NGINX SSL certificate configuration: using HTTPS with NGINX

Last updated : Jul 30, 2023 12:00 AM

Configuring SSL with NGINX takes only a few minutes. All you need to do is save your SSL certificate and key files on the server and modify the NGINX configuration file to refer to them.

Prepare the SSL certificate files

When you purchase an SSL certificate, you must download the files that make up your SSL certificate. That usually includes two files. In this tutorial, we will use two files, *.cer (or *.crt) and *.key, to set up HTTPS with the NGINX server. I will name the two files as ssl_certificate.crt and ssl_certificate.key.

Step 1: Save SSL certificate files on the server

Download both ssl_certificate.crt and ssl_certificate.key to the server where NGINX is installed. In this example, my NGINX installation is in /etc/nginx, and I save the SSL files in the /etc/nginx/certs directory. Therefore, the absolute paths for my SSL files are /etc/nginx/certs/ssl_certificate.crt and /etc/nginx/certs/ssl_certificate.key respectively.

Figure 1 : Saving ssl certificates in Nginx

Step 2: Modify the Nginx config file

The next step is to modify the Nginx config file to create an HTTPS server block and reference SSL certificate files within the new server block. To maintain a canonical form of the URL, all noncanonical representations of the URL will redirect to the canonical URL format. Our canonical URL will be https://www.example.com. Noncanonical URL forms such as https://example.com, http://www.example.com, and http://example.com will be redirected to https://www.example.com. All the above URLs are served by the web server running on port 3000.

Figure 2 : Modify Nginx config file

2.1 Create a new server block

The server block below adds HTTPS support. It accepts https://www.example.com and forwards it to the web server on port 3000.

server {
   listen 443 ssl http2;
   listen [::]:443 ssl http2;
   server_name www.example.com;
   # Placeholder: ssl_certificate and ssl_certificate_key are added in step 2.2
   location / {
      proxy_pass http://127.0.0.1:3000/;
   }
}

2.2 Add SSL certificate to the new server block

The server must have the SSL certificate installed to use SSL; we completed this in step 1. Ensure the paths to the *.crt and *.key files match the location where you saved them on disk.

server {
   listen 443 ssl http2;
   listen [::]:443 ssl http2;
   server_name www.example.com;
   ssl_certificate /etc/nginx/certs/ssl_certificate.crt;
   ssl_certificate_key /etc/nginx/certs/ssl_certificate.key;
   location / {
      proxy_pass http://127.0.0.1:3000/;
   }
}

Step 3: Redirect all URLs to https://www

As I mentioned above, I redirect all the noncanonical URLs to the canonical format, which is https://www.example.com.

Redirects all non-SSL requests to https://www.example.com.

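server {
    listen 80 default_server;
    listen [::]:80 default_server;
    # Redirect to the fixed canonical name; $host would reflect the
    # client-supplied Host header into the Location header.
    return 301 https://www.example.com$request_uri;
}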

Redirects https://example.com to https://www.example.com.

server {
   listen 443 ssl http2;
   listen [::]:443 ssl http2;
   server_name example.com;
   ssl_certificate /etc/nginx/certs/ssl_certificate.crt;
   ssl_certificate_key /etc/nginx/certs/ssl_certificate.key;
   return 301 https://www.example.com$request_uri;
}

After all the changes, the complete Nginx config file will look like this.

server {
   listen 80 default_server;
   listen [::]:80 default_server;
   # Fixed canonical name instead of the client-supplied $host
   return 301 https://www.example.com$request_uri;
}
server {
   listen 443 ssl http2;
   listen [::]:443 ssl http2;
   server_name example.com;
   ssl_certificate /etc/nginx/certs/ssl_certificate.crt;
   ssl_certificate_key /etc/nginx/certs/ssl_certificate.key;
   return 301 https://www.example.com$request_uri;
}
server {
   listen 443 ssl http2;
   listen [::]:443 ssl http2;
   server_name www.example.com;
   ssl_certificate /etc/nginx/certs/ssl_certificate.crt;
   ssl_certificate_key /etc/nginx/certs/ssl_certificate.key;
   location / {
      proxy_pass http://127.0.0.1:3000/;
   }
}

Step 4: Restart Nginx

We have now completed all the changes required for SSL. Finally, restart your Nginx server for the changes to take effect.
sudo systemctl restart nginx
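
Before restarting, it helps to confirm that the key saved in step 1 is not readable by other accounts, that it belongs to the certificate, and that the edited configuration parses. The script below is an added example, not part of the original tutorial; its function names are hypothetical, and it assumes an unencrypted key and the openssl command-line tool.

```shell
#!/bin/sh
# Pre-restart checks for the certificate and key installed in step 1.
# Added example: function names are hypothetical, not from the tutorial.

# Succeeds only if the file has no group/other permission bits set
# (e.g. mode 600 or 400). The nginx master process, started as root,
# reads the key, so no other account needs access to it.
key_mode_private() {
    listing=$(ls -ldL -- "$1" 2>/dev/null) || return 2
    # Characters 5-10 of the mode string are the group and other bits.
    case $(printf '%s' "$listing" | cut -c5-10) in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# Succeeds only if the public key embedded in the certificate equals the
# public key derived from the private key (assumes an unencrypted key).
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Runs both checks, then asks nginx to parse the configuration.
preflight() {
    key_mode_private "$2" || {
        echo "key is accessible to group/other; run: chmod 600 $2" >&2
        return 1
    }
    cert_matches_key "$1" "$2" || {
        echo "certificate and key do not belong together" >&2
        return 1
    }
    nginx -t
}

# Usage: sh preflight.sh <certificate> <key>
if [ "$#" -eq 2 ]; then
    preflight "$1" "$2"
fi
```

Saved under a hypothetical name such as preflight.sh, it can gate the restart: `sudo sh preflight.sh /etc/nginx/certs/ssl_certificate.crt /etc/nginx/certs/ssl_certificate.key && sudo systemctl restart nginx`.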

By: Lance

Hi, I'm Lance Raney, a dedicated Fullstack Developer based in Oklahoma with over 15 years of exp
