I have a staging rails app running with passenger on nginx. I want to secure the connections with SSL. I have read a lot of resources online but I have yet to make it run on SSL.
So far, my server block on nginx.conf is:
server {
    listen 80;
    listen 443 default deferred;
    server_name example.com;
    root /home/deploy/app/public;
    passenger_enabled on;
    passenger_set_cgi_param HTTP_X_FORWARDED_PROTO https;
    ssl on;
    ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:RSA+3DES:!ADH:!AECDH:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_certificate /etc/ssl/server.crt;
    ssl_certificate_key /etc/ssl/server.key;
}
The site is running but not on HTTPS.
I've just made the decision to go with SSL myself and found an article on the DigitalOcean site on how to do this. It might be the "listen 443 default deferred;" line, which according to that article should be "ssl", not "deferred".
Here's the nginx block they use:
server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;
    listen 443 ssl;
    root /usr/share/nginx/html;
    index index.html index.htm;
    server_name your_domain.com;
    ssl_certificate /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;
    location / {
        try_files $uri $uri/ =404;
    }
}
UPDATE:
I now have my own site running on SSL. Along with the above I just told Rails to force SSL. In your production environment config:
# ./config/environments/production.rb
config.force_ssl = true
Optionally, you can add these settings in the nginx.conf:
http {
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    keepalive_timeout 70;
}
UPDATE: 2015-09
Since I wrote this answer I've added a few extra things to my nginx config, which I believe everyone should also include. Add the following to your server block:
server {
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
    add_header X-Frame-Options DENY;
}
The first three lines (ssl_prefer_server_ciphers, ssl_protocols, ssl_ciphers) are the most important as they make sure you have good strong SSL settings.
The X-Frame-Options header prevents your site from being included via <iframe> tags. I expect most people will benefit from including this setting.
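Added example, not code from the question or the answer above: a POSIX shell script that puts the questioner's server block (reproduced as constructed test input) next to a corrected one, and a small textual lint for the two mistakes the answer points at. A plain "listen 443" without the ssl parameter serves cleartext HTTP on 443, and the server-wide "ssl on;" (obsolete since nginx 1.15.0) applies TLS to every listen socket in that block, port 80 included, so plain HTTP requests there get "400 The plain HTTP request was sent to HTTPS port". The lint also flags ssl_protocols lines that still enable SSLv3, TLSv1 or TLSv1.1, which were fine to list in 2015 but are retired today (RFC 8996); the corrected block below uses TLSv1.2 and TLSv1.3 instead. Hostnames, certificate paths and both configs are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the question or answer). Lints nginx server blocks
# for the SSL mistakes discussed above. All config text here is constructed.

# The server block from the question, reproduced as lint input
BROKEN_CONF='server {
    listen 80;
    listen 443 default deferred;
    server_name example.com;
    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_certificate /etc/ssl/server.crt;
    ssl_certificate_key /etc/ssl/server.key;
}'

# Corrected layout: port 80 only redirects, port 443 carries the ssl flag,
# and there is no "ssl on;" at all (the listen parameter replaces it).
# TLSv1.3 needs nginx 1.13.0+ built against OpenSSL 1.1.1+.
FIXED_CONF='server {
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate /etc/ssl/server.crt;
    ssl_certificate_key /etc/ssl/server.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    add_header X-Frame-Options DENY;
}'

# Print one finding per line for the config text passed as $1.
# Always exits 0; callers count the lines to decide pass/fail.
lint_nginx_ssl() {
    conf="$1"
    # 1. server-wide "ssl on;": every listen in the block becomes TLS
    if printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;'; then
        echo 'ssl on; is set: every listen in this block becomes TLS, including port 80'
    fi
    # 2. a listen on 443 (IPv4 or [::]:443) that lacks the ssl parameter
    printf '%s\n' "$conf" \
      | grep -E '^[[:space:]]*listen[[:space:]]+(\[::\]:)?443([[:space:]]|;)' \
      | grep -Ev '[[:space:]]ssl([[:space:]]|;)' \
      | while IFS= read -r line; do
            echo "listen on 443 without the ssl parameter: $line"
        done
    # 3. ssl_protocols still enabling SSLv3, TLSv1 or TLSv1.1
    printf '%s\n' "$conf" \
      | grep -E '^[[:space:]]*ssl_protocols[[:space:]]' \
      | grep -E 'SSLv3|TLSv1(\.1)?([[:space:]]|;)' \
      | while IFS= read -r line; do
            echo "ssl_protocols enables a retired protocol version: $line"
        done
    return 0
}

# Number of findings for a config; 0 means the block passes this lint
lint_nginx_ssl_count() {
    lint_nginx_ssl "$1" | grep -c . || true
}

# Stand-alone run: report on both configs
echo "question's block:"; lint_nginx_ssl "$BROKEN_CONF"
echo "corrected block:";  lint_nginx_ssl "$FIXED_CONF"
```

To use it on a real server, replace the BROKEN_CONF value with the output of "cat /etc/nginx/sites-enabled/*" (path assumed) and run the lint; it is a text check only, so still run "nginx -t" after every edit, since only nginx itself validates the full configuration. The check fires on the questioner's block three times (ssl on, the unflagged listen 443, and the TLSv1/TLSv1.1 entries) and not at all on the corrected block.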