Use a default cert for nginx
If you use a service like Cloudflare or Sucuri, you don’t need a valid cert on the backend servers to do full SSL to the backend. If you want full SSL to the server, you need 2 things:
- a self-signed cert
- an nginx proxy to send traffic to port 80
With this method, your application needs to send out redirects to the SSL version of pages.
Self-signed cert
You can generate one with selfsigned.sh.
Usage: ./selfsigned.sh server.name.tld
This creates 2 files, server.name.tld.key and server.name.tld.crt, that should be copied to /etc/nginx/ssl.
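The page does not show selfsigned.sh itself. As an added example (not the author's script), here is a script with the same interface that also keeps the private key unreadable to other users and checks that the certificate matches the key. It assumes OpenSSL 1.1.1 or newer; the function names, the optional output-directory argument and the 3650-day lifetime are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not the page author's selfsigned.sh.
# Usage: ./selfsigned.sh server.name.tld [output-dir]

# Succeeds only if the certificate carries the public key of the given private key.
cert_matches_key() {
    local crt_pub key_pub
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

make_selfsigned() {
    local name="$1" outdir="${2:-.}" days=3650   # lifetime is an assumption
    # Accept plain hostnames only: the name ends up in file paths and in -subj.
    case "$name" in
        ""|.*|-*|*[!A-Za-z0-9.-]*) echo "invalid server name: $name" >&2; return 2 ;;
    esac
    [ -d "$outdir" ] || { echo "no such directory: $outdir" >&2; return 2; }
    local key="$outdir/$name.key" crt="$outdir/$name.crt"
    # Subshell keeps the tight umask local; the key is never world-readable.
    (
        umask 077
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
            -subj "/CN=$name" -addext "subjectAltName=DNS:$name" \
            -keyout "$key" -out "$crt"
    ) || return 1
    chmod 600 "$key" && chmod 644 "$crt" || return 1
    cert_matches_key "$crt" "$key" || { echo "key/cert mismatch" >&2; return 1; }
    echo "wrote $key and $crt"
}

if [ "$#" -gt 0 ]; then
    make_selfsigned "$@"
else
    echo "Usage: $0 server.name.tld [output-dir]" >&2
fi
```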
Nginx server block
# /etc/nginx/conf.d/000_ssl.conf
server {
    listen 443 default_server ssl;
    ssl_certificate /etc/nginx/ssl/server.name.tld.crt;
    ssl_certificate_key /etc/nginx/ssl/server.name.tld.key;
    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://localhost:80;
    }
}