Monday, January 20, 2014

Nginx + WordPress + SSL configuration

Sometimes you need to harden your WordPress blog with SSL. It's pretty simple.



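1. Create your self-signed SSL certificate (as in the previous blog post):

# The directory is owned by root, so the files are written with sudo.
# 2048-bit RSA and SHA-256 are used because 1024-bit keys and SHA-1 signatures are no longer considered secure.
$ sudo mkdir /etc/myssl_cert
$ cd /etc/myssl_cert
$ sudo openssl genrsa -out wordpress.key 2048
$ sudo chmod 400 wordpress.key
$ sudo openssl req -new -x509 -nodes -sha256 -days 1780 -key wordpress.key -out wordpress.crt
$ sudo sh -c 'openssl x509 -noout -fingerprint -text < wordpress.crt > wordpress.info'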


2. Configure nginx to support SSL connections:

/etc/nginx/sites-available/wordpress:

...

# HTTPS server
#
server {
        # "listen ... ssl" replaces the deprecated "ssl on;" directive
        listen 443 ssl;
        server_name your.domain.com;

        root /var/www;
        index index.php index.html index.htm;

        ssl_certificate /etc/myssl_cert/wordpress.crt;
        ssl_certificate_key /etc/myssl_cert/wordpress.key;

        ssl_session_timeout 5m;

        # SSLv3 and the LOW/EXP/RC4 cipher classes are broken: allow only TLS 1.2+ and strong suites
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;

        location / {
                return 301 http://$host$request_uri;
        }

        location ~ /wp-(admin|login|includes|content) {
                # nginx writes regex captures as $1 (not \1) and the query string as $args
                try_files $uri $uri/ /wp-$1/index.php?$args;

                location ~ \.php$ {
                        fastcgi_split_path_info ^(.+\.php)(/.+)$;
                        fastcgi_pass unix:/var/run/php5-fpm.sock;
                        fastcgi_index index.php;
                        include fastcgi_params;
                }


        }

}


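Note: this configuration only enables SSL for the admin interface (wp-admin, wp-login, wp-includes, wp-content). Every other request that arrives on port 443 is redirected back to HTTP by the "location /" block.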


3. Restart nginx:

$ sudo service nginx restart
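
An added example, not part of the original post: a small Python check that reads the ssl_protocols and ssl_ciphers directives from a server block and reports weak values, following OpenSSL's cipher-string operators (a leading + only reorders, ! removes permanently, ALL selects everything except eNULL). The weak-value policy, the function names and both sample blocks are assumptions made for the illustration; which suites a keyword really selects depends on the OpenSSL build.

```python
import re

# Assumed policy for this example: protocol versions and OpenSSL cipher
# classes that should not be left enabled.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CLASSES = {"LOW", "EXP", "RC4", "MD5", "aNULL", "eNULL"}
ALIASES = {"EXPORT": "EXP", "NULL": "eNULL"}
DIRECTIVE = re.compile(r"^\s*ssl_(protocols|ciphers)\s+([^;#]+);", re.MULTILINE)

def weak_cipher_classes(cipher_string):
    """Return the weak classes an OpenSSL cipher string leaves enabled."""
    enabled, killed = set(), set()
    for item in filter(None, re.split(r"[:, ]+", cipher_string.strip())):
        op = item[0] if item[0] in "!-+" else ""
        parts = {ALIASES.get(p, p) for p in item[len(op):].split("+")}
        if op == "+":
            continue  # "+X" only moves already-selected suites to the end
        if op:  # "-X" removes X; "!X" removes it and blocks re-adding
            if len(parts) == 1:
                enabled -= parts
                killed |= parts if op == "!" else set()
            continue
        # ALL selects every suite except eNULL; "A+B" means suites matching both
        added = WEAK_CLASSES - {"eNULL"} if "ALL" in parts else parts & WEAK_CLASSES
        enabled |= added - killed
    return sorted(enabled)

def audit_tls_directives(nginx_conf):
    """Return one finding per ssl_protocols / ssl_ciphers directive with weak values."""
    findings = []
    for name, value in DIRECTIVE.findall(nginx_conf):
        if name == "protocols":
            weak = sorted(set(value.split()) & WEAK_PROTOCOLS)
        else:
            weak = weak_cipher_classes(value.strip("\"' "))
        if weak:
            findings.append(f"ssl_{name}: {', '.join(weak)}")
    return findings

# Constructed sample input, not taken from a real server.
LEGACY = """server {
    ssl_protocols SSLv3 TLSv1;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
}"""
TIGHTENED = """server {
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
}"""

if __name__ == "__main__":
    print(audit_tls_directives(LEGACY), audit_tls_directives(TIGHTENED))
```

In the legacy sample, "+LOW" and "+EXP" do not add those classes; they stay enabled because ALL selected them and nothing removed them, and "!ADH" still leaves the anonymous ECDH suites covered by aNULL.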