Setting Up HTTPS Is Easy
24 Jul 2016From reading various articles on the web, I was led to believe that getting a well-configured HTTPS setup for a site working was hard. So I tried to do it for mine here to find out how hard it actually was. I was surprised that most of it was really easy, and the relatively hard parts weren’t what I thought they would be. I will try to contrast how I perceived the difficulty with the perceived difficulty of various other parts of setting up this server.
Note that this is from the perspective of somebody who’s pretty much a newbie at Linux server administration. I don’t know a ton and I don’t claim to, so I’ll stumble through lots of things that a guru could probably do in a snap.
Let’s Encrypt Certificate
I decided to start by getting a certificate from Let’s Encrypt, since it’s free and supposed to be easy. They have a little helper script/program, currently called certbot-auto. I had some trouble getting this up and running, and have had various troubles keeping it running for renewals and such too. Seems it often needs to be updated, and since it’s in Python, often needs the local Python interpreter or pip or something to be updated. I don’t know, I’m not that into Python right now. But every time I mess with Let’s Encrypt, it seems like I need to fiddle with something on my setup for their script utility.
Anyways, once I got that running, I tried to read up on how to use it, which is also a little hard to find definitive instructions for the current version of. It seems that the setup for Nginx, which I’m currently using, doesn’t support actually activating HTTPS. I suppose that’s understandable considering how complex Nginx configurations can be, but how to go about using the alternate setup, where you’re serving from a directory and you tell the utility to negotiate getting the cert by putting the files to be served in that directory, didn’t exactly seem to be a clearly explained and first-class option. But I managed to figure it out after a while, and ran it, and got my directory in /etc with some certs in it. At least I didn’t have to muck with certificate signing requests and a back-and-forth with my DNS provider.
I’d rate this step as modestly difficult overall.
Nginx Setup
This turned out to be pretty easy actually. Just stick a couple of config lines in my Nginx config to point at where the cert files were, and it just worked. It only took a few minutes more to do a modestly clever setup where a server running on port 80 just sends redirects to the separate HTTPS server, and that server only listens to HTTPS requests.
Optimizing HTTPS Setup
Chrome was now showing a nice friendly padlock saying that my site was secure. But I see articles here and there talking about various attacks on HTTPS based on various encryption algorithms and configuration options. I don’t remember it all off the top of my head, so I tried to find a checker for it. I found this HTTPS Labs tester, and ran it on my site. It gave me a C and listed some errors.
What’s cool about their check is that every issue they list has a bunch of links to pages and blog entries with short descriptions of what’s wrong, why it’s a problem, and with cut-and-paste fixes for all common server setups. I dutifully scrolled to the Nginx part, copied and pasted some config changes into my Nginx config file, and got the rating to an A. Nice, and brain-dead easy too.
Conclusion
At the end of this process, I have a HTTPS setup that’s probably way more secure than the majority of the commercial web. And way more secure than needed - I don’t think there’s much of anything useful or interesting to gain by hacking my teeny little blog and demo-scale projects. I suppose somebody might want to take over the server and make it send spam or something, but all of the HTTPS/TLS vulnerabilities that I’ve read of do things like let an attacker change the page that the user sees and intercept, alter, or fake user requests to the server. It’s still good practice to be secure, though.
I also see that, aside from requirements to support older browsers and third-party sites and the compromises associated with that, this process was pretty easy, and the hardest part was still getting the certificate, despite how easy Let’s Encrypt is supposed to make it. It wasn’t completely painless, but getting the Nginx config right for my server setup was definitely harder - particularly having several different sub-paths handled differently, some being proxied to other servers, some being served directly from the file system, and some serving just the main file for any path, except for the ones that correspond to another file, as required to host the SPA project properly.
Or at least it seemed easy. Let me know if I screwed up something subtle.