Definitive guide for nginx + apache + SSL?

Hiya,

I'm running a production server with CentOS 6.9 and latest CWP for several domains, in nginx + Apache configuration, on a shared IP.

I'm under pressure to get SSL enabled on all domains before Google Chrome starts spewing out warnings in October for any text field submitted over http (even a friggin search), and LetsEncrypt would be a fantastic option.

Last I remember, when I tried enabling LetsEncrypt by following the Wiki tutorial, I ended up with Apache and nginx fighting each other, and all sites down. Also, if I am also not mistaken, since the Wiki article was prepared and the forum post with instructions, LetsEncrypt manager has been labeled "DO NOT USE".

Is there a definitive guide I can follow now to enable SSL successfully, please? Do I need to also edit template files, rebuild hosts, stuff like that in order to keep this running every time I compile a new version of Apache?

Many thanks in advance!

The Auto SSL option works well now so you should use that (CWP > Apache settings > SSL Cert Manager). The Let's Encrypt module is being phased out & no longer receives updates.

It's easy to use just click 'AutoSSL' button from within the SSL Cert Manager, choose user/domain & check IP is correct. Then click 'Install SSL'.

Please note that once you make the change to SSL then your nginx reverse proxy becomes obsolete as it doesn't listen on port 443 (unless you modify the nginx hosts file but not recommended as will be over written when CWP updates).

Hope this helps 

Thanks for the quick reply, 6Sense!

I was hoping that SSL can still work through nginx + Apache, meaning nginx taking both http and https traffic and redirecting it to Apache. Wouldn't this set-up be beneficial, just like in non-SSL configuration?

In that set up my understanding is nginx only deals with http traffic (CWP > Apache Settings > Select WebServers - will show you what traffic/ports your server handles with what).

 I've created a custom setup previously allowing nginx to handle both http & https but it always gets over written when you update CWP.

There has been talk of including a nginx only option in CWP (ie: no apache) )but I have no info if or when this would eventuate.

 

Indeed, the combination of nginx + Apache is using the best features of both. What doesn't make sense to me is why the addition of SSL would by-pass this architecture and rely solely on Apache. In my view, it would make more sense to keep nginx as a front-end with the additional role of encrypting traffic if accessed via https, and continue to benefit from its speed and low resources. Ideally I'd like to see the option to use nginx alone as a web server, without Apache at all (at least for the hosted domains, irrelevant if the web admin keeps it).

Indeed, the combination of nginx + Apache is using the best features of both. What doesn't make sense to me is why the addition of SSL would by-pass this architecture and rely solely on Apache. In my view, it would make more sense to keep nginx as a front-end with the additional role of encrypting traffic if accessed via https, and continue to benefit from its speed and low resources. Ideally I'd like to see the option to use nginx alone as a web server, without Apache at all (at least for the hosted domains, irrelevant if the web admin keeps it).

that is in the test phase and maybe will be out soon with the new version of CWP

Cool!! How soon is "soon"?

Meanwhile, I made some progress - I generated the SSL certificates and they seem to be working. It took several tries to get them right, and in multiple occasions Apache would not restart successfully. It seems that some threads remain running and I have to manually identify and kill the PIDs before I can restart the httpd service.

The next challenge is to make nginx bind to port 443 and answer https requests, then either deliver static files over SSL or forward the request to Apache for processing. I will manually build the virtual hosts files for nginx for this.

One more point I need to clarify: right now, http goes through nginx (80) and then apache (8181 with multiple virtual hosts), while https goes directly to apache (443 with multiple virtual hosts). If I want to have http and https going to nginx (80 and 443 with multiple virtual hosts), the request forwarded to Apache can continue working as if it was a http request, only on port 8181. I don't need Apache to have a secondary port to listen on, nor separate vhost profiles for ssl traffic. Am I right?

1. Cool!! How soon is "soon"?

2. I don't need Apache to have a secondary port to listen on, nor separate vhost profiles for ssl traffic. Am I right?

1. probably in the next 30 days
2. you can have only apache on port 8181 http as there is no need for ssl with apache then as ssl is handled at port 443 with nginx.

Awwww yisssssss!! Can't wait! And thanks for the clarification!