Nginx HTTPS / HTTP/2 & SPDY configuration

My official Centmin Mod Community forums and sslspdy.com ECC 256 bit SSL certificate test site both use https / SSL with Google SPDY (Wikipedia definition & SPDY whitepaper). I'd like to share the base Nginx vhost template I use below (as at July 31th, 2015).

Revised as at September 18th, 2015 - Nginx HTTP/2 notes - switching from Nginx SPDY to HTTP/2.

Backported Nginx HTTP/2 support

Nginx 1.9.5 seems to be the version which officially support Nginx HTTP/2. Even the official Nginx HTTP/2 documentation is already in place. For Centmin Mod Nginx, Nginx HTTP/2 supported routines have been backported from Centmin Mod 1.2.3-eva2000.09 beta to 1.2.3-eva2000.08 stable branch as at September 18th, 2015. So ensure you update Centmin Mod code as outlined on Upgrade page before updating to Nginx 1.9.5 via centmin.sh menu option 4

What is Google SPDY ?

SPDY (pronounced speedy) is similar to HTTP, with particular goals of reducing web page load latency and improving web security. SPDY achieves reduced latency through compression (of both request and response HTTP headers), multiplexing (allows for unlimited concurrent streams over a single TCP connection), and prioritization (client side requests are each assigned a priority). Update: Nginx is replacing SPDY with HTTP/2 module for full details read here.

From SPDY whitepaper some numbers:

  • SPDY sends ~40% fewer packets than HTTP, which means fewer packets affected by loss.
  • SPDY uses fewer TCP connections, which means fewer chances to lose the SYN packet. In many TCP implementations, this delay is disproportionately expensive (up to 3 s).
  • SPDY's more efficient use of TCP usually triggers TCP's fast retransmit instead of using retransmit timers.
We discovered that SPDY's latency savings also increased proportionally with increases in RTTs, up to a 27% speedup at 200 ms. The The reason that SPDY does better as RTT goes up is because SPDY fetches all requests in parallel. If an HTTP client has 4 connections per domain, and 20 resources to fetch, it would take roughly 5 RTs to fetch all 20 items. SPDY fetches all 20 resources in one RT.

Average ms
 Speedup
RTT in ms
 HTTP
 SPDY basic (TCP)
20
 1240
 1087
 12.34%
40
 1571
 1279
 18.59%
60
 1909
 1526
 20.06%
80
 2268
 1727
 23.85%
120
 2927
 2240
 23.47%
160
 3650
 2772
 24.05%
200
 4498
 3293
 26.79%

Centmin Mod Nginx SSL + SPDY

To be able to use Google SPDY you need to use your site with https connections. This means you need to purchase and use a SSL certificate and setup your Nginx vhost configuration file (i.e. /usr/local/nginx/conf/conf.d/yourdomain.com.conf generated when you use menu option #2 to create your Nginx domain name vhost) to operate under Nginx SSL. I use the 1 yr free SSL certificate offered by startssl.com or SSL Wildcard certificates + Google SPDY and followed instructions from following:

StartSSL free certificate

The StartSSL free certificate only works for single domain name + 1 additional hostname (usually domain.com + additional www.domain.com where 'www' is the additional hostname, so you can access https://domain.com and https://www.domain.com via https/SSL). You can not use StartSSL free certificate for other subdomain names. For example if you also want to use it for https://forum.domain.com or https://blog.domain.com where additional subdomains forum or blog are used.

StartSSL identity Verified vs Domain Validated Wildcard SSL certificate

To be able to use SSL for all subdomains, you need what is usually referred to as a domain validated Wildcard SSL certificate. StartSSL refers to them as StartSSL identity Verified SSL certificate which has tighter restrictions in that you need to provide personal documentation to verify who you are.

If you feel uncomfortable providing your personal documents and details to StartSSL, then you need to find the normal domain validated Wildcard SSL certicates.

One of the cheaper SSL certificate providers which still retain some support would be GoGetSSL.com. Their Wildcard SSL certificates page lists both domain and business validated SSL Wildcard certificate options where Comodo EssentialSSL Wildcard is their cheapest option. You can check out the community forum discussion thread regarding various SSL certificates and their respective costs.

If GoGetSSL.com Wildcard SSL certificate seems too costly, there's another brand of called AlphaSSL Wildcard SSL certificates which can range from cost usually US$42 to US$150/yr. SSL2Buy.com and Garrisonhost.com are two AlphaSSL resellers I have come across but not used myself.

