dev4web
5/25/2017 - 3:27 PM

How to secure your site with HTTPS? — First published in fullweb.io issue #101

How to secure your site with HTTPS? — First published in fullweb.io issue #101

How to secure your site with HTTPS?

With HTTP everything is visible when traveling on the Internet. By generating an SSL certificate and configuring your webserver you can force browsers to use HTTPS. Here is how to proceed:

# 1. Install letsencrypt
sudo pip install letsencrypt

# 2. Generate a cerficate for your doman
sudo certbot certonly -d mydomain.com

# 3. Configure your nginx config file 
listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
ssl_session_timeout 10m;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

# 4. Reload nginx and you're done
service nginx reload

Redirect HTTP to HTTPS:

server {
  server_name mydomain.com;
  listen 80;
  return 301 https://mydomain.com$request_uri;
}