Converting SSL-enabled Apache vhosts to Nginx

So I recently became beyond-the-point-of fed up with Apache2. It is slow and clunky and has been doing a shitty job recently of hosting my 7-8 virtualhosts (4 of which are SSL-enabled), so I thought I’d move them over to Nginx. Simple, right? You’d think so, but…

Some of the directives in Apache don’t map very nicely to Nginx, but there is a lot to love about Nginx (namely, it’s a LOT faster!). This guide shows you how to migrate the trickier parts of your Apache configs to Nginx.


In order to start Nginx you need to stop Apache2, as in:

Nginx won’t start if Apache2 has taken control of *:80.

Migrating ProxyPass

In my setup, I run Opsview and Splunk Light behind a ProxyPass virtualhost (one runs on a VM, one runs as a web app on port 8000). The config in Apache2 looks like:

The config for Nginx is simpler still:

Simply copy the code above to your website in /etc/nginx/conf.d/website.conf (for example) and modify accordingly. Very simple.

Migrating SSL

This one was a lot trickier and a total faff. In my Apache2 vhosts, I had the following entries:

Whereas Nginx only supports the ‘ssl_certificate’ and ‘ssl_certificate_key’ directives. 2 directives, three files... you see the problem, right?

What you have to do is simply combine the .crt and the .pem file into a single ‘name.pem’ file. For those using StartSSL, you will get 2 files on download:

  • 1_root_bundle.crt

Cat those files into ‘bundle.pem’ as below:

And then update Nginx:

Basically your key stays the same; you simply combine your .crt files into a .pem and reference that.
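A sketch of the combine step above as a reusable shell function, added here as an example and not taken from the original post. It writes the server certificate first (the order Nginx expects for ‘ssl_certificate’) and guards against the usual failure of a plain cat, where a file without a trailing newline fuses its END line to the next BEGIN line. The name `build_bundle` and the input name `server.crt` are placeholders; `1_root_bundle.crt` and `bundle.pem` are the names used in the post.

```shell
#!/bin/sh
# Added example (not from the original post): build the file referenced by
# Nginx's ssl_certificate from a server certificate plus a CA bundle.
# Usage (server.crt is a placeholder name):
#   build_bundle server.crt 1_root_bundle.crt bundle.pem

build_bundle() {
    server_crt=$1; chain_crt=$2; out_pem=$3
    for f in "$server_crt" "$chain_crt"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
        # Keep private keys out of the bundle: it is written world-readable
        # below, and the key stays in its own file for ssl_certificate_key.
        if grep -q 'PRIVATE KEY-----' "$f"; then
            echo "$f contains a private key, refusing" >&2; return 1
        fi
    done
    tmp="$out_pem.tmp.$$"
    # awk re-emits every line with a newline (and strips CRs), so a file
    # that lacks a final newline cannot glue END and BEGIN markers together.
    # Server certificate goes first, then the intermediate/root bundle.
    awk '{ sub(/\r$/, ""); print }' "$server_crt" "$chain_crt" > "$tmp" || return 1
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$tmp" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----$' "$tmp" || true)
    if [ "$begins" -lt 2 ] || [ "$begins" -ne "$ends" ]; then
        echo "malformed bundle: $begins BEGIN / $ends END markers" >&2
        rm -f "$tmp"; return 1
    fi
    # Replace the target only after the checks pass.
    chmod 644 "$tmp" && mv "$tmp" "$out_pem"
}
```

Run `nginx -t` after pointing ‘ssl_certificate’ at the new file so a bad bundle is caught before a reload.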

Hope this helps – and don’t forget to use Qualys to test your SSL strength. For reference, my ‘hardened’ nginx config for Splunk/Opsview/ownCloud is below.

Note: There are some items you will need to do, such as generating a stronger Diffie-Hellman param file, etc. Google is your friend.



