Configure Nginx Web Server with SSL in a Vagrant Virtual Machine

Before you are able to run any PHP project in your Vagrant VM and display pages in a browser, you need to configure Nginx and set a Virtual Host.

The best way to configure it to to enable SSL and HTTP2, the same way as you should in your live Production Environment.

With SSL you will secure the data transferred to / from the Backend Server and with HTTP2 you will benefit of improved performance and high speed page loading.

Prerequisites:

• Vagrant Virtual Machine with CentOS 7, Nginx, MariaDb, NodeJs and PHP 8
• How to install Symfony Framework using composer in 2 easy steps

Step 1. Go to the directory where you have your VM and turn on your VM

$ cd ~/devzone/cool_vagrant_project
$ vagrant up

Step 2. Ssh into your VM and edit Nginx Web Server file

$ vagrant ssh
$ sudo nano /etc/nginx/nginx.conf

delete all lines in this file and replace them with:

user nginx;
    error_log  /var/log/nginx/error.log crit;
    pid        /var/run/nginx.pid;
    worker_processes  1;
    worker_rlimit_nofile 16384;
events {
    worker_connections  50000;
    multi_accept on;
    use epoll;
}
http {
    ssl_password_file /etc/nginx/certs/pass_file;
    default_type  application/octet-stream;
    include mime.types;
    access_log  off;
    keepalive_timeout 30;
    fastcgi_read_timeout 3600;
    proxy_read_timeout 3600;
    tcp_nodelay on;
    sendfile on;
    expires -1;
    server_tokens off;
    tcp_nopush on;
    types_hash_max_size 2048;
    fastcgi_cache_path /var/cache/nginx levels=1:2 keys_zone=microcache:100m max_size=500m inactive=60m;
    fastcgi_cache_key "$scheme$request_method$host$request_uri";
    gzip  on;
    gzip_disable "msie6";
    gzip_vary on;
    gzip_min_length 1100;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_proxied any;
    gzip_types text/css text/x-component application/x-javascript application/javascript text/javascript text/x-js text/richtext image/svg+xml text/plain text/xsd text/xsl text/xml image/x-icon;
    include /etc/nginx/conf.d/*;
    open_file_cache          max=5000  inactive=20s;
    open_file_cache_valid    30s;
    open_file_cache_min_uses 2;
    open_file_cache_errors   on;
}

save the file.

Step 3. Create a Virtual Host file

$ sudo nano /etc/nginx/conf.d/cool_project.conf

and paste all this:

server {
    listen 80;
    server_name cool.project.vps;
    return 301 https://$server_name$request_uri;
}

server {
    client_max_body_size 20M;
    listen 443 ssl http2;
    server_name cool.project.vps;

    # SSL
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
    ssl_certificate /etc/nginx/certs/nginx-cool-cert.pem;
    ssl_certificate_key /etc/nginx/certs/nginx-cool-key.pem;
    ssl_dhparam /etc/nginx/certs/dhparam.pem;
    ssl_session_cache shared:SSL:40m;
    ssl_session_timeout 4h;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/certs/lets-encrypt-r3-cross-signed.pem;
    resolver 8.8.8.8 8.8.4.4;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    ssl_session_tickets on;

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    # Symfony public folder
    root   /var/www/cool_project/public;
 

    index index.html index.php;


    location / {
        # try to serve file directly, fallback to index.php
        try_files $uri /index.php$is_args$args;
   }

    # Symfony 5
    location ~ ^/(index|ocp)\.php(/|$) {
        fastcgi_pass   unix:/run/php-fpm/www.sock;###check conf in /etc/php-fpm.d/www.conf if set to use socket or IP -- 127.0.0.1:9000;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME   $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        include        fastcgi_params;
        fastcgi_cache microcache;
        fastcgi_cache_valid  3s;
        add_header Cache-Control "no-cache, max-age=300, public";
        add_header X-Powered-By "Powered by Php 8+ / Nginx --- R. Elizondo";
    }

