Setting up SSL with nginx reverse proxy

Posted on June 11, 2019

I’m about to launch a major website. I’m having a bit of trouble configuring SSL correctly, and need to make sure I don’t screw it up.

I do have SSL cert files, and am following the guide here: https://www.digitalocean.com/community/tutorials/how-to-install-an-ssl-certificate-from-a-commercial-certificate-authority#install-certificate-on-web-server

  1. I have an Nginx in front/root acting as a reverse proxy.
  2. I have WordPress on an Apache server at port 8090.
  3. My app is at port 8000 (Node.js), consuming the API from the WordPress above.

So my current setup is such:

1. /etc/nginx/sites-available/default:

server {
    listen 80 default_server;
    listen [::]:80 default_server;

    root /var/www/html;
    index index.php index.js index.html index.htm index.nginx-debian.html;
    server_name domain.com www.domain.com;

    location / {
        proxy_pass http://localhost:8000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }

    location /wordpress {
        proxy_pass http://localhost:8090;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}

2. /etc/apache2/ports.conf:

Listen 8090

<IfModule ssl_module>
        Listen 443
</IfModule>

<IfModule mod_gnutls.c>
        Listen 443
</IfModule>

So, I suppose I need to modify **/etc/nginx/sites-available/default** like below.

Just need someone to tell me if there’s something wrong here:

server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;

    root /var/www/html;
    index index.php index.js index.html index.htm index.nginx-debian.html;
    server_name domain.com www.domain.com;
    ssl_certificate /ssl/domain.com.chained.crt;
    ssl_certificate_key /ssl/domain.com.key;

    location / {
        proxy_pass http://localhost:8000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }

    location /wordpress {
        proxy_pass http://localhost:8090;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}



@bobbyiliev thank you. I’ve received some feedback from other colleagues and I wonder if you could chime in on these:

  1. That Apache shouldn’t be listening on port 443 since Nginx will be listening there. Apache is actually listening on port 8090; I’m wondering, should I remove these lines?

<IfModule ssl_module>
        Listen 443
</IfModule>

<IfModule mod_gnutls.c>
        Listen 443
</IfModule>

  2. That I should not be messing with the default config for Nginx and should be adding the config for domain.com inside sites-available. I’m not planning to host any other sites on this server so I thought editing default would be fine… Any thoughts?


Hello,

  1. I believe that if you do not have an Apache Vhost for port 443 then Apache would not use the port. But to be on the safe side you could change those lines in the apache config to another port like 8443 for example.

  2. If there will be only one single site on the server, I don’t see a problem with making the changes to the default Nginx conf file. Creating a separate conf file would indeed be required if you decide to add another site.

As always, make sure to back up your configuration files before making any changes, always run a config test before restarting the services, and it is best to have a dev environment where you could test your changes.

Hope that this helps :)
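
The port 443 question from the follow-up comment and the back-up-and-test advice in the answer, combined into one pre-reload check. This is an added example, not code from the thread: the function names and the `safe_reload` wrapper are hypothetical, the sample input is constructed from the configs quoted above, and `nginx -t`, `apachectl configtest` and `systemctl reload nginx` are the standard commands.

```sh
#!/bin/sh
# Added example (not from the thread): find ports that both Apache and nginx
# are configured to bind, before reloading either service.

# Ports named in Apache "Listen" directives; config text on stdin.
# Directives inside <IfModule> count: they take effect once that module is loaded.
apache_listen_ports() {
    awk 'tolower($1) == "listen" { n = split($2, a, ":")
         if (a[n] ~ /^[0-9]+$/) print a[n] }' | sort -u
}

# Ports named in nginx "listen" directives; config text on stdin.
nginx_listen_ports() {
    awk '$1 == "listen" { p = $2; sub(/;$/, "", p); n = split(p, a, ":")
         if (a[n] ~ /^[0-9]+$/) print a[n] }' | sort -u
}

# Ports both servers would bind. $1 = Apache config file, $2 = nginx config file.
port_conflicts() {
    wanted=$(apache_listen_ports < "$1")
    for p in $(nginx_listen_ports < "$2"); do
        if printf '%s\n' "$wanted" | grep -qx "$p"; then echo "$p"; fi
    done
}

# Back up both files, check for clashes, test both configs, then reload nginx.
safe_reload() {
    stamp=$(date +%Y%m%d%H%M%S)
    for f in "$1" "$2"; do cp -p "$f" "$f.bak.$stamp" || return 1; done
    clash=$(port_conflicts "$1" "$2")
    if [ -n "$clash" ]; then
        echo "Apache and nginx both listen on: $clash" >&2
        return 1
    fi
    nginx -t && apachectl configtest && systemctl reload nginx
}

# Constructed sample input: ports.conf and the proposed listen lines from the thread.
sample_dir=$(mktemp -d)
printf '%s\n' 'Listen 8090' '<IfModule ssl_module>' '        Listen 443' '</IfModule>' \
    > "$sample_dir/ports.conf"
printf '%s\n' 'server {' '    listen 443 ssl default_server;' \
    '    listen [::]:443 ssl default_server;' '}' > "$sample_dir/default"
echo "conflicting ports: $(port_conflicts "$sample_dir/ports.conf" "$sample_dir/default")"
```

On a real host, `safe_reload /etc/apache2/ports.conf /etc/nginx/sites-available/default` needs root and stops before any reload if a clash or a failed config test is found.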
