Configure SSL and HTTPS in Nginx#

The core tasks to carry out to implement the HTTPS and SSL security layers are described in the sections below.

Configure SSL certificates in Nginx#

Configure TLS certificates in Nginx to enable secure data exchange through the web server.

About TLS certificates#

EclecticIQ Intelligence Center configures Nginx to read the TLS private key and certificate files from the /etc/eclecticiq-nginx/ssl directory.

The TLS private key file for EclecticIQ Intelligence Center is eclecticiq-default.privkey.pem, whereas the certificate file is eclecticiq-default.fullchain.pem.

If these files do not exist when EclecticIQ Intelligence Center is installed, the installation procedure generates a localhost self-signed certificate as a temporary workaround.

Warning

Do not use self-signed TLS or SSL certificates in a production environment.

They are meant for development and testing.

They are unsuitable for deployment in a live system.

Set private key and certificate in Nginx#

To set your valid TLS private key and certificate files in Nginx:

  • Overwrite the eclecticiq-default.privkey.pem and eclecticiq-default.fullchain.pem files (the self-signed certificate and key generated during the installation) with your own key and certificate.

    For example:

    cp /path/to/my/key.pem /etc/eclecticiq-nginx/ssl/eclecticiq-default.privkey.pem
    cp /path/to/my/cert.pem /etc/eclecticiq-nginx/ssl/eclecticiq-default.fullchain.pem
    

Alternatively, if a script takes care of renewing certificates that are stored in a different path:

  • Create symbolic links (symlinks) to the location where Nginx looks for these credentials:

    ln -sf /path/to/my/key.pem /etc/eclecticiq-nginx/ssl/eclecticiq-default.privkey.pem
    ln -sf /path/to/my/cert.pem /etc/eclecticiq-nginx/ssl/eclecticiq-default.fullchain.pem
    

Note

Every time the private key or the certificate files change, reload the Nginx service to make the changes effective:

systemctl reload nginx

Enable client certificate verification#

Nginx supports client certificate verification through the ssl_client_certificate and ssl_verify_client directives.

To enable TLS client certificate verification:

  1. Create the following file:

    vi /etc/eclecticiq-nginx/locations.conf.d/enable-client-cert-verification.conf
    
  2. Add the following lines to the newly created file:

    ssl_client_certificate /etc/nginx/certs/ca.crt;
    ssl_verify_client on;
    

    The ca.crt file is the certificate (public part) of the certification authority that signed the client certificates.

    You can obtain this file from a certification authority (CA).

Enable HTTP Strict Transport Security (HSTS)#

Enforce HTTP Strict Transport Security (HSTS) in Nginx to allow only secure connections through HTTPS and TLS/SSL.

About HSTS#

HTTP Strict Transport Security (HSTS) provides an additional security layer by allowing communication only through HTTPS connections.

You can implement it by adding the Strict-Transport-Security HTTP response header to the web server configuration.

Set Strict-Transport-Security in Nginx#

To add the Strict-Transport-Security HTTP response header to the Nginx configuration:

  1. Open /etc/eclecticiq-nginx/sites.conf.d/eclecticiq-default.conf:

    vi /etc/eclecticiq-nginx/sites.conf.d/eclecticiq-default.conf
    
  2. Add the following line to the configuration file:

    # max-age=15768000: 6 months
    # max-age=31536000: 1 year
    # max-age=63072000: 2 years
    # Append 'always' to also send the header on error responses (Nginx 1.7.5+).
    # A location block with its own add_header directives does not inherit
    # headers set at server level, so check every location that sets headers.
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";

  3. Save the file and exit.
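As an added check that is not part of the EclecticIQ documentation, the following Python script parses the Strict-Transport-Security header a server returns and verifies that it meets the 6-month max-age and includeSubDomains policy configured above; the fetch_hsts helper and the host name you pass to it are assumptions for running it against a live deployment.

```python
import http.client
import ssl
from typing import Optional, Tuple

SIX_MONTHS = 15768000  # max-age used in the Nginx example above (seconds)


def parse_hsts(value: str) -> dict:
    """Split an HSTS header value into directives (RFC 6797, section 6.1)."""
    # Names are case-insensitive, a repeated name invalidates the header, max-age is mandatory.
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:  # tolerates a trailing ';' in the header value
            continue
        name, _, raw = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = raw.strip().strip('"')
    if not directives.get("max-age", "").isdigit():
        raise ValueError("max-age is missing or not a non-negative integer")
    return directives


def check_hsts(value: Optional[str], min_age: int = SIX_MONTHS,
               require_subdomains: bool = True) -> Tuple[bool, str]:
    """Return (ok, reason); value=None means the header was not sent."""
    if value is None:
        return False, "Strict-Transport-Security header missing"
    try:
        d = parse_hsts(value)
    except ValueError as exc:
        return False, f"invalid header: {exc}"
    if int(d["max-age"]) < min_age:  # max-age=0 would even revoke the policy
        return False, f"max-age {d['max-age']} is below {min_age}"
    if require_subdomains and "includesubdomains" not in d:
        return False, "includeSubDomains directive missing"
    return True, "policy OK"


def fetch_hsts(host: str, port: int = 443) -> Optional[str]:
    """HEAD request over HTTPS (hypothetical helper); returns the header the server sent."""
    conn = http.client.HTTPSConnection(host, port, timeout=10,
                                       context=ssl.create_default_context())
    try:
        conn.request("HEAD", "/")
        return conn.getresponse().getheader("Strict-Transport-Security")
    finally:
        conn.close()
```

Run check_hsts(fetch_hsts("your-intelligence-center-host")) after reloading Nginx; a result other than (True, "policy OK") names the directive that is missing or too short.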

Enable the service#

If necessary, enable, start, and then check the Nginx service:

  • Enable the Nginx service to automatically start at system boot:

    systemctl enable nginx
    
  • Start the Nginx service:

    systemctl start nginx
    
  • Verify that Nginx is up and running by checking the service status:

    systemctl status nginx