Nginx – Insecure after setting up SSL/HTTPS on the nginx server

httpsnginxssl

I'm trying to set up HTTPS/SSL on my site test.example.com.

I edited my file at /etc/nginx/sites-enabled/my_site so that the top section of the server {} block is this.

server {
    listen 443;
    ssl on;
    ssl_certificate /etc/ssl/cert_chain.crt;
    ssl_certificate_key /etc/ssl/example.key;
    server_name test.example.com;
    error_log /var/log/nginx/debug.log debug;

    ... Rest of code ...
}

I ran nginx restart. But if I go to https://test.testexample.com in Chromium, my browser warns that my connection to the site is insecure.

Chromium error:

Your connection is not private
Attackers might be trying to steal your information from test.example.com (for example, passwords, messages, or credit cards). Learn more
NET::ERR_CERT_COMMON_NAME_INVALID

This server could not prove that it is test.example.com; its security certificate is from example.com. This may be caused by a misconfiguration or an attacker intercepting your connection.

My certificate was issued by Comodo. I'm following Namecheap's guide on integrating SSL into my site. Step 3: https://www.namecheap.com/support/knowledgebase/article.aspx/9419/0/nginx

Best Answer

NET::ERR_CERT_COMMON_NAME_INVALID ...
This server could not prove that it is test.example.com; its security certificate is from example.com. This may be caused by a misconfiguration or an attacker intercepting your connection.

The certificate returned by the server does not match the name in the URL. Based on this description you've ordered a certificate for example.com but try to access the site as test.example.com which is not the domain the certificate was issued for.

This problem might be due to a wrong understanding of how the comparison of the domain in the URL against the certificate works. In general:

A certificate is only valid for the domains explicitly mentioned in the subject alternative names section of the certificate (Chrome ignores CN). This means example.com does not match test.example.com.
If you have a wildcard there can only be one *, it must be the leftmost label and it matches only a single part of the domain, i.e. a certificate for *.example.com will match www.example.com and test.example.com but not www.test.example.com.

Correct way in new versions of nginx

Turn out my first answer to this question was correct at certain time, but it turned into another pitfall - to stay up to date please check Taxing rewrite pitfalls

I have been corrected by many SE users, so the credit goes to them, but more importantly, here is the correct code:

server {
       listen         80;
       server_name    my.domain.com;
       return         301 https://$server_name$request_uri;
}

server {
       listen         443 ssl;
       server_name    my.domain.com;
       # add Strict-Transport-Security to prevent man in the middle attacks
       add_header Strict-Transport-Security "max-age=31536000" always; 

       [....]
}

Nginx/Apache: set HSTS only if X-Forwarded-Proto is https

You could have multiple server blocks. So just add new server block for domains that need HSTS.

server {
    listen xx.xx.xxx.xxx:443 ssl default_server;

    # all ssl stuff
    # and other directives
}

server {
    listen xx.xx.xxx.xxx:443 ssl;
    server_name example.com other.example.com;

    # all ssl stuff
    # and other directives with HSTS enabled
}

Here first block will handle all https connections except example.com and other.example.com.

And you don't need ssl on directive if you have ssl flag in listen.

EDIT

There is another solution with only one server block:

map $scheme:$host $hsts_header {
    default "";
    https:example.com "max-age=31536000";
    https:other.example.com "max-age=31536000";
}

server {
    server_tokens off;

    listen xx.xx.xxx.xxx:80;
    listen xx.xx.xxx.xxx:443 ssl;

    ssl_certificate /etc/ssl/foo.crt;
    ssl_certificate_key /etc/ssl/private/foo.key;

    ssl_session_timeout 10m;

    # ... other ssl stuff

    location / {
        proxy_pass http://127.0.0.1:81;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header Host $host;
        add_header X-XSS-Protection "1; mode=block";
        add_header Strict-Transport-Security $hsts_header;
    }
}

We use map to define HSTS header value and use the fact, than nginx will not add header with empty value.

Best Answer

Related Solutions

NGINX Redirect – How to Rewrite All HTTP Requests to HTTPS While Maintaining Sub-Domain

Correct way in new versions of nginx

Nginx/Apache: set HSTS only if X-Forwarded-Proto is https

Related Topic