Set up an SSL Certificate (RapidSSL) on EC2


Here are the quick steps to generate the private key and the certificate signing request (CSR):

openssl genrsa -out www.domain.com.key 2048
openssl req -new -key www.domain.com.key -out www.domain.com.csr

The second command prompts for the subject fields; the values used here were:
Country Name (2 letter code) [AU]:ID
State or Province Name (full name) [Some-State]:Jakarta
Locality Name (eg, city) []:Jakarta
Organization Name (eg, company) [Internet Widgits Pty Ltd]:PT POLATIC INFORMATIKA INDONESIA
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:www.polatic.com
Email Address []:cs@polatic.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:PT POLATIC INFORMATIKA INDONESIA

Check every value in the CSR before sending it off:

openssl req -in www.domain.com.csr -noout -text

The value given for "Common Name (e.g. server FQDN or YOUR name)" becomes the domain name the certificate is issued for, and it must match the hostname nginx serves. Decide carefully whether you want the "www" or the non-www name.

Then we buy the certificate.

Next, we receive the certificate from RapidSSL and download the intermediate certificate from their website.
Merge them into one file, with the server certificate first and the intermediate after it (nginx reads the first block as the server certificate):

cat www.domain.com.ssl www.domain.com.intermediate > www.domain.com.crt

Then in the NGINX configuration:

server { # Redirect http, non-www to https, www (listens on port 80 by default)
    # Note: only the bare domain is redirected here; http://www.polatic.com is not covered by this config.
    server_name polatic.com;
    return 301 https://www.polatic.com$request_uri;
}

server { # Redirect https, non-www to https, www
    listen 443 ssl;
    server_name polatic.com;

    ssl_certificate      /etc/ssl/polatic.com.crt;
    ssl_certificate_key  /etc/ssl/polatic.com.key;
    return 301 https://www.polatic.com$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name www.polatic.com;
    # "ssl on;" is redundant with "listen 443 ssl" above and has been removed from newer nginx releases.
    # ssl on;
    root    /var/polatic;

    ssl_certificate      /etc/ssl/polatic.com.crt;   # server cert followed by the intermediate
    ssl_certificate_key  /etc/ssl/polatic.com.key;

    client_body_timeout  460;
    client_header_timeout 460;
    send_timeout 460;
    client_max_body_size 10m;
    keepalive_timeout       300 300;

    access_log  /var/log/nginx/access.log;
    index  index.php index.html index.htm;

    location = /favicon.ico {
            log_not_found off;
            access_log off;
    }

    location = /robots.txt {
            allow all;
            log_not_found off;
            access_log off;
    }

    location / {
            # This is cool because no php is touched for static content
            try_files $uri $uri/ /index.php?$args;
    }


    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    # The dot must be escaped: an unescaped "." is a regex wildcard, so ".php$"
    # would also match paths such as "/file.xphp".
    location ~ \.php$ {
            # Only hand existing files to PHP-FPM; otherwise a request like
            # /uploads/image.png/x.php can be executed as PHP when
            # cgi.fix_pathinfo is enabled.
            try_files $uri =404;
            fastcgi_send_timeout 3800;
            fastcgi_read_timeout 3800;
            fastcgi_connect_timeout 2800;
            fastcgi_pass unix:/var/run/php5-fpm.sock;
            fastcgi_index  index.php;
            fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
            include fastcgi_params;
    }

    location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
            expires max;
            log_not_found off;
    }

    # deny access to .htaccess files, if Apache document root
    # concurs with nginx one
    #
    location ~ /\.ht {
            deny  all;
    }

}
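The whole procedure above, from key and CSR generation through the merged bundle, as an added shell example that is not part of the original post. It generates the CSR non-interactively with the same subject values, then runs the checks worth doing before reloading nginx: that the CSR's Common Name is the intended hostname, that the first certificate in the bundle is the server certificate rather than the intermediate, and that the private key matches the certificate. A constructed local CA stands in for RapidSSL, since no real issued certificate is available offline.

```shell
#!/bin/sh
# Added example (not from the post): non-interactive key/CSR generation plus
# the checks to run before handing the CSR to RapidSSL and before pointing
# nginx at the merged bundle. The "intermediate" here is a constructed CA.
set -e

# Create a 2048-bit RSA key and a CSR for $1 with no interactive prompts.
make_csr() {
    openssl genrsa -out "$1.key" 2048 2>/dev/null
    openssl req -new -key "$1.key" -out "$1.csr" -subj \
      "/C=ID/ST=Jakarta/L=Jakarta/O=PT POLATIC INFORMATIKA INDONESIA/OU=IT/CN=$1/emailAddress=cs@polatic.com"
}

# Print the Common Name in CSR $1: the CA copies it into the certificate,
# so it must equal the nginx server_name (www or non-www).
csr_common_name() {
    openssl req -in "$1" -noout -subject -nameopt multiline |
      sed -n 's/^ *commonName *= *//p'
}

# Print the Common Name of the FIRST certificate in PEM file $1.
# openssl x509 reads only the first block, like nginx does, so on the
# merged bundle this must be the server certificate, not the intermediate.
first_cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
      sed -n 's/^ *commonName *= *//p'
}

# Succeed only if private key $1 and certificate $2 share a modulus;
# with a mismatched ssl_certificate/ssl_certificate_key pair nginx fails to start.
key_matches_cert() {
    [ "$(openssl rsa -in "$1" -noout -modulus)" = \
      "$(openssl x509 -in "$2" -noout -modulus)" ]
}

# Build a scratch directory holding the key, the CSR, a constructed
# intermediate CA, the certificate it signed, and the bundle merged in the
# post's order. Prints the directory path so the files can be inspected.
prepare_demo() {
    d=$(mktemp -d); cd "$d"
    make_csr www.polatic.com
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout ca.key \
      -out www.polatic.com.intermediate -subj "/CN=Constructed Intermediate CA" 2>/dev/null
    openssl x509 -req -days 1 -in www.polatic.com.csr -CA www.polatic.com.intermediate \
      -CAkey ca.key -CAcreateserial -out www.polatic.com.ssl 2>/dev/null
    cat www.polatic.com.ssl www.polatic.com.intermediate > www.polatic.com.crt
    echo "$d"
}
```

Running `D=$(prepare_demo)` and then `first_cert_cn "$D/www.polatic.com.crt"` should print www.polatic.com; if it prints the intermediate's name instead, the two files were concatenated in the wrong order.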
