Install SSL Certificate on NGINX webserver

Overview

To secure connections between VergeCloud and your backend, you must install an SSL certificate on your NGINX server. This is one of the most important steps in ensuring that all data passing between VergeCloud and your server remains protected. When SSL is enabled, every request and response is encrypted, which prevents attackers from intercepting, modifying, or reading the information sent through the connection. It also provides authentication so that VergeCloud can confirm it is genuinely communicating with your server rather than an unauthorized destination. Proper SSL configuration significantly improves the reliability, trustworthiness, and overall security posture of your entire infrastructure, especially when handling sensitive requests or API data.

Prepare the Certificate and Private Key

Before configuring SSL on your server, you need both a valid SSL certificate and the private key that corresponds to it. You can use an SSL certificate obtained from a certificate authority of your choice, or you can generate a free certificate directly from the SSL/TLS → Origin Server section in the VergeCloud dashboard. VergeCloud Origin certificates are designed specifically for protecting the connection between VergeCloud and your origin server, making them convenient and reliable for this type of setup. The VergeCloud dashboard provides a simple interface where you can generate the certificate and private key, then download them securely. If you are generating the certificate through VergeCloud for the first time, it is recommended to review the documentation available in the dashboard so that you understand how the certificates work, how long they remain valid, and how they should be installed on your server. Once your certificate and private key are ready, save them in a safe location and prepare them for upload.

Upload to Server

After you have downloaded the certificate and private key, upload both files to a secure directory on your server. It is important to choose a directory that is protected by proper permissions and accessible only by the user group responsible for running NGINX. For example, a typical storage path might look like:

/etc/ssl/vergecloud/certificate.crt
/etc/ssl/vergecloud/private.key

These files must be transferred through a secure channel such as SCP or SFTP. Avoid exposing your certificate or private key through unsecured uploads or publicly accessible storage locations. The private key is especially sensitive because it is what allows your server to prove its identity during the SSL handshake. Anyone who gains access to it could impersonate your server, which is why it must always remain private. Ensuring that the directory is owned by the correct user and restricted using the proper permissions is a crucial part of securing your deployment.

Update NGINX Configuration

Once the certificate and private key are stored on your server, the next step is updating the NGINX configuration so that SSL can be enabled. Begin by editing your NGINX configuration file, usually located in /etc/nginx/sites-available or /etc/nginx/conf.d depending on the server setup. The first server block handles traffic arriving on port 80. This block should immediately redirect all requests to HTTPS so that no unencrypted traffic reaches your backend. The configuration may look like this:

server {
    listen 80;
    server_name yourdomain.com www.yourdomain.com;
    return 301 https://$host$request_uri;
}

This redirect ensures that any user or service connecting over HTTP is immediately forwarded to the HTTPS version of your domain.

Next, configure the server block that handles secure HTTPS connections on port 443. The block will contain your SSL certificate path, private key path, and the necessary SSL directives:

server {
    listen 443 ssl;
    server_name yourdomain.com www.yourdomain.com;
    ssl_certificate /etc/ssl/vergecloud/certificate.crt;
    ssl_certificate_key /etc/ssl/vergecloud/private.key;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass http://localhost:3000;
    }
}

These settings ensure the server uses modern protocols and strong ciphers, reducing the risk of downgrade or interception attacks. The proxy_pass directive is often used when your application runs on a local service such as a Node.js application listening on port 3000. NGINX will securely handle incoming HTTPS traffic and forward it to your application.

Reload NGINX

After updating the configuration, test the syntax of your NGINX configuration to ensure there are no mistakes. You can do this with:

sudo nginx -t

If the test passes successfully, reload NGINX to apply the new SSL configuration:

sudo systemctl reload nginx

Reloading applies the configuration without interrupting running services, allowing the server to immediately begin serving traffic over HTTPS.

Testing/Validation

Once the server reloads successfully, you should test your SSL installation to confirm everything is working as expected. You can use the openssl command to check whether the certificate is properly installed and whether the SSL handshake completes without errors:

openssl s_client -connect yourdomain.com:443

This command displays the certificate details, verifies the connection, and helps ensure your NGINX server is correctly presenting the VergeCloud certificate.

Considerations

Private key security is critical. Make sure the key file has the correct permissions and that only the appropriate user group such as www-data can access it. Store certificate files securely and never commit them to version control platforms like GitHub or GitLab. VergeCloud Origin certificates are valid for 90 days, so you must handle renewals manually. After each renewal, download the new certificate and key, replace the old files on your server, and reload NGINX so the updated certificate is used.
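The permission requirements from "Upload to Server" and the renewal steps above can be checked before each reload. The script below is an added example, not VergeCloud tooling: the function names and the 14-day threshold in the usage line are assumptions, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example: checks to run on a renewed certificate/key pair before reloading NGINX.
# Function names are illustrative; default paths are the article's example locations.
CERT=${CERT:-/etc/ssl/vergecloud/certificate.crt}
KEY=${KEY:-/etc/ssl/vergecloud/private.key}

# Succeeds only if the key grants nothing to "other" and is not group-writable.
key_perms_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1   # GNU stat, e.g. 640
    other=$((mode % 10))
    group=$(( (mode / 10) % 10 ))
    [ "$other" -eq 0 ] && [ $((group & 2)) -eq 0 ]
}

# Succeeds only if the certificate's public key is the one derived from the private key.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Succeeds only if the certificate is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Runs all three checks; the return code identifies the first one that failed.
preflight() {   # $1 = certificate, $2 = private key, $3 = minimum days of validity
    key_perms_ok "$2" || { echo "key permissions too open: $2" >&2; return 1; }
    cert_matches_key "$1" "$2" || { echo "certificate and key do not match" >&2; return 2; }
    cert_valid_for_days "$1" "$3" || { echo "certificate expires within $3 days" >&2; return 3; }
}

# Usage: sh preflight.sh 14 && sudo nginx -t && sudo systemctl reload nginx
if [ "$#" -eq 1 ]; then
    preflight "$CERT" "$KEY" "$1"
fi
```

If any check fails, the reload is skipped and NGINX keeps serving with the certificate it already has loaded.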


