Nginx/Railo connector for SSL-enabled sites

I was asked if I could provide my Nginx configuration for SSL-enabled sites yesterday so I thought I would write up a quick post. This is very similar to creating a standard site container with the addition of another server block that will be listening on port 443. Also, any traffic that comes in on port 80 will automatically be redirected over to the secure site. Nginx will handle the secure portion of the connection so there are no settings to modify on Tomcat. It should “Just Work” ™.

I will be referencing the additional configuration files that are outlined in My Final Nginx/Railo Connector post. Below is the template I use for SSL-enabled sites:

The important differences here are the ssl keys: ssl, ssl_certificate and finally ssl_certificate_key. Now I need to generate the certificate and certificate key that I am going to use. For clarity, here is the excellent post explaining how to generate the SSL keys. Although this is outlined on older versions of Ubuntu it should still work just fine.

Once the new keys have been generated and put in the proper place (/etc/ssl/certs and /etc/ssl/private) it is only a matter of restarting Nginx and enjoying the SSL goodness.
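To make the layout described above concrete, here is an added example of a two-server-block site file (it is not the author's template, which this copy of the post no longer shows). The hostname, certificate filenames and the Tomcat/Railo port are assumptions; the real proxy settings come from the include files of the earlier connector post. It uses the ssl parameter on the listen line rather than the older ssl on; directive, as recommended in the first comment below.

```nginx
# Added example, not the author's template. Hostname, certificate paths and the
# Tomcat port are assumptions; replace them with your own values.

# Plain HTTP: serve nothing here, just send everything to the secure site.
server {
    listen 80;
    server_name example.com www.example.com;    # assumed hostname
    return 301 https://$host$request_uri;
}

# HTTPS: Nginx terminates SSL; Tomcat/Railo keeps speaking plain HTTP locally.
server {
    # "ssl" on the listen line replaces the deprecated "ssl on;" directive.
    listen 443 ssl;
    server_name example.com www.example.com;    # assumed hostname

    ssl_certificate     /etc/ssl/certs/example.com.crt;     # assumed filename
    ssl_certificate_key /etc/ssl/private/example.com.key;   # assumed filename

    # Browsers remember this header and refuse plain HTTP afterwards. Only add
    # includeSubDomains if every subdomain really is served over SSL.
    add_header Strict-Transport-Security "max-age=31536000";

    # Buffering the access log cuts write I/O; the error log stays unbuffered
    # so problems are on disk immediately.
    access_log /var/log/nginx/example.com.access.log combined buffer=32k;
    error_log  /var/log/nginx/example.com.error.log;

    location / {
        # Railo on Tomcat's default 8888 port (assumed).
        proxy_pass http://127.0.0.1:8888;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Run "nginx -t" before restarting so a typo in the certificate path is caught with the old configuration still serving, and keep the key under /etc/ssl/private readable by root only; Nginx reads it as root when it starts, so the worker user needs no access to it.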


6 thoughts on “Nginx/Railo connector for SSL-enabled sites”

  1. Should add listen 443 ssl;
    The ssl on; directive is being deprecated.

    Saw your post on Railo and I’m a big Nginx geek.

    “It is recommended to use the ssl parameter of the listen directive instead of this directive.”

    Also, you could add buffering of writes to access logs to help improve I/O performance when writing general access logs.


  2. You can take out includeSubDomains if for any reason subdomains are not presented over SSL and should not be forced.

    Otherwise, if you go to one time, modern browsers will recognize the STS header and subsequent subdomains presented will automatically be forced to HTTPS, which can cause a pain if subdomains are not over SSL. Chrome, Firefox would have to clear cache, etc. to see subdomains over non-SSL.

    1. Cool, but error logs shouldn’t be buffered. You want those written down immediately. You can remove the buffer param in the error log directive.
