
Friday, June 7, 2013

Windows - set up SSL/HTTPS reverse proxy using NGINX; Wrap HTTP traffic in SSL tunnel layer

Our main goal is to secure traffic that would normally travel over an unsecured HTTP channel by wrapping it in an SSL tunnel. To do that you need to buy an SSL certificate; you need both the private key and the public key for that certificate.


This means that we want to call the address https://yourdomain.com and have that browser call transferred to our unsecured HTTP server, wrapped in an SSL tunnel.

First download NGINX Windows-1.4.1 from: http://nginx.org/en/download.html
(Remember to choose the stable version, as Windows-1.5.1 crashes often on Windows XP SP3.)

After successfully installing nginx, you can start the balancer with:

start nginx

and shut it down with:

nginx -s stop

from the main directory of nginx (that's where nginx.exe resides).

The most important parts of the config file (nginx.conf) are:

listen          0.0.0.0:443;
ssl_certificate      ssl/companypub.pem;
ssl_certificate_key  ssl/companypriv.key;
proxy_pass  http://127.0.0.1:80;

Both files (the certificate and its private key) are in PEM format. This configuration listens on all interfaces on port 443 and tunnels the traffic to the local HTTP server on port 80 (the port can be left out of proxy_pass in this case, as 80 is the default port nginx would forward to).
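
A minimal complete nginx.conf built around the four directives above, as an added example and not the author's downloadable file. The certificate paths and backend address come from the post; server_name, ssl_protocols, the `ssl` listen parameter and the proxy_set_header lines are additions.

```nginx
# Added example: minimal nginx.conf for the TLS-terminating proxy described above.
# Not the author's file; additions beyond the post's four directives are marked.

worker_processes  1;

events {
    worker_connections  1024;
}

http {
    server {
        # Without "ssl" here (or "ssl on;" in this block) nginx answers
        # plain HTTP on port 443 and the certificate is never used.
        listen               0.0.0.0:443 ssl;
        server_name          yourdomain.com;        # addition: host name from the post's URL

        # Relative paths are resolved against the directory holding nginx.conf.
        ssl_certificate      ssl/companypub.pem;    # certificate (public part), PEM
        ssl_certificate_key  ssl/companypriv.key;   # private key, PEM; keep file ACLs tight

        # Addition: accept TLS 1.2 only; older protocol versions are refused.
        ssl_protocols        TLSv1.2;

        location / {
            # TLS ends here; the hop to the backend is plain HTTP over loopback.
            # The backend should listen on 127.0.0.1 only, otherwise clients
            # can still reach it directly without TLS.
            proxy_pass        http://127.0.0.1:80;

            # Additions: tell the backend what the client actually requested.
            proxy_set_header  Host               $host;
            proxy_set_header  X-Real-IP          $remote_addr;
            proxy_set_header  X-Forwarded-For    $proxy_add_x_forwarded_for;
            proxy_set_header  X-Forwarded-Proto  https;
        }
    }
}
```

Running `nginx -t` from the nginx directory checks the file for syntax errors and unreadable certificate or key files before you start the server.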

You can download the configuration file along with sample certificate files here.

4 comments:

  1. Tried this but I get this message in error.log and nginx quits. [alert] 16916#7728: the event "ngx_master_16916" was not signaled for 5s

    1. Sorry, didn't see the "Reply" link...

      Just in case you miss my separate comment, try removing any password associated with ssl_certificate_key.

  2. @Harley Do you have a password protecting your ssl_certificate_key? If so, remove the password and try again.

    1. No. I didn't have the password. That's not the solution unfortunately.

