This is more a note to myself, because I'm always forgetting the easiest way to generate a self-signed, trusted SSL wildcard certificate for a local test domain like sample.test. You can use the OpenSSL tool to generate it like this:
openssl req -x509 -newkey rsa:2048 -sha256 -days 3650 -nodes -keyout sample.test.key -out sample.test.crt -subj /CN=*.sample.test
You can also add it to your Mac OS Keychain Access with this:
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain sample.test.crt
But in my case it was still not trusted, so it didn't work in Google Chrome.
The easiest way is to use the open-source mkcert. You can install it with brew on Mac OS or download the latest release version for your OS. Just follow the docs to install it and generate a new certificate, which will also be registered automatically and properly:
mkcert sample.test "*.sample.test" localhost 127.0.0.1
After renaming the files to sample.test.key and sample.test.crt and copying them into the NGINX folder, change the nginx.conf file (or an included file) to something like this:
upstream sample-test {
    server localhost:5001;
    server localhost:5002;
}

server {
    listen *:80;
    server_name www.sample.test sample.test;
    add_header Strict-Transport-Security max-age=15768000;
    return 301 https://$host$request_uri;
}

server {
    listen *:443 ssl;
    server_name www.sample.test sample.test;

    ssl_certificate sample.test.crt;
    ssl_certificate_key sample.test.key;
    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;

    access_log /usr/local/etc/nginx/logs/access.log;

    location / {
        proxy_pass http://sample-test;
    }
}
This uses NGINX SSL termination, so traffic from NGINX to the application servers is not encrypted, and uses an NGINX upstream to load balance the HTTP traffic across the two web application instances. All traffic on port 80 (HTTP) is automatically redirected to port 443 (HTTPS), which uses the newly generated certificate.