SSL Configuration Guide

Secure your website with SSL/TLS certificates to enable HTTPS, protect user data, and improve SEO rankings.

Let's Encrypt with Certbot

Free, automated, and open certificate authority provided by the Internet Security Research Group (ISRG).

1. Install Certbot

Install Certbot and the Nginx plugin. If you're using Apache, replace 'nginx' with 'apache' in the package name (python3-certbot-apache) and use --apache instead of --nginx in the commands below.

# For Ubuntu/Debian
sudo apt update
sudo apt install certbot python3-certbot-nginx -y

# For CentOS/RHEL
sudo yum install epel-release
sudo yum install certbot python3-certbot-nginx -y

2. Obtain SSL Certificate

Run Certbot with the Nginx plugin, specifying your domain names. Replace 'yourdomain.com' with your actual domain.

sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com

3. Verify Auto-Renewal

Test the automatic renewal process to ensure it works correctly. The Certbot package installs a systemd timer (or a cron job on older systems) that renews your certificates before they expire; a dry run exercises the whole renewal path, including the Nginx reload, without issuing a real certificate.

sudo certbot renew --dry-run

4. Check Certificate Status

View information about your certificates, including expiration dates.

sudo certbot certificates

Cloudflare SSL

Cloudflare provides free SSL certificates and additional security features through their CDN.

1. Sign up for Cloudflare

Create a Cloudflare account at cloudflare.com and add your domain.

2. Update Nameservers

Update your domain's nameservers to Cloudflare's nameservers at your domain registrar.

3. Enable SSL

In the Cloudflare dashboard, go to the SSL/TLS section and select 'Flexible', 'Full', or 'Full (Strict)' SSL mode. 'Flexible' encrypts only the browser-to-Cloudflare leg and sends traffic from Cloudflare to your origin as plain HTTP; 'Full' encrypts both legs but does not validate the origin certificate; 'Full (Strict)' also validates it, so it is the mode to use once your origin has a valid certificate such as the Let's Encrypt one above.

4. Create Page Rule (Optional)

Create a page rule to always use HTTPS: go to Page Rules, add a rule for http://*yourdomain.com/*, and select 'Always Use HTTPS'.

Nginx SSL Configuration

Configure Nginx to use your SSL certificates and enforce HTTPS.

1. Create Nginx SSL Configuration

Create an Nginx configuration file for your domain with SSL settings. Replace 'yourdomain.com' with your actual domain and adjust the proxy_pass to your application's address.

server {
    listen 80;
    server_name yourdomain.com www.yourdomain.com;
    # Redirect every plain-HTTP request to HTTPS
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name yourdomain.com www.yourdomain.com;

    # Files written by Certbot (fullchain.pem includes the intermediate certificate)
    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;

    # SSL configuration: TLS 1.2/1.3 only, forward-secret AEAD ciphers, no session tickets
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    # OCSP Stapling (ssl_stapling_verify needs the issuer chain to validate the stapled response)
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/yourdomain.com/chain.pem;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;

    # Security headers ("always" sends HSTS on error responses too).
    # Note: a location block that sets its own add_header drops all of these, so repeat them there.
    add_header Strict-Transport-Security "max-age=63072000" always;
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-XSS-Protection "1; mode=block";

    # Your site configuration
    location / {
        proxy_pass http://localhost:3000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        # The proxy hop is plain HTTP; tell the backend the client request was HTTPS
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_cache_bypass $http_upgrade;
    }
}

2. Test Nginx Configuration

Test the Nginx configuration for syntax errors.

sudo nginx -t

3. Reload Nginx

Reload Nginx to apply the new configuration.

sudo systemctl reload nginx

SSL Best Practices

Security Recommendations

  • Use strong SSL/TLS protocols (TLSv1.2 and TLSv1.3)
  • Implement HTTP Strict Transport Security (HSTS)
  • Enable OCSP Stapling to improve performance
  • Use secure cipher suites and disable weak ciphers
  • Implement Content Security Policy (CSP)

Maintenance Tips

  • Set up automatic certificate renewal
  • Monitor certificate expiration dates
  • Regularly test your SSL configuration with tools like SSL Labs
  • Keep your web server and SSL libraries updated
  • Implement monitoring for SSL-related issues
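A small monitor for the expiry and hostname checks listed above, added here as an example (not part of the original guide). fetch_cert() performs a real verifying handshake; evaluate_cert() is a pure function over the dict shape that ssl.SSLSocket.getpeercert() returns, so it can be exercised offline. The 30-day threshold is chosen to match Certbot's renewal window; 'yourdomain.com' is the placeholder used throughout this guide.

```python
import socket
import ssl
import sys
import time

WARN_DAYS = 30  # certbot renews with 30 days left, so fewer than that means renewal is failing

def fetch_cert(hostname, port=443, timeout=5.0):
    """Real handshake with the default verifying context; returns (peer cert dict, TLS version)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert(), tls.version()

def days_until_expiry(cert, now_ts=None):
    """Whole days left on the certificate; negative once it has expired."""
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])  # e.g. 'Jun  1 12:00:00 2025 GMT'
    return int((not_after - (time.time() if now_ts is None else now_ts)) / 86400)

def san_matches(cert, hostname):
    """True if a DNS subjectAltName covers hostname (exact match or one-label wildcard)."""
    host = hostname.lower()
    for kind, name in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = name.lower()
        if name == host:
            return True
        if name.startswith("*.") and host.count(".") == name.count(".") and host.endswith(name[1:]):
            return True
    return False

def evaluate_cert(cert, hostname, tls_version, now_ts=None, warn_days=WARN_DAYS):
    """Findings for a certificate dict as returned by getpeercert(); an empty list means healthy."""
    findings = []
    left = days_until_expiry(cert, now_ts)
    if left < 0:
        findings.append(f"certificate expired {-left} days ago")
    elif left < warn_days:
        findings.append(f"certificate expires in {left} days; check 'certbot renew'")
    if not san_matches(cert, hostname):
        findings.append(f"no subjectAltName entry covers {hostname}")
    if tls_version not in ("TLSv1.2", "TLSv1.3"):
        findings.append(f"negotiated {tls_version}; only TLSv1.2 and TLSv1.3 should be enabled")
    return findings

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "yourdomain.com"  # placeholder domain
    cert, version = fetch_cert(host)
    print("\n".join(evaluate_cert(cert, host, version)) or "OK")
```

Run it from cron against each hostname you serve and alert on any non-empty output; a single-label wildcard such as *.yourdomain.com covers www.yourdomain.com but not deeper names, which is the behaviour browsers apply.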

SSL Testing Tools

SSL Labs

Comprehensive SSL server test that analyzes your server's configuration and provides a detailed report.


SSL Checker

Quick tool to check your SSL certificate installation, expiration date, and chain issues.


Why No Padlock?

Helps diagnose mixed content issues that prevent the browser from showing the padlock icon.


Need Help with SSL Configuration?

SSL configuration can be complex. If you need assistance setting up SSL for your website, I can help.