Question

Setting up SSL with nginx reverse proxy

Posted June 11, 2019 5.8k views
Nginx Apache WordPress DigitalOcean

I’m about to launch a major website. having a bit of a trouble with configuring SSL correctly, and need to make sure I don’t screw it up.

I do have SSL cert files, and following the guide here: https://www.digitalocean.com/community/tutorials/how-to-install-an-ssl-certificate-from-a-commercial-certificate-authority#install-certificate-on-web-server

  1. I have an Nginx in front/root acting as a reverse proxy.
  2. I have wordpress on Apache server at port 8090
  3. and my app is at port 8000 (nodejs), consuming API from wordpress above.

So my current setup is such:
1. /etc/nginx/sites-available/default:

server {
    listen 80 default_server;
    listen [::]:80 default_server;

    root /var/www/html;
     index index.php index.js index.html index.htm index.nginx-debian.html;
     server_name domain.com www.domain.com;

    location / {
        proxy_pass http://localhost:8000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }

    location /wordpress {
        proxy_pass http://localhost:8090;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}

2. /etc/apache2/ports.conf:

Listen 8090

<IfModule ssl_module>
        Listen 443
</IfModule>

<IfModule mod_gnutls.c>
        Listen 443
</IfModule>

So, I suppose I need to modify ** /etc/nginx/sites-available/default:** like below.

Just need someone to tell me if there’s something wrong here:

server {
     listen 443 ssl default_server;
     listen [::]:443 ssl default_server;

     root /var/www/html;
     index index.php index.js index.html index.htm index.nginx-debian.html;
     server_name domain.com www.domain.com;
     ssl_certificate /ssl/domain.com.chained.crt;
     ssl_certificate_key /ssl/domain.com.key;

    location / {
        proxy_pass http://localhost:8000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }

    location /wordpress {
        proxy_pass http://localhost:8090;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}
Add a comment
7addcc6c5a967f3224e6471a24199e96e7506dcb
By:
geochanto
Add a comment

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

4 answers
bobbyiliev June 11, 2019

Hi Geochanto,

I have a similar setup and I believe that your config looks correct. Just before restarting Nginx, make sure to run a configtest with the nginx -t command after your changes to make sure that there are no errors.

Reply Report
bobbyiliev June 12, 2019

Hello,

  1. I believe that if you do not have an Apache Vhost for port 443 then Apache would not use the port. But to be on the safe side you could change those lines in the apache config to another port like 8443 for example.

  2. If there would be only one single site on the server, I don’t see a problem of making the changes to the default Nginx conf file. Creating a separate conf file would indeed be required if you decide to add another site.

As always make sure to backup your configuration files before making any chances, always run config test before restarting the services and it is best to have a dev environment where you could test your changes.

Hope that this helps :)

Reply Report
geochanto June 11, 2019

@bobbyiliev thank you. I’ve received some feedback from other colleagues and I wonder if you could chime in on these:

  1. That apache shouldn’t be listening on port 443 since Nginx will be listnening there. Apache is actually listening on port 8090, I’m wondering should I remove these lines? :
<IfModule ssl_module>
        Listen 443
</IfModule>

<IfModule mod_gnutls.c>
        Listen 443
</IfModule>
  1. That I should not be messing with the default config for Nginx and should be adding the config for domain.com inside sites-available. I’m not planning to host any other sites on this server so I thought editing default would be fine… any thoughts?
Reply Report
sofiaoffice June 12, 2019
[deleted]
Reply Report
Submit an Answer

Related

Looking for something else?

Ask a new question Search for more help