@kevherro
Last active May 29, 2019 23:36
Instructions for enabling HTTPS on your nginx server via SSL certificate installation

I took the following steps to enable HTTPS on stage.100.ucla.edu via SSL certificate installation. Use this guide as a reference for doing the same on the production server.

Installation steps

Step 1: Place 100_ucla_edu_cert.cer and 100_ucla_edu_interm.cer on the production server (via SFTP, SCP, etc.) in any location

Step 2: Generate the chained certificate. Note the order here: the intermediate needs to come second!

$ cat 100_ucla_edu_cert.cer 100_ucla_edu_interm.cer > certbundle.pem

Note: if the first file does not end with a newline, you will need to modify certbundle.pem to include a line break at the point where the two files were joined

-----END CERTIFICATE----------BEGIN CERTIFICATE-----

needs to be

-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----

Step 3: Move certbundle.pem and the associated private key file used to generate the CSR to /etc/ssl/

$ sudo mv certbundle.pem /etc/ssl && sudo mv PRIVATE_KEY_FILE /etc/ssl

Step 4: Using vim, modify /etc/nginx/nginx.conf to point to the above files. See the /etc/nginx/nginx.conf file for reference; the production version will be nearly identical. At a high level, you will need to add an additional server section for port 443 just above the port 80 section:

...
    server {
        # "listen 443 ssl" replaces the deprecated "ssl on;" directive
        listen 443 ssl;

        # server certificate followed by the intermediate (Step 2)
        ssl_certificate /etc/ssl/certbundle.pem;
        # private key that was used to generate the CSR (Step 3)
        ssl_certificate_key /etc/ssl/PRIVATE_KEY_FILE;

        server_name _;

        location / {
            root /usr/share/nginx/html;
            index index.html index.htm;
            proxy_pass http://127.0.0.1:3000;
        }

        error_page 404 /404.html;
        location = /404.html {
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }
...

Step 5: Redirect all HTTP to HTTPS. Note this line in /etc/nginx/nginx.conf in the port 80 server section:

# redirect all http to https
#
return 301 https://$host$request_uri;

Step 6: In vim command-mode, save your changes to /etc/nginx/nginx.conf using the sudo-tee trick:

:w !sudo tee %

Select (L) Load when prompted, and hit Enter. Then, quit vim and return to the terminal

Step 7: Restart nginx

$ sudo /etc/init.d/nginx restart

A successful configuration should show

Stopping nginx:                                            [  OK  ]
Starting nginx:                                            [  OK  ]
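
The fused-delimiter problem noted in Step 2 can be avoided and checked mechanically before the files are moved in Step 3. The shell functions below are an added example, not part of the original gist; the function names are hypothetical, and key_matches_bundle assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example; function names are hypothetical, file names follow the guide.

# make_bundle LEAF INTERMEDIATE OUT
# Writes the server certificate first, then the intermediate. awk re-emits
# every line with a trailing newline (even an unterminated last line) and
# strips CRs, so the END/BEGIN markers can never end up on one line.
make_bundle() {
    : > "$3" || return 1
    for f in "$1" "$2"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
        awk '{ sub(/\r$/, ""); print }' "$f" >> "$3" || return 1
    done
}

# check_bundle FILE [EXPECTED_CERTS]   (default: 2)
# Fails if a marker shares its line with other text, markers are unbalanced,
# the certificate count is wrong, or a non-certificate PEM block (such as a
# private key) is present in the file.
check_bundle() {
    awk -v want="${2:-2}" '
        { sub(/\r$/, "") }
        /^-----BEGIN CERTIFICATE-----$/ { if (in_cert) bad = 1; in_cert = 1; next }
        /^-----END CERTIFICATE-----$/   { if (!in_cert) bad = 1; in_cert = 0; n++; next }
        /-----(BEGIN|END) /             { bad = 1 }
        END { if (bad || in_cert || n + 0 != want + 0) exit 1 }
    ' "$1"
}

# key_matches_bundle KEY BUNDLE
# Compares the public key derived from the private key with the public key
# in the first (server) certificate of the bundle. Requires the openssl CLI.
key_matches_bundle() {
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$1" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}
```

For example, `make_bundle 100_ucla_edu_cert.cer 100_ucla_edu_interm.cer certbundle.pem && check_bundle certbundle.pem` replaces the manual edit in Step 2. Running `sudo nginx -t` before the restart in Step 7 reports configuration and certificate-loading errors while the old process is still serving.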

Resources
