Setup Nginx as Apache SSL frontend

Details
Written by: andre
Category: Uncategorised
Hits: 30746
In this tutorial I want to demonstrate how to use nginx webserver as a proxy for apache2.

The article is complete, and the example is based on a bare ubuntu installation.
In the first section I will setup a basic apache and configure nginx to act as a proxy for apache.

  1. Setup Apache

    root@testkraxn /home/tester # apt-get install apache2
    When you browse to http://localhost, you should see apaches default page.

  2. Configure Apache

    We need to change the ports of apache, because nginx will act as a proxy for it, and therefore needs to listen to port 80 later. Change /etc/apache2/ports.conf 
    NameVirtualHost 127.0.0.1:8080
Listen 127.0.0.1:8080
    Create a copy of the default site, and replace it with the copy: 
    root@testkraxn ~ # cd /etc/apache2/sites-available
root@testkraxn /etc/apache2/sites-available # cp default tutorial-example

root@testkraxn /etc/apache2/sites-available # a2dissite 000-default
root@testkraxn /etc/apache2/sites-available # a2ensite tutorial-example
    Also set port 8080 to the tutorial-example page: 
    root@testkraxn /etc/apache2/sites-available # vim tutorial-example
<VirtualHost 127.0.0.1:8080>
...

root@testkraxn /etc/apache2/sites-available # service apache2 restart
    When you browse to http://localhost:8080, you should see apaches default page.

  3. Setup nginx

    root@testkraxn ~ # apt-get install nginx
    Replace the nginx config file with a copy and edit this copy: 
    root@testkraxn ~ # cp /etc/nginx/sites-available/default /etc/nginx/sites-available/tutorial-example
root@testkraxn ~ # rm /etc/nginx/sites-enabled/default
root@testkraxn ~ # ln -s /etc/nginx/sites-available/tutorial-example /etc/nginx/sites-enabled/tutorial-example

root@testkraxn ~ # vim /etc/nginx/sites-available/tutorial-example

root@testkraxn ~ # grep -vE '^\s*(#.*|)$' /etc/nginx/sites-available/tutorial-example
server {
        listen 80;
        server_name localhost;
        location / {
               proxy_set_header X-Real-IP  $remote_addr;
               proxy_set_header X-Forwarded-For $remote_addr;
               proxy_set_header Host $host;
               proxy_pass http://127.0.0.1:8080;
        }
        location ~ /\.ht {
                deny all;
        }
}



root@testkraxn ~ # ln -s /etc/nginx/sites-available/tutorial-example /etc/nginx/sites-enabled/
root@testkraxn ~ # service nginx restart
    When you browse to http://localhost, you should see apaches default page.

  4. Prepare SSL setup

    Create a selfsigned ssl certificate: 
    root@testkraxn ~ # mkdir my-ssl-cert
root@testkraxn ~ # cd my-ssl-cert
root@testkraxn ~/my-ssl-cert # openssl req -new > selfsigned-cert.csr
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
(you may leave everything to defaults)

root@testkraxn ~/my-ssl-cert # openssl rsa -in privkey.pem -out selfsigned.key
Enter pass phrase for privkey.pem:
writing RSA key

root@testkraxn ~/my-ssl-cert # openssl x509 -in selfsigned.csr -out selfsigned.cert -req -signkey selfsigned.key -days 999
Signature ok
subject=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
Getting Private key

root@testkraxn ~/my-ssl-cert # ls -l
total 16
-rw-r--r-- 1 root root 1041 Jan 31 00:21 privkey.pem
-rw-r--r-- 1 root root  757 Jan 31 00:22 selfsigned.cert (SSLCertificateFile)
-rw-r--r-- 1 root root  603 Jan 31 00:21 selfsigned.csr
-rw-r--r-- 1 root root  887 Jan 31 00:21 selfsigned.key  (SSLCertificateKeyFile)
    Copy the certificate to the proper location: 
    root@testkraxn ~/my-ssl-cert # cp selfsigned.cert /etc/ssl/certs/
root@testkraxn ~/my-ssl-cert # cp selfsigned.key /etc/ssl/private/

  5. Enable SSL in nginx configuration

    Add the lines listed in green to your example site: 
    root@testkraxn /home/tester # grep -vE '^\s*(#.*|)$' /etc/nginx/sites-available/tutorial-example
server {
        listen 80;
        server_name localhost;
        location / {
               proxy_set_header X-Real-IP  $remote_addr;
               proxy_set_header X-Forwarded-For $remote_addr;
               proxy_set_header Host $host;
               proxy_pass http://127.0.0.1:8080;
        }
        location ~ /\.ht {
                deny all;
        }
}
server {
        listen 443;
        server_name localhost;
        ssl on;
        ssl_certificate     /etc/ssl/certs/selfsigned.cert;
        ssl_certificate_key /etc/ssl/private/selfsigned.key;
        ssl_session_timeout 15m;
        ssl_protocols SSLv3 TLSv1;
        ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
        ssl_prefer_server_ciphers on;
        location / {
               proxy_set_header X-Real-IP  $remote_addr;
               proxy_set_header X-Forwarded-For $remote_addr;
               proxy_set_header Host $host;
               proxy_pass http://127.0.0.1:8080;
        }
        location ~ /\.ht {
                deny all;
        }
}

  6. Final step

    Now restart nginx and browse to https://localhost.
    Congratulations, we have set up nginx as a proxy for apache!