Configure SSL and HTTPS in Nginx
The core tasks to carry out to implement HTTPS and SSL security layers are:
Configure TLS certificates in Nginx to enable secure data exchange through the web server.
EclecticIQ Intelligence Center configures Nginx to read the TLS private key
and certificate files from the
The TLS private key file for EclecticIQ Intelligence Center is
eclecticiq-default.privkey.pem, whereas the certificate
If these files do not exist when EclecticIQ Intelligence Center is installed, the installation procedure generates a localhost self-signed certificate as a temporary workaround.
Do not use self-signed TLS or SSL certificates in a production environment.
They are meant for development and testing, and are unsuitable for deployment in a live system.
To set your valid TLS private key and certificate files in Nginx:
Copy your key and certificate over the eclecticiq-default.privkey.pem and eclecticiq-default.fullchain.pem files, or over the self-signed certificate generated during the installation:
cp /path/to/my/key.pem /etc/eclecticiq-nginx/ssl/eclecticiq-default.privkey.pem
cp /path/to/my/cert.pem /etc/eclecticiq-nginx/ssl/eclecticiq-default.fullchain.pem
If a script manages certificate renewal and keeps the files in a different path, create symbolic links (symlinks) in the location where Nginx looks for these credentials:
ln -sf /path/to/my/key.pem /etc/eclecticiq-nginx/ssl/eclecticiq-default.privkey.pem
ln -sf /path/to/my/cert.pem /etc/eclecticiq-nginx/ssl/eclecticiq-default.fullchain.pem
Every time the private key or the certificate files change, reload the Nginx service to make the changes effective:
systemctl reload nginx
Nginx supports client certificate verification through the following directives:
To enable TLS client certificate verification:
Create the following file:
Add the following lines to the newly created file:
ssl_client_certificate /etc/nginx/certs/ca.crt;
ssl_verify_client on;
The ca.crt file contains the certificate (the public part) of the certification authority (CA) that signed the client certificates; Nginx uses it to verify them.
You can obtain this file from the CA.
Enforce HTTP Strict Transport Security (HSTS) in Nginx to allow only secure connections through HTTPS and TLS/SSL.
HTTP Strict Transport Security (HSTS) provides an additional security layer by allowing communication only through HTTPS connections.
You can implement it by adding the Strict-Transport-Security HTTP response header to the web server configuration.
To add the Strict-Transport-Security HTTP response header to the Nginx configuration:
Add the following line to the configuration file:
# max-age=15768000: 6 months
# max-age=31536000: 1 year
# max-age=63072000: 2 years
add_header Strict-Transport-Security "max-age=15768000; includeSubdomains;";
Save the file and exit.
If necessary, enable, start, and then check the Nginx service:
Enable the Nginx service to automatically start at system boot:
systemctl enable nginx
Start the Nginx service:
systemctl start nginx
Verify that Nginx is up and running by checking the service status:
systemctl status nginx
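As an added check that is not part of the EclecticIQ documentation, the following Python script parses a server block and verifies the settings from the client-certificate and HSTS procedures above: the eclecticiq-default key and certificate paths, that ssl_verify_client on is paired with an ssl_client_certificate, and that the HSTS header carries at least the six-month max-age together with includeSubdomains. The two server blocks it checks are constructed samples, and the parser is a simplified one that assumes no '#' inside directive values.

```python
import re
HSTS_MIN_AGE = 15768000  # 6 months, the smallest lifetime the page lists
KEY_PATH = "/etc/eclecticiq-nginx/ssl/eclecticiq-default.privkey.pem"
CERT_PATH = "/etc/eclecticiq-nginx/ssl/eclecticiq-default.fullchain.pem"

def parse_directives(config):
    """Yield (name, args) for each simple directive; comments and block braces are skipped."""
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments (assumes no '#' inside values)
        if not line or line.endswith("{") or line == "}":
            continue
        parts = re.findall(r'"[^"]*"|\S+', line.rstrip(";"))  # keep quoted values whole
        yield parts[0], [p.strip('"') for p in parts[1:]]

def check_tls_settings(config):
    """Return findings for a server block; an empty list means it follows the page's steps."""
    seen = {}
    for name, args in parse_directives(config):
        seen.setdefault(name, []).append(args)
    findings = []
    for name, path in (("ssl_certificate_key", KEY_PATH), ("ssl_certificate", CERT_PATH)):
        if (seen.get(name) or [[]])[0][:1] != [path]:
            findings.append(f"{name} does not point at {path}")
    # verifying client certificates needs a CA certificate to verify them against
    if ["on"] in seen.get("ssl_verify_client", []) and "ssl_client_certificate" not in seen:
        findings.append("ssl_verify_client on without ssl_client_certificate")
    hsts = [a for a in seen.get("add_header", []) if len(a) > 1 and a[0].lower() == "strict-transport-security"]
    value = hsts[0][1] if hsts else ""
    age = re.search(r"max-age=(\d+)", value)
    if not age or int(age.group(1)) < HSTS_MIN_AGE:
        findings.append("HSTS max-age missing or shorter than 6 months")
    if "includesubdomains" not in value.lower():
        findings.append("HSTS header lacks includeSubdomains")
    return findings

# Constructed samples: one block that skips steps from the page, one that follows them.
WEAK = """server {
    ssl_certificate     /etc/eclecticiq-nginx/ssl/eclecticiq-default.fullchain.pem;
    ssl_certificate_key /etc/eclecticiq-nginx/ssl/eclecticiq-default.privkey.pem;
    ssl_verify_client on;
    add_header Strict-Transport-Security "max-age=300";
}"""
HARDENED = """server {
    ssl_certificate     /etc/eclecticiq-nginx/ssl/eclecticiq-default.fullchain.pem;
    ssl_certificate_key /etc/eclecticiq-nginx/ssl/eclecticiq-default.privkey.pem;
    ssl_client_certificate /etc/nginx/certs/ca.crt;
    ssl_verify_client on;
    # max-age=15768000: 6 months
    add_header Strict-Transport-Security "max-age=15768000; includeSubdomains;";
}"""
```

Run check_tls_settings on the server block from /etc/eclecticiq-nginx after each change and before reloading Nginx; the WEAK sample yields three findings and HARDENED yields none.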