Domain validated means they will verify domain name ownership and send the SSL certificate to @yourdomain.com email address of your intended https://yourdomain.com SSL site. Usually a common email address is at [email protected], so make sure email username webmaster works on your intended SSL based yourdomain.com domain name.

If you have not yet setup @yourdomain.com with email on your Centmin Mod based server, then check out how to setup free @yourdomain.com email accouns via Outlook Live Domains from Microsoft.

OpenSSL CSR

With some SSL providers you will need to provide them with a OpenSSL generated CSR file. There 2 are methods of generating the CSR code files and private keys:

  1. Method 1: You can do either via SSH telnet command like using openssl tool Example here. Or use a Digicert.com CSR wizard here which generates a openssl command you need to copy and paste into your Centmin Mod based server's SSH telnet window. For method 1 read further below for exact details OR
  2. Method 2: You can use a 100% online only CSR code and private key generator at https://www.gogetssl.com/online-csr-generator/. For method 2 read further below for exact details

Method 1 explained:

I would run this command from directory you will custom create at /usr/local/nginx/conf/ssl/domaincom/ where domaincom is your domain name minus any full stops.

For example:

Log into SSH telnet for your Centmin Mod based server as root user and create directory at /usr/local/nginx/conf/ssl/domaincom/

  mkdir -p /usr/local/nginx/conf/ssl/domaincom/

change to that directory

  cd /usr/local/nginx/conf/ssl/domaincom/

Then type and run the OpenSSL CSR generated command that is outputted from the CSR wizard here - DO NOT use the exact command below, that is only an example for illustrations purpses !:

Updated: after the CSR Wizard generates it's output add -sha256 to the line right before -nodes. This is required to ensure the CSR code and private key use SHA-2 signature hash algorithms like SHA256.

  openssl req -new -newkey rsa:2048 -sha256 -nodes -out yourdomain_com.csr -keyout yourdomain_com.key -subj "/C=US/ST=Rhode Island/L=East Greenwich/O=Fidelity Test/CN=yourdomain.com"

You'll end up with two files generated in the created directory at /usr/local/nginx/conf/ssl/domaincom/. One for your private key named yourdomain_com.key (I renamed it to just ssl.key for below example at /usr/local/nginx/conf/ssl/domaincom/ssl.key) and a CSR file yourdomain_com.csr. I would save these files and back them up locally on your computer.

For Common Name enter your intended domain name without 'www' i.e. yourdomain.com. If it's a Wildcard SSL, use *.yourdomain.com. The generated OpenSSL CSR file will need to be provided to your SSL certificate provider.

You can check your generated CSR codes validity by pasting your *.csr file contents into the Online CSR Decoder. A more advanced CSR decoder can also report the Signature Hash Algorithm used as well.

Creating your own self signed SSL certificate

Now that you have your CSR file (yourdomain_com.csr) and private key (yourdomain_com.key) for your domain generated via Method 1 instructions, you may want to generate your own self signed SSL certificate instead of using a paid SSL certificate (e.g. for usage with Cloudflare's free Universal SSL certificates and Full SSL option). To create the self signed SSL certificate (yourdomain_com.crt) you would run this command in the same directory you have your CSR file and private key you generated above i.e. /usr/local/nginx/conf/ssl/domaincom/.

  openssl x509 -req -days 36500 -in yourdomain_com.csr -signkey yourdomain_com.key -out yourdomain_com.crt

Then you can skip to the self signed SSL certificate Nginx Vhost setup if you are not using a paid SSL certificate.

Method 2 explained:

You can use a 100% online only CSR code and private key generator at https://www.gogetssl.com/online-csr-generator/. When you enter the email address on the online generator, you will be emailed your domain's *.csr file and private key which you need rename respectively to yourdomain_com.key (for private key) and yourdomain_com.csr (for CSR file) and then upload to /usr/local/nginx/conf/ssl/domaincom/ and then follow the Setting Up Nginx SSL guide below.

Setting up Nginx SSL

After you purchase or obtain yourdomain.com's SSL certificate, your SSL provider will provide you with:

  1. Your domain's SSL certificate usually saved as yourdomain.crt. Upload file to /usr/local/nginx/conf/ssl/domaincom/
  2. The provider's intermediate (i.e. intermediate.crt) and root certificates (root.pem format). The actual name and extension would vary from SSL provider. Upload files to /usr/local/nginx/conf/ssl/domaincom/

If instead you opted to use your own self signed SSL certificate created above, you will have the following files to work with located at /usr/local/nginx/conf/ssl/domaincom/:

  • self signed SSL certificate (yourdomain_com.crt)
  • CSR file (yourdomain_com.csr)
  • private key (yourdomain_com.key)

I would save these files and back them up locally on your computer.

dhparam

For DHE key-exchange, generate a dhparam.pem file at /usr/local/nginx/conf/ssl/domaincom/dhparam.pem with higher strength 2048 bit or 4096 bit key-exchange instead of using Nginx's OpenSSL Ephemeral Diffie-Hellman (DHE) default key of 1024 bit to at least match SSL 2048 bit certificates.

