Setup https and http on wordpress nginx

0

[root@serv01 nginx]# cat nginx.conf
# For more information on configuration, see:
#   * Official English Documentation: http://nginx.org/en/docs/
#   * Official Russian Documentation: http://nginx.org/ru/docs/

user  nginx;
worker_processes  1;

error_log  /var/log/nginx/error.log;
#error_log  /var/log/nginx/error.log  notice;
#error_log  /var/log/nginx/error.log  info;

pid        /run/nginx.pid;

events {
    worker_connections  1024;
}

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;

    index   index.php index.html index.htm;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;

    server {
        listen       80 default_server;
        server_name  localhost;
        root         /var/www/wordpress;

        #charset koi8-r;

        #access_log  /var/log/nginx/host.access.log  main;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
            try_files $uri $uri/ =404;
        }     

        # redirect server error pages to the static page /40x.html
        #
        error_page  404              /404.html;
        location = /40x.html {
        }

        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
        }
        location ~ \.php$ {
            try_files $uri =404;
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
        }
    }

    server {
        listen 443;
        server_name home.local;
        ssl on;
        ssl_certificate /etc/nginx/ssl/server.crt;
        ssl_certificate_key /etc/nginx/ssl/server.key;
        root /var/www/wordpress;
        index index.php index.htm index.html
    }
}

i am trying to use https for my wordpress, http works fine but when I try to add the httpd server block, nginx will not start, I am guessing its in the wrong spot. Any help would be greatly appreciated.

user3594093

Posted 2015-04-30T08:25:26.213

Reputation: 1

Do you have appropriate certificate and key? – Romeo Ninov – 2015-04-30T08:46:42.877

What error messages does nginx give? (check the log files) Also you might be missing a semicolon at the end of the index line in the https part. – wurtel – 2015-04-30T08:47:12.463

Answers

1

Not sure it's a good thing to answer this probably "dead and buried" question but here we go...

Basic configuration (i.e. meh security)

  1. Generate your private key (>= 2048bit) and your certificate. I assume you have them already, otherwise have a look at letsencrypt.org. Make sure your certificate includes the full certificate chain (usually intermediate/entity certificates). Regarding Diffie-Hellman parameters, you can generate them by running openssl dhparam -out /path/to/dhparam.pem 2048.

  2. Set your SSL settings in accordance to Mozilla SSL config generator (intermediate settings, as of 2016-06-30):

    server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name localhost;
    root /var/www/wordpress;

    ### SSL/TLS SETTINGS ###
    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
    ssl_certificate /path/to/signed_cert_plus_intermediates;
    ssl_certificate_key /path/to/private_key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    ssl_dhparam /path/to/dhparam.pem;

    # intermediate configuration. tweak to your needs.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    ssl_prefer_server_ciphers on;


    ### OCSP Stapling ###
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;

    # verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;

    resolver <IP DNS resolver>;

    include /etc/nginx/default.d/*.conf;

    location / {
        try_files $uri $uri/ =404;
    }

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Advanced configuration (i.e. come at me, NSA ! (well no, but...))

Take the Basic configuration above and tweak it as follow:

  1. Select (at least) 3072bit when you generate your certificate and your Diffie-Hellman parameters (yes, it will take a while but it's worth it).
  2. Use TLS1.2 only: ssl_protocols TLSv1.2;
  3. Use a safe curve: ssl_ecdh_curve secp384r1;
  4. Use "modern" cipher suites (as of 2016-06-30): ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';

  5. Enforce HTTPS for everyone:

    • Rewrite your "HTTP" server block as follow:

      server {
    listen 80;
    listen [::]:80;
    server_name mySuperServer;
    return 301 https://$server_name$request_uri;
}

    • Use a HSTS header to force your visitor's navigator to use HTTPS exclusively: add_header Strict-Transport-Security 'max-age=31536000; includeSubdomains; preload';

  6. You server can also protect your website (to some extend) by setting up those headers:

    add_header X-Frame-Options DENY;
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options nosniff;
add_header Content-Security-Policy "default-src 'none';
  7. General best practice here: Never use root to modify your files. Use sudo instead.

Bonus

  1. If your server is running nginx > 1.9.5, you can use HTTP/2 by adding http2 in your listen directive.
  2. Your server got an IPv6 address (and supports HTTP/2) ? Good ! Add listen [::]:443 ssl http2; below the first listen directive.
  3. Do you plan to use your server for several domains ? You should set the access_log and error_log for each server block then.
  4. Copy/pasting is rarely arousing... You can move the ### SSL/TLS SETTINGS ### block in a text file and include it in your configuration. Same for your CGI call to PHP.
  5. You can speed up the communications between nginx and your PHP interpreter a bit by using a UNIX socket instead of listening to you loopback interface: fastcgi_pass unix:/var/run/php5-fpm.sock;.

As a result, your server block should look something like this:

#HTTP server
server {
    listen 80;
    listen [::]:80;
    server_name mySuperServer;
    return 301 https://$server_name$request_uri;
}

# HTTPS server
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2;
    server_name mySuperServer;

    index index.php index.html index.htm;
    root /path/to/your/files/mySuperServer;

    access_log /var/log/nginx/mySuperServer/access.log;
    error_log /var/log/nginx/mySuperServer/error.log;

    ### SSL/TLS SETTINGS ###
    ssl on;
    ssl_certificate /path/to/your/cert.pem;
    ssl_certificate_key /path/to/your/privkey.pem;
    ssl_dhparam /path/to/your/dh_parameters.pem;

    include securityrules.inc;

    include fastcgi.inc;
}

Content of securityrules.inc:

ssl_protocols TLSv1.2;
ssl_ecdh_curve secp384r1;
ssl_prefer_server_ciphers on;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;

###  HTTP HEADERS ###
add_header Strict-Transport-Security 'max-age=31536000; includeSubdomains; preload';
add_header X-Frame-Options DENY;
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options nosniff;
add_header Content-Security-Policy "default-src 'none';

Content of fastcgi.inc:

location ~ \.php$ {
    include                 fastcgi_params;
    fastcgi_keep_conn       on;
    fastcgi_pass            unix:/var/run/php5-fpm.sock;
    fastcgi_index           index.php;
    fastcgi_param           SCRIPT_FILENAME $document_root$fastcgi_script_name;
}

Florent_ATo

Posted 2015-04-30T08:25:26.213

Reputation: 171

I'll add more links once I got the necessary amount of reputation... – Florent_ATo – 2016-06-30T17:29:24.780

Asked: 2015-04-30T08:25:26.213

Viewed: 158 times

Active: 2016-06-30T17:33:16.440