TLS for NGINX and Node

Not too long ago it was finally time to get with the times and get a TLS (SSL) certificate. I went with Let's Encrypt, whose installer made the process simple.

But once you have the certificates, you need to serve them!

Here was my old NGINX config file:

server {
    listen 80;
    server_name mysite.com;

    location / {
        # Hand every request to the Node app listening on localhost:3000.
        proxy_pass http://127.0.0.1:3000;
        # HTTP/1.1 plus the Upgrade/Connection headers let WebSocket upgrades through the proxy.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}

This is a reverse-proxy setup as described in another post.

Here is my new TLSified version. There are two server blocks. The first block redirects plain HTTP requests to HTTPS, keeping the original path and query string so that deep links still work after the redirect:

server {
    listen 80;
    server_name mysite.com;
    # $request_uri carries the path and query string; without it every
    # request would be redirected to the site root.
    return 301 https://mysite.com$request_uri;
}

The second block has the good stuff. You'll notice a few key things:

  1. The listen line is now the standard HTTPS port, 443, with the ssl parameter.
  2. There are lines for the location of the certificate (the full chain) and the private key. These are the files created by Let's Encrypt under /etc/letsencrypt/live/.
  3. Below that there is some additional TLS config: the protocol versions nginx will negotiate and the cipher list. TLS 1.0 and 1.1 are deprecated (RFC 8996), so only TLS 1.2 (and TLS 1.3, where your nginx and OpenSSL support it) should be enabled.
  4. The location block is the same as before.

server {
    listen 443 ssl;
    server_name mysite.com;

    # Certificate chain and private key as written by the Let's Encrypt client.
    ssl_certificate /etc/letsencrypt/live/mysite.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mysite.com/privkey.pem;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and are left out here.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    # Forward-secret (ECDHE/DHE) suites, AES-GCM first.
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}

My NGINX config file (in sites-available) is composed of those two server blocks. HTTPS now works great.
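As an added example (this is not the post's own config), here is a more hardened version of the same two server blocks. It assumes the same hostname (mysite.com), the same Let's Encrypt file paths and the same Node port (3000) as above, and an nginx built against OpenSSL 1.1.1 or later so that TLS 1.3 is available. Beyond the protocol fix it adds session-resumption settings, an HSTS header, and the X-Forwarded-* headers the Node app needs to know the request arrived over HTTPS.

```nginx
# Added example: hardened version of the two server blocks in the post.
# Assumptions: hostname mysite.com, certificate files under /etc/letsencrypt/live/mysite.com/,
# Node app on 127.0.0.1:3000, nginx >= 1.13.0 with OpenSSL >= 1.1.1 (for TLS 1.3).

server {
    listen 80;
    server_name mysite.com;

    # Keep the path and query string so deep links survive the redirect.
    return 301 https://mysite.com$request_uri;
}

server {
    listen 443 ssl;
    server_name mysite.com;

    ssl_certificate     /etc/letsencrypt/live/mysite.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mysite.com/privkey.pem;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996). Remove TLSv1.3 from this line
    # if the installed nginx/OpenSSL is too old to know it.
    ssl_protocols TLSv1.2 TLSv1.3;

    # TLS 1.2: forward-secret AEAD suites only (TLS 1.3 suites are fixed and are
    # not controlled by ssl_ciphers). With no weak suite left in the list, the
    # client may pick the one its hardware handles best (e.g. ChaCha20 on phones).
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';
    ssl_prefer_server_ciphers off;

    # Session resumption from a server-side cache rather than session tickets:
    # a leaked long-lived ticket key would undo forward secrecy for every
    # resumed session, so tickets are switched off.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # HSTS: browsers that have seen this header refuse plain HTTP to mysite.com
    # for a year, even if the certificate later breaks. Start with a short
    # max-age while testing; this value covers this host only (no includeSubDomains).
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        # The Node app otherwise sees a plain-HTTP connection from 127.0.0.1:
        # pass the real scheme and client address so secure cookies, absolute
        # redirects and logging are correct.
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_cache_bypass $http_upgrade;
    }
}
```

Run nginx -t before reloading. To confirm the protocol change took effect, openssl s_client -connect mysite.com:443 -tls1_1 should fail the handshake while the same command with -tls1_2 should succeed. On the Node side, an Express app only trusts the X-Forwarded-* headers after app.set('trust proxy', 'loopback'), after which req.secure and req.ip reflect what nginx passed along rather than the proxy connection itself.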