To generate dhparam file you can either use one of the 2 below commands (not both). Both can take quite a long time to generate depending on your server's processing power. The 4096 bit can take between 15-60 minutes to generate.

  cd /usr/local/nginx/conf/ssl/domaincom
  openssl dhparam -out dhparam.pem 2048
or 
  cd /usr/local/nginx/conf/ssl/domaincom
  openssl dhparam -out dhparam.pem 4096
Within Nginx vhost you'd add this line. 
  ssl_dhparam /usr/local/nginx/conf/ssl/domaincom/dhparam.pem;

ssl-unified.crt

Only for paid SSL certificates (NOT self signed SSL certificates), would you next you need to create the /usr/local/nginx/conf/ssl/domaincom/ssl-unified.crt file that Nginx SSL Vhost below will use. This unified.crt is created from concatentation of your domain's SSL certificate yourdomain.crt, the providers intermediate and root certificates in this particular order. In SSH telnet within /usr/local/nginx/conf/ssl/domaincom/ directory, type the following commands:

  cd /usr/local/nginx/conf/ssl/domaincom/

  cat yourdomain.crt intermediate.crt root.pem > ssl-unified.crt

For /usr/local/nginx/conf/ssl/domaincom/ssl-trusted.crt

  cat intermediate.crt root.pem > ssl-trusted.crt

If your SSL provider only provides something like yourdomain_com.crt and yourdomain_com.ca-bundle, then concat them this way:

For ssl-unified.crt

  cat yourdomain_com.crt yourdomain_com.ca-bundle > ssl-unified.crt

For ssl-trusted.crt

  cat yourdomain_com.ca-bundle > ssl-trusted.crt

You'll end up with ssl-unified.crt file at /usr/local/nginx/conf/ssl/domaincom/ssl-unified.crt and ssl-trusted.crt at /usr/local/nginx/conf/ssl/domaincom/ssl-trusted.crt

Examples

You can see a Comodo/GGSSL Wildcard SSL certificate example setup for my sslspdy.com site on the Centmin Mod Community forums. Or Comodo/GGSSL Wildcard SSL certificate example setup for my centminmod.com here and here. The specific names of the files may differ to your SSL certificate, but they serve as examples.

For below example, I placed the startssl SSL certificates in new directories created at /usr/local/nginx/conf/ssl/domaincom/ although you can place them anywhere really. If you want to enable Google Nginx PageSpeed ngx_pagespeed module support, follow guide here.

You will need to totally restructure your domain’s Nginx vhost file which you created via menu option 2 to following format:

Note: for Nginx 1.5.10 and higher you can use 443:npn-spdy/3 instead of 443:npn-spdy/2

Update: October 15th, 2014. In light of Google published POODLE SSLv3 attack vulnerability exploit, removed SSLv3 from ssl_protocols configuration for Nginx vhost and switched to Mozilla's recommended Intermediate compatibility cipher suite settings.

change from

        ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;

        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!kEDH:!EDH:!CAMELLIA;

to (revised Dec 15th, 2014)

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;

        ssl_ciphers TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;

Full Nginx vhost format updated as at March 4th, 2015. I've changed the return 301 permanent http to https redirect to temporarily redirect return 302 for starters. A 301 permanent http to https redirect is permanently cached in a visitors browser and can only be cleared by each vistor clearing their browser's cache, history etc and then rebooting their systems. A big inconvenience if you ever decide HTTPS and SSL are not what you need or if you find your Google Adsense revenue dramatically drop when switching to HTTPS / SSL and want to switch back to normal HTTP and remove HTTPS/SSL. Only after long term use of 302 temp redirect that you feel HTTPS/SSL is what you need, then should you change return 302 to return 301.

