
Let me walk you through it:

    $ openssl genrsa -out $server.key 2048
    $ openssl req -new -sha256 -key $server.key -out $server.csr
Get the CSR to a CA and get the cert in your email inbox. Compose the cert into a chain (the most painful part of the process).

Put the cert in /etc/ssl/certs/example.com.crt and the key in /etc/ssl/private/example.com.key.

In your nginx config add the following:

    server {
        listen 443 ssl spdy;
        server_name www.example.com;

        ssl on;
        ssl_session_timeout 5m;
        ssl_session_cache shared:SSL:5m;

        # TLSv1 and TLSv1.1 are deprecated today; drop them if your clients allow it.
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
        ssl_prefer_server_ciphers on;

        # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
        add_header Strict-Transport-Security max-age=15768000;

        resolver 8.8.8.8;

        # ssl_certificate is the chain file: leaf cert first, then the CA's intermediate(s)
        ssl_certificate /etc/ssl/certs/example.com.crt;
        ssl_certificate_key /etc/ssl/private/example.com.key;

        #...
    }
Restart nginx. If you want to only do HTTPS, and have HTTP redirect to HTTPS:

    server {
        listen 80 default_server;
        server_name _;
        rewrite ^ https://www.example.com$request_uri permanent;
    }
It took 3 minutes to write this comment. Getting a new cert up and running will take you $5 and 15 minutes if you follow these instructions. Free if you use startssl.com. Cheapest wildcard I found was https://www.ssls.com/ when they ran a sale: $42. Current cheapest Google turned up was https://cheapsslsecurity.com/sslproducts/wildcardssl.html for $60. Personally, I prefer wildcard certs whenever possible, free certs from startssl.com.
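The procedure above, as an added example that is not part of the comment: a throwaway root and intermediate CA stand in for the commercial CA so the whole flow runs offline, the two openssl commands from the comment are repeated non-interactively, and the "painful part" (composing the chain file that nginx's ssl_certificate expects: leaf first, then intermediate, no root) is done and checked. The working directory, file names, SERVER_NAME and the CA subjects are assumptions.

```shell
#!/bin/sh
# Added example, not code from the comment above. Builds a local CA hierarchy,
# issues a cert for the CSR, composes the nginx chain file and checks it.
# WORK, SERVER_NAME and all file names are assumptions for this demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"
SERVER_NAME="www.example.com"

# Root CA plus an intermediate signed by it, mimicking a commercial CA's
# hierarchy. With a real CA you download the intermediate from their site.
make_ca() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/root.ext"
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/int.ext"
  openssl genrsa -out "$WORK/root.key" 2048 2>/dev/null
  openssl req -new -sha256 -key "$WORK/root.key" -subj "/CN=Example Root CA" \
    -out "$WORK/root.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 3650 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
    -extfile "$WORK/root.ext" -out "$WORK/root.crt" 2>/dev/null
  openssl genrsa -out "$WORK/intermediate.key" 2048 2>/dev/null
  openssl req -new -sha256 -key "$WORK/intermediate.key" -subj "/CN=Example Intermediate CA" \
    -out "$WORK/intermediate.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 1825 -in "$WORK/intermediate.csr" \
    -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
    -extfile "$WORK/int.ext" -out "$WORK/intermediate.crt" 2>/dev/null
}

# The two commands from the comment, made non-interactive with -subj.
make_server_csr() {
  openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
  openssl req -new -sha256 -key "$WORK/server.key" -subj "/CN=$SERVER_NAME" \
    -out "$WORK/server.csr" 2>/dev/null
}

# What the CA does with the CSR: sign it as an end-entity cert with a SAN,
# which is what browsers actually match the hostname against.
issue_leaf() {
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
    "$SERVER_NAME" > "$WORK/leaf.ext"
  openssl x509 -req -sha256 -days 365 -in "$WORK/server.csr" \
    -CA "$WORK/intermediate.crt" -CAkey "$WORK/intermediate.key" -CAcreateserial \
    -extfile "$WORK/leaf.ext" -out "$WORK/server.crt" 2>/dev/null
}

# nginx wants the leaf first, then each intermediate, and no root (clients
# already trust it). Wrong order is the classic mistake: nginx starts fine,
# but clients that do not fetch missing intermediates fail the handshake.
compose_chain() {
  cat "$WORK/server.crt" "$WORK/intermediate.crt" > "$WORK/example.com.crt"
}

# openssl x509 reads only the first PEM block, so this checks that the
# bundle starts with the cert for our hostname.
chain_order_ok() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | grep -q "CN=$SERVER_NAME"
}

count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Verify like a client: trust only the root, take intermediates from the bundle.
verify_chain() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/example.com.crt" \
    "$WORK/example.com.crt" >/dev/null 2>&1
}

# Cert and key must carry the same public key, or nginx refuses to start.
key_matches_cert() {
  [ "$(openssl x509 -in "$WORK/server.crt" -noout -pubkey)" = \
    "$(openssl pkey -in "$WORK/server.key" -pubout)" ]
}

# Non-zero exit if the cert expires within 30 days (2592000 s); cron-friendly.
cert_not_expiring_soon() {
  openssl x509 -in "$WORK/server.crt" -noout -checkend 2592000 >/dev/null
}

main() {
  make_ca
  make_server_csr
  issue_leaf
  compose_chain
  chain_order_ok "$WORK/example.com.crt"
  verify_chain
  key_matches_cert
  cert_not_expiring_soon
  echo "OK: $(count_certs "$WORK/example.com.crt") certs in $WORK/example.com.crt, key $WORK/server.key"
}

main
```

Note that `openssl verify` alone would not catch a bundle with the intermediate placed first (the intermediate verifies fine against the root), which is why the order check reads the first PEM block explicitly. Point nginx's `ssl_certificate` at the composed `example.com.crt` and `ssl_certificate_key` at `server.key`.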



Why should we pay more? The same product is available at a cheaper price, $60 for 1 year, as well as an AlphaSSL wildcard at $42. https://www.ssl2buy.com/cheap-wildcard-ssl-certificates-ads


Sure, it's easy if you know the steps. But it's still additional effort.

All web servers just do HTTP by default.


Setting up passwords is additional effort. Just leave them blank. To me that doesn't seem like an excuse to subject your users to what HTTP entails, and to subject yourself to the liability it implies.


It's not an excuse, but it is the reason why.

That, and shared hosts.




