Topic: Configure Nginx to use SSL
Instructions for how to configure Nginx to serve your Kete instance through SSL (HTTPS).
Originally contributed by James Stradling - Katipo Communications LTD
Part of the Installation Guide
Configure Nginx to use SSL
You may want to run your Kete instance with SSL enabled. This allows you to request pages from your Kete and receive responses through a cryptographically secure protocol.
If you have private/confidential information in your Kete this is a good idea. Without SSL encryption, however unlikely, someone with access to your network/internet traffic could 'snoop' on the traffic between your computer and the Kete instance.
SSL (signed by a reputable certificate authority) is the same type of 'request snooping' protection offered by online banking and online store sites. Requests through a secure connection have an address (URL) starting with https://, rather than http://.
Requirements
In order to run your Kete instance with Nginx and SSL, you need at least the following:
a) Access to the Nginx configuration and the ability to restart the Nginx server
b) A self-signed or certificate authority (CA) signed SSL certificate, in PEM format (the latter is recommended for public facing websites)
c) Privileges to compile and install Nginx if your Nginx has not been installed with SSL support
d) An IP address where your site is the only one using HTTPS. The HTTPS protocol doesn't allow sharing an IP address with multiple virtual hosts.
If you want to force Kete to send requests that should be private (i.e. private items and administrative controls) through the secure protocol, you will also need an installed version of Kete trunk, revision r1197 or later, configured in and running through Nginx.
NB: Trunk versions of Kete are not release versions and are more likely to contain bugs. We suggest using a stable branch version (e.g. 1-0-stable) on production websites.
Installing Nginx with SSL support
If your Nginx installation does not have SSL support, you will need to install/reinstall Nginx with SSL support compiled in.
On the Mac, using MacPorts, use the following to do this:
$ sudo port deactivate nginx
$ sudo port install nginx +ssl
If you have manually compiled Nginx, you will need to recompile and reinstall with './configure --with-http_ssl_module'.
Configuration
a) Open your Nginx configuration file (nginx.conf) or v-host specific Nginx configuration file in a text editor
b) Due to a known issue, you need to comment out the following lines at the top of your Nginx configuration file (if present):
#server {
#  listen 443;
#  server_name your.website.com;
#  location / {
#    rewrite ^(.*)$ https://your.website.com$1 last;
#  }
#}
(Note that the hashes at the beginning of each line indicate the lines are commented out, and that you will need to substitute the correct domain, etc. for your website.)
c) Find your server declaration for listening on port 443. It should start something like this:
server {
  listen 443;
You may need to specify an IP address if your Nginx installation is listening on multiple IPs, like so: "listen 1.2.3.4:443;" where 1.2.3.4 is your valid IP address.
d) Add to or amend this declaration so it includes the following (note you need to substitute your correct paths, etc. into the file):
ssl on;
ssl_certificate /path/to/your/certificate.pem;
ssl_certificate_key /path/to/your/secret_key.key;
When you are done, it should look something like this:
server {
  listen 443;
  ssl on;
  ssl_certificate /path/to/your/certificate.pem;
  ssl_certificate_key /path/to/your/secret_key.key;
  [.. more configuration ..]
}
e) Restart your Nginx server
You should now have SSL support. You can test this by pointing your browser at your Kete instance, e.g. https://your_site/site/
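The following shell script is an added example, not part of the original Kete guide, covering the checks worth running before restarting Nginx: it confirms the SSL module from the "Installing Nginx with SSL support" section is compiled in, that the port 443 server block from steps c) and d) carries both certificate directives, that the files they point at are readable PEM files as requirement b) asks, and that the private key actually belongs to the certificate (a mismatch makes Nginx refuse to start). It assumes nginx and openssl are on PATH and that the main configuration file is /etc/nginx/nginx.conf unless another path is given; the function names and placeholder paths are the example's own.

```shell
#!/bin/sh
# Added example, not from the Kete guide: pre-restart sanity checks for an
# Nginx SSL setup. Assumes nginx and openssl are on PATH; every path below
# is a placeholder.

# Was the SSL module compiled in? Takes the text of `nginx -V` (which
# prints to stderr) as its argument so it can also be run on saved output.
nginx_has_ssl_module() {
    printf '%s\n' "$1" | grep -q -- '--with-http_ssl_module'
}

# Requirement (b): certificate and key must be PEM encoded, i.e. the file
# opens with a "-----BEGIN ...-----" armour line rather than raw DER bytes.
is_pem_file() {
    head -n 1 "$1" 2>/dev/null | grep -q '^-----BEGIN '
}

# Step (d): ssl_certificate_key must be the private key for ssl_certificate.
# Derive the public key from each side and compare the two PEM blobs.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Steps (c)/(d): does the config listen on 443 (optionally bound to an IP)
# and carry both certificate directives?
config_has_ssl_server() {
    grep -Eq '^[[:space:]]*listen[[:space:]]+([0-9.]+:)?443;' "$1" &&
    grep -Eq '^[[:space:]]*ssl_certificate[[:space:]]+[^[:space:]]+;' "$1" &&
    grep -Eq '^[[:space:]]*ssl_certificate_key[[:space:]]+[^[:space:]]+;' "$1"
}

# Print the path given to one directive ($2) in config file $1, first match.
# The trailing [[:space:]]+ keeps "ssl_certificate" from matching the _key line.
ssl_directive_path() {
    sed -nE "s/^[[:space:]]*$2[[:space:]]+([^;[:space:]]+);.*/\1/p" "$1" | head -n 1
}

# Run every check against a live installation and finish with `nginx -t`.
# $1 is assumed to be the main nginx.conf, since -c needs the top-level file.
run_all_checks() {
    conf="${1:-/etc/nginx/nginx.conf}"
    status=0
    if nginx_has_ssl_module "$(nginx -V 2>&1)"; then
        echo "ok   nginx built with --with-http_ssl_module"
    else
        echo "FAIL nginx lacks the SSL module; reinstall with SSL support"; status=1
    fi
    if config_has_ssl_server "$conf"; then
        echo "ok   $conf has a listen 443 block with certificate directives"
    else
        echo "FAIL $conf has no complete SSL server block"; status=1
    fi
    cert=$(ssl_directive_path "$conf" ssl_certificate)
    key=$(ssl_directive_path "$conf" ssl_certificate_key)
    for f in "$cert" "$key"; do
        if [ -n "$f" ] && [ -r "$f" ] && is_pem_file "$f"; then
            echo "ok   $f is a readable PEM file"
        else
            echo "FAIL '$f' missing, unreadable, or not PEM"; status=1
        fi
    done
    if [ -n "$cert" ] && [ -n "$key" ] && cert_matches_key "$cert" "$key"; then
        echo "ok   certificate and key match"
    else
        echo "FAIL certificate and key do not match"; status=1
    fi
    nginx -t -c "$conf" || status=1
    return $status
}

# Usage: sh ssl_checks.sh --check /etc/nginx/nginx.conf
if [ "${1-}" = "--check" ]; then
    run_all_checks "${2-}"
fi
```

Run it with --check before step e); a non-zero exit means one of the lines above begins with FAIL and the restart should wait until it is fixed. Because the config functions work on any file, you can also point them at a v-host specific include file, but leave `nginx -t` to the main configuration.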
You'll probably want to move on to turn on requiring SSL for certain sensitive areas in Kete as outlined in this topic:
Forcing Kete to use SSL for private requests