NGINX and https

Question

I'm trying to run my blog using ghost under nginx with ssl.

I've successfully made it work with http using the following steps:

created a custom application called "nginx" on port 14298
created a website called "nginx" with security set to http

nginx.conf contains:

server {
    listen 14298;
    server_name nginx.myusername.webfactional.com;

    location / {
        root    html;
        index  index.html index.htm;
    }

    error_page  404              /404.html;
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
    root   html;
    }
}

Everything works, nginx.myusername.webfactional.com displays the nginx html, and my blog included in vhosts also works. But while trying to enable ssl by doing this:

Updated my "website" called "nginx" with security set to https

Generated my keys:

openssl req -x509 -nodes -newkey rsa:2048 -keyout nginx.key -out nginx.crt

Changed my nginx.conf:

server {
    listen 14298 ssl;
    server_name nginx.myusername.webfactional.com;

   ssl on;
   ssl_certificate /home/myusername/usr/local/etc/nginx/nginx.crt; # Verified path
   ssl_certificate_key /home/myusername/usr/local/etc/nginx/nginx.key; # Verified path

    location / {
        root    html;
        index  index.html index.htm;
    }

    error_page  404              /404.html;
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
    root   html;
    }
}

I'm getting a 502 - Bad Gateway while trying to access:

https://nginx.myusername.webfactional.com

And every time I try to access the url above my nginx logs the following error:

no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: 127.0.0.1, server: 0.0.0.0:14298

I've been trying to solve this for hours to no avail. help please.

Accepted Answer

1

You won't be able to configure HTTPS on a private Nginx instance, nor should you ever need to do so unless accessing it directly on an open port in the firewall (which you are not doing and in general you would not do). The reason is that you're proxying the request through the server's front-end Nginx server; see this image (http://docs.webfaction.com/user-guide/_images/inside-the-server.png).

The front-end Nginx server strips HTTPS and forwards HTTP to your application. The client (browser) negotiates the SSL handshake with the front-end Nginx server in that case, and we can install SSL certificates for you without you needing to manage them via a private Nginx. More information is available here (http://docs.webfaction.com/user-guide/websites.html#secure-sites-https).

permanent link

answered 10 Dec '15, 03:07

ryans ♦♦
5.0k●9●31●59
accept rate: 43%

Hi Ryans, I'm not well versed in networking software, but trying to understand what you said, the following statements are true?.

Having a private nginx instance is redundant (in my case) because all requests are being processed by webfaction nginx instance.
I won't be able to enable HTTP/2 or SPDY in my blog.

(10 Dec '15, 03:24) jmiranda

(1) Yes, that's true in general, except when you need it for the actual application deployment. An example of that would be an Nginx+Passenger+Rails application.

(2) Correct as of right now. Since requests go through the front-end Nginx server (which supports HTTP/1.1), this doesn't work yet. However we are currently considering the demand and implementation for this now that HTTP/2 is standardized.

(10 Dec '15, 06:27) ryans ♦♦

Gotcha, thank you Ryans! :)

(10 Dec '15, 15:31) jmiranda

NGINX and https

Follow this question

Related questions