After exploring different WordPress-Nginx configurations, let's move on to securing your WordPress site with SSL.
The steps in this article are similar for all kinds of WordPress-Nginx configurations.
Step 1: Create CSR – Certificate Signing Request on Nginx Server
Create a directory to store the keys and certificates for the example.com domain. You can use any directory; the following example uses these conventions:
mkdir /var/www/example.com/cert/
cd /var/www/example.com/cert/
Next, create a 2048-bit private key:
openssl genrsa -out example.com.key 2048
Finally, create a CSR (certificate signing request):
openssl req -new -key example.com.key -out example.com.csr -sha256
This command will ask you for some details. In the Common Name (eg, YOUR name) []: field, use example.com (or *.example.com if you are setting up a wildcard SSL certificate).
Note: www.example.com and example.com are not the same. Use exactly the domain your website is using.
Step 2: Get an SSL Certificate from Thawte
- Buy an SSL certificate from Thawte.com or dh.rtcamp.com. dh.rtcamp.com is our portal, where we get to sell Thawte certificates at a 67% discount.
- Paste the CSR, i.e. the content of example.com.csr, into the Thawte or dh.rtcamp.com web interface. You will need to provide some more details; try to match them to the details in Step 1.
- Depending on the type of certificate, it may take some time for Thawte to approve your certificate.
- Once the certificate is approved, you will get a link via email from Thawte. Follow the link to download the certificate from the Thawte website.
- On the Thawte user portal, go to the “View Certificate Information” section.
- You need to download the certificate in X.509 format and also “Additional Certificates” >> “Apache Bundle”.
Step 3: Fix Intermediate Certificate Chain
From the Thawte portal you will download 2 files: -_example_com_ee.crt and -_example_com_apache.crt.
One is your certificate and the other is the bundle, i.e. the intermediate certificates. Nginx doesn’t have a special directive to specify the path to a certificate bundle/chain file, so we need to append the bundle to the SSL certificate file itself, in such a way that the SSL certificate remains on top.
You can do it simply by running the following command (the -- stops cat from reading the leading dash in the file names as an option):
cat -- -_example_com_ee.crt -_example_com_apache.crt > example.com.crt
Move this example.com.crt file to the /var/www/example.com/cert/ directory on the nginx server.
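If the certificate file does not end with a newline, a plain cat fuses its END line with the BEGIN line of the bundle, and nginx rejects the result with a PEM "bad end line" error. The following is an added example, not part of the original article: it builds the combined file with the certificate on top and checks the delimiters before the file is used. The function names are hypothetical and the sample files are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# check_pem FILE: succeed only if every certificate delimiter is alone on its
# line and BEGIN/END markers pair up; otherwise print what is wrong.
check_pem() {
    awk '
        { sub(/\r$/, "") }                      # tolerate CRLF line endings
        /^-----BEGIN CERTIFICATE-----$/ {
            if (inblk) { print "line " NR ": BEGIN inside open block"; bad = 1 }
            inblk = 1; blocks++; next
        }
        /^-----END CERTIFICATE-----$/ {
            if (!inblk) { print "line " NR ": END without BEGIN"; bad = 1 }
            inblk = 0; next
        }
        /-----(BEGIN|END) / {                   # fused or non-certificate delimiter
            print "line " NR ": unexpected or fused delimiter: " $0; bad = 1
        }
        END {
            if (inblk) { print "unterminated certificate block"; bad = 1 }
            if (!blocks) { print "no certificate found"; bad = 1 }
            exit bad + 0
        }
    ' < "$1"    # stdin redirect: file names may start with a dash
}

# build_bundle OUT LEAF CHAIN...: concatenate leaf first, adding the newline a
# plain cat leaves out when a file does not end with one, then validate.
build_bundle() {
    out=$1; shift
    tmp=$(mktemp) || return 1
    for f in "$@"; do
        cat -- "$f" >> "$tmp" || { rm -f "$tmp"; return 1; }
        # command substitution strips a final newline: empty means "ends in \n"
        [ -z "$(tail -c 1 < "$f")" ] || printf '\n' >> "$tmp"
    done
    if check_pem "$tmp"; then mv "$tmp" "$out"; else rm -f "$tmp"; return 1; fi
}

# Constructed placeholder files (not real certificates); the leaf lacks a final newline.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' 'TEVBRg==' '-----END CERTIFICATE-----' > "$d/ee.crt"
    printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' 'Q0hBSU4=' '-----END CERTIFICATE-----' > "$d/chain.crt"
    cat "$d/ee.crt" "$d/chain.crt" > "$d/naive.crt"
    check_pem "$d/naive.crt" || echo "naive cat: rejected"
    build_bundle "$d/example.com.crt" "$d/ee.crt" "$d/chain.crt" && echo "build_bundle: ok"
    rm -rf "$d"
}
demo
```

check_pem only inspects the PEM framing; it does not verify signatures or the order of the chain.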
Step 4: Adjusting Nginx Configuration
Enable SSL for example.com
Make it look like below:
server {
    # "listen 443 ssl" replaces the separate "ssl on;" directive, which current nginx releases no longer accept
    listen 443 ssl;
    server_name example.com;
    ssl_certificate /var/www/example.com/cert/example.com.crt;
    ssl_certificate_key /var/www/example.com/cert/example.com.key;
    #... other stuff
}
Force non SSL site to redirect traffic to SSL
Add the following block if you want to force SSL on your site.
server {
    listen 80;
    server_name example.com;
    return 301 https://example.com$request_uri;
}
Turn on SSL session cache for performance
In the file /etc/nginx/nginx.conf, inside the http {..} block, add the following:
http {
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    #... other stuff
}
Also make sure the value of the worker_processes directive is greater than 1 (only if your server has multiple cores).
Finally, reload nginx to make the changes take effect.
service nginx reload
Step 5: Ask WordPress to use SSL
Add the following to your WordPress wp-config.php file.
To force SSL for the login form:
define('FORCE_SSL_LOGIN', true);
To force SSL for the wp-admin section:
define('FORCE_SSL_ADMIN', true);
Step 6: Verifying SSL Installation
The last and most important step is to verify that the SSL certificate is installed properly.
Below are some nice online tools to help you with that:
If you face any issues, feel free to use our free support forum.
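A local check to run on the server before reloading nginx, added here as an example (it is not part of the original article): it confirms that the private key belongs to the first certificate in the combined file, that this certificate covers the exact host name, and that the key file is not readable by other users. The function names are hypothetical and the demo uses a constructed throwaway self-signed certificate.

```shell
#!/bin/sh
# key_matches_cert KEY CRT: does the private key belong to the FIRST certificate
# in CRT? (openssl x509 reads only the first PEM block, i.e. the leaf on top.)
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_names_host CRT HOST: does the leaf certificate cover the exact host name
# used in server_name? (www.example.com and example.com are different names.)
cert_names_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# key_is_private KEY: fail if the key file is readable by group or others.
key_is_private() {
    [ -z "$(find "$1" \( -perm -040 -o -perm -004 \))" ]
}

# preflight KEY CRT HOST: run all three checks, report each failure.
preflight() {
    rc=0
    key_matches_cert "$1" "$2" || { echo "FAIL: key does not match leaf certificate"; rc=1; }
    cert_names_host "$2" "$3"  || { echo "FAIL: certificate does not cover $3"; rc=1; }
    key_is_private "$1"        || { echo "FAIL: key readable by group/others"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: key, certificate and host name agree"
    return "$rc"
}

# Demo on a constructed throwaway self-signed certificate for www.example.com.
demo() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=www.example.com' \
        -keyout "$d/k.key" -out "$d/c.crt" 2>/dev/null
    chmod 600 "$d/k.key"
    preflight "$d/k.key" "$d/c.crt" www.example.com || true
    preflight "$d/k.key" "$d/c.crt" example.com || true   # reports the name mismatch
    rm -rf "$d"
}
demo
```

With the paths used in this article, the call is preflight /var/www/example.com/cert/example.com.key /var/www/example.com/cert/example.com.crt example.com.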
When I follow your tutorial, I get the following error:
Reloading nginx configuration: nginx: [emerg] PEM_read_bio_X509_AUX(“/var/www/example.com/cert/example.com.crt”) failed (SSL:error:0906D066:PEM routines PEM_read_bio:bad end line)
nginx: configuration file /etc/nginx/nginx.conf test failed
Any idea why this is happening?
Thank you!
Check – http://www.ur-ban.com/blog/2010/12/09/nginx-ssl-pem_read_biobad-end-line/
Never faced this issue before.
I am using ubuntu 12.04 64bit, installed easy engine and wordpress is working great. I am trying to secure just one page for Stripe payments.
https://arcwaveusa.com/signup
I have the ssl cert installed and working (I see the green padlock) but I get a nginx 404 when I go to the page.
Any Ideas how to fix?
You need to copy complete config block in server block for SSL.
Like this: http://pastebin.com/Gedq1bvN
That works great for login and wp-admin but I get a redirect loop on /signup. It looks like there are two 301 redirects. In the 443 server block, would some kind of try_files work?
location ~ /signup/ {
#return 301 https://$server_name$request_uri;
try_files $uri $uri/ /index.html;
}
This worked to stop the redirect loop and secure the page. Thank you!!
Glad to know your issue got fixed. 🙂
Isn't `/signup/` part of WordPress?
/signup/ is just a page I created in WordPress that is hosting my Stripe signup form. I needed it to be secured by SSL.
Fine. I recommend using SSL for the complete site. Won’t make any difference to performance if you follow – https://rtcamp.com/tutorials/nginx/ssl-pci-compliance-performance/