Nginx and SSL private key security

Note: this post assumes nginx is running as www-data.

If you want to enable HTTPS on your site, you must have a certificate and its key. Therefore, in order to allow nginx to read the SSL key file, you have to allow www-data to read it, right?

Well, no.

It makes sense for some people to do that, but in reality you don't have to sacrifice security in order to enable HTTPS on your site. So, how do we add HTTPS support without making our setup less secure?

Nginx's processes are laid out like this:

  • 1 nginx master process running as root
  • x nginx workers running as www-data

Only nginx's master process, which runs as root, reads the SSL key; the workers never open it themselves. Because of that, we can allow only root to read the private key, and nginx will work perfectly fine. To do that, run these commands as root:

chown root:root certificate.key
chmod 400 certificate.key
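The two commands above, wrapped in a small POSIX sh script that applies them and then verifies the result. This is an added example, not part of the original post; the function names lock_down_key, key_mode, key_owner and check_key are my own, and the script assumes a GNU or BSD stat is available.

```shell
#!/bin/sh
# Added example (not from the original post): restrict an nginx private key
# so that only the root-owned master process can read it, then verify it.

# lock_down_key FILE [OWNER]
#   Make FILE owned by OWNER (default root) when we have the privilege to do
#   so, then set its mode to 0400 (owner read only).
lock_down_key() {
    key="$1"
    owner="${2:-root}"
    [ -f "$key" ] || { echo "no such key file: $key" >&2; return 1; }
    if [ "$(id -u)" -eq 0 ]; then
        chown "$owner:$owner" "$key" || return 1
    fi
    chmod 400 "$key" || return 1
}

# key_mode FILE -> prints the permission bits in octal, e.g. 400
# (-c is GNU stat, -f is BSD/macOS stat)
key_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# key_owner FILE -> prints the owning user's name
key_owner() {
    stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"
}

# check_key FILE [OWNER]
#   Returns 0 only if FILE is owned by OWNER (default root) and its mode is
#   exactly 400; otherwise explains what is wrong and returns 1.
check_key() {
    key="$1"
    owner="${2:-root}"
    [ "$(key_owner "$key")" = "$owner" ] \
        || { echo "$key: owner is $(key_owner "$key"), want $owner" >&2; return 1; }
    [ "$(key_mode "$key")" = "400" ] \
        || { echo "$key: mode is $(key_mode "$key"), want 400" >&2; return 1; }
    return 0
}

# Typical use on a server (as root):
#   lock_down_key /etc/nginx/ssl/certificate.key && check_key /etc/nginx/ssl/certificate.key
```

After the lock-down, `nginx -t` run as root still validates the configuration, because it is the root master process that opens the key. Note that the workers are forked from the master after the key has been loaded, so the key material does exist in worker memory; the file permissions stop a www-data process from reading the key file from disk, which is what the post sets out to achieve.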