Similar to some of our previous recipes, we use NGINX to combine the SSL encryption side and the proxy components:
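```nginx
server {
    listen 443 ssl;
    server_name ssl.nginxcookbook.com;

    # Certificate and private key used to terminate TLS at NGINX
    ssl_certificate /etc/ssl/public.pem;
    ssl_certificate_key /etc/ssl/private.key;

    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); they are listed here
    # as in the original recipe
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;

    access_log /var/log/nginx/ssl-access.log combined;

    location / {
        # Traffic to the backend is plain HTTP; only the client side is encrypted
        proxy_pass http://localhost:8000;

        # Pass the client address and the requested host name to the backend
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $host;
    }
}
```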
The following are some useful tips you should keep in mind:
- Most SSL certificates are only valid for a single domain, unless they're a wildcard or Subject Alternative Name (SAN) certificate. If you intend to use NGINX as an SSL terminator for multiple hosts, you'll need a server block or a SAN certificate mapped for each host.
- Be careful with internal redirects within your application, especially if you tell it to enforce HTTPS. When using NGINX for SSL termination, this needs to be done at the NGINX level to avoid redirect loops.
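
One way to enforce HTTPS at the NGINX level, as an added example rather than configuration from the original recipe. It reuses the recipe's server name, certificate paths and backend address, and assumes the application's own HTTPS redirect is switched off and that it reads the `X-Forwarded-Proto` header when building URLs.

```nginx
# Plain-HTTP listener: its only job is to send clients to HTTPS.
# The host name is written literally so the redirect target never
# depends on a client-supplied Host header.
server {
    listen 80;
    server_name ssl.nginxcookbook.com;
    return 301 https://ssl.nginxcookbook.com$request_uri;
}

# TLS terminator: the only place where the HTTP-to-HTTPS decision is made.
server {
    listen 443 ssl;
    server_name ssl.nginxcookbook.com;

    ssl_certificate     /etc/ssl/public.pem;
    ssl_certificate_key /etc/ssl/private.key;

    location / {
        # The backend always sees plain HTTP. If it also redirected
        # "http" requests to HTTPS, every proxied request would be
        # redirected again, which is the loop described above.
        proxy_pass http://localhost:8000;

        proxy_set_header Host            $host;
        proxy_set_header X-Real-IP       $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;

        # Tell the backend which scheme the client actually used
        # (assumption: the application honours this header).
        proxy_set_header X-Forwarded-Proto $scheme;

        # If the backend still emits absolute http:// Location headers
        # for this host, rewrite them to https:// before they reach
        # the client.
        proxy_redirect http://$host/ https://$host/;
    }
}
```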