Nginx ssl

From wikinotes

Documentation

ssl module https://nginx.org/en/docs/http/ngx_http_ssl_module.html
ssl intro http://nginx.org/en/docs/http/configuring_https_servers.html

Example

server {
  listen 443 ssl;
  ssl_certificate /etc/ssl/${DOMAIN_NAME}.pem;      # or .crt; ${DOMAIN_NAME} is a placeholder, not nginx syntax
  ssl_certificate_key /etc/ssl/${DOMAIN_NAME}.key;  # private key (keep it readable by root/nginx only)

  # ssl_trusted_certificate /etc/ssl/${CA}.pem;     # not required; used for OCSP stapling and client cert verification
  # ...
}

Common Tasks

Redirect HTTP to HTTPS on same port

server {
  listen 443 ssl http2;
  # a plain-HTTP request on this TLS port makes nginx return error 497; turn it into a redirect to https (307 keeps method and body)
  error_page 497 =307 https://$host:$server_port$request_uri;  # <-- (this)
  # ...
}

Terminate HTTPS and proxy to a plain HTTP backend (HTTPS to HTTP)

http {
  server {
    listen 443 ssl http2;
    # ssl_certificate / ssl_certificate_key as in the example above

    # send the Referer header only on same-origin requests (see the referrer policy links below)
    add_header Referrer-Policy same-origin;

    # proxy_pass is only valid inside a location block, not directly in server {}
    location / {
      proxy_pass http://localhost:8080;

      # tell the backend which scheme/host/client the request really came from
      proxy_set_header X-Forwarded-Proto https;
      proxy_set_header Host example.com:443;
      proxy_set_header X-Real-Ip $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
  }
}
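Both tasks above combined into one server block, as an added example that is not from the original wiki page: the 497 redirect, TLS termination, and the proxy headers the backend needs. example.com, the certificate paths and the backend port 8080 are assumptions.

```nginx
# Added example (not part of the original page). Placeholders: example.com,
# /etc/ssl/example.com.{pem,key}, backend on 127.0.0.1:8080.
server {
    listen 443 ssl http2;
    server_name example.com;

    ssl_certificate     /etc/ssl/example.com.pem;
    ssl_certificate_key /etc/ssl/example.com.key;

    # Only current protocol versions; session cache avoids a full
    # handshake on every connection.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;

    # Plain HTTP sent to this TLS port yields nginx error 497; send the
    # client to the same URL over https (307 preserves method and body).
    error_page 497 =307 https://$host:$server_port$request_uri;

    # Response headers for every location below ("always" keeps them on
    # error responses too). Enable HSTS only once everything works over TLS.
    add_header Strict-Transport-Security "max-age=31536000" always;
    add_header Referrer-Policy same-origin always;

    # proxy_pass belongs in a location block, not directly under server {}.
    location / {
        proxy_pass http://127.0.0.1:8080;

        # Let the backend build https:// links and log the real client
        # address instead of 127.0.0.1.
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    }
}
```

Check the file with `nginx -t` before reloading; a directive in the wrong context (such as proxy_pass under server) is reported there rather than at request time.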

If the web app builds absolute URLs from its configured host, you may also need to tell it which protocol to use.

# mediawiki (LocalSettings.php)
$wgServer = "//example.com:8080";  # use whichever proto was used, or indicated by headers

# baikal
# no configuration required; the Referrer-Policy header above is enough

Referrer policy

w3c referrer policy docs https://w3c.github.io/webappsec-referrer-policy/
referrer policy intro https://www.perpetual-beta.org/weblog/the-curious-case-of-tls-and-the-missing-referrers.html