Nginx/Railo connector for SSL-enabled sites


I was asked if I could provide my Nginx configuration for SSL-enabled sites yesterday so I thought I would write up a quick post. This is very similar to creating a standard site container with the addition of another server block that will be listening on port 443. Also, any traffic that comes in on port 80 will automatically be redirected over to the secure site. Nginx will handle the secure portion of the connection so there are no settings to modify on Tomcat. It should “Just Work” ™.

I will be referencing the additional configuration files that are outlined in My Final Nginx/Railo Connector post. Below is the template I use for SSL-enabled sites:

The important differences here are the SSL directives: ssl, ssl_certificate and finally ssl_certificate_key. Now I need to generate the certificate and certificate key that I am going to use. For clarity, here is the excellent post explaining how to generate the SSL keys. Although it is written for older versions of Ubuntu, it should still work just fine.

Once the new keys have been generated and put in the proper place (/etc/ssl/certs and /etc/ssl/private) it is only a matter of restarting Nginx and enjoying the SSL goodness.
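As an added example, not the author's own template, here is a site container laid out the way the post describes: one server block on port 80 that redirects everything to the secure site, and one on port 443 where Nginx terminates TLS and proxies plain HTTP to Tomcat/Railo. The hostname, certificate filenames, log paths and the upstream address are assumptions; it follows the comments below in using listen 443 ssl rather than the deprecated ssl on, buffering only the access log, and sending the Strict-Transport-Security header.

```nginx
# Added example config, not the author's template. Hostnames, file names,
# log paths and the upstream address are assumptions.

# Port 80: anything that arrives unencrypted is redirected to the secure site.
server {
    listen 80;
    server_name www.example.com example.com;     # assumed hostname
    return 301 https://www.example.com$request_uri;
}

# Port 443: Nginx handles the TLS side, Tomcat/Railo needs no changes.
server {
    listen 443 ssl;                              # preferred over the deprecated "ssl on;"
    server_name www.example.com;

    ssl_certificate     /etc/ssl/certs/www.example.com.crt;     # assumed file name
    ssl_certificate_key /etc/ssl/private/www.example.com.key;   # assumed file name

    # Pins browsers to HTTPS for 30 days; drop includeSubdomains if any
    # subdomain is still served over plain HTTP (see the comments below).
    add_header Strict-Transport-Security "max-age=2592000; includeSubdomains";

    # Buffered writes for the access log; the error log stays unbuffered
    # so problems are on disk immediately.
    access_log /var/log/nginx/www.example.com.access.log combined buffer=32k;
    error_log  /var/log/nginx/www.example.com.error.log;

    location / {
        proxy_pass http://127.0.0.1:8080;        # assumed Tomcat/Railo address
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;   # lets the app know it was reached over TLS
    }
}
```

Run nginx -t before restarting: it loads the certificate and key, so a mismatched pair or a key file Nginx cannot read is reported there rather than on the first HTTPS request.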


About Robert Zehnder

Web application developer specializing in ColdFusion/Railo and Open Source development.

Posted on October 10, 2013, in General. 6 Comments.

  1. Should add listen 443 ssl; the ssl on; directive is being deprecated.

    Saw your post on Railo and I'm a big nginx geek.

    http://nginx.org/en/docs/http/ngx_http_ssl_module.html

    “It is recommended to use the ssl parameter of the listen directive instead of this directive.”

    Also, you could add buffered writes to access logs to help improve I/O performance when writing general access logs.

    buffer=32k

  2. Also, another thing regarding SSL.

    ## Strict Transport Security (ForceHTTPS)
    add_header Strict-Transport-Security "max-age=2592000; includeSubdomains";

    the above is what we use in production.

    https://www.owasp.org/index.php/HTTP_Strict_Transport_Security

  3. You can take out includeSubdomains if for any reason subdomains are not presented over SSL and should not be forced.

    Otherwise, if you go to https://www.mysslsite.com one time, modern browsers will recognize the STS header and subsequent subdomains presented will automatically be forced to HTTPS, which can cause a pain if subdomains are not over SSL. Chrome and Firefox would have to clear cache, etc. to see subdomains over non-SSL.

  4. Awesome comments David, I will update the post ASAP. Thank you!

    • Cool, but error logs shouldn't be buffered. You want those written down immediately. You can remove the buffer param in the error log directive.

  5. Corrected. Thank you, sir!
