
I'm running a web app that uses websockets and have nginx as a reverse proxy for that, and that works fine. I've also been able to get SSL to work without the socket. Now we're nearing the official launch and will be required to have SSL too.

Any ideas on how to make that happen? Here's my nginx config file:

server {
    listen               443 ssl;
    ssl                  on;
    ssl_certificate      /etc/nginx/server.crt;
    ssl_certificate_key  /etc/nginx/server.key;
    ssl_session_timeout  5m;
    ssl_protocols  SSLv2 SSLv3 TLSv1;
    ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    ssl_prefer_server_ciphers   on;

    listen 80;
    server_name sub.domain.com;

    location / {
      proxy_pass http://localhost:8866;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";
      proxy_read_timeout 43200000;
    }

    location /static/ {
        autoindex on;
        alias /home/xyz/.jenkins/jobs/app/workspace/main/static/;
    }

}

EDIT: As @dhr_p noted in the comments, this config isn't secure and YOU SHOULD NOT use it. These days you should only allow TLS and a more hardened suite of ciphers.

jesseniem
  • What's not working? What are you expecting and what is actually happening? Are you getting any errors? If so, what are they? – chrskly Jun 12 '13 at 21:41
  • Actually the config seemed to work as it is. The problem was with one of the URLs to my internal API being still hardcoded to use http:// – jesseniem Jun 13 '13 at 17:56
  • 1
    IMPORTANT: this SSL configuration is not secure. It allows all ssl_ciphers, including none at all. Use https://mozilla.github.io/server-side-tls/ssl-config-generator/ to generate your configuration. This means that while identity is still being verified, once a sessions' private key is compromised all recorded and future traffic can be listened in on. – dhr_p Jun 24 '16 at 18:34
  • 1
    @dhr_p Thanks for the comment. I've migrated away from this configuration a long time ago. My current config only allows for TLS and few select ciphers. Edited the question to indicate this. – jesseniem Jun 26 '16 at 09:00
