So I recently became beyond fed up with Apache2: it is slow and clunky and has been doing a shitty job recently of hosting my 7-8 virtualhosts (4 of which are SSL-enabled), so I thought I'd move them over to Nginx. Simple, right? You'd think so, but…
Some of the directives in Apache don't map very nicely to Nginx, but there is a lot to love about Nginx (namely, it's a LOT faster!). This guide shows you how to migrate the trickier parts of your Apache configs to Nginx.
Pre-reading
In order to start Nginx you need to stop Apache2, as in:
service apache2 stop
Nginx won't start if Apache2 is still listening on *:80.
Migrating ProxyPass
In my setup, I run Opsview and Splunk Light behind a ProxyPass virtualhost (one runs on a VM, one runs as a web app on port 8000). The config in Apache2 looks like:
ProxyPass / http://192.168.0.6:8000/ disablereuse=On
ProxyPassReverse / http://192.168.0.6:8000/
The config for Nginx is simpler still:
location / {
    proxy_pass http://192.168.0.6:8000;
}
Simply copy the code above to your website in /etc/nginx/conf.d/website.conf (for example) and modify accordingly. Very simple.
Migrating SSL
This one was a lot trickier and a total faff. In my Apache2 vhosts, I had the following entries:
SSLCertificateFile /etc/apache2/ssl/loguk/2_loguk.crt
SSLCertificateKeyFile /etc/apache2/ssl/loguk/loguk.key
SSLCertificateChainFile /etc/apache2/ssl/sub.class1.server.ca.pem
Nginx, on the other hand, only has the ‘ssl_certificate’ and ‘ssl_certificate_key’ directives. Two directives, three files... you see the problem, right?
What you have to do is simply combine the .crt and the chain .pem file into a single ‘name.pem’ file, with your own certificate first and the chain after it (Nginx sends them to clients in that order). For those using StartSSL, you will get two files on download:
- 2_name.uk.crt
- 1_root_bundle.crt
Cat those files (your certificate first, then the chain) into ‘log.pem’ as below:
cat 2_name.uk.crt 1_root_bundle.crt > log.pem
And then update Nginx:
ssl_certificate /etc/ssl/nginx/log.uk/log.pem;
ssl_certificate_key /etc/ssl/nginx/log.uk/log.key;
Basically your key stays the same; you simply combine your certificates into a .pem and reference that.
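As an added example (my own code, not from the original post), here is a small Python helper that does the two translations above, ProxyPass to proxy_pass and the three SSL directives to the two Nginx ones, and builds the bundle in the order Nginx expects; the PEM blocks at the bottom are constructed placeholders, not real certificates, and the bundle path is assumed.

```python
"""Translate the Apache directives covered above into Nginx form and build
the combined certificate bundle (server cert first, then the chain)."""
import re

# Matches one PEM certificate block, including its BEGIN/END markers.
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def apache_to_nginx(apache_conf: str, bundle_path: str) -> list[str]:
    """Map ProxyPass / SSLCertificate* lines to Nginx; anything else is skipped.
    Only the `ProxyPass /` case from the post is handled: for other prefixes
    Apache and Nginx rewrite the URI differently, so do those by hand."""
    out = []
    for line in apache_conf.splitlines():
        parts = line.split()
        if not parts:
            continue
        name, args = parts[0], parts[1:]
        if name == "ProxyPass" and len(args) >= 2:
            upstream = args[1].rstrip("/")  # no URI part: request URI passed as-is
            out.append(f"location {args[0]} {{ proxy_pass {upstream}; }}")
        elif name == "SSLCertificateFile":
            out.append(f"ssl_certificate {bundle_path};")  # cert + chain in one file
        elif name == "SSLCertificateKeyFile":
            out.append(f"ssl_certificate_key {args[0]};")
        # ProxyPassReverse and SSLCertificateChainFile have no direct
        # counterpart: the chain is folded into the bundle referenced above.
    return out


def build_bundle(server_crt: str, chain_crt: str) -> str:
    """Concatenate PEM text the way the `cat` step does: leaf first, then chain."""
    blocks = PEM_BLOCK.findall(server_crt) + PEM_BLOCK.findall(chain_crt)
    if not blocks:
        raise ValueError("no PEM certificate blocks found")
    return "\n".join(blocks) + "\n"


def bundle_order_ok(bundle: str, server_crt: str) -> bool:
    """Check that the first block of the bundle is the server certificate."""
    blocks = PEM_BLOCK.findall(bundle)
    leaf = PEM_BLOCK.findall(server_crt)
    return bool(blocks) and bool(leaf) and blocks[0] == leaf[0]


# Constructed placeholders standing in for 2_name.uk.crt and 1_root_bundle.crt.
LEAF_PEM = "-----BEGIN CERTIFICATE-----\nCONSTRUCTED-LEAF\n-----END CERTIFICATE-----\n"
CHAIN_PEM = "-----BEGIN CERTIFICATE-----\nCONSTRUCTED-INTERMEDIATE\n-----END CERTIFICATE-----\n"
```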
Hope this helps – and don't forget to use Qualys SSL Labs to test your SSL strength. For reference, my ‘hardened’ nginx config for Splunk/Opsview/ownCloud is below.
Note: There are some items you will need to do yourself, such as generating a stronger Diffie-Hellman parameter file, etc. Google is your friend.
# HTTPS server for Splunk Light
#
server {
    listen 443 ssl;
    server_name log.uk;

    ssl_certificate /etc/ssl/nginx/log.uk/log.pem;
    ssl_certificate_key /etc/ssl/nginx/log.uk/log.key;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RS$
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    # Add headers to serve security related headers
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;
}