How to add SSL to Nginx WordPress Servers https://www.wphuman.com/add-ssl-nginx-wordpress-servers/
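# Build the chain file nginx serves: server certificate first, then the
# intermediates, then the root. Leaf-first order is required; the root is
# optional for clients but is needed here because ssl_stapling_verify reads
# the same bundle.
# The original "sudo cat ... > ssl-bundle.crt" does not work as intended: the
# redirection is performed by the unprivileged calling shell, not by sudo, so
# the write into /etc/nginx/ssl is denied. tee under sudo performs the write
# as root.
$ sudo cat your_domain.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt | sudo tee /etc/nginx/ssl/ssl-bundle.crt > /dev/null
# Note: AddTrust External CA Root expired on 2020-05-30; certificates chained
# to it need to be re-issued on a current chain and this bundle rebuilt.
# Permissions: 600 on a directory drops the search (execute) bit, so 700 is
# the mode that keeps the directory usable while restricting it to root. The
# private key is the sensitive file and gets 600; the bundle is public.
$ sudo chmod 700 /etc/nginx/ssl
$ sudo chmod 600 /etc/nginx/ssl/your_domain.key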
Country Name (2 letter code) [AU]: GB
State or Province Name (full name) [Some-State]: Yorks
Locality Name (eg, city) []: York
Organization Name (eg, company) [Internet Widgits Pty Ltd]: MyCompany Ltd
Organizational Unit Name (eg, section) []: IT
Common Name (eg, YOUR name) []: your-domain.com
Email Address []:
A challenge password []:
An optional company name []:
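# Generate the private key and the CSR to send to the CA.
# "sudo cd" in the original does nothing useful: cd is a shell builtin, and a
# child process cannot change the calling shell's working directory, so the
# openssl call ran in whatever directory the shell was already in. A plain cd
# is enough; mkdir -p makes the step re-runnable.
$ sudo mkdir -p /etc/nginx/ssl/
$ cd /etc/nginx/ssl/
# -nodes leaves the key unencrypted so nginx can start unattended; file
# permissions are then the only protection on it, hence the chmod below
# (openssl writes the key with the process umask, commonly world-readable).
# -sha256 pins the CSR signature hash; older openssl.cnf files default to SHA-1.
$ sudo openssl req -nodes -sha256 -newkey rsa:2048 -keyout your_domain.key -out your_domain.csr
$ sudo chmod 600 your_domain.key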
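# HTTPS server for the WordPress site.
# Certificate and key paths match the files created by the openssl/cat steps
# on this page (your_domain.key, ssl-bundle.crt); the original referenced
# your-domain.key, which those steps never create.
server {
    # SPDY was removed from nginx in 1.9.5; http2 is its replacement
    # (requires nginx >= 1.9.5). The Alternate-Protocol header went with it.
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name your-domain.com;

    # WordPress lives in the webroot under /src/www/ in this setup
    root /src/www/your-domain.com/htdocs;

    # "ssl on;" is deprecated and later removed; the "ssl" parameter on
    # listen already enables TLS for this server.
    ssl_certificate     /etc/nginx/ssl/ssl-bundle.crt;
    ssl_certificate_key /etc/nginx/ssl/your_domain.key;

    # Protocols: TLS 1.0 and 1.1 are deprecated (RFC 8996). TLSv1.3 needs
    # nginx >= 1.13.0 built against OpenSSL >= 1.1.1; drop the token on
    # older builds or nginx will refuse to start.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    # The 3DES suites (ECDHE-RSA-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA,
    # DES-CBC3-SHA) are removed; !3DES also stops HIGH from re-adding them on
    # OpenSSL < 1.1.0, where 3DES still counts as HIGH.
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!3DES:!MD5:!PSK:!RC4;
    ssl_buffer_size 8k;
    # Shared cache only: the nginx docs note the builtin cache can cause
    # memory fragmentation and recommend the shared one.
    ssl_session_cache shared:SSL:20m;
    ssl_session_timeout 20m;

    # OCSP stapling. With ssl_stapling_verify on, nginx needs the issuer
    # chain and root via ssl_trusted_certificate; the bundle built on this
    # page contains them, so it is reused here.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/ssl/ssl-bundle.crt;
    # Resolver used for the OCSP responder lookup. These are Google's public
    # resolvers; a local resolver keeps those lookups on-host.
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 10s;

    # HSTS: browsers will refuse plain HTTP for this host for one year, and
    # with includeSubDomains for every subdomain as well. Confirm all
    # subdomains serve valid HTTPS before deploying, as this cannot be
    # undone on clients before max-age expires.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

    # Pass PHP scripts to FastCGI listening on a Unix socket.
    # Do not process them if inside the WP uploads directory.
    # If using Multisite or a custom uploads directory,
    # set the */uploads/* directory in the regex below.
    location ~* (^(?!(?:(?!(php|inc)).)*/uploads/).*?(php)) {
        # "=404" must be written without a space: with "= 404" nginx parses
        # "404" as a separate last argument and treats it as a fallback URI,
        # not a status code. Returning 404 for a script that does not exist
        # on disk is also what stops PATH_INFO-style requests from running
        # non-PHP files under uploads through php-fpm.
        try_files $uri =404;
        # dot escaped so ".php" is matched literally (the original ".php"
        # matched any character before "php")
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        # php5-fpm socket path is specific to this host's PHP install
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
        fastcgi_intercept_errors on;
        fastcgi_ignore_client_abort off;
        fastcgi_connect_timeout 60;
        fastcgi_send_timeout 180;
        fastcgi_read_timeout 180;
        fastcgi_buffer_size 128k;
        fastcgi_buffers 4 256k;
        fastcgi_busy_buffers_size 256k;
        fastcgi_temp_file_write_size 256k;
    }
}

# Redirect all http queries (www and non-www) to the non-www https host
server {
    listen 80;
    listen [::]:80;
    server_name your-domain.com www.your-domain.com;
    return 301 https://your-domain.com$request_uri;
}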