If you use a service like Cloudflare or Sucuri, you don't need a valid cert on the backend servers to do full SSL to the backend. If you want full SSL to the server you need 2 things:

- a self-signed cert
- an nginx proxy to send traffic to port 80

With this method, your application has to send out the redirects to the SSL version of its pages.

Self-signed cert

You can generate one with: selfsigned.sh

Usage: ./selfsigned.sh server.name.tld

This creates 2 files, server.name.tld.key and server.name.tld.crt, that should be copied to /etc/nginx/ssl.
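
The selfsigned.sh script itself is not reproduced on this page. As an added example (not the author's script), a generator that produces the same two files with OpenSSL and checks that they belong together could look like this; the function names, the 2048-bit RSA key and the 365-day lifetime are assumptions:

```shell
#!/bin/sh
# Added example, not the author's selfsigned.sh. Key size, lifetime and the
# function names are assumptions.

# make_selfsigned NAME [OUTDIR] [DAYS]
# Writes OUTDIR/NAME.key and OUTDIR/NAME.crt with CN and SAN set to NAME.
make_selfsigned() {
    name=$1 outdir=${2:-.} days=${3:-365}

    # Hostname characters only: NAME ends up in file paths and in the
    # OpenSSL config written below.
    case $name in
        ''|.*|*..*|*[!A-Za-z0-9.-]*)
            echo "invalid server name: $name" >&2; return 2 ;;
    esac

    cfg=$(mktemp) || return 1
    cat > "$cfg" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3
[dn]
CN = $name
[v3]
subjectAltName = DNS:$name
EOF

    # The subshell keeps umask 077 local; the key is created owner-only.
    rc=0
    ( umask 077
      openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
          -config "$cfg" \
          -keyout "$outdir/$name.key" -out "$outdir/$name.crt" ) || rc=$?
    rm -f "$cfg"
    return "$rc"
}

# cert_matches_key CRT KEY
# Succeeds only if the certificate carries the public half of KEY.
cert_matches_key() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# Script use: ./example.sh server.name.tld
if [ "$#" -ge 1 ]; then
    make_selfsigned "$1" && cert_matches_key "$1.crt" "$1.key"
fi
```

Running cert_matches_key on the copies in /etc/nginx/ssl before reloading nginx catches a mismatched pair early.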

Nginx server block

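# /etc/nginx/conf.d/000_ssl.conf

server {
  # default_server: this block answers any request on 443 that no other
  # server block claims.
  listen 443 default_server ssl;

  # The self-signed pair copied to /etc/nginx/ssl.
  ssl_certificate   /etc/nginx/ssl/server.name.tld.crt;
  ssl_certificate_key   /etc/nginx/ssl/server.name.tld.key;

  location / {
      # Keep the original Host header and pass the scheme of the incoming
      # request (https here) so the application can send its redirects.
      proxy_set_header          Host $host;
      proxy_set_header          X-Forwarded-Proto $scheme;
      # TLS ends here; the request goes on to port 80 as plain HTTP.
      proxy_pass                http://localhost:80;
  }

}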

- Stein van Broekhoven

