Using SSL with Nginx and Node

udaiveer singh
Published in Code Wave
5 min read · Jan 25, 2016

If you are about to build a website that takes any sensitive information from the user, you should install an SSL certificate on your server.

I recently moved my root domain and all subdomains to HTTPS, including chat.q-app.io. Although these are just portfolio apps, my chat application does require a login, hence the SSL.

I advocate that if you are starting a project, get SSL first and then start working on the project. Turning an HTTP website into a completely HTTPS one after you are finished can be a huge nightmare... just ask the guys over at Stack Overflow.

We’re not ignoring the request for enhanced security and privacy while using our network, it’s just not as simple as many people seem to think it is at first glance — not when you’re dealing with our domain variety. We’ll be working on it over the next 6–8 weeks. — Nick Craver Software Developer and Systems Administrator for Stack Exchange

That blog post was written in 2013... hmmm, seems like enough time to transition to HTTPS?

**me going to Stack Overflow**

Yup, still no HTTPS, but to their credit they did route all logins through HTTPS, which is the most important part.

Now that we have the motivation to switch to HTTPS, let's go through what the process looks like.

1 ) Buy a certificate (many kinds, many prices)

I bought a PositiveSSL Wildcard Certificate from Namecheap. This was the cheapest legitimate SSL cert I could find. But if you are taking payments, you should not skimp on the cert: a more expensive Extended Validation cert gets you the green URL bar. It does not get you stronger encryption, though; the key you generate and the cipher suites your server offers decide that, and the price difference pays for the CA's vetting procedures and reputation.

After watching Whitfield Diffie and Moxie Marlinspike talk about SSL on YouTube, I concluded that Comodo == bad, but I still bought my cert from Comodo because it was the cheapest...

Cheap certificate: ~$90–$100/year
Expensive certificate: $300–$500/year

2 ) Create a CSR (Certificate Signing Request): done on your server, which is also where the private key is generated and stays

3 ) Send the CSR to the Certificate Authority (CA)

You should have your CSR from the previous step; it looks something like the sample below. Irrelevant fact: a CSR is PEM, i.e. Base64 encoded between BEGIN/END lines, so it is copy-paste safe...

Sample CSR request

4 ) Prove to the CA that you actually control the domain (a few options)

I got two options: upload a file at a specific path on my server, or create a CNAME record. I suggest CNAME verification, because with the text file you have to upload one for each subdomain, which gets tedious after a while.

My Zone file looks like this.

Gandi.net Zone file q-app.io

Once you update your zone file and the CA confirms you control the domain, you will get an email with the signed certificate. You can also download it from Namecheap after the CA has verified your CSR.

5 ) Get your signed certificate & format it

Your certificate is public information and is sent to every client during the TLS handshake; only the private key is secret. You now have to format it and install it on your server.

The main command is

cat www_yourdomain_com.crt www_yourdomain_com.ca-bundle > ssl-bundle.crt

Order matters: your own certificate first, then the CA bundle (the intermediate certificates), because nginx treats the first certificate in the file as the server certificate and sends the rest as the chain.

Copy this bundle, and the private key from step 2, somewhere on your server where you can find them. The key should be readable only by root; the bundle is public.
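The following script is an added example, not the author's commands: it does the key-and-CSR part of step 2 (a wildcard CSR with a Subject Alternative Name for both *.q-apps.io and the bare domain, which is what the CA's form expects you to paste) and the bundle-and-check part of step 5. The domain q-apps.io is taken from the post's nginx config; WORKDIR and the throwaway "test CA" are assumptions so the script runs offline. With a real CA you would skip sign_with_test_ca and drop in the .crt and .ca-bundle you downloaded from Namecheap.

```shell
#!/bin/sh
# Added example (not the post's own commands). Assumptions: WORKDIR, the local
# test CA that stands in for Comodo, and the file names derived from the domain.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Step 2: the private key never leaves the server; only the CSR goes to the CA.
# A wildcard cert needs CN=*.domain plus SANs for *.domain and the bare domain.
make_csr() {
    domain="$1"
    cat > "$WORKDIR/$domain.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = *.$domain
[ext]
subjectAltName = DNS:*.$domain, DNS:$domain
EOF
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORKDIR/$domain.key" -out "$WORKDIR/$domain.csr" \
        -config "$WORKDIR/$domain.cnf" >/dev/null 2>&1
    chmod 600 "$WORKDIR/$domain.key"   # the key is the secret; the CSR is not
}

# Does the CSR ask for the given name? (Check before pasting it into the CA's form.)
csr_covers() {
    openssl req -in "$WORKDIR/$1.csr" -noout -text | grep -qF "DNS:$2"
}

# Stand-in for the real CA (assumption, offline only): a throwaway root signs the
# CSR. Its certificate plays the role of www_yourdomain_com.ca-bundle.
sign_with_test_ca() {
    domain="$1"
    cat > "$WORKDIR/ca.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Local test CA (not trusted by any browser)
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" \
        -config "$WORKDIR/ca.cnf" >/dev/null 2>&1
    openssl x509 -req -in "$WORKDIR/$domain.csr" -days 1 -set_serial 1 \
        -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" \
        -extfile "$WORKDIR/$domain.cnf" -extensions ext \
        -out "$WORKDIR/$domain.crt" >/dev/null 2>&1
    cp "$WORKDIR/ca.crt" "$WORKDIR/$domain.ca-bundle"
}

# Step 5: leaf FIRST, then the CA bundle, same order as the post's cat command.
bundle_cert() {
    cat "$WORKDIR/$1.crt" "$WORKDIR/$1.ca-bundle" > "$WORKDIR/ssl-bundle.crt"
}

# Sanity checks before pointing nginx at the files:
#  1. the first cert in the bundle belongs to the private key (same public key)
#  2. the leaf chains to the CA (with a real CA: -untrusted ca-bundle + system roots)
#  3. the cert actually covers the host you are about to serve
check_bundle() {
    domain="$1"; host="$2"
    key_pub=$(openssl pkey -in "$WORKDIR/$domain.key" -pubout 2>/dev/null)
    crt_pub=$(openssl x509 -in "$WORKDIR/ssl-bundle.crt" -noout -pubkey)
    [ "$key_pub" = "$crt_pub" ] || { echo "key does not match first cert in bundle"; return 1; }
    openssl verify -CAfile "$WORKDIR/$domain.ca-bundle" "$WORKDIR/$domain.crt" >/dev/null 2>&1 \
        || { echo "chain does not verify"; return 1; }
    openssl x509 -in "$WORKDIR/ssl-bundle.crt" -noout -checkhost "$host" \
        | grep -q "does match" || { echo "cert does not cover $host"; return 1; }
}

# Run the whole flow for the post's domain.
demo() {
    make_csr "$1"
    sign_with_test_ca "$1"
    bundle_cert "$1"
    check_bundle "$1" "chat.$1" && echo "ok: $WORKDIR/ssl-bundle.crt covers chat.$1"
}

demo "${1:-q-apps.io}"
```

The check_bundle step is the one worth keeping around: a bundle with the intermediate pasted before the leaf, or a key that belongs to last year's CSR, fails here instead of at nginx start-up or in the browser.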

6 ) Get the cert on your server and configure it with the reverse proxy

Here is what my configuration looks like. Fiddle around until you get one that fits your project. Not everything has to go through SSL: TLS terminates at nginx, which then talks plain HTTP to wherever your Node server is running. That plain-HTTP hop is unencrypted, so keep it on localhost or a private network.

server {
    # redirect all port 80 traffic to 443 (ssl)
    listen 80;
    server_name *.q-apps.io q-apps.io;
    # $request_uri already includes the query string, so appending
    # $is_args$args would send it twice
    return 301 https://$host$request_uri;
}

# chat.q-apps.io
server {
    listen 443 ssl;
    server_name chat.q-apps.io;
    # required for "listen 443 ssl": the bundle from step 5 and the key from
    # step 2 (paths and key file name are assumptions; the post does not show
    # them). Declare them once in the http {} block instead if you prefer.
    ssl_certificate /etc/nginx/ssl/ssl-bundle.crt;
    ssl_certificate_key /etc/nginx/ssl/q-apps.io.key;
    # socket.io needs the WebSocket upgrade headers passed through to Node
    location /socket.io {
        proxy_pass http://localhost:8XXNOTSHOWS;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';   # straight quotes; curly quotes end up in the header value
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
    location / {
        proxy_pass http://localhost:8XXNOTSHOWS;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}
# end

# compiler.q-apps.io
server {
    listen 443 ssl;
    server_name compiler.q-apps.io;
    ssl_certificate /etc/nginx/ssl/ssl-bundle.crt;      # same wildcard cert (assumed path)
    ssl_certificate_key /etc/nginx/ssl/q-apps.io.key;
    location / {
        proxy_pass http://localhost:8XXNOTSHOWS;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}
# end

# q-apps.io
server {
    listen 443 ssl;
    server_name q-apps.io www.q-apps.io;
    ssl_certificate /etc/nginx/ssl/ssl-bundle.crt;      # same wildcard cert (assumed path)
    ssl_certificate_key /etc/nginx/ssl/q-apps.io.key;
    location / {
        proxy_pass http://localhost:8XXNOTSHOWS;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}
# end

7 ) Test your SSL > SSLChecker

If you get a C, D or F, change your nginx settings until you have at least a B. The grade reflects which protocol versions and cipher suites you offer, the key size, whether the certificate chain is complete, and whether the server is open to known attacks (SSLv3 and POODLE, RC4, insecure renegotiation and the like). If you are taking payments, make sure your TLS setup is not open to any of them.
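The server blocks above leave every TLS setting at the nginx defaults, and those defaults are what the checker grades. The config below is an added example, not the author's: it shows the http-level settings that move the grade, plus one of the post's server blocks rewritten to use them. The certificate paths, the key file name and the ca-bundle file name are assumptions; q-apps.io and the port placeholder come from the post.

```nginx
# Added example (not the post's config). Lives in the http {} context so every
# "listen 443 ssl" server block inherits it. Paths and file names are assumed.

# Send "Connection: upgrade" only when the client asked for a WebSocket upgrade
# (socket.io) and "close" otherwise, instead of on every proxied request.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

ssl_certificate     /etc/nginx/ssl/ssl-bundle.crt;   # leaf first, then ca-bundle (step 5)
ssl_certificate_key /etc/nginx/ssl/q-apps.io.key;    # root-owned, mode 0600

# Protocols and ciphers decide most of the grade: no SSLv3/TLS 1.0, no RC4 or
# 3DES, the server picks the suite, and only forward-secret ECDHE suites.
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;

# Session resumption so repeat visitors skip the full handshake.
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1d;
ssl_session_tickets off;   # nginx never rotates the ticket key, which undermines forward secrecy

# OCSP stapling: nginx fetches the CA's "not revoked" answer and staples it to
# the handshake, so clients do not have to contact the CA themselves.
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/ssl/www_yourdomain_com.ca-bundle;   # intermediates + root
resolver 8.8.8.8 valid=300s;

# Once every subdomain really serves https, tell browsers never to try http
# again; the 301 redirect alone still lets the very first request go out in clear.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

# One of the post's server blocks using the map above, plus the headers the
# Node app needs to know it sits behind TLS (express "trust proxy", logs).
server {
    listen 443 ssl;
    server_name chat.q-apps.io;

    location / {
        proxy_pass http://localhost:8XXNOTSHOWS;   # placeholder kept from the post
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_cache_bypass $http_upgrade;
    }
}
```

Run `nginx -t` before `nginx -s reload`, then re-run the checker. If you must still serve old clients that cannot do TLS 1.2, add the older versions back to ssl_protocols and accept the lower grade knowingly rather than by default.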

8 ) Done!

Now the traffic between your users and your server is protected from snooping, even on an untrusted network, as long as the user's browser trusts the CA that signed your certificate. But more importantly:

Padlock!!
