nginx + ssl + rails
by jd
While nginx has been covered here before, it seems the blogosphere is a bit lacking in covering an nginx + ssl + rails setup, which requires a little bit of putting 2 and 2 together and getting 5. The configuration is as follows:
    server {
        listen 443;
        ssl on;
        # path to your certificate
        ssl_certificate /etc/nginx/certs/server.crt;
        # path to your ssl key
        ssl_certificate_key /etc/nginx/certs/server.key;
        # put the rest of your server configuration here.
        location / {
            # set X-FORWARDED_PROTO so ssl_requirement plugin works
            proxy_set_header X-FORWARDED_PROTO https;
            # standard rails+mongrel configuration goes here.
        }
    }
The kicker is the proxy_set_header line—it is crucial to allowing your Rails app to know whether the request was sent over http or https.
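A check for the point above, as an added example that is not part of the original post: this Ruby script reads an nginx configuration and reports, per server block, whether X-FORWARDED_PROTO is set to a value that matches the listener. It goes beyond the single HTTPS block shown by also covering a plain-HTTP block, since nginx forwards client request headers unchanged unless proxy_set_header overrides them; the function names and the sample configuration are constructed for illustration.

```ruby
# Added example, not from the original post. Minimal parser: strips comments and
# tracks nested braces; it does not handle quoted strings or include files.
def server_blocks(conf)
  text = conf.gsub(/#.*$/, "")
  blocks, pos = [], 0
  while (m = text.match(/\bserver\s*\{/, pos))
    depth, i = 1, m.end(0)
    while i < text.length && depth > 0
      depth += 1 if text[i] == "{"
      depth -= 1 if text[i] == "}"
      i += 1
    end
    blocks << text[m.end(0)...i - 1]
    pos = i
  end
  blocks
end

# One result per server block: does the forwarded protocol match the listener?
def audit(conf)
  server_blocks(conf).map do |body|
    listen = body[/\blisten\s+([^;]+);/, 1].to_s.strip
    tls = body.match?(/\bssl\s+on\s*;/) || listen.split.include?("ssl")
    proto = body[/\bproxy_set_header\s+X-FORWARDED[-_]PROTO\s+([^;\s]+)\s*;/i, 1]
    expected = tls ? "https" : "http"
    status = if proto.nil? then :missing
             elsif [expected, "$scheme"].include?(proto) then :ok
             else :mismatch
             end
    { listen: listen, tls: tls, proto: proto, status: status }
  end
end

# Constructed sample: the post's HTTPS block plus a plain-HTTP block for the same app.
SAMPLE = <<~'CONF'
  server {
    listen 443;
    ssl on;
    location / { proxy_set_header X-FORWARDED_PROTO https; }
  }
  server {
    listen 80;
    # no proxy_set_header here, so a client-sent header would pass through
    location / { }
  }
CONF

audit(SAMPLE).each { |r| puts "listen #{r[:listen]}: #{r[:status]}" }
```

A block reported as missing or mismatch is one where the Rails app cannot rely on the header to tell http from https.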
You will note that there is no server_name directive—this is because it is impossible to do name-based virtual hosts when doing https. You must have a separate IP address for each ssl host—you can specify which IP address to use (if your machine has multiple assigned IPs) by modifying the listen directive, e.g. listen 101.102.103.104:443.
On a related note, here at Agora Games we recently launched our first production site running on nginx and Rails!
Addendum (13 June 2007): It is worth noting that Ezra’s excellent nginx configuration includes an ssl section, although it unfortunately lacks the ssl commands themselves.




November 3rd, 2006 at 11:42 AM Congrats on launching the first site JD. As the only known site launched by anyone in TechValley, I think you officially hold the title of local rails guru. We're gunning for the lead though! :) -B
February 22nd, 2007 at 08:28 AM Um, OT... the phrase is "not rocket *science*," not "not rocket surgery." Rocket surgery is a weird mental image. Rockets as animate objects? A bit too Pynchon for my taste.
February 22nd, 2007 at 03:50 PM Don't worry, understanding "NotRocketSurgery":http://www.urbandictionary.com/define.php?term=rocket+surgery isn't rocket surgery.
March 31st, 2007 at 02:12 PM I'll keep this as a reference when -- finally -- adding SSL support to 16bugs... :)
June 1st, 2007 at 11:30 AM Thanks for the tips...I set myself up with a temporary cert in development mode and it's working well under Nginx. For the uninformed, this document helped me when making my own SSL certificate for use in development mode: http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#selfcert
July 3rd, 2007 at 09:37 AM Looks like nginx's SSL support now handles name-based vhosts. From changelog: Changes with nginx 0.5.23 04 Jun 2007 *) Feature: the ngx_http_ssl_module supports Server Name Indication TLS extension.
November 27th, 2007 at 03:12 AM The information was very helpful. Thank you for the post :)
January 16th, 2008 at 11:51 AM Excellent tip! For those using Ubuntu Linux, that want to create a quick and dirty self-signed certificate: http://smallbiztechguy.blogspot.com/2007/12/adding-ssl-site-to-nginx-quick-start.html
March 9th, 2008 at 06:24 PM This article is still helping us out here! I dug through a bunch of stuff with no love and finally putting the snippets you outlined here worked like a charm!
April 16th, 2008 at 03:34 PM Great tip! Thanks!