IBM Support

How to Configure NGINX as an SSL Reverse Proxy

How To


Summary

This document describes how to configure NGINX as an SSL reverse proxy in front of an IBM Apache server. Clients can then connect with TLSv1.3, which NGINX currently supports, even though the IBM Apache server does not currently allow it.

Environment

Requirements

  • The OS must be at V7R2 or higher
  • NGINX must be installed
  • OpenSSL 1.1.1+ must be installed
  • An IBM Apache server must be configured

NGINX Installation instructions:

https://www-01.ibm.com/support/docview.wss?uid=ibm10743711

NGINX SSL Configuration instructions:

https://www-01.ibm.com/support/docview.wss?uid=ibm10744529

 

Steps

NOTE: In this example we will configure NGINX to use an SSL certificate exported from Digital Certificate Manager (DCM), the same SSL certificate assigned to the IBM Apache server.

1) First we will need to go through the installation instructions provided above to ensure that the NGINX server is configured for SSL and that it is using the same certificate as the IBM Apache server.

2) We can then update our NGINX server configuration to look like the following (replace https://systemName:63443 with the URL of your IBM Apache server):

    server {
        listen       443 ssl;
        ssl_certificate      /home/cert.pem;
        ssl_certificate_key  /home/cert.key;
        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;
        # Protocols offered to clients connecting to NGINX
        ssl_protocols        TLSv1.1 TLSv1.2 TLSv1.3;

        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;

        location / {
            proxy_pass https://systemName:63443;
            # Protocols NGINX may use toward the backend Apache server
            proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        }
    }

This routes all requests to the URL referenced in the proxy_pass statement and allows clients to access the site with TLSv1.3. The backend Apache server currently does not allow TLSv1.3, so NGINX communicates with it using the protocols specified in proxy_ssl_protocols.

3) Once the NGINX configuration has been updated we need to either stop/start the server, or perform a reload operation:

A) On the IBM i command line type STRQSH

B) Type the following commands to stop/start the server:

    cd /QOpenSys/pkgs/bin
    nginx -s stop
    nginx

NOTE: If you want to use a different configuration than the default '/QOpenSys/etc/nginx/nginx.conf' you would use this command to start it instead:

    nginx -c /path/nginx.conf

If you would like to perform a reload instead of a stop/start, run the following command:

    nginx -s reload

The reload will gracefully end the existing worker processes and start new ones, which will pick up the new configuration changes.
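
A hardened variant of the step 2 server block, as an added example rather than IBM's configuration: it drops TLSv1.1 on the client side and makes NGINX verify the backend certificate, which it does not do by default (proxy_ssl_verify is off). The CA bundle path /home/backend-ca.pem is a hypothetical placeholder, and restricting the backend leg to TLSv1.2 assumes your IBM Apache server accepts it.

```nginx
# Added example (not from the IBM document). Goes inside the http { } block.
server {
    listen       443 ssl;
    ssl_certificate      /home/cert.pem;
    ssl_certificate_key  /home/cert.key;
    ssl_session_cache    shared:SSL:1m;
    ssl_session_timeout  5m;

    # Client-facing leg: TLS 1.0 and 1.1 were deprecated by RFC 8996,
    # so only TLSv1.2 and TLSv1.3 are offered here.
    ssl_protocols        TLSv1.2 TLSv1.3;
    ssl_ciphers          HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers  on;

    location / {
        proxy_pass https://systemName:63443;

        # Backend leg. Assumption: the IBM Apache server accepts TLSv1.2.
        # Keep the wider list from step 2 only if it does not.
        proxy_ssl_protocols TLSv1.2;

        # By default NGINX does not validate the upstream certificate.
        # Verify it against the issuing CA (hypothetical file path).
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_trusted_certificate /home/backend-ca.pem;

        # Send SNI to the backend. The certificate is checked against the
        # proxy_pass host name (systemName) unless proxy_ssl_name overrides it.
        proxy_ssl_server_name on;

        # Preserve the original client address for the Apache access log.
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Running `nginx -t` checks the configuration syntax before the stop/start or reload in step 3.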

Additional Information

NGINX Product Documentation:

https://www-prd-trops.events.ibm.com/node/how-configure-nginx-ssl-ibm-i


Document Information

Modified date:
18 December 2019

UID

ibm10787811