Configure HTTPS Nginx

by John Vincent


Posted on March 01, 2017



This is part of a series of discussions regarding Deploying to a Digital Ocean Droplet. For more details, please see Overview of johnvincent.io website

Configure Nginx for SSL

Stop Nginx:

sudo systemctl stop nginx

Now configure each domain and subdomain:

Configure johnvincent.io

sudo vi /etc/nginx/sites-available/https/johnvincent.io
server {
    listen 80;
    listen [::]:80;
    server_name johnvincent.io www.johnvincent.io;
    return 301 https://www.johnvincent.io$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    include snippets/ssl-johnvincent.io.conf;
    include snippets/ssl-params.conf;

    server_name johnvincent.io;
    return 301 https://www.johnvincent.io$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    include snippets/ssl-johnvincent.io.conf;
    include snippets/ssl-params.conf;
    include h5bp/basic.conf;

    root /var/www/johnvincent.io/html;

    index index.html;

    server_name www.johnvincent.io;

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
    }
    # Escape the dot so the regex matches the literal ACME path, not "/?well-known".
    location ~ /\.well-known {
         allow all;
    }
    location = /analytics.js {
        proxy_pass https://www.google-analytics.com;
        expires 31536000s;
        proxy_set_header Pragma "public";
        proxy_set_header Cache-Control "max-age=31536000, public";
    }
    location = /feed.xml {
        types        { }
        default_type "application/rss+xml";
    }
    location /junk {
        try_files $uri =503;
    }
}

Configure test.com

sudo vi /etc/nginx/sites-available/https/test.com
server {
    listen 80;
    listen [::]:80;
    server_name test.johnvincent.io www.test.johnvincent.io;
    return 301 https://www.test.johnvincent.io$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    include snippets/ssl-test-johnvincent.io.conf;
    include snippets/ssl-params.conf;

    server_name test.johnvincent.io;
    return 301 https://www.test.johnvincent.io$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    include snippets/ssl-test-johnvincent.io.conf;
    include snippets/ssl-params.conf;
    include h5bp/basic.conf;

    root /var/www/test.com/html;

    index index.html;

    server_name www.test.johnvincent.io;

    location / {
        try_files $uri $uri/ =404;
    }
    location ~ /\.well-known {
         allow all;
    }
}

Configure Ghost

sudo vi /etc/nginx/sites-available/https/ghost
server {
    listen 80;
    listen [::]:80;
    server_name ghost.johnvincent.io www.ghost.johnvincent.io;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    include snippets/ssl-ghost-johnvincent.io.conf;
    include snippets/ssl-params.conf;
#
# this will break ghost.
#       include h5bp/basic.conf;
#
    location / {
        proxy_set_header   X-Real-IP $remote_addr;
        proxy_set_header   Host      $http_host;
        proxy_pass         http://127.0.0.1:2368;
    }
}

Configure linkedin

sudo vi /etc/nginx/sites-available/https/linkedin
server {
    listen 80;
    listen [::]:80;
    server_name linkedin.johnvincent.io www.linkedin.johnvincent.io;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    include snippets/ssl-linkedin-johnvincent.io.conf;
    include snippets/ssl-params.conf;

    server_name linkedin.johnvincent.io www.linkedin.johnvincent.io;
    return 301 https://www.linkedin.com/in/johnvincentio/;
}

Enable Server Blocks

Use symlinks, because Nginx loads every file found in /etc/nginx/sites-enabled.

cd /etc/nginx/sites-enabled/
sudo rm *
sudo ln -s /etc/nginx/sites-available/https/johnvincent.io /etc/nginx/sites-enabled/johnvincent.io

sudo ln -s /etc/nginx/sites-available/https/test.com /etc/nginx/sites-enabled/test.com

sudo ln -s /etc/nginx/sites-available/https/ghost /etc/nginx/sites-enabled/ghost

sudo ln -s /etc/nginx/sites-available/https/linkedin /etc/nginx/sites-enabled/linkedin

Restart Server

sudo nginx -t
sudo systemctl restart nginx

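Because nginx -t only checks syntax, here is an added example (my own Python, not the post's code) that walks the server blocks and flags any port-80 block that serves content instead of redirecting to https, and any port-443 block whose listen lacks ssl or that skips the shared snippets/ssl-params.conf. The config inside it is constructed and the example.test names are placeholders.

```python
import re
# Constructed sample, not the post's own files: two good blocks, then two bad ones.
SAMPLE = """
server {
    listen 80;
    server_name example.test;
    return 301 https://www.example.test$request_uri;
}
server {
    listen 443 ssl http2;
    include snippets/ssl-example.test.conf;
    include snippets/ssl-params.conf;
    server_name www.example.test;
    location / { try_files $uri $uri/ =404; }
}
server {
    listen 80;
    server_name old.example.test;
    root /var/www/old/html;  # served in the clear, never redirected to https
}
server {
    listen 443 http2;  # no 'ssl' and no shared hardening snippet
    include snippets/ssl-old.example.test.conf;
    server_name www.old.example.test;
}
"""

def parse_servers(text):
    """Top-level directives of every server{} block; nested blocks are dropped."""
    text, servers = re.sub(r"#[^\n]*", "", text), []
    pat = re.compile(r"([^{};]*)\{([^{}]*)\}")  # innermost brace block plus its header
    while m := pat.search(text):
        if m.group(1).strip() == "server":
            servers.append([" ".join(s.split()) for s in m.group(2).split(";") if s.strip()])
        text = text[:m.start()] + text[m.end():]
    return servers

def check_policy(text):
    """Return [(server_name, problem)] for blocks that break the pattern used above."""
    out = []
    for d in parse_servers(text):
        name = next((x.split(None, 1)[1] for x in d if x.startswith("server_name ")), "?")
        ports = {x.split()[1].rsplit(":", 1)[-1]: x for x in d if x.startswith("listen ")}
        if "80" in ports and not any(x.startswith("return 301 https://") for x in d):
            out.append((name, "port 80 block does not redirect to https"))
        if "443" in ports and " ssl" not in ports["443"]:
            out.append((name, "port 443 listener lacks ssl"))
        if "443" in ports and "include snippets/ssl-params.conf" not in d:
            out.append((name, "port 443 block skips snippets/ssl-params.conf"))
    return out
```

Run it against the real files with check_policy(open("/etc/nginx/sites-available/https/johnvincent.io").read()) before restarting; an empty list means every block follows the redirect-then-TLS pattern.
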
Test from a browser, now over port 443. All of the following should be working:

https://www.johnvincent.io
https://johnvincent.io

https://www.test.johnvincent.io
https://test.johnvincent.io

https://www.ghost.johnvincent.io
https://ghost.johnvincent.io

https://www.linkedin.johnvincent.io
https://linkedin.johnvincent.io

Test SSL Certificates

Ensure all scores are A+:

https://www.ssllabs.com/ssltest/analyze.html?d=johnvincent.io
https://www.ssllabs.com/ssltest/analyze.html?d=test.johnvincent.io
https://www.ssllabs.com/ssltest/analyze.html?d=ghost.johnvincent.io
https://www.ssllabs.com/ssltest/analyze.html?d=linkedin.johnvincent.io