Setting up an SSL connection works differently for different kinds of server. To make the configuration process easier, we can use nginx as an HTTPS proxy server. In this design, the client connects to nginx over HTTPS, so the data is encrypted in transit. nginx then decrypts the data and forwards it to the real web server (running locally on the same machine as nginx). This post demonstrates the steps for configuring nginx as an HTTPS proxy server.
First, you need to install nginx with SSL support. On Mac OS, MacPorts does not install SSL support for nginx by default, so you need to use this command
Next, you need to locate the configuration file for nginx. Usually, it is
located under /etc/nginx (or /opt/local/etc/nginx for the MacPorts version).
There are already some sample configuration files with the
there for you. You can use those sample config files by removing the
Usually, you don’t put all the settings in the nginx.conf file. Instead, you can
create another directory for storing your own settings and include them in the main
config file. For example, if you put all your config files inside
folder, add this inside the
http section of the nginx.conf file.
Configure an HTTP proxy server using nginx
Now you have nginx installed on your computer. First, we’ll configure nginx
as an HTTP proxy server. Following the previous example, create a new file in the
site-enabled directory (myconf, for example). Add a server section like
The settings above tell nginx to listen on port 8080 and to answer for the host name
mydomain.com. The port is for clients connecting by IP address, and
server_name is for clients connecting through a DNS domain name or a hosts file entry.
nginx forwards every request it receives to http://localhost:3000, which is
another server running on the same machine as nginx. To test the connection,
you need to start both nginx and the web server on port 3000. You may need sudo
to start nginx. Next, open the browser, go to http://127.0.0.1:8080 and check
whether the request reaches the web server.
Also, you can edit the hosts file (usually in
mydomain.com and connect through that domain
Before you can proceed to the next step (setting up https for nginx), you need to create an SSL certificate for your server.
The last command will prompt for a passphrase. Make sure that you remember this passphrase for later use. Next, create a signing request using this command
This will ask you several questions. You can leave the first few entries blank. The most important line is “Common Name”. Enter your official domain name here or, if you don’t have one yet, your site’s IP address. Leave the challenge password and optional company name blank.
Finally, you need to self-sign your certificate (in a real deployment, you would have a Certificate Authority sign it instead). The command below specifies that this certificate will expire after 365 days.
Setting up https for nginx
Continuing with the myconf file from the previous example, add one more
section for the HTTPS server. Change /path/to/server.crt and
/path/to/server.key to the correct paths of the server.crt and server.key files
you created in the last step.
You need to restart nginx for the changes to take effect.
Now open the browser and access https://127.0.0.1. Because the certificate is
self-signed, your browser should display a certificate warning and ask you to
add an SSL exception.
If you want to force clients to use HTTPS when they access a certain location, you
can use rewrite to move the request from the HTTP server to the HTTPS server. Go back
to the server section you added in the first step (for the HTTP server) and, inside
that section, add one more location config for the path that you want to force.
The above config tells nginx that whenever a user accesses /login using HTTP,
the request will be redirected to that same location but using HTTPS. Now restart
nginx, open the browser, try to access http://127.0.0.1:8080/login and see the
Here is the link to the sample config file used for the above example. You can view it directly in the browser at this link.
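The three pieces configured in this post (the HTTP proxy on port 8080, the HTTPS server, and the forced HTTPS redirect for /login) fit together in one included file as shown below. This is an added example, not the author's sample config file; the forwarded headers, the ssl_protocols line and the use of $host in the rewrite are assumptions that the post does not state.

```nginx
# Included from the http section of nginx.conf (example file, e.g. myconf).

# Plain HTTP proxy: reachable as http://127.0.0.1:8080 or http://mydomain.com:8080
server {
    listen      8080;
    server_name mydomain.com;

    # Force HTTPS for the login path. $host carries no port, so the client
    # lands on the default HTTPS port (443) served by the block below.
    # The trailing "?" stops nginx from appending the query string twice.
    location /login {
        rewrite ^ https://$host$request_uri? permanent;
    }

    # Everything else is forwarded to the local web server.
    location / {
        proxy_pass http://localhost:3000;
    }
}

# HTTPS proxy: nginx terminates TLS and forwards plain HTTP to the backend.
server {
    listen      443 ssl;
    server_name mydomain.com;

    # Paths to the certificate and key created earlier (placeholders).
    # If the key is protected by a passphrase, nginx asks for it on start.
    ssl_certificate     /path/to/server.crt;
    ssl_certificate_key /path/to/server.key;

    # Assumption: restrict to current protocol versions.
    # TLSv1.3 needs nginx 1.13+ built against OpenSSL 1.1.1.
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://localhost:3000;

        # Assumption: tell the backend what the client originally requested,
        # since it only ever sees plain HTTP from 127.0.0.1.
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    }
}
```

Running `nginx -t` before restarting checks the file for syntax errors and confirms that the certificate and key can be loaded.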
For Emacs users, Emacs has a built-in mode for config files called
conf-mode. Simply put this
line at the beginning of the nginx settings file so that Emacs automatically activates
conf-mode when you visit that file