Update: Nginx is replacing SPDY with HTTP/2 module for full details read here. So starting with Nginx 1.9.3+ patched Centmin Mod Nginx or Nginx >1.9.5+, you need to change listen directive from spdy with http2 parameter

from

listen 443 ssl spdy;

to

listen 443 ssl http2;


server {
  server_name domain.com www.domain.com;
  return 302 https://$server_name$request_uri;

}

# https SSL SPDY vhost
server {
        listen 443 ssl http2;
            server_name domain.com;

        ssl_dhparam /usr/local/nginx/conf/ssl/domaincom/dhparam.pem;
        ssl_certificate      /usr/local/nginx/conf/ssl/domaincom/ssl-unified.crt;
        ssl_certificate_key  /usr/local/nginx/conf/ssl/domaincom/ssl.key;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_session_cache      shared:SSL:10m;
        ssl_session_timeout  10m;
        ssl_ciphers TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
        ssl_prefer_server_ciphers   on;
        #add_header Alternate-Protocol  443:npn-spdy/3;
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
        #add_header  X-Content-Type-Options "nosniff";
        #add_header X-Frame-Options DENY;
        # nginx 1.5.9+ or higher 
        # http://nginx.org/en/docs/http/ngx_http_spdy_module.html#spdy_headers_comp
        # http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_buffer_size
        # spdy_headers_comp 0;
        # ssl_buffer_size 4k;

        # enable ocsp stapling
        resolver 8.8.8.8;
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /usr/local/nginx/conf/ssl/domaincom/ssl-trusted.crt;

  # limit_conn limit_per_ip 16;
  # ssi  on;

  access_log /home/nginx/domains/domain.com/log/access.log combined buffer=32k;
  error_log /home/nginx/domains/domain.com/log/error.log;

  root /home/nginx/domains/domain.com/public;

# ngx_pagespeed & ngx_pagespeed handler
#include /usr/local/nginx/conf/pagespeed.conf;
#include /usr/local/nginx/conf/pagespeedhandler.conf;
#include /usr/local/nginx/conf/pagespeedstatslog.conf;

     ## redirect https://www to https://non-www
     ## uncomment if needed
     # if ($host = 'www.domain.com' ) {
     #   return 302 https://$server_name$request_uri;
     # }

  location / {

# block common exploits, sql injections etc
# include /usr/local/nginx/conf/block.conf;

  # Enables directory listings when index file not found
  #autoindex  on;

  }

  include /usr/local/nginx/conf/staticfiles.conf;
  include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/drop.conf;
  include /usr/local/nginx/conf/errorpage.conf;
}

Nginx SPDY SSL Vhost for self signed SSL certificates

If you opted to create your own self signed SSL certificate instead of using a paid SSL certificate, you will have a slightly different Nginx vhost format as there is no ssl-unified.crt file nor can you use any of the OCSP stapling file options or ssl_trusted_certificate option (need to comment those out). In it's place you just use the self signed SSL certificate you generated, yourdomain_com.crt.

Below is example of Nginx vhost for SPDY SSL/3.1 with self signed SSL certificate:

If your intention is to use it with Cloudflare's Universal SSL with Full SSL option, you may want to disable the forced http to https redirect until your Cloudflare Full SSL is activated and working.

The redirect is the first 4 lines of your Nginx vhost which you can comment out and disable with hash in front #:

#  server {
#  server_name domain.com www.domain.com;
#   return 302 https://$server_name$request_uri;
#}

Update: Nginx is replacing SPDY with HTTP/2 module for full details read here. So starting with Nginx 1.9.3+ patched Centmin Mod Nginx or Nginx >1.9.5+, you need to change listen directive from spdy with http2 parameter

from

listen 443 ssl spdy;

to

listen 443 ssl http2;

Full Nginx vhost with self signed SSL certificate:

server {
  server_name domain.com www.domain.com;
   return 302 https://$server_name$request_uri;
}

server {
  listen 443 ssl http2;
  server_name domain.com www.domain.com;

        ssl_dhparam /usr/local/nginx/conf/ssl/domaincom/dhparam.pem;
        ssl_certificate      /usr/local/nginx/conf/ssl/domaincom/yourdomain_com.crt;
        ssl_certificate_key  /usr/local/nginx/conf/ssl/domaincom/yourdomain_com.key;
        ssl_session_cache      shared:SSL:10m;
        ssl_session_timeout  10m;
 
        ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
        # mozilla recommended
        ssl_ciphers TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
 
        ssl_prefer_server_ciphers   on;
        #add_header Alternate-Protocol  443:npn-spdy/3;
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
        #add_header  X-Content-Type-Options "nosniff";
        #add_header X-Frame-Options DENY;
        spdy_headers_comp 5;
        ssl_buffer_size 1369;
        ssl_session_tickets on;
 
