Configuring OpenSSL for Nginx on CentOS 7


Configuring OpenSSL for Nginx on CentOS 7 - HTTPS has become the standard for security on the World Wide Web (WWW). HTTPS uses the SSL (Secure Sockets Layer) or TLS (Transport Layer Security) transport layer to encrypt data between the web server and the browser.


Continuing from the previous article, this time www.dimasrio.com covers how to enable the ssl module in nginx.

Enable SSL in Nginx

Here we will install OpenSSL from source.
wget https://www.openssl.org/source/openssl-1.0.2n.tar.gz
Extract the archive and compile the OpenSSL source.
tar -zxvf openssl-1.0.2n.tar.gz
cd openssl-1.0.2n
./config --prefix=/opt/openssl
make
make install
Create the SSL certificate and key. As an example, I will create a certificate for the domain dimzrio.com.
mkdir /opt/nginx/ssl
/opt/openssl/bin/openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /opt/nginx/ssl/nginx.key -out /opt/nginx/ssl/nginx.crt
Output:
-----
Country Name (2 letter code) [AU]:ID
State or Province Name (full name) [Some-State]:DKI Jakarta
Locality Name (eg, city) []:Cipinang
Organization Name (eg, company) [Internet Widgits Pty Ltd]:dimzrio tutorials
Organizational Unit Name (eg, section) []:dimzrio
Common Name (e.g. server FQDN or YOUR name) []:dimzrio.com
Email Address []:nginx@dimzrio.com
Next, recompile nginx with the ssl module enabled.
./configure --prefix=/opt/nginx --pid-path=/var/run/nginx.pid --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --user=nginx --group=nginx --with-threads --with-file-aio --with-http_sub_module --with-http_geoip_module --with-http_dav_module --with-stream --with-http_v2_module --with-stream_ssl_module --with-http_ssl_module --with-openssl=/root/source/openssl-1.0.2n

make
make install
Once the ssl module is installed, check the build information.
/opt/nginx/sbin/nginx -V
Output:
...
built with OpenSSL 1.0.2n 7 Dec 2017
TLS SNI support enabled
...

Setting Up SSL in Nginx

Set up nginx.conf as shown below.
nano /opt/nginx/conf/nginx.conf
Content:
user nginx;
worker_processes 1;

events {
    worker_connections 1024;
}

http {
    include mime.types;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    sendfile on;
    tcp_nopush on;
    keepalive_timeout 65;

    include vhosts/*.conf;
}
Create a vhost for dimzrio.com.
mkdir /opt/nginx/conf/vhosts
nano /opt/nginx/conf/vhosts/dimzrio-com.conf
Content:
server {
    listen 80;
    listen 443 ssl http2;
    access_log /var/log/nginx/dimzrio-access.log main;
    error_log /var/log/nginx/dimzrio-error.log;
    server_name dimzrio.com;

    # SSL Config #
    if ($scheme = http) {
        return 301 https://$server_name$request_uri;
    }

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_certificate /opt/nginx/ssl/nginx.crt;
    ssl_certificate_key /opt/nginx/ssl/nginx.key;
    ssl_session_timeout 5m;
    ssl_session_cache shared:TLS:10m;
    ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA512:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:ECDH+AESGCM:ECDH+AES256:DH+AESGCM:DH+AES256:RSA+AESGCM:!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;
    ssl_prefer_server_ciphers on;

    location / {
        index index.html;
        root /opt/nginx/html;
    }
}
Start the nginx service.
/opt/nginx/sbin/nginx -c /opt/nginx/conf/nginx.conf
Next, test in a browser at https://dimzrio.com. Because the certificate is self-signed, the browser will show a certificate warning first.
If the site is reachable, SSL is active.
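
An added example, not part of the original tutorial: a small Python audit of the TLS directives in the vhost above. It flags the TLSv1 and TLSv1.1 entries in ssl_protocols (both deprecated by RFC 8996; with the OpenSSL 1.0.2n build used here, which has no TLS 1.3, that leaves TLSv1.2). The function names and the REQUIRED_EXCLUSIONS baseline are assumptions of this example.

```python
import re
# Constructed sample: the TLS directives of the dimzrio.com vhost shown above.
SAMPLE_VHOST = """\
server {
    listen 80;
    listen 443 ssl http2;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_certificate /opt/nginx/ssl/nginx.crt;
    ssl_certificate_key /opt/nginx/ssl/nginx.key;
    ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA512:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:ECDH+AESGCM:ECDH+AES256:DH+AESGCM:DH+AES256:RSA+AESGCM:!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;
    ssl_prefer_server_ciphers on;
}
"""
# SSLv2/SSLv3 are broken; TLS 1.0 and 1.1 are deprecated by RFC 8996.
DEPRECATED = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")
# Assumption: minimum set of exclusions this audit expects in ssl_ciphers.
REQUIRED_EXCLUSIONS = ("!aNULL", "!eNULL", "!RC4", "!3DES", "!MD5")

def parse_directives(text):
    """Map directive name -> list of argument lists for 'name args;' lines."""
    found = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"([a-z_]+)\s+(.+?)\s*;$", line)
        if m:
            found.setdefault(m.group(1), []).append(m.group(2).split())
    return found

def audit_tls(text):
    """Return findings for the TLS directives of one nginx server block."""
    d, findings = parse_directives(text), []
    if not any("ssl" in args for args in d.get("listen", [])):
        findings.append("no 'listen ... ssl': TLS is not enabled on any socket")
    protocols = d.get("ssl_protocols", [[]])[-1]
    weak = [p for p in protocols if p in DEPRECATED]
    if weak:
        keep = [p for p in protocols if p not in DEPRECATED] or ["TLSv1.2"]
        findings.append("deprecated protocols %s; use 'ssl_protocols %s;'"
                        % (", ".join(weak), " ".join(keep)))
    if "ssl_ciphers" in d:
        ciphers = d["ssl_ciphers"][-1][0].split(":")
        missing = [x for x in REQUIRED_EXCLUSIONS if x not in ciphers]
        if missing:
            findings.append("ssl_ciphers lacks exclusions: " + " ".join(missing))
    if d.get("ssl_prefer_server_ciphers", [["off"]])[-1] != ["on"]:
        findings.append("ssl_prefer_server_ciphers is not 'on'")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_tls(SAMPLE_VHOST)) or "no findings")
```

Run it against a vhost file by passing the file's text to audit_tls(); after changing the directive to `ssl_protocols TLSv1.2;` the sample produces no findings.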

That concludes this nginx tutorial on enabling SSL in nginx with OpenSSL. Hopefully it is useful to all of us, and good luck trying it out!