        # caching of files
    location ~ \.(xml)$ {
        add_header Cache-Control "no-cache, public";
        add_header X-Powered-By "Powered by Php 8+ / Nginx --- R. Elizondo";
    }

    location ~ \.(css|htc|js|js2|js3|js4)$ {
        add_header Cache-Control "cache, max-age=604800, public";
        add_header X-Powered-By "css/ js --- Powered by Php 8+ / Nginx --- R. Elizondo";
    }
    location ~ \.(html|htm|rtf|rtx|svg|svgz|txt|xsd|xsl)$ {
        add_header Cache-Control "cache, max-age=604800, public";
        add_header X-Powered-By "Powered by Php 8+ / Nginx --- R. Elizondo";
    }
    location ~ \.(asf|asx|wax|wmv|wmx|avi|bmp|class|divx|doc|docx|eot|exe|gif|gz|gzip|ico|jpg|jpeg|jpe|json|mdb|mid|midi|mov|qt|mp3|m4a|mp4|m4v|mpeg|mpg|mpe|mpp|otf|odb|odc|odf|odg|odp|ods|odt|ogg|pdf|png|pot|pps|ppt|pptx|ra|ram|svg|svgz|swf|tar|tif|tiff|ttf|ttc|wav|wma|wri|xla|xls|xlsx|xlt|xlw|zip)$ {
        add_header Cache-Control "cache, max-age=604800, public";
        add_header X-Powered-By "Powered by Php 8+ / Nginx --- R. Elizondo";
    }
}

Notice: This virtual host configuration is for working with How to install Symfony Framework using composer in 2 easy steps

 There are other virtual host configurations available here.

Step 4. Generate SSL CA private key:

$ sudo mkdir /etc/nginx/certs
$ cd /etc/nginx/certs
$ sudo openssl req -x509 -newkey rsa:4096 -days 3650 -keyout ca-key.pem -out ca-cert.pem

When asked enter a password, then Country 2 letters Code, State, etc.

Its important that as Common Name you use the domain name of the website that will use the Certificate.

Enter a valid email and the last 2 leave them empty:

Step 5. Generate Web server's private key and CSR.

$ sudo openssl req -newkey rsa:4096 -keyout nginx-cool-key.pem -out nginx-cool-req.pem

You will be asked to provide the password you used to create ssl ca pem, then enter again Country 2 letter code and State, and optional email. All others you just hit enter.

 Step 6. Sign Nginx Certificate.

$ sudo openssl x509 -req -in nginx-cool-req.pem -days 3650 -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -out nginx-cool-cert.pem

 Step 7. Generate DH Params Cert.

$ sudo openssl dhparam -out /etc/nginx/certs/dhparam.pem 2048

Step 8. Get lets-encrypt cert

$ sudo wget -O /etc/nginx/certs/lets-encrypt-r3-cross-signed.pem   "https://letsencrypt.org/certs/lets-encrypt-r3-cross-signed.pem"

Step 9. Save password file so Nginx can read the key to validate the certificate and be able to serve TLS.

$ sudo nano /etc/nginx/certs/pass_file
# Write down the password you used  when creating the pem.
# Save the file.

Step 10. Make sure you did everything right.

$ sudo nginx -t

 you will be asked for the pass you use for the ssl cert. then if everything went fine you will be seeing something like this:

Step 11. Reload Nginx configuration.

$ sudo systemctl restart nginx

Step 12. Set a virtual domain in your host machine adding the following entry to the hosts file:

92.168.56.10   cool.project.vps

IP is the one you set in the Vagrantfile as private network

In Linux / macOS machines:

$ # Exit from Virtual Machine ssh session
$ exit
$ # Edit host file
$ sudo nano /etc/hosts

 Next Up:

Configure PHP in Virtual Machine to work as LEMP Server