3

Related to my question about how to set up a reverse proxy using nginx, I am now stuck when setting up one which additionally requires an SSL connection.

I have a Docker container which provides the mapped SSL port 4430 to my host system. The webserver is using a self-signed certificate.

In my /etc/hosts file, I have defined:

127.0.0.1 app.local

And my nginx server config looks like:

server {
    listen 80;
    server_name app.local;
    location / {
        return https://$host$request_uri;
    }
}

server {
    listen 443;
    server_name app.local;
    location / {
        proxy_pass https://127.0.0.1:4430;
    }
}

When I access my webapp using https://127.0.0.1:4430 it works fine. I get a warning about the certificate the first time though, which I then have to allow.

Yet when connecting to it via either http://app.local or https://app.local, my browser shows a:

SSL connection error
ERR_SSL_PROTOCOL_ERROR

I was also expecting the certificate warning to appear, which I could then allow.

How to get the reverse proxy working when using SSL with nginx?

k0pernikus

2 Answers

3

To terminate SSL on nginx:

a) The server section needs to specify port and 'ssl'

listen 192.168.2.26:443 ssl;

b) The server block then also specifies certs and ssl params

ssl_certificate      new-cert.cer;
ssl_certificate_key  new-cert.key;

# SSLv3 and TLS 1.0 are deprecated and insecure; allow only TLS 1.2 and 1.3
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
Jonesome Reinstate Monica
2

You're close, I think (I'm new to Nginx myself), but your second server block needs a bit more... I have one on my server with this:

listen 443 ssl;
listen [::]:443 ipv6only=on ssl;
charset utf-8;
client_max_body_size 75M;
server_name example.com www.example.com;
ssl_certificate /etc/ssl/certs/example.com.crt;
ssl_certificate_key /etc/ssl/private/example.com.key;

Note the following:

  1. The listen directive specifies ssl.
  2. The certificate and certificate key are specified. The cert should be in a place easy to access because it's sent to everyone accessing your site. The key is in a place where only the users needing it can access it.

The ipv6, charset, and client max body are lines I have on my server but aren't needed for what you're doing here. You could name these anything and place them anywhere, so don't get hung up on the exact filename or location if you store yours somewhere else. This is just how I like to do it, and my ls -l output is:

-rw-r--r-- 1 root root 1887 Oct  8 14:16 /etc/ssl/certs/example.com.crt
-rw-r----- 1 root ssl-cert 1704 Oct  8 13:47 /etc/ssl/private/example.com.key
Palu Macil
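
The browser reported ERR_SSL_PROTOCOL_ERROR instead of a certificate warning because a `listen 443;` line without `ssl` makes nginx answer in plain HTTP on that port, so the TLS handshake never reaches the certificate stage. The Python probe below is an added example, not code from the question or the answers; it tells a TLS listener from a plain-HTTP one, and the local listener and both function names are constructed for the illustration.

```python
import socket
import ssl
import threading


def start_plain_http_listener():
    """Constructed stand-in for `listen 443;` without `ssl`: plain HTTP only."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: the OS picks a free port
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listener was closed
            with conn:
                try:
                    conn.recv(4096)  # a TLS ClientHello or an HTTP request
                    conn.sendall(b"HTTP/1.1 400 Bad Request\r\n\r\n")
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv


def probe_listener(host, port, timeout=3.0):
    """Classify a port as 'tls', 'plaintext-http', 'unknown' or 'unreachable'."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # protocol check only: a self-signed
    ctx.verify_mode = ssl.CERT_NONE  # certificate must not fail the probe
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    try:
        with ctx.wrap_socket(raw, server_hostname=host):
            return "tls"
    except OSError:  # ssl.SSLError is a subclass: the handshake failed
        raw.close()
    try:  # second connection: does the port answer a plain HTTP request?
        with socket.create_connection((host, port), timeout=timeout) as plain:
            plain.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            return "plaintext-http" if plain.recv(16).startswith(b"HTTP/") else "unknown"
    except OSError:
        return "unknown"


if __name__ == "__main__":
    listener = start_plain_http_listener()
    print(probe_listener("127.0.0.1", listener.getsockname()[1]))
```

Run against `app.local` port 443, a result of `plaintext-http` points to the missing `ssl` parameter on the `listen` directive, while `tls` means the handshake works and any remaining browser warning concerns the certificate itself.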