Configure nginx with SSL and SPDY on Ubuntu 12.04 Precise

As an experiment, last night I decided to configure nginx with SSL and SPDY. Finding information on how to get it working with Ubuntu 12.04 wasn’t that easy, so I decided to write the process down.

I will assume here that you already have a certificate. If you don’t, you can get one from many vendors. I got my SSL certificate from StartSSL. If you also want one, you can register here.

Add the repository

First, you need to have version 1.4 or higher of nginx. You can get that on Ubuntu 12.04 by installing the nginx/stable ppa:

sudo add-apt-repository ppa:nginx/stable

Install nginx

Then, you will have to update apt and install nginx. If you already have nginx installed, you’ll have to do a dist-upgrade.

So, when nginx is not yet installed:

sudo apt-get update
sudo apt-get install nginx

If nginx is already installed:

sudo apt-get update
sudo apt-get dist-upgrade

Install certificates

Now that the right version of nginx is installed, you first need to install your certificate.

Put your private key into /etc/ssl/private/, and chmod it to 400:

sudo chmod 400 /etc/ssl/private/jacobkiers.net.key

Then, put your public certificate into /etc/ssl/certs/. In many cases, you have to establish a certificate chain. That means that your web server sends multiple certificates to the browser. Please check the documentation of the CA where you got your certificate.

You can do that by appending the CA certificate to your own certificate, so that your own certificate comes first in the file:

sudo sh -c 'cat /path/to/ca/certificate >> /etc/ssl/certs/your-certificate'
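
The following script is an added example, not part of the original post: a structural check of the two files installed above, catching the usual mistakes of the chmod and cat >> steps (wrong key mode, fused PEM markers when the certificate file had no trailing newline, a CA certificate appended twice, key material in the certificate file). It does not verify signatures or expiry, and the function names and script name are hypothetical.

```shell
#!/bin/sh
# Added example: structural lint for the key and chained certificate files.
# It does not verify signatures or expiry; it only catches install mistakes.

# check_key_mode KEYFILE: succeeds only if the mode is exactly 0400.
check_key_mode() {
    [ "$(ls -ld -- "$1" | cut -c1-10)" = "-r--------" ]
}

# count_certs CERTFILE: prints the number of certificates in the file.
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true
}

# lint_chain CERTFILE: prints one line per problem, fails if any was found.
lint_chain() {
    awk '
        # "cat >>" onto a file with no trailing newline fuses two PEM markers.
        /CERTIFICATE----------BEGIN/ { print "fused PEM markers at line " NR; bad = 1 }
        # /etc/ssl/certs is world-readable: key material must never land here.
        /PRIVATE KEY-----/ { print "private key material at line " NR; bad = 1 }
        /^-----BEGIN CERTIFICATE-----$/ {
            if (open) { print "unterminated certificate before line " NR; bad = 1 }
            open = 1; body = ""; next
        }
        /^-----END CERTIFICATE-----$/ {
            if (!open) { print "END without BEGIN at line " NR; bad = 1 }
            # Running the append twice leaves the same certificate in twice.
            else if (seen[body]++) { print "duplicate certificate ending at line " NR; bad = 1 }
            else n++
            open = 0; next
        }
        open { body = body $0 }
        END {
            if (open) { print "unterminated certificate at end of file"; bad = 1 }
            if (n == 0) { print "no complete certificate found"; bad = 1 }
            exit bad + 0
        }
    ' "$1"
}

# Stand-alone use: sh lint.sh KEYFILE CERTFILE (script name is hypothetical).
if [ "$#" -eq 2 ]; then
    check_key_mode "$1" || echo "key mode is not 0400: $1"
    lint_chain "$2" && echo "$(count_certs "$2") certificate(s), structure OK"
fi
```

Run it with sudo, since /etc/ssl/private/ is not readable by ordinary users.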

Update site configuration

Good, we’re almost done. The last thing you need to do is update the nginx site configuration. You just have to tell nginx that you want SSL and SPDY, and where it can find the certificates.

Put this in the server block of your domain:

server {
    listen 443 ssl spdy;

    ssl_certificate /etc/ssl/certs/jacobkiers.net.crt;
    ssl_certificate_key /etc/ssl/private/jacobkiers.net.key;

    server_name jacobkiers.net;

    ####
    # All
    # other
    # configuration
    ####
}

And that’s it!

Let’s check the configuration:

sudo /etc/init.d/nginx configtest

and when nginx indicates that everything is OK, restart it:

sudo service nginx stop
sudo service nginx start

Your website should now be serving SSL over SPDY!

Bonus: Serving Only SSL

As I want to only serve my domain over SSL and only use the top-level domain, I had to add a little more configuration: two extra server blocks.

server {
    # Rewrite non-https domains.
    listen 80;

    server_name jacobkiers.net www.jacobkiers.net;
    return 301 https://jacobkiers.net$request_uri;
}

server {
    # Rewrite https://www.jacobkiers.net/
    # to      https://jacobkiers.net/
    listen 443 ssl spdy;

    ssl_certificate /etc/ssl/certs/jacobkiers.net.crt;
    ssl_certificate_key /etc/ssl/private/jacobkiers.net.key;

    server_name www.jacobkiers.net;
    return 301 https://jacobkiers.net$request_uri;
}