Setting up SSL with nginx reverse proxy

June 11, 2019
Nginx Apache DigitalOcean WordPress

I’m about to launch a major website. I’m having a bit of trouble configuring SSL correctly, and need to make sure I don’t screw it up.

I do have SSL cert files, and am following the guide here: https://www.digitalocean.com/community/tutorials/how-to-install-an-ssl-certificate-from-a-commercial-certificate-authority#install-certificate-on-web-server

  1. I have an Nginx in front/root acting as a reverse proxy.
  2. I have WordPress on an Apache server at port 8090
  3. and my app is at port 8000 (Node.js), consuming the API from WordPress above.

So my current setup is such:
1. /etc/nginx/sites-available/default:

server {
    listen 80 default_server;
    listen [::]:80 default_server;

    root /var/www/html;
    index index.php index.js index.html index.htm index.nginx-debian.html;
    server_name domain.com www.domain.com;

    location / {
        proxy_pass http://localhost:8000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }

    location /wordpress {
        proxy_pass http://localhost:8090;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}

2. /etc/apache2/ports.conf:

Listen 8090

<IfModule ssl_module>
        Listen 443
</IfModule>

<IfModule mod_gnutls.c>
        Listen 443
</IfModule>

So, I suppose I need to modify /etc/nginx/sites-available/default like below.

Just need someone to tell me if there’s something wrong here:

server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;

    root /var/www/html;
    index index.php index.js index.html index.htm index.nginx-debian.html;
    server_name domain.com www.domain.com;
    ssl_certificate /ssl/domain.com.chained.crt;
    ssl_certificate_key /ssl/domain.com.key;

    location / {
        proxy_pass http://localhost:8000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }

    location /wordpress {
        proxy_pass http://localhost:8090;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}

4 Answers

Hi Geochanto,

I have a similar setup and I believe that your config looks correct. Just before restarting Nginx, make sure to run a configtest with the nginx -t command after your changes to make sure that there are no errors.

Hello,

  1. I believe that if you do not have an Apache Vhost for port 443 then Apache would not use the port. But to be on the safe side you could change those lines in the Apache config to another port, like 8443 for example.

  2. If there would be only one single site on the server, I don’t see a problem with making the changes to the default Nginx conf file. Creating a separate conf file would indeed be required if you decide to add another site.

As always, make sure to back up your configuration files before making any changes, always run a config test before restarting the services, and it is best to have a dev environment where you could test your changes.

Hope that this helps :)

@bobbyiliev thank you. I’ve received some feedback from other colleagues and I wonder if you could chime in on these:

  1. That Apache shouldn’t be listening on port 443 since Nginx will be listening there. Apache is actually listening on port 8090; I’m wondering, should I remove these lines?
<IfModule ssl_module>
        Listen 443
</IfModule>

<IfModule mod_gnutls.c>
        Listen 443
</IfModule>

  2. That I should not be messing with the default config for Nginx and should be adding the config for domain.com inside sites-available. I’m not planning to host any other sites on this server so I thought editing default would be fine… any thoughts?
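
The port 443 overlap discussed in this thread can be checked before either service is restarted. The script below is an added example, not code from any poster in the thread: it scans an Apache ports.conf and an nginx site file for ports both would bind, and reports which `<IfModule>` condition enables each Apache `Listen`. The sample file contents are constructed to mirror the question, and the function names are hypothetical.

```python
import re
# Constructed samples mirroring the two files quoted in the question.
APACHE_PORTS_CONF = """Listen 8090
<IfModule ssl_module>
        Listen 443
</IfModule>
<IfModule mod_gnutls.c>
        Listen 443
</IfModule>
"""
NGINX_SITE_CONF = """server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
}
"""

def apache_listen_ports(text):
    """Map each Listen port to the <IfModule> conditions guarding it (None = unconditional)."""
    ports, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            continue
        opened = re.match(r"<IfModule\s+(\S+)\s*>", line, re.I)
        listen = re.match(r"Listen\s+(?:\S*:)?(\d+)\b", line, re.I)
        if opened:
            stack.append(opened.group(1))
        elif line.lower().startswith("</ifmodule") and stack:
            stack.pop()
        elif listen:
            ports.setdefault(int(listen.group(1)), set()).add(stack[-1] if stack else None)
    return ports

def nginx_listen_ports(text):
    """Collect TCP ports from nginx listen directives (handles 443 and [::]:443 forms)."""
    tails = (m.group(1).rsplit(":", 1)[-1]
             for m in re.finditer(r"^\s*listen\s+(\S+?)[\s;]", text, re.M))
    return {int(t) for t in tails if t.isdigit()}

def port_conflicts(apache_text, nginx_text):
    """Ports both servers would try to bind if the listed Apache modules are loaded."""
    apache = apache_listen_ports(apache_text)
    shared = nginx_listen_ports(nginx_text) & set(apache)
    return {p: sorted(apache[p], key=str) for p in sorted(shared)}

if __name__ == "__main__":
    print(port_conflicts(APACHE_PORTS_CONF, NGINX_SITE_CONF))
```

A non-empty result only means a collision is possible: Apache binds the port only when the named module is actually loaded.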