Converting SSL-enabled Apache vhosts to Nginx

So I recently became beyond-the-point of fed up with Apache2. It is slow and clunky and has been doing a shitty job recently of hosting my 7-8 virtualhosts (4 of which are SSL-enabled), so I thought I'd move them over to Nginx. Simple, right? You'd think so, but…

Some of the directives in Apache don't map very nicely to Nginx, but there is a lot to love about Nginx (namely, it's a LOT faster!). This guide shows you how to migrate the trickier parts of your Apache configs to Nginx.

Pre-reading

In order to start Nginx you need to stop Apache2, as in:

Nginx won't start if Apache2 has taken control of *:80.

Migrating ProxyPass

In my setup, I run Opsview and Splunk Light behind a ProxyPass virtualhost (one runs on a VM, one runs as a web app on port 8000). The config in Apache2 looks like:

The config for Nginx is simpler still:

Simply copy the code above to your website in /etc/nginx/conf.d/website.conf (for example) and modify accordingly. Very simple.

Migrating SSL

This one was a lot trickier and a total faff. In my Apache2 vhosts, I had the following entries:

Whereas Nginx only supports the ‘ssl_certificate’ and ‘ssl_certificate_key’ directives. Two directives, three files... you see the problem, right?

What you have to do is simply combine the .crt and the .pem file into a single ‘name.pem’ file. For those using StartSSL, you will get 2 files on download:

  • 2_name.uk.crt
  • 1_root_bundle.crt

Cat those files into ‘bundle.pem’ as below:

And then update Nginx:

Basically your key stays the same; you simply combine your .crt files into a .pem and reference that.
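As an added example (not the author's commands), the helper below builds the bundle in the order Nginx requires, server certificate first and intermediates after it, and checks that the private key matches the first certificate in the bundle before Nginx is reloaded. The file names in the usage comment reuse the StartSSL names above; `name.key` is an assumed key path.

```shell
#!/bin/sh
# Added example, not the author's commands.

# build_bundle LEAF CHAIN OUT
# nginx reads the first certificate in ssl_certificate as the server
# certificate, so LEAF goes first and the intermediates (CHAIN) follow.
# "awk 1" ends every line with a newline, so a file without a trailing
# newline cannot fuse its END marker onto the next BEGIN marker.
build_bundle() {
    leaf=$1; chain=$2; out=$3
    for f in "$leaf" "$chain"; do
        grep -q '^-----BEGIN CERTIFICATE-----' "$f" || {
            echo "no PEM certificate in $f" >&2; return 1; }
    done
    awk 1 "$leaf" "$chain" > "$out"
}

# count_certs FILE: number of certificates in a PEM file.
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1"
}

# key_matches_bundle KEY BUNDLE
# Succeeds only when the first certificate in BUNDLE carries the public key
# that belongs to KEY (an unencrypted private key is assumed).
key_matches_bundle() {
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$1" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Usage (name.key is an assumed path):
#   build_bundle 2_name.uk.crt 1_root_bundle.crt bundle.pem &&
#   key_matches_bundle name.key bundle.pem && nginx -t
```

If the two files are concatenated in the wrong order, `key_matches_bundle` fails, which is the same mismatch Nginx would otherwise report when it loads the key.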

Hope this helps – and don't forget to use Qualys to test your SSL strength. For reference, my ‘hardened’ Nginx config for Splunk/Opsview/ownCloud is below.

Note: There are some items you will need to do yourself, such as generating a stronger Diffie-Hellman parameter file, etc. Google is your friend.

 

 

 
