Updated Running Friendica with SSL (markdown)

MartinFarrent 2012-03-18 16:07:47 -07:00
parent fe2f2435f6
commit 13b8fbbe31

@ -99,8 +99,66 @@ Of course, you may optionally be using other places like the ``sites-available``
Just restart Apache when you're done, whichever way you decide to do it.
## Mixing certificates on other servers ##
To run multiple sites using different certificates with a single IP, mechanisms vary from server to server. The section above covers Apache, the most widespread web server and the one Friendica is designed for. Other servers will have different requirements. We hope to provide some notes about this at a later date.
## StartSSL on Nginx ##
First, update to the latest Friendica code. Then follow the above instructions to get your free certificate. But instead of following the Apache installation instructions, do this:
Upload your certificate. It doesn't matter where to, as long as Nginx can find it. Some people use ``/home/randomlettersandnumbers`` to keep it in out of paranoia, but you can put it anywhere, so we'll call it ``/foo/bar``.
You can remove the password if you like. This is probably bad practice, but if you don't, you'll have to enter the password every time you restart nginx. To remove it:
``openssl rsa -in ssl.key-pass -out ssl.key``
Now, grab the helper certificate:
``wget http://www.startssl.com/certs/sub.class1.server.ca.pem``
Now you need to merge the files:
``cat ssl.crt sub.class1.server.ca.pem > ssl.crt``
There is a bug/feature, and this doesn't quite work properly. You now need to edit ssl.crt, so
``nano /foo/bar/ssl.crt``
You'll see two certificates in the same file. Halfway down, you'll see
``-----END CERTIFICATE----------BEGIN CERTIFICATE-----``
This is bad. You need to see
``-----END CERTIFICATE-----``
``-----BEGIN CERTIFICATE-----``
Note there is a single carriage return for -----BEGIN CERTIFICATE----- to start on a new line. There is no empty line.
Now you need to tell Nginx about the certs.
In ``/etc/nginx/sites-available/foo.com.conf`` you need something like:
server {
listen 80;
listen 443 ssl;
listen [::]:80;
listen [::]:443 ipv6only=on ssl;
ssl_certificate /foo/bar/ssl.crt;
ssl_certificate_key /foo/bar/ssl.key;
...
Now, restart nginx:
``/etc/init.d/nginx restart``
And that's it.
For multiple domains, we have it easier than Apache users: Just repeat the above for each certificate, and keep it in it's own {server...} section.
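Review bot: The merge step ``cat ssl.crt sub.class1.server.ca.pem > ssl.crt`` uses ssl.crt as both input and output. The shell truncates ssl.crt before cat reads it, so the server certificate is lost instead of being combined with the intermediate. Write to a separate file (for example ``cat ssl.crt sub.class1.server.ca.pem > ssl-chain.crt``, where the file name is only a suggestion) and point ``ssl_certificate`` at that file. The fused ``-----END CERTIFICATE----------BEGIN CERTIFICATE-----`` line that the text calls a bug/feature appears when the first file has no trailing newline; the text should say so and say "newline" rather than "carriage return". In the same hunk: the intermediate certificate is fetched with wget over plain ``http://``, so the instructions should fetch it over HTTPS or have the reader check its fingerprint before trusting it; the passphrase-removal step should tell the reader to make the resulting ssl.key readable only by root, since the paragraph itself calls this "probably bad practice"; the nginx ``server { ... }`` example is not marked up as code and will be reflowed by markdown; and "it's own" in the last line should be "its own".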