PHP -version
php
open ssl
GnuWin32 – OPEN SSL
http://getgnuwin32.sourceforge.net/
Nginx: Creating Your CSR with OpenSSL
https://www.digicert.com/csr-ssl-installation/nginx-openssl.htm
https://www.digicert.com/easy-csr/openssl.htm
web path
C:\Bitnami\nginxstack-1.14.0-0\nginx\html
certificate files
C:\Bitnami\nginxstack-1.14.0-0\nginx\conf
server_io.crt
server_io.key
server {
    listen 443 ssl;
    server_name localhost;
    #ssl_certificate server.crt;
    #ssl_certificate_key server.key;
    ssl_certificate "C:/Bitnami/nginxstack-1.14.0-0/nginx/conf/server_io.crt";
    ssl_certificate_key "C:/Bitnami/nginxstack-1.14.0-0/nginx/conf/server_io.key";
    # http://nginx.org/en/docs/windows.html#known_issues
    #ssl_session_cache shared:SSL:1m;
    #ssl_session_timeout 5m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    include "C:/Bitnami/nginxstack-1.14.0-0/nginx/conf/bitnami/phpfastcgi.conf";
    include "C:/Bitnami/nginxstack-1.14.0-0/nginx/conf/bitnami/bitnami-apps-prefix.conf";
}
Setting Up HTTPS for localhost
Websites need an SSL certificate to work on HTTPS. Usually it is signed and issued by a CA (Certificate Authority). We will generate a self-signed certificate for our local testing.
STEP 1: Generate Self-signed SSL Certificate
OpenSSL can generate a self-signed SSL certificate and private key pair with the following command (the generated files will be in the current directory).
$ openssl req -x509 -sha256 -nodes -newkey rsa:2048 -days 365 -keyout localhost.key -out localhost.crt
This command will ask for the following info:
- Country Name
- State or Province Name
- Locality Name
- Organization Name
- Organizational Unit Name
- Common Name*
- Email Address
The Common Name value should be the domain name of your website. Here it is
local.website.dev
If you have multiple subdomains, use a wildcard: *.website.dev
The generated certificate is in X.509 format with a SHA-256 signature algorithm and a 2048-bit RSA authentication key, and is valid for 365 days.
[OPTIONAL]: If you want to view the contents of the encoded certificate, do this:
$ openssl x509 -text -noout -in localhost.crt
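Browsers match the requested hostname against the certificate's subjectAltName entries rather than the Common Name, so a certificate carrying only a CN can still be rejected after it is trusted. The following added example (not part of the original page) generates the same kind of self-signed certificate with SAN entries and checks which hostnames it covers; make_cert, cert_matches and req.cnf are names assumed for the illustration.

```shell
# Added example (not from the original page). make_cert and cert_matches
# are hypothetical helper names; req.cnf is a scratch file make_cert writes.

make_cert() {   # usage: make_cert <outdir> <host> [more-hosts...]
  mc_out="$1"; mc_cn="$2"; mc_san=""
  shift
  # Build "DNS:a,DNS:b,..." from every host, the primary one included.
  for mc_h in "$@"; do mc_san="${mc_san:+$mc_san,}DNS:$mc_h"; done
  # A config file replaces the interactive prompts so each listed host lands
  # in subjectAltName, the field browsers check hostnames against.
  cat > "$mc_out/req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ext
[dn]
CN = $mc_cn
[ext]
subjectAltName = $mc_san
extendedKeyUsage = serverAuth
EOF
  ( umask 077   # the key is unencrypted (-nodes): keep it owner-readable only
    openssl req -x509 -sha256 -nodes -newkey rsa:2048 -days 365 \
      -config "$mc_out/req.cnf" \
      -keyout "$mc_out/localhost.key" -out "$mc_out/localhost.crt" )
}

cert_matches() {   # usage: cert_matches <cert> <host>; exit 0 on a match
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Usage: make_cert . local.website.dev '*.website.dev'
#        cert_matches ./localhost.crt api.website.dev && echo covered
```

A wildcard entry such as *.website.dev covers one label only, so it matches api.website.dev but not website.dev itself.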
STEP 2: Trust authority of the certificate
When a browser gets the certificate from the server, its authenticity is verified by checking it against existing CAs. The browser has a list of trusted CAs by default; if the certificate issuer is not in it, the browser shows an 'untrusted connection' security warning.
Our generated certificate is self-signed, so the browser will give a security warning. To avoid that, we will manually mark the certificate as trusted.
In OSX, you can do that with Keychain Access as shown below (or open the Keychain Access UI and add the certificate there).
$ sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /path/to/file/localhost.crt
Note: this will work only in Chrome and Safari, because those browsers check Keychain Access to get the list of CAs. Firefox stores its own list of trusted CAs in the browser, so Firefox will still throw the security error.
STEP 3: Configure & Reload nginx
Here is a sample nginx configuration you can make use of. Save it as nginx_custom.conf
events {}

http {
    upstream backend {
        server 127.0.0.1:8000;
    }

    # Plain HTTP: send every request to the HTTPS site
    server {
        server_name local.website.dev;
        rewrite ^(.*) https://local.website.dev$1 permanent;
    }

    server {
        # TLS is enabled on the listen directive; the separate "ssl on;"
        # directive is obsolete and rejected by current nginx releases
        listen 443 ssl;
        ssl_certificate /path/to/file/localhost.crt;
        ssl_certificate_key /path/to/file/localhost.key;
        ssl_ciphers HIGH:!aNULL:!MD5;
        server_name local.website.dev;

        # Forward decrypted requests to the local backend
        location / {
            proxy_pass http://backend;
        }
    }
}
Start/Reload nginx
# START nginx
$ sudo nginx -c /path/to/file/nginx_custom.conf
# RELOAD nginx
$ sudo nginx -c /path/to/file/nginx_custom.conf -s reload
Final step
Access https://local.website.dev and you will see the little green padlock icon in the address bar. Yes, your local website is on HTTPS now!