
Nginx with SSL

Setting up SSL with your Boxcar requires a few different steps. You will need to:

  1. Generate an SSL key
  2. Generate an SSL certificate request (CSR)
  3. Obtain an SSL certificate from a Certificate Authority (CA)
  4. Prepare the certificate for use
  5. Configure Nginx to use the SSL certificate

Generate an SSL key

Log into your Boxcar as root and execute the following command:

openssl genrsa -out boxcar.key 1024

This creates a file called “boxcar.key”. Do not lose this file! Without it your certificate is useless and you will have to repeat the entire process (including buying a new certificate).

Generate an SSL Certificate Signing Request (CSR)

In order to get a certificate from a Certificate Authority, you will first need to generate a Certificate Signing Request (CSR). Some of the questions asked during generation are somewhat misleading, so we have outlined the process for you below.

Execute the following command to begin generating the certificate request:

openssl req -new -key boxcar.key -out boxcar.csr

You will be asked the following questions. Example answers are shown after each prompt.

  • (required) Country Name (2 letter code) [AU]: US
    This is the country where your company is located. For example, if your company is based in the United Kingdom you would use GB here.
  • (required) State or Province Name (full name) [Some-State]: Oregon
  • (optional) Locality Name (eg, city) []: Portland
  • (required) Organization Name (eg, company) [Internet Widgits Pty Ltd]: Planet Argon, LLC
    The name of your company.
  • (optional) Organizational Unit Name (eg, section) []: Billing Department
    In a larger company, you might want to specify which department uses this key. You can usually just leave this blank.
  • (required) Common Name (eg, YOUR name) []: myboxcar.com
    This is the actual domain name that you want your certificate to be for. Check this twice before proceeding. Certificate Authorities don’t give refunds, so if you get this wrong, you’ll have to pay for a new certificate. Do not include the ‘www’ before the domain name. The CA will usually add this for you automatically, but you should not specify it manually.
  • (optional) Email Address []: billing@planetargon.com
  • Please enter the following 'extra' attributes to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    Leave both of these blank.

Once you complete this process you will have a file called “boxcar.csr”. This is your Certificate Signing Request that you will need in order to purchase an SSL Certificate. Most Certificate Authorities will just have you paste this CSR into a text field when you sign up. To read the contents of the file just type:

cat boxcar.csr

You will see something similar to the following:

myboxcar.com:~# cat boxcar.csr
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----
myboxcar.com:~#

Then highlight everything between the two “myboxcar.com:~#” prompt lines and copy it to your clipboard. On your Boxcar, the prompt will show your own domain name instead of myboxcar.com.
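Steps 1 and 2 can also be run non-interactively, which makes the answers reproducible and lets you check the Common Name before paying for a certificate. The script below is an added example, not part of this page: it builds the subject string from the same example answers given above, refuses a Common Name that starts with “www.” (the mistake the page warns about), and prints the finished request back with “openssl req -verify”. The key is 2048 bits rather than the 1024 used above, because public CAs no longer accept 1024-bit RSA keys. The file names boxcar.key and boxcar.csr are the ones this page uses.

```shell
#!/bin/sh
# mkcsr.sh: non-interactive version of steps 1 and 2 (added example, not the
# page's own script). Usage: sh mkcsr.sh myboxcar.com

# Build the -subj string that openssl expects from the individual answers.
# Locality and Organizational Unit are optional and are left out when empty.
# The Common Name must be the bare domain: refuse "www." in front of it.
csr_subject() {  # $1 country $2 state $3 locality $4 org $5 unit $6 common name
    case $6 in
        www.*) echo "common name must not start with www.: $6" >&2; return 1 ;;
        "")    echo "common name is required" >&2; return 1 ;;
    esac
    s="/C=$1/ST=$2"
    if [ -n "$3" ]; then s="$s/L=$3"; fi
    s="$s/O=$4"
    if [ -n "$5" ]; then s="$s/OU=$5"; fi
    printf '%s\n' "$s/CN=$6"
}

# Create the key (readable only by its owner) and the CSR, then verify the
# request's signature and print its subject so the Common Name can be
# checked before it is pasted into the CA's order form.
make_csr() {  # $1 key file $2 csr file $3 subject string
    openssl genrsa -out "$1" 2048 &&
    chmod 600 "$1" &&
    openssl req -new -key "$1" -subj "$3" -out "$2" &&
    openssl req -in "$2" -noout -verify -subject
}

if [ $# -gt 0 ]; then
    # example answers from the page; only the domain is taken from the command line
    subj=$(csr_subject US Oregon Portland "Planet Argon, LLC" "Billing Department" "$1") &&
    make_csr boxcar.key boxcar.csr "$subj"
fi
```

Run it as “sh mkcsr.sh myboxcar.com” on the Boxcar; the last line of output is the subject openssl actually wrote into the request, which is what the CA will put on the certificate.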

Obtain an SSL certificate from a Certificate Authority (CA)

You will need to select a Certificate Authority that you would like to use, such as Go Daddy or VeriSign, and purchase an appropriate SSL certificate. When prompted to enter your Certificate Signing Request (CSR), paste the CSR that you copied earlier.

Depending on which CA you go with, they may provide you with one or two different files. The first is your actual certificate (usually called yourdomain.crt). The second is only provided by some Certificate Authorities and is an “intermediate bundle” which contains the chain of trust that verifies your certificate. These files will usually have “intermediate” somewhere in their name. If the CA provides you with two files, you will need to copy both of them to your Boxcar. Otherwise just copy the certificate that is sent back to you.

Prepare the certificate for use

On your Boxcar, find the file(s) you copied over earlier.
  • If you just received the one certificate file, copy it into your “/etc/ssl/certs” directory. For example: cp myboxcar.com.crt /etc/ssl/certs/boxcar.crt
  • If you received two different files, you will need to combine them to create a file that Nginx can use. For the following example we will assume that the two files you received from the CA were named “myboxcar.com.crt” and “gd_intermediate_bundle.crt”. (These are the default names that Go Daddy uses.) To combine these two files into a new file, type the following command:

    cat myboxcar.com.crt gd_intermediate_bundle.crt > /etc/ssl/certs/boxcar.crt

    Note that you will need to replace “myboxcar.com.crt” and “gd_intermediate_bundle.crt” with the appropriate names for your certificate.

You should now have a new file called “boxcar.crt” which you can use in your Nginx setup.

At this point you should copy the key you generated in Step 1 to a secure location and fix its permissions so that it cannot be read by anyone other than root.

cp boxcar.key /etc/ssl/private/boxcar.key
chmod 600 /etc/ssl/private/boxcar.key
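Before restarting Nginx it is worth checking that boxcar.crt and boxcar.key actually belong together and that the combined file is in the order Nginx expects (your certificate first, then the intermediate). The following pre-flight script is an added example and not part of this page. Its structural checks (balanced BEGIN/END lines, at least one certificate, no private key pasted into the certificate file, key mode 600) need only standard tools; the key/certificate match and chain-order checks use openssl, which is already on the Boxcar because the key was generated with it. The file paths default to the ones used on this page.

```shell
#!/bin/sh
# preflight.sh: sanity-check boxcar.crt and boxcar.key before reloading Nginx
# (added example, not the page's own script).
# Usage: sh preflight.sh [/etc/ssl/certs/boxcar.crt] [/etc/ssl/private/boxcar.key]

pem_block_count() {  # $1 file, $2 block label such as CERTIFICATE
    grep -c "^-----BEGIN $2-----" "$1" || true
}

# Structural checks that do not need openssl.
check_bundle() {  # $1 certificate (or combined) file
    f=$1
    begins=$(grep -c '^-----BEGIN ' "$f" || true)
    ends=$(grep -c '^-----END ' "$f" || true)
    [ "$begins" -eq "$ends" ] || { echo "unbalanced BEGIN/END lines in $f"; return 1; }
    [ "$(pem_block_count "$f" CERTIFICATE)" -ge 1 ] || { echo "no certificate found in $f"; return 1; }
    if grep -q 'PRIVATE KEY-----' "$f"; then
        echo "a private key was pasted into $f; it belongs in /etc/ssl/private"; return 1
    fi
    return 0
}

# The key must be mode 600, i.e. readable only by its owner (chmod 600 above).
check_key_perms() {  # $1 key file
    [ -n "$(find "$1" -prune -perm 600)" ]
}

# The public key inside the certificate must come from this private key;
# "openssl x509 -modulus" reads only the first certificate in a bundle, which
# is your own certificate when the bundle is in the right order.
check_key_matches_cert() {  # $1 certificate file $2 key file
    c=$(openssl x509 -in "$1" -noout -modulus | openssl md5)
    k=$(openssl rsa -in "$2" -noout -modulus | openssl md5)
    [ "$c" = "$k" ] || { echo "$2 does not match the certificate in $1"; return 1; }
}

# Each certificate in the bundle must be issued by the one that follows it;
# if the intermediate was concatenated first, this fails.
check_chain_order() {  # $1 combined certificate file
    tmp=$(mktemp -d) || return 1
    # split into one file per certificate: cert.0 (yours), cert.1, ...
    awk -v dir="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > (dir "/cert." (n-1))}' "$1"
    i=0
    while [ -f "$tmp/cert.$((i+1))" ]; do
        issuer=$(openssl x509 -in "$tmp/cert.$i" -noout -issuer | sed 's/^issuer= *//')
        subject=$(openssl x509 -in "$tmp/cert.$((i+1))" -noout -subject | sed 's/^subject= *//')
        if [ "$issuer" != "$subject" ]; then
            echo "certificate $i is not issued by certificate $((i+1)); check the order of the cat command"
            rm -rf "$tmp"; return 1
        fi
        i=$((i+1))
    done
    rm -rf "$tmp"
    return 0
}

main() {
    crt=${1:-/etc/ssl/certs/boxcar.crt}
    key=${2:-/etc/ssl/private/boxcar.key}
    check_bundle "$crt" && check_key_perms "$key" &&
    check_key_matches_cert "$crt" "$key" && check_chain_order "$crt" &&
    echo "OK: $crt and $key are ready for Nginx"
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Run “sh preflight.sh /etc/ssl/certs/boxcar.crt /etc/ssl/private/boxcar.key” as root; the first failing check prints what is wrong and the script stops there.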

Configure Nginx to use the SSL certificate

Now it’s just a matter of deciding whether to use both HTTP and HTTPS, and then telling Nginx to use your certificate.

  • If you’d like to use both HTTPS and HTTP connections to your Boxcar, you will first need to create a copy of your configuration:
    cd /etc/nginx/sites-available
    cp mongrel mongrel-ssl
    cd ../sites-enabled
    ln -s ../sites-available/mongrel-ssl
    and then edit /etc/nginx/sites-enabled/mongrel-ssl. You’ll also want to remove the entire upstream section from the top of the mongrel-ssl config so as to not get a conflict from a duplicate upstream declaration.
     
  • If you’re only going to be using HTTPS, you can just edit /etc/nginx/sites-enabled/mongrel directly.

Once you’ve opened the file look for a line that reads:

listen 80;

and replace it with:

listen 443;
ssl                  on;
ssl_certificate      /etc/ssl/certs/boxcar.crt;
ssl_certificate_key  /etc/ssl/private/boxcar.key;

ssl_session_timeout  5m;

Now you can just restart Nginx and you’re all set to go!

/etc/init.d/nginx restart

Using ssl_requirement with nginx

If you’re using the ssl_requirement plugin in your Rails app you may also need to make an additional change to your nginx config file to prevent infinite redirect chains. Inside the “server” block, find the block labeled “location /” and add the following line:

    proxy_set_header  X-FORWARDED_PROTO https;

This ensures that rails can see the https protocol even through redirects.
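Put together, the mongrel-ssl server block ends up looking like the following. This is an added example assembled from the directives on this page plus the usual proxy headers, not a file taken from a Boxcar; the upstream name “mongrel_cluster”, the proxy_pass line and the extra proxy_set_header lines are assumptions, so keep whatever your existing mongrel config already has there. The header is written as X-Forwarded-Proto, the standard spelling; Rails sees it as the same HTTP_X_FORWARDED_PROTO variable as the X-FORWARDED_PROTO form above.

```nginx
# /etc/nginx/sites-enabled/mongrel-ssl (added example). The plain HTTP server
# stays in /etc/nginx/sites-enabled/mongrel, which also keeps the only copy of
# the "upstream" block; declaring it twice makes nginx refuse to start.
server {
    listen 443;          # on nginx 1.15 and later write "listen 443 ssl;" and drop "ssl on;"
    server_name myboxcar.com;

    ssl                  on;
    ssl_certificate      /etc/ssl/certs/boxcar.crt;     # certificate plus intermediate bundle
    ssl_certificate_key  /etc/ssl/private/boxcar.key;   # mode 600, owned by root
    ssl_session_timeout  5m;

    location / {
        proxy_set_header  Host $host;
        proxy_set_header  X-Real-IP $remote_addr;
        # tell Rails (and ssl_requirement) that this request arrived over HTTPS,
        # otherwise it redirects to https:// again and the browser loops
        proxy_set_header  X-Forwarded-Proto https;
        proxy_pass        http://mongrel_cluster;       # assumed upstream name
    }
}
```

After saving, “nginx -t” reports syntax or certificate-loading errors before you restart, which is cheaper than finding out from a dead site.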


Powered by JunebugWiki v0.0.28. Last edited by alexmalinovich on September 08, 2008 08:32 PM. Version 27 (current).