TLS


Learning Outcomes

  • explain why encryption is required
  • describe how encryption over the web works
  • explain how the TLS handshake works
  • describe the role of certificates and certificate authorities
  • describe the differences between DV, OV, and EV certificates
  • get a certificate for a domain
  • deploy a certificate for a web server



Video walk through of this lab.

The web preview domain in Google Cloud Shell is already TLS enabled. Nothing to do here!

Setting up TLS for NGINX Running on a VM

Stop your lab1 VM.

Edit the lab1 VM to allow HTTP and HTTPS traffic.

Start the lab1 VM. If the external IP address has changed, update the “A” record for “myapp.4949NN.xyz”.

Back in your Cloud Shell terminal, connect to the new VM as follows:

gcloud compute ssh lab1 --zone YOUR_ZONE_HERE

Install and run NGINX:

sudo apt install nginx

If you browse to http://myapp.4949NN.xyz you should see the default NGINX page. To convince yourself that this is truly your own VM, create a custom index.html page as follows (use your own name or initials):

sudo sh -c 'echo "<h1>This is BK'\''s page.</h1>" > /var/www/html/index.html'

Refresh the web page in your browser and confirm that the changes have been made.

Install Certbot, the application we will use to provision the TLS certificate:

sudo apt install certbot python-certbot-nginx

Now we can provision a TLS certificate for the new domain name:

sudo certbot --nginx

When asked for an email address, use your “@mylangara.ca” email address.

Agree to the Terms of Service.

Share your email address (or not) as you see fit.

When asked for the domain name, enter “myapp.4949NN.xyz” but substitute “NN” with your own digits.

It will take a small amount of time to provision the TLS certificate. After that you will be asked whether or not you want to configure NGINX to redirect HTTP traffic to HTTPS. I would normally enable this, so choose option “2”.

Refresh the page in your browser. You should be redirected to the HTTPS page.
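The browser check above can also be scripted. The following is an added example, not part of the original lab: it confirms that plain HTTP redirects to HTTPS on the same host, that the certificate chain is trusted, and that the certificate names the host. The function names are this example's own, and it assumes curl and an openssl build that supports `x509 -ext` on the machine running it.

```shell
#!/bin/sh
# Added example (not part of the original lab): checks for the HTTPS setup.
# The function names are this example's own.

# redirect_ok HOST: reads HTTP response headers on stdin (as printed by
# `curl -sI http://HOST/`); succeeds only for a redirect to https://HOST.
redirect_ok() {
  local host="$1" status="" location="" line cr
  cr=$(printf '\r')                          # header lines end in CRLF
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%"$cr"}
    case "$line" in
      HTTP/*) status=${line#* }; status=${status%% *} ;;
      [Ll]ocation:*) location=${line#*:}; location=${location# } ;;
    esac
  done
  case "$status" in 301|302|307|308) ;; *) return 1 ;; esac
  case "$location" in "https://$host"|"https://$host/"*) return 0 ;; esac
  return 1
}

# cert_covers HOST: reads the output of
# `openssl x509 -noout -ext subjectAltName` on stdin; succeeds if a DNS name
# equals HOST or is a wildcard for HOST's parent domain.
cert_covers() {
  local host="$1"
  tr ',' '\n' | sed -n -e 's/ *$//' -e 's/^ *DNS://p' |
    grep -qxF -e "$host" -e "*.${host#*.}"
}

# verify_site HOST: live check, needs network access, curl and openssl.
verify_site() {
  local host="$1" out
  curl -sI --max-time 10 "http://$host/" | redirect_ok "$host" ||
    { echo "FAIL: http://$host/ does not redirect to HTTPS"; return 1; }
  # -verify_return_error aborts the handshake if the chain is not trusted.
  out=$(openssl s_client -connect "$host:443" -servername "$host" \
          -verify_return_error </dev/null 2>/dev/null) ||
    { echo "FAIL: certificate chain for $host is not trusted"; return 1; }
  printf '%s\n' "$out" | openssl x509 -noout -ext subjectAltName |
    cert_covers "$host" ||
    { echo "FAIL: certificate does not name $host"; return 1; }
  echo "OK: $host redirects to HTTPS with a trusted, matching certificate"
}

# Usage: sh check_tls.sh myapp.4949NN.xyz  (with NN replaced by your digits)
if [ -n "${1:-}" ]; then verify_site "$1"; fi
```

A redirect whose Location points at a different host, or at a name that merely begins with your hostname, is treated as a failure.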

Proxy a Node.js Application Through NGINX

Instead of NGINX serving a static page, we want to proxy requests to our Node.js app.

Change to the NGINX sites configuration directory:

cd /etc/nginx/sites-available

Change the visual editor to “vi”:

export VISUAL=vi

Edit the default site configuration file:

sudoedit default

If you have not used “vi” before, it has two modes: command mode and insert mode. It starts out in command mode, where many keys refer to commands. You can still use the arrow keys to move around.

Move to the second “server { … }” block in the file. The first server block defines the default server. The second block defines the TLS server. You will be able to identify this second block because it has a comment “SSL configuration”.

Navigate to the “location { … }” block inside the second server block. This defines where the served files come from. Right now it has a line “try_files $uri $uri/ =404”. This maps the requested path to a file in the file system and, if a corresponding file doesn’t exist, returns a 404 error. Instead, we want to proxy these requests to our Node.js application.

Move your cursor to the end of the “try_files $uri $uri/ =404” line. Hit the “a” key on your keyboard, which will put “vi” in insert mode so you can type in text. Add the following lines:

  proxy_pass http://localhost:8080;
  proxy_http_version 1.1;
  proxy_set_header Upgrade $http_upgrade;
  proxy_set_header Connection 'upgrade';
  proxy_set_header Host $host;
  proxy_cache_bypass $http_upgrade;

Move the cursor back up to the beginning of the “try_files $uri $uri/ =404” line and type “#” at the beginning of the line to comment it out.

Hit the “ESC” key on your keyboard to get out of insert mode and back into command mode. Type “:wq” and then hit the “ENTER” key on your keyboard to save the file.

Restart NGINX:

sudo systemctl restart nginx

Refresh the page in the browser and you should see your Node.js application.


  1. In a text file, answer the following questions:
    1. Find a site with a DV certificate (other than your site or my own site).
    2. Find a site with an OV certificate (other than *.langara.ca).
    3. Find a site with an EV certificate (other than *.vancity.com).
  2. Provision a TLS certificate for mysecondapp.4949NN.xyz.
  3. Proxy mysecondapp.4949NN.xyz through NGINX.