        # enable ocsp stapling
        #resolver 8.8.8.8 8.8.4.4 valid=10m;
        #resolver_timeout 10s;
        #ssl_stapling on;
        #ssl_stapling_verify on;
        #ssl_trusted_certificate /usr/local/nginx/conf/ssl/domain.com/domain.com-trusted.crt;

# ngx_pagespeed & ngx_pagespeed handler
#include /usr/local/nginx/conf/pagespeed.conf;
#include /usr/local/nginx/conf/pagespeedhandler.conf;
#include /usr/local/nginx/conf/pagespeedstatslog.conf;

  # limit_conn limit_per_ip 16;
  # ssi  on;

  access_log /home/nginx/domains/domain.com/log/access.log combined buffer=32k;
  error_log /home/nginx/domains/domain.com/log/error.log;

  root /home/nginx/domains/domain.com/public;

     ## redirect https://www to https://non-www
     ## uncomment if needed
     # if ($host = 'www.domain.com' ) {
     #   return 302 https://$server_name$request_uri;
     # }

  location / {

# block common exploits, sql injections etc
#include /usr/local/nginx/conf/block.conf;

  # Enables directory listings when index file not found
  #autoindex  on;

  # Shows file listing times as local time
  #autoindex_localtime on;

  # Enable for vBulletin usage WITHOUT vbSEO installed
  #try_files    $uri $uri/ /index.php;

  }

  include /usr/local/nginx/conf/staticfiles.conf;
  include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/drop.conf;
  #include /usr/local/nginx/conf/errorpage.conf;
}

For versions below Centmin Mod v1.2.3-eva2000.03+, the included /usr/local/nginx/conf/php.conf you need to make one change for PHP over SSL/https. It's best to create a separate php.conf for this. In SSH telnet type:

  cp -a /usr/local/nginx/conf/php.conf /usr/local/nginx/conf/phpssl.conf

For versions below Centmin Mod v1.2.3-eva2000.03+, in your SSL vhost /usr/local/nginx/conf/conf.d/yourdomain.com.conf comment out existing php.conf line and add the new phpssl.conf

  include /usr/local/nginx/conf/staticfiles.conf;
  include /usr/local/nginx/conf/phpssl.conf;
  #include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/drop.conf;
  include /usr/local/nginx/conf/errorpage.conf;

For versions below Centmin Mod v1.2.3-eva2000.03+, edit /usr/local/nginx/conf/phpssl.conf and change this line by uncommenting (remove front hash #):

from

  #fastcgi_param HTTPS on;

to 

  fastcgi_param HTTPS on;

For Nginx vhosts created from Centmin Mod v1.2.3-eva2000.04+ and higher no changes to /usr/local/nginx/conf/php.conf file are needed as this variable is automatically mapped as such you will find this line: 

  fastcgi_param HTTPS $server_https;

and within /usr/local/nginx/conf/nginx.conf you will find under http { the following include file calling /usr/local/nginx/conf/fastcgi_param_https_map.conf:

  http {

include /usr/local/nginx/conf/fastcgi_param_https_map.conf;

The /usr/local/nginx/conf/fastcgi_param_https_map.conf file contains the following code:

map $scheme $server_https {
        default off;
        https on;
}

If you're using older Centmin Mod v1.2.3-eva2000.03 versions, and do not want to create a separate phpssl.conf, you can manually create the file at /usr/local/nginx/conf/fastcgi_param_https_map.conf and add the above outlined mapping under include line under http { to /usr/local/nginx/conf/nginx.conf.

  http {

include /usr/local/nginx/conf/fastcgi_param_https_map.conf;

within /usr/local/nginx/conf/fastcgi_param_https_map.conf file add:

map $scheme $server_https {
        default off;
        https on;
}

Restart Nginx and php-fpm services

service nginx restart
service php-fpm restart

or via command shortcut

nprestart

SPDY check

Test your https:// SSL based domain for SPDY via the following:

SSL check

Then test your https:// SSL based domain via these SSL test sites:

Can also do a OCSP Stapling quick test within SSH telnet command, type the following where domain.com is the https://domain.com SSL domain you setup:

  openssl s_client -connect domain.com:443 -tls1 -tlsextdebug -status

look for output:

  OCSP response: 
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)?

Troubleshooting

If you have problems with your web application under SSL, please consult with that authors of that web application i.e. wordpress, vBulletin, Xenforo, IPBoard, drupal etc.