Nginx and SSL private key security

Published: 2013-09-02

Note: this post assumes nginx is running as www-data.

If you want to enable HTTPS on your site, you must have a certificate and its key. Therefore, in order to allow nginx to read the SSL key file, you have to allow www-data to read it, right?

Well, no.

It makes sense for some people to do that, but in reality you don't have to sacrifice security in order to enable HTTPS on your site. So, how do we add HTTPS support without making our setup less secure?

Nginx's processes are laid out like this:

 * 1 nginx master process running as root
 * x nginx workers running as www-data

Nginx's master process reads the SSL key, not the workers. Because of that, we can simply allow only root to read the private key, and it would work perfectly fine. To do that, run these commands as root:

chown root:root certificate.key
chmod 400 certificate.key
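
To confirm that every key nginx is configured to load is owned by root and closed to group and other, the check below can be run against a config file. It is an added example, not part of the original post; it assumes GNU stat, unquoted absolute paths in ssl_certificate_key directives, and made-up function names.

```sh
#!/bin/sh
# Added example (not from the original post). Assumes GNU stat(1) and
# unquoted absolute paths; all function names are made up for this sketch.

# Print each path named by an ssl_certificate_key directive in file $1.
# Commented-out directives are skipped because the match is line-anchored.
extract_key_paths() {
    sed -n 's/^[[:space:]]*ssl_certificate_key[[:space:]]\{1,\}\([^;]*\);.*$/\1/p' "$1"
}

# Succeed if octal mode $1 grants nothing to group or other (400, 600, ...).
mode_is_private() {
    [ $(( 0$1 & 077 )) -eq 0 ]
}

# Check one key file $1: owner uid must be $2 (default 0, i.e. root) and the
# mode must be private. Prints one line per finding; returns 1 on any finding.
check_key() {
    f=$1; want_uid=${2:-0}; rc=0
    if [ ! -f "$f" ]; then
        echo "MISSING $f"; return 1
    fi
    uid=$(stat -c '%u' "$f"); mode=$(stat -c '%a' "$f")
    if [ "$uid" != "$want_uid" ]; then
        echo "OWNER   $f has uid $uid, expected $want_uid"; rc=1
    fi
    if ! mode_is_private "$mode"; then
        echo "MODE    $f is $mode, grants access beyond its owner"; rc=1
    fi
    return $rc
}

# Audit every key referenced in config file $1; returns 1 if any check fails.
# The loop runs in an explicit subshell so its exit status survives the pipe.
audit_config() {
    extract_key_paths "$1" | (
        failed=0
        while IFS= read -r key; do
            check_key "$key" "${2:-0}" || failed=1
        done
        exit $failed
    )
}

# When called with arguments, audit the given config file.
[ $# -eq 0 ] || audit_config "$@"
```

Included files are not followed, so to cover a full configuration, save the output of `nginx -T` to a file and audit that file.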