
How to Enable an SSL Certificate in Nginx and Force HTTPS

To enable HTTPS in Nginx with a free WoSign SSL certificate, start by applying for the certificate from:

https://www.wosign.com/products/free_ssl.htm

After the application is approved, you will receive a package similar to aquan.me_sha256_cn.zip. Once extracted, it contains several server-specific archives:

    for Apache.zip
    for IIS.zip
    for Nginx.zip
    for Other Server.zip
    for Tomcat.zip

For an Nginx deployment, use the files inside for Nginx.zip. That archive includes these two certificate files:

  • 1_aquan.me_bundle.crt
  • 2_aquan.me.key

Upload both files to a custom directory on your VPS.

Configure Nginx for SSL

Add the following SSL configuration to your Nginx server block. Place it after listen 80;:

    #### Add Wosign SSL Start ####
    # "listen 443 ssl;" replaces the deprecated "ssl on;" directive
    listen 443 ssl;
    ssl_certificate /usr/local/nginx/ssl/ssl.crt;
    ssl_certificate_key /usr/local/nginx/ssl/ssl.key;
    ssl_session_timeout 5m;
    # SSLv2, SSLv3 and TLSv1 are obsolete; allow only TLS 1.2 and 1.3
    ssl_protocols TLSv1.2 TLSv1.3;
    # High-strength suites only; no anonymous (unauthenticated) or MD5-based suites
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    #### Add Wosign SSL End ####

Make sure the certificate and key paths match the location where you uploaded your files.
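
A check to run on the server block before restarting, added here as an example (it is not code from the original page): it flags legacy protocol versions, the deprecated "ssl on;" form, and cipher-string tokens that enable weak suites. The function name audit_tls, the keyword lists and both sample configs are assumptions constructed for illustration.

```python
import re

# Protocol versions that ssl_protocols still accepts but that should stay disabled.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# OpenSSL cipher-string keywords that pull in weak or unauthenticated suites.
WEAK_KEYWORDS = {"ALL", "LOW", "EXP", "EXPORT", "EXPORT40", "EXPORT56", "RC4",
                 "DES", "3DES", "MD5", "SSLv2", "NULL", "eNULL", "aNULL", "ADH"}
# Match "name value;" directives at the start of a line, so comments are skipped.
DIRECTIVE = re.compile(r"^[ \t]*(ssl_protocols|ssl_ciphers|ssl)[ \t]+([^;#\n]+);", re.M)


def audit_tls(conf_text):
    """Return sorted (directive, offending_value) pairs found in an nginx config."""
    findings = set()
    for name, value in DIRECTIVE.findall(conf_text):
        if name == "ssl_protocols":
            findings |= {(name, p) for p in value.split() if p in LEGACY_PROTOCOLS}
        elif name == "ssl" and value.strip() == "on":
            findings.add((name, "on"))  # deprecated in favour of "listen 443 ssl;"
        elif name == "ssl_ciphers":
            for token in re.split(r"[:, ]+", value.strip()):
                # "!X" and "-X" remove suites; a leading "+X" only reorders
                # suites that are already selected, so none of these enable X.
                if not token or token[0] in "!-+":
                    continue
                # "A+B" selects suites matching both A and B.
                if any(part in WEAK_KEYWORDS for part in token.split("+")):
                    findings.add((name, token))
    return sorted(findings)


# Constructed samples: a server block with legacy TLS settings and a hardened one.
LEGACY_CONF = """
listen 443;
ssl on;
ssl_protocols SSLv2 SSLv3 TLSv1;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
"""
HARDENED_CONF = """
listen 443 ssl;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
"""

if __name__ == "__main__":
    for label, conf in (("legacy", LEGACY_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_tls(conf))
```

In the legacy sample the weak suites are selected by ALL; the trailing +LOW, +SSLv2 and +EXP tokens only move them to the end of the preference list, which is why the check reports ALL rather than those tokens.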

After saving the configuration, restart Nginx for the changes to take effect:

    /etc/init.d/nginx restart

Once this is done, the site can be accessed over HTTPS, while HTTP will still remain available.

Merge the WoSign Root Certificate

If some browsers show the certificate as untrusted, you can fix that by appending the WoSign root certificate to the existing certificate file:

    wget https://www.wosign.com/Root/Bundle_DV_St.crt
    cat Bundle_DV_St.crt >> /usr/local/nginx/ssl/ssl.crt

This helps browsers recognize the full trust chain more reliably.

Redirect HTTP to HTTPS

If you want all HTTP traffic to automatically switch to HTTPS, comment out the original listen 80; inside the existing server block, then add a separate server block that listens on port 80 and performs the redirect:

    server {
        listen 80;
        server_name 0x8.net www.0x8.net;
        rewrite ^/(.*) https://$server_name/$1 permanent;
    }

With this in place, visitors using http:// will be permanently redirected to the secure https:// version of the site.
