So I recently became beyond-the-point of fed up with Apache2: it is slow and clunky and has been doing a shitty job recently of hosting my 7-8 virtualhosts (4 of which are SSL-enabled), so I thought I’d move them over to Nginx. Simple, right? You’d think so, but…

Some of the directives in Apache don’t map very nicely to Nginx, but there is a lot to love about Nginx (namely, it’s a LOT faster!). This guide shows you how to migrate the trickier parts of your Apache configs to Nginx.

Pre-reading

In order to start Nginx you need to stop Apache2, as in:

service apache2 stop

Nginx won’t start if Apache2 is still bound to *:80.

Migrating ProxyPass

In my setup, I run Opsview and Splunk Light behind a ProxyPass virtualhost (one runs on a VM, the other runs as a web app on port 8000). The config in Apache2 looks like:

  ProxyPass / http://192.168.0.6:8000/ disablereuse=On
  ProxyPassReverse / http://192.168.0.6:8000/

The config for Nginx is simpler still:

location / {
    # pass every request through to the backend unchanged
    proxy_pass http://192.168.0.6:8000;
}

Simply copy the block above into your site’s server block in /etc/nginx/conf.d/website.conf (for example) and modify accordingly. Very simple.

Migrating SSL

This one was a lot trickier and a total faff. In my Apache2 vhosts, I had the following entries:

SSLCertificateFile /etc/apache2/ssl/loguk/2_loguk.crt
SSLCertificateKeyFile /etc/apache2/ssl/loguk/loguk.key
SSLCertificateChainFile /etc/apache2/ssl/sub.class1.server.ca.pem

Whereas Nginx only supports the ‘ssl_certificate’ and ‘ssl_certificate_key’ directives. Two directives, three files… you see the problem, right?

What you have to do is simply combine the .crt and the chain .pem file into a single ‘name.pem’ file. For those using StartSSL, you will get 2 files on download:

  • 2_name.uk.crt
  • 1_root_bundle.crt

Cat those files into a single bundle (‘log.pem’ in the example below), your own certificate first and the chain after it, as follows:

cat 2_name.uk.crt 1_root_bundle.crt > log.pem

And then update Nginx:

    ssl_certificate      /etc/ssl/nginx/log.uk/log.pem;
    ssl_certificate_key  /etc/ssl/nginx/log.uk/log.key;

Basically your key stays the same; you simply combine your .crt files into a .pem and reference that.
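As an added example (not from the original post or its config), here is a small POSIX shell script that builds the bundle the way the cat command above does and then checks it with openssl before nginx is pointed at it: the first certificate in the file must chain to the root through the certificates behind it, and the private key must match that first certificate. It constructs a throwaway root/intermediate/leaf PKI so it runs offline; the file names, the test CNs and the demo function are assumptions.

```shell
#!/bin/sh
# Builds the one-file bundle that nginx's ssl_certificate needs from an
# Apache-style cert + chain pair and checks it before nginx is pointed at it.
# Example code for this post, not the post's own config; paths are assumptions.
set -eu

# build_bundle LEAF CHAIN OUT: server cert first, then its issuing chain.
# '>' rather than '>>' so a re-run cannot append a second copy of the chain.
build_bundle() {
    cat "$1" "$2" > "$3"
}

# check_bundle BUNDLE KEY ROOT: 0 if the first cert in BUNDLE chains to ROOT
# through the certs behind it and KEY is its private key, otherwise 1.
check_bundle() {
    # verify checks only the first cert in a file; -untrusted supplies the rest
    openssl verify -CAfile "$3" -untrusted "$1" "$1" >/dev/null 2>&1 || return 1
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# make_test_pki DIR: constructed root -> intermediate -> leaf (log.uk), the same
# shape as the StartSSL 2_name.crt + 1_root_bundle.crt pair described above.
make_test_pki() {
    d=$1; mkdir -p "$d"
    printf 'basicConstraints=critical,CA:true\nkeyUsage=keyCertSign\n' > "$d/ca.ext"
    for n in root:TestRoot int:TestIntermediate leaf:log.uk; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=${n#*:}" \
            -keyout "$d/${n%%:*}.key" -out "$d/${n%%:*}.csr" 2>/dev/null
    done
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/int.crt" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
        -CAcreateserial -days 2 -out "$d/leaf.crt" 2>/dev/null
}

# demo: prints "ok:0 reversed:1" (leaf-first bundle passes, chain-first fails)
demo() {
    d=$(mktemp -d)
    make_test_pki "$d"
    build_bundle "$d/leaf.crt" "$d/int.crt" "$d/log.pem"
    check_bundle "$d/log.pem" "$d/leaf.key" "$d/root.crt" && ok=0 || ok=1
    build_bundle "$d/int.crt" "$d/leaf.crt" "$d/wrong.pem"
    check_bundle "$d/wrong.pem" "$d/leaf.key" "$d/root.crt" && rev=0 || rev=1
    rm -rf "$d"
    echo "ok:$ok reversed:$rev"
}
demo
```

Run check_bundle against your real log.pem, log.key and the CA's root certificate before reloading nginx; a reversed bundle or a key from the wrong renewal fails here instead of in the browser.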

Hope this helps – and don’t forget to use Qualys SSL Labs to test your SSL strength. For reference, my ‘hardened’ nginx config for Splunk/Opsview/ownCloud is below.

Note: there are some items you will still need to do, such as generating a stronger Diffie-Hellman parameter file, etc. Google is your friend.

# HTTPS server for Splunk Light
#
server {
    listen       443 ssl;
    server_name  log.uk;
    # the bundle built above (own cert + chain) and the unchanged private key
    ssl_certificate      /etc/ssl/nginx/log.uk/log.pem;
    ssl_certificate_key  /etc/ssl/nginx/log.uk/log.key;
    ssl_session_cache    shared:SSL:10m;
    ssl_session_timeout  5m;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RS$
    ssl_prefer_server_ciphers   on;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); drop them if your clients allow it
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # the stronger DH parameter file generated separately (see the note above)
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    # Security-related response headers. Note that nginx does not merge add_header
    # across levels: a location {} with its own add_header drops all of these.
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;