top of page
Search

Self-Signed SSL: NGINX on MAC (Part 3)

  • Writer: Arjav Dave
    Arjav Dave
  • Mar 8, 2021
  • 2 min read

Updated: Jul 23, 2022

Till now, we have installed Nginx and did a simple configuration to host an html file locally. In this part we will be configuring Nginx with a self-signed SSL certificate.


We will be creating a self signed certificate using openssl and make Nginx use it for serving content over https. Let’s get our hands dirty. Open our pal, Terminal and lets create a couple of folders to store our key and certificate. Fire the following commands:


mkdir -p /usr/local/etc/ssl/private

mkdir -p /usr/local/etc/ssl/certs


Ideally you can create these folders anywhere but it’s a good practice to have them at the above given path. We will now create key and certificate by running the below command:


sudo openssl req \ -x509 -nodes -days 365 -newkey rsa:2048 \ -keyout /usr/local/etc/ssl/private/self-signed.key \ -out /usr/local/etc/ssl/certs/self-signed.crt


Let’s alter our server context from previous tutorial. The updated file is as below.


events {}


http {

server {

# Listen on port 80 which is the default http port

listen 80;


# Set a permanent redirection from http to https

return 301 https://localhost:443;

}

}


Add another server context inside http context with configuration and locations relating to SSL


server {

listen 443 ssl;

# location of ssl certificate

ssl_certificate /usr/local/etc/ssl/certs/self-signed.crt;

# location of ssl key

ssl_certificate_key /usr/local/etc/ssl/private/self-signed.key;

}


Add location context inside the ssl server context


location / {

root /Users/arjav/Desktop/www;

index index.html index.htm;

}


This is the whole configuration file:


events {

}


http {

# HTTP server

server {

listen 80;

return 301 https://localhost:443;

}

# HTTPS server

server {

listen 443 ssl;

ssl_certificate /usr/local/etc/ssl/certs/self-signed.crt;

ssl_certificate_key /usr/local/etc/ssl/private/self-signed.key;

location / {

root /Users/arjav/Desktop/www;

index index.html index.htm;

}

}

}


As a last step we will need to add the self-signed certificate to the system keychain. Run the below command in your terminal.


sudo security add-trusted-cert \ -d -r trustRoot \ -k /Library/Keychains/System.keychain /usr/local/etc/ssl/certs/self-signed.crt


Voila! That’s it. In your terminal verify your configuration file by running nginx -t and if everything looks okay reload your Nginx server by running nginx -s reload. Visit https://127.0.0.1. You will still see a red flag or “Not secure” sign in your browser saying that your certificate is invalid, but that it’s because not signed by a third-part authority. Rest assured the content is served over secure channels.


In the next chapter we will look at some advanced ssl configuration options for better security, caching and optimisation.

Comments

About  

Dave Ops (pun intended) tries to be a guide for the developers, dev ops engineers and software teams in their journey to make the world a better place. Learn about best practices, tips & tricks, and a lot of exciting stuff (not necessarily related to tech).

  • Facebook
  • Instagram
  • Twitter Basic Black

© 2023 by Dave Ops

Contact
 

Want to learn about a new topic? Having issues with any of your existing work? Or simply want to connect? Drop your details below.

Thanks for submitting!

bottom of page