So I recently became beyond fed up with Apache2; it is slow and clunky and has been doing a shitty job recently of hosting my 7-8 virtualhosts (4 of which are SSL-enabled), so I thought I’d move them over to Nginx. Simple, right? You’d think so, but…

Some of the directives in Apache don’t map very nicely to Nginx, but there is a lot to love about Nginx (namely, it’s a LOT faster!). This guide shows you how to migrate the trickier parts of your Apache configs to Nginx.


In order to start Nginx you need to stop Apache2, as in:

service apache2 stop

Nginx won’t start if Apache2 is still bound to *:80.

Migrating ProxyPass

In my setup, I run Opsview and Splunk Light behind a ProxyPass virtualhost (one runs on a VM, one runs as a web app on port 8000). The config in Apache2 looks like:

  ProxyPass / disablereuse=On
  ProxyPassReverse /

The config for Nginx is simpler still:

location / {

Simply copy the code above into your site’s config file in /etc/nginx/conf.d/website.conf (for example) and modify accordingly. Very simple.

Migrating SSL

This one was a lot trickier and a total faff. In my Apache2 vhosts, I had the following entries:

SSLCertificateFile /etc/apache2/ssl/loguk/2_loguk.crt
SSLCertificateKeyFile /etc/apache2/ssl/loguk/loguk.key
SSLCertificateChainFile /etc/apache2/ssl/

Nginx, however, only supports the ‘ssl_certificate’ and ‘ssl_certificate_key’ directives. 2 directives, three files... you see the problem, right?

What you have to do is simply combine the .crt and the .pem file into a single ‘name.pem’ file. For those using StartSSL, you will get 2 files on download:

  • 1_root_bundle.crt

Cat those files into ‘bundle.pem’ as below:

cat 1_root_bundle.crt >> log.pem

And then update Nginx:

    ssl_certificate      /etc/ssl/nginx/;
    ssl_certificate_key  /etc/ssl/nginx/;

Basically, your key stays the same; you simply combine your .crt files into a single .pem and reference that.
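A way to check the combined file before pointing Nginx at it, added here as an example and not part of the original post: Nginx expects the server certificate first in the bundle and fails to start with a "key values mismatch" error if the chain comes first. The function names and all file names are assumptions, and `demo_setup` builds constructed sample input with a throwaway CA standing in for the chain file.

```shell
#!/bin/sh
# Added example; every file name here is a placeholder, not a path from the post.

# make_bundle SERVER_CRT CHAIN_CRT OUT: server certificate first, chain after it.
make_bundle() {
    cat "$1" "$2" > "$3"
}

# nginx pairs ssl_certificate_key with the FIRST certificate in the bundle,
# so compare that certificate's public key with the private key's public half.
first_cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# chain_in_order BUNDLE: each certificate must be issued by the one after it.
chain_in_order() {
    dir=$(mktemp -d) || return 2
    awk -v d="$dir" '/BEGIN CERTIFICATE/ { n++ } n { print > (d "/" n ".pem") }' "$1"
    i=1
    rc=0
    [ -f "$dir/1.pem" ] || rc=2
    while [ -f "$dir/$((i + 1)).pem" ]; do
        issuer=$(openssl x509 -in "$dir/$i.pem" -noout -issuer | sed 's/^issuer= *//')
        subject=$(openssl x509 -in "$dir/$((i + 1)).pem" -noout -subject | sed 's/^subject= *//')
        [ "$issuer" = "$subject" ] || rc=1
        i=$((i + 1))
    done
    rm -rf "$dir"
    return "$rc"
}

# demo_setup DIR: constructed sample input (throwaway CA standing in for the
# chain file, plus a server key and a certificate signed by that CA).
demo_setup() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -set_serial 2 -days 1 -out "$1/server.crt" 2>/dev/null
}

# Usage: sh check_bundle.sh bundle.pem server.key
if [ "$#" -eq 2 ]; then
    first_cert_matches_key "$1" "$2" && chain_in_order "$1" && echo "bundle OK"
fi
```

Both checks fail on a bundle built in the wrong order (chain first, server certificate second), which is the mistake that stops Nginx from starting.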

Hope this helps – and don’t forget to use Qualys to test your SSL strength. For reference, my ‘hardened’ nginx config for Splunk/Opsview/ownCloud is below.

Note: There are some items you will need to do yourself, such as generating a stronger Diffie-Hellman parameter file, etc. Google is your friend.

# HTTPS server for Splunk Light
server {
    listen       443 ssl;
    ssl_certificate      /etc/ssl/nginx/;
    ssl_certificate_key  /etc/ssl/nginx/;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout  5m;
    ssl_prefer_server_ciphers   on;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep them only if legacy clients need them
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # Custom Diffie-Hellman parameter file (see the note above)
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    # Add headers to serve security related headers
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;