img

How to configure HTTPS on NGINX server EC2 AWS

Below is a code block that you can use to configure NGINX for HTTPS


    server {
    # listen to port 80
    listen 80;
    listen [::]:80;

    # respond only from these IP addresss / domain names
    server_name www.oklogical.com oklogical.com;

    # do a permanent redirect with http code 301 to https
    return 301 https://$host$request_uri;

    server {
    # listen to 443
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name www.oklogical.com oklogical.com;

    # provide the ssl certificate path generated by certbot/letsencrypt
    # /etc/letsencrypt/live/speechwithai.com/fullchain.pem;
    # something like this
    # must provide a path where your certiifcates are stored
    ssl_certificate /etc/letsencrypt/live/itsoktobelogical.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/itsoktobelogical.com/privkey.pem;

    #### rest all is default setting, do not change.
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
    ssl_session_tickets off;

    # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
    # ssl_dhparam /path/to/dhparam;

    # intermediate configuration
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;

    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
    add_header Strict-Transport-Security "max-age=63072000" always;

    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;

    # verify chain of trust of OCSP response using Root CA and Intermediate certs
    # ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;

    # replace with the IP address of your resolver
    resolver 127.0.0.53;

    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    # location / means any request that comes to server at speechwithai.com/ should be send to
    location / {
        include proxy_params;
        proxy_pass http://localhost:3000;
    }

    # location /pyAPI means any request that comes to server at speechwithai.com/pyAPI/ should be send to a different application
    # in this case a python Flask RESTFul API
    # this could be speechwithai.com/pyAPI/deleteBook or speechwithai.com//pyAPI/userLogin etc
    # this is just an example and you can delete this if you dont need this
    # as of now it is commented anyway
    location /pyAPI {
        include proxy_params;
        proxy_pass http://unix:/home/ubuntu/API/api.sock;
    }

    # if you want to server static files from any other location, add this to your config
    location /data/res/ {
        autoindex on;
        alias /home/ubuntu/data/res/ ;
    }
}

Share it friends or on social media


Blogs that you might like