Change apache ssl configuration to nginx config


I want to ask for your help to change my Apache SSL config to nginx style. Actually, I have tried it and googled, but

SSLEngine on
SSLCertificateKeyFile /etc/apache2/ssl/key/netlime_tk.key
SSLCertificateFile /etc/apache2/ssl/crt/www_netlime_tk.crt
SSLCertificateChainFile /etc/apache2/ssl/crt/www_netlime_tk.cer
SSLCACertificateFile /etc/apache2/ssl/crt/www_netlime_tk.cer
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:!SSLv2:!SSLv3

Actually, I have done this, but in ssl_protocols the exclusion of versions is missing; also, every time I have made a “connected” chain with certificates, the SSL testing websites reported that these are wrong, so I don't really want to join the certificates together.

ssl_protocols TLSv1 TLSv1.1;
ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:!SSLv2:!SSLv3;
ssl_certificate /etc/nginx/ssl/crt/www_netlime_tk.crt;
ssl_certificate_key /etc/nginx/ssl/key/netlime_tk.key;
#ssl_certificate_chain /etc/nginx/ssl/crt/www_netlime_tk.cer;
#ssl_ca_certificate /etc/nginx/ssl/crt/www_netlime_tk.cer;

Thank you :-* If you can give some technical explanation which will teach me something, then please do it.

Edit

Thanks to all for the help and time; the final config for “Grade A” on ssllabs is

# SSL Configuration
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_certificate /etc/nginx/ssl/crt/www_netlime_tk.crt.bundle;
ssl_certificate_key /etc/nginx/ssl/key/netlime_tk.key;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384.....very long string';
ssl_prefer_server_ciphers on;
ssl_dhparam /root/dhparams.pem;

    server_name  yourhostname;    #rename your hostname
    ssl_certificate /usr/local/nginx/cert/server.crt;
    ssl_certificate_key /usr/local/nginx/cert/server.key;
    ssl_buffer_size 4K;
    ssl_session_timeout 10m;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
    add_header Strict-Transport-Security "max-age=31536000";

    location ~ ^(?<script_name>.+?\.php)(?<path_info>/.*)?$ {
            try_files $script_name =404;    #return 404 instead of passing a non-existent script to PHP
            fastcgi_pass   127.0.0.1:9000;
            fastcgi_param PATH_INFO $path_info;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
            fastcgi_param HTTPS on;         #for https
    }

The solution was:

  1. Join the *.crt and *.cer files together into one file using the cat command (thanks to user Gmck)
  2. Specify only the protocols that are allowed, in my case TLS v1, v1.1 and v1.2 (thanks to user Froggiz)
  3. Add more specific ciphers (thanks to the ssllabs website)
  4. Add dhparams for a more secure connection (thanks to the ssllabs website)

Final SSL config

# SSL Configuration
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_certificate /etc/nginx/ssl/crt/www_netlime_tk.crt.bundle;
ssl_certificate_key /etc/nginx/ssl/key/netlime_tk.key;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDH.....very long string (google for full string)';
ssl_prefer_server_ciphers on;
ssl_dhparam /root/dhparams.pem;
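As an added example (not code from the thread), the question's Apache block translated into nginx directives: Apache's SSLProtocol subtracts versions from "all" while nginx's ssl_protocols lists only the versions allowed, and SSLCertificateChainFile has no nginx counterpart, so the chain is appended to the server certificate in one bundle file, leaf first. The expansion of Apache's "all" keyword and the PEM texts used for testing are assumptions.

```python
# Added example, not code from the thread; APACHE_ALL and the PEM texts are assumptions.
APACHE_ALL = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]   # Apache's "all"
PEM_BEGIN, PEM_END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
APACHE_CONF = """SSLEngine on
SSLCertificateKeyFile /etc/apache2/ssl/key/netlime_tk.key
SSLCertificateFile /etc/apache2/ssl/crt/www_netlime_tk.crt
SSLCertificateChainFile /etc/apache2/ssl/crt/www_netlime_tk.cer
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:!SSLv2:!SSLv3
"""
def parse_apache_ssl(text):
    out = {}                      # directive name -> argument string
    for line in text.splitlines():
        name, _, value = line.strip().partition(" ")
        if name.startswith("SSL"):
            out[name] = value.strip()
    return out

def translate_protocols(spec):
    """Apache adds/removes versions with +/-; nginx lists only the allowed ones."""
    enabled = []
    for tok in spec.split():
        name = tok.lstrip("+-")
        if name.lower() == "all":
            enabled = [] if tok.startswith("-") else list(APACHE_ALL)
        elif tok.startswith("-"):
            enabled = [p for p in enabled if p != name]
        elif name not in enabled:
            enabled.append(name)
    return " ".join(enabled)

def pem_blocks(text):
    """Split a PEM file into its individual CERTIFICATE blocks."""
    return [PEM_BEGIN + c.split(PEM_END)[0] + PEM_END for c in text.split(PEM_BEGIN)[1:]]

def build_bundle(leaf_pem, chain_pem):
    """No chain directive in nginx: leaf first, then intermediates, no duplicates."""
    bundle = []
    for block in pem_blocks(leaf_pem) + pem_blocks(chain_pem):
        if block not in bundle:
            bundle.append(block)
    return "\n".join(bundle) + "\n"

def to_nginx(apache_text, bundle_path):
    d = parse_apache_ssl(apache_text)
    return [] if d.get("SSLEngine") != "on" else [
        "ssl_protocols %s;" % translate_protocols(d["SSLProtocol"]),
        "ssl_ciphers '%s';" % d["SSLCipherSuite"],
        "ssl_certificate %s;" % bundle_path,          # leaf + chain in one file
        "ssl_certificate_key %s;" % d["SSLCertificateKeyFile"]]
```

Write the string returned by build_bundle to the path given as bundle_path, then check it with the ssllabs test as the thread did; a chain in the wrong order (intermediate before leaf) is exactly what those testers report as broken.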
