to Answer

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Want to learn more? Join the DigitalOcean Community!

Join our DigitalOcean community of over a million developers for free! Get help and share knowledge in Q&A, subscribe to topics of interest, and get courses and tools that will help you grow as a developer and scale your project or business.

Here is my current configuration without SSL

# FORGE CONFIG (DOT NOT REMOVE!)
include forge-conf/mydomain.cm/before/*;

server {
    listen 80;
    listen [::]:80;
    server_name mydomain.cm;
    root /home/forge/mydomain.cm/public;

    # FORGE SSL (DO NOT REMOVE!)
    # ssl_certificate;
    # ssl_certificate_key;

    #ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    #ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    #ssl_prefer_server_ciphers on;
    #ssl_dhparam /etc/nginx/dhparams.pem;

    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";

    index index.html index.htm index.php;

    charset utf-8;

    # FORGE CONFIG (DOT NOT REMOVE!)
    include forge-conf/mydomain.cm/server/*;

   location / {
       try_files $uri $uri/ /index.php?$query_string;
}
    
    
    

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }

    access_log off;
    error_log  /var/log/nginx/mydomain.cm-error.log error;

    error_page 404 /index.php;

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php/php7.1-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
    }
    
    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

        fastcgi_intercept_errors off;
        fastcgi_buffer_size 16k;
        fastcgi_buffers 4 16k;
        fastcgi_connect_timeout 300;
        fastcgi_send_timeout 300;
        fastcgi_read_timeout 300;
    }
    




location ~ .(mp3)$ {
    valid_referers blocked mydomain.cm www.mydomain.cm;
    if ($invalid_referer) {
        return 403;
    }
}




## Deny certain Referers (case insensitive)
    ## The ~* makes it case insensitive as opposed to just a ~
 if ($http_referer ~* (babes|click|diamond|forsale|girl|jewelry|love|nudit|organic|poker|porn|poweroversoftware|sex|teen|video|webcam|zippo))
    {  return 403;   }
    



location ~ /\.ht {
    deny all;
}



}

# FORGE CONFIG (DOT NOT REMOVE!)
include forge-conf/mydomain.cm/after/*;

I don’t have .pem files. Is that good

here is the keys i have

 ssl_certificate /etc/nginx/ssl/mysite.com/204933/server.crt;
    ssl_certificate_key /etc/nginx/ssl/mysite.com/204933/server.key;

@kyoukhana

Since you’re running Ubuntu, unless you have ufw enabled, you won’t need to physically open the port. The configuration that I posted above is how you’d go about getting NGINX to listen on 443.

You’d need to change domain.com to your actual domain and modify the path to your SSL cert and private key file as well as set up the location blocks to fit with your application.

Beyond that, additional configuration may or may not be needed depending on the type of site that you’re trying to serve.