Encrypting nginx Websites!

Google has recently announced that it plans to mark any unsecured website (one not using strong encryption such as TLS, i.e. a website whose address does not begin with https://) as 'Not secure'. Following the trend towards encryption, one of the tasks on my to-do list is to secure this website. I do not provide any service that requires logins or processes sensitive information; it is simply good practice to adopt a high security standard.

Website encryption protects against various attacks that could give an eavesdropper access to your communications with a website. For instance, online banking systems use encryption to ensure that no one can see your login and other sensitive information. It also lets you check that you are actually visiting the intended website by inspecting its digital certificate, which acts as a verified "virtual signature". In my case, Let's Encrypt signed my website's certificate so that you know you are visiting www.melaus.xyz, rather than some other website pretending to be it.

Here are some pointers on how I did it, and how you could do it for your own self-hosted website:

  • DigitalOcean, where I am hosting this website from, provides a very helpful, in-depth guide.

  • They provide many guides that apply to any Linux back-end. (I fully recommend DigitalOcean if you want a little server that is always available to you wherever you are.)

  • I ran into some trouble after I secured my website. Only the default nginx index page was shown; my website was gone completely. It turns out that I should have been setting the root that stores my website in the port 443 server block instead of the port 80 server block. (This took me an hour to fix...)

Here is my configuration file that worked in the end:

##### FILE: /etc/nginx/sites-available/<DOMAIN_NAME> #####

server {
    listen 80 default_server;
    listen [::]:80 default_server;

    server_name melaus.xyz www.melaus.xyz;

    # Plain HTTP only redirects; the site itself is served from the 443 block below.
    # $server_name expands to the first name listed above (melaus.xyz).
    return 301 https://$server_name$request_uri;
}


server {
    # SSL configuration

    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;

    server_name melaus.xyz www.melaus.xyz;

    # The site root belongs in this block, not in the port 80 block
    root YOUR_ROOT;
    index index.html index.htm index.nginx-debian.html;

    include snippets/ssl-<DOMAIN.COM>.conf;
    include snippets/ssl-params.conf;
}
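To catch the mistake from the third pointer before reloading nginx, here is an added example of my own (not code from the post, from DigitalOcean or from nginx) that parses a site config with a small tokenizer and flags a root directive that sits only in the port 80 block, a 443 block with no root or no ssl, and a port 80 block that does not redirect to HTTPS. The two configs inside it are constructed samples modelled on the layout above; the paths and snippet names are placeholders, and included snippets are not followed.

```python
"""Lint a minimal nginx site config for the HTTPS pitfalls discussed in the post."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample in the working layout: root lives inside the 443 block.
GOOD_CONFIG = """
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name melaus.xyz www.melaus.xyz;
    return 301 https://$server_name$request_uri;
}
server {
    # SSL configuration
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    root /var/www/example;          # placeholder path
    index index.html index.htm;
    include snippets/ssl-example.conf;
    include snippets/ssl-params.conf;
}
"""

# Constructed sample of the mistake: root only in the port 80 block, none on 443.
BAD_CONFIG = """
server {
    listen 80 default_server;
    root /var/www/example;
    server_name melaus.xyz www.melaus.xyz;
    return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl default_server;
    include snippets/ssl-params.conf;
}
"""


@dataclass
class Block:
    name: str
    args: list[str]
    directives: list[tuple[str, list[str]]] = field(default_factory=list)
    children: list["Block"] = field(default_factory=list)


# A comment, a quoted string, one of the three structural characters, or a bare word.
TOKEN = re.compile(r'#[^\n]*|"[^"]*"|\'[^\']*\'|[{};]|[^\s{};#]+')


def parse(text: str) -> Block:
    """Build a block tree: directives are (name, args) pairs, blocks nest."""
    top = Block("", [])
    stack = [top]
    buf: list[str] = []
    for tok in TOKEN.findall(text):
        if tok.startswith("#"):
            continue
        if tok == "{":
            child = Block(buf[0], buf[1:])
            stack[-1].children.append(child)
            stack.append(child)
            buf = []
        elif tok == "}":
            stack.pop()
        elif tok == ";":
            if buf:
                stack[-1].directives.append((buf[0], buf[1:]))
            buf = []
        else:
            buf.append(tok)
    return top


def servers(block: Block) -> list[Block]:
    """All server blocks, whether top-level (sites-available) or inside http { }."""
    found: list[Block] = []
    for child in block.children:
        found += [child] if child.name == "server" else servers(child)
    return found


def args_of(block: Block, name: str) -> list[list[str]]:
    return [a for n, a in block.directives if n == name]


def listen_ports(server: Block) -> set[int]:
    """Ports from listen directives written as 80, [::]:80 or 0.0.0.0:443."""
    ports = set()
    for args in args_of(server, "listen"):
        m = re.search(r"(?:^|:)(\d+)$", args[0]) if args else None
        if m:
            ports.add(int(m.group(1)))
    return ports


def has_ssl(server: Block) -> bool:
    return any("ssl" in a for a in args_of(server, "listen")) or ["on"] in args_of(server, "ssl")


def lint(text: str) -> list[str]:
    """Return finding codes; an empty list means the layout matches the post's fix."""
    findings: list[str] = []
    blocks = servers(parse(text))
    if not any(443 in listen_ports(s) for s in blocks):
        findings.append("no-443-server")
    for s in blocks:
        ports = listen_ports(s)
        if 80 in ports:
            redirects = any(len(a) >= 2 and a[0] in {"301", "302", "307", "308"}
                            and a[1].startswith("https://") for a in args_of(s, "return"))
            if not redirects:
                findings.append("no-https-redirect")
            if args_of(s, "root"):
                findings.append("root-in-port-80")    # never used once every request is redirected
        if 443 in ports:
            if not has_ssl(s):
                findings.append("no-ssl-on-443")
            if not args_of(s, "root"):
                findings.append("missing-root-443")   # nginx serves its built-in default page instead
            if not args_of(s, "ssl_certificate") and not args_of(s, "include"):
                findings.append("no-cert-config")     # includes are not followed, so any include is accepted
    return findings


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, lint(cfg) or "ok")
```

Run it against a real file with `lint(open("/etc/nginx/sites-available/<DOMAIN_NAME>").read())`; it only reads the file and reports, so it is safe to run before `nginx -t` and the reload.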

One of the steps in the guide is to evaluate how securely I have configured my website. https://www.ssllabs.com/ssltest/analyze.html?d=example.com lets you check the TLS configuration of virtually any website (replace example.com with the address of the website you want to check). I am glad that my website has an A+ rating.

My website obtains an A+ rating