Configure your redirect and bind manager’s port to use ssl by creating a redirect:
sudo nano /etc/nginx/conf.d/ssl.conf
Then paste the following content into the file before quitting and saving:
# redirect to 443
server {
    listen 12000 default_server; # replace this by your manager port number
    server_name _;
    rewrite ^ https://$host$request_uri? permanent;
}
# HTTPS server
server {
    access_log /etc/nginx/logs/ssl_access.log;
    error_log /etc/nginx/logs/ssl_error.log;
    listen 443 ssl;
    server_name _;
    root html;
    index index.html index.htm;
    # "ssl on;" dropped: "listen 443 ssl" already enables TLS for this server
    ssl_certificate /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;
    ssl_session_timeout 5m;
    # SSLv3 and TLSv1 are obsolete protocol versions and are no longer offered
    ssl_protocols TLSv1.2;
    # export-grade, LOW and RC4 suites removed from the cipher list
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        try_files $uri $uri/ /index.html;
    }
}
Create the folder to hold your ssl log files:
sudo mkdir /etc/nginx/logs
Restart nginx:
sudo service nginx restart
Now this is where things go wrong: for some reason the service won’t restart. Looking at the error logs in nginx:
cat /var/log/nginx/error.log
I get the following:
bind() to 0.0.0.0:12000 failed (98: Address already in use)
Meaning that port 12000 is already in use by manager. Yes, of course, but how do you bind this port to redirect to ssl then? This is the last step to finish off the process.
I would appreciate any guru’s insight into this.
Many thanks!
As per your config, you are trying to make nginx listen on ports 443 and 12000. It can’t listen on port 12000 if you already have Manager Server listening on that port.
You only want your nginx to listen on port 443 so remove the first server {} section.
Now, within the second server {} section which makes nginx listen on port 443, you need to set location / {} section so it’s redirecting requests to Manager Server on port 12000.
Thanks Lubos. Your suggestion makes sense, and when I change the location the nginx error disappears; however, when I go to the browser it does not redirect http to https.
Any ideas on this? I am a bit lost here.
Configure your redirect and bind manager’s port to use ssl by creating a proxy_pass redirect:
sudo nano /etc/nginx/sites-available/manager
Then paste the following content into the file before quitting and saving:
# access manager app on LAN and WAN over ssl on port 555
server {
    listen 555 ssl;
    server_name yourserver.com;
    # "ssl on;" dropped: "listen 555 ssl" already enables TLS for this server
    ssl_certificate /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;
    ssl_session_timeout 5m;
    # SSLv3, TLSv1 and TLSv1.1 are obsolete protocol versions and are no longer offered
    ssl_protocols TLSv1.2;
    # the original string held two alternative cipher lists joined by "or"; the stricter one is kept
    ssl_ciphers HIGH:!aNULL:!MD5:!3DES;
    ssl_prefer_server_ciphers on;
    # replace 12000 with your manager installation port here
    location / {
        proxy_pass http://127.0.0.1:12000;
    }
    # This takes care of redirecting the bad request made over http back to https on port 555
    error_page 400 497 https://$host:555$request_uri;
}
Restart nginx:
sudo service nginx restart
If things go wrong for some reason and the service won't restart, look at the error logs for nginx:
cat /var/log/nginx/error.log
Visit your manager installation via your browser and enjoy the secure connection!
No worries thanks for your help on this. Still testing the server version and so far it is working!
Please note that you must use your localhost IP address in the nginx configuration file and not just “localhost”, otherwise you will get all sorts of errors in your error log file even though manager will work!
I have rectified it in the above post!
Hope it will help other people to get it working.
Thank you for sharing, this is tremendous… I generated the /etc/nginx/sites-available/manager file as you described but found that I needed to edit the ssl.conf file when checking the error log, cat /var/log/nginx/error.log.
I made a small tweak on our server’s nginx ssl.conf file which is similar to what you have already presented.
sudo nano /etc/nginx/conf.d/ssl.conf
Now instead of using port 555 as you have given in the example I popped in the SSL port number of 443. This change allows the user to simply enter https://myserver.domain.com and you are presented with the manager login as a secure login page in whatever web browser you have chosen to use. Great!
My question is, has that change compromised anything on the system, because it was really simple to set up using the information you provided?
My next step will be to purchase a Certificate to make the IE and Chrome Browsers happy and complain about a Certificate Error. However with Firefox once the Certificate message is okayed and accepted all is seamless and functional.
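An added example, not part of any post in this thread: with the proxy moved to 443, a plain http:// URL arrives on port 80, where the `error_page 497` handler never fires, so the http-to-https redirect needs its own server block. The host name `manager.example.com` is a placeholder, and Manager is assumed to listen on 127.0.0.1:12000 with the certificate paths used above.

```nginx
# Added example (not from the thread). Assumptions: Manager listens on
# 127.0.0.1:12000, the certificate paths are the ones used in the thread,
# and manager.example.com is a placeholder host name.

# Port 80: plain HTTP never reaches the TLS listener, so redirect it here.
# $server_name is used instead of $host so the redirect target cannot be
# steered by a client-supplied Host header.
server {
    listen 80;
    server_name manager.example.com;
    return 301 https://$server_name$request_uri;
}

# Port 443: terminate TLS and proxy to Manager on the loopback interface.
server {
    listen 443 ssl;
    server_name manager.example.com;

    ssl_certificate     /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_ciphers         HIGH:!aNULL:!MD5:!3DES;
    ssl_prefer_server_ciphers on;
    ssl_session_timeout 5m;

    # Tell browsers to stay on HTTPS for this host once they have seen it.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_pass http://127.0.0.1:12000;
        # Pass the original host, client address and scheme to the backend.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Port 12000 itself still answers in plain HTTP to anyone who can reach it, so it should be blocked from outside by a firewall or bound to loopback only. `sudo nginx -t` validates the file before the restart.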