I'm going to describe the steps I took to proxy QatarLiving to a secure site at F1a.me. QatarLiving is one of the most popular websites in Qatar, a small Middle Eastern state.
Step 0. Prerequisites
You'll need administrator (root) privileges to your own server to run an HTTPS site on port 443. I'm happy with my virtualized Linux box, hosted by Media Temple. It costs $50 a month, which is not the cheapest deal out there nor is the server particularly powerful, but I'm happy with the company's service and the box is sufficient to host all my websites and twitter feeds. If you sign up with Media Temple, you should install compilers and development tools.
Step 1. Buy your SSL certificate
Purchase an SSL certificate for your secure site. I bought mine from 123-reg. It is possible to run a secure site without buying a certificate, which is known as "self signing"; however, users of your site will be presented with scary warnings by their browser. It's best just to splash out on the SSL certificate: they're cheap.
Step 2. Downloads
If you've never come across nginx (pronounced Engine-X), don't feel too down-heartened. This tiny webserver fits into a niche of specialized webservers (including boa, lighttpd and thttpd) that compete on speed and small memory footprint. Many large sites have chosen nginx as their front-line server, including one of the very largest blogging sites, WordPress.com. I chose to use nginx because its small footprint is crucial on my limited-memory server.
Download the latest development release of nginx, currently version 8.1.14 [homepage | nginx-0.8.14.tar.gz]
Step 3. Installation
Unpack the nginx source, compile and install. The following commands work for me, on my fairly standard centos Linux box, but some of the paths may require tweaking on other systems.
$ tar zxvf nginx-0.8.14.tar.gz
$ cd nginx-0.8.14
$ ./configure \
--prefix=/usr \
--sbin-path=/usr/sbin/nginx-ssl \
--conf-path=/etc/nginx-ssl/nginx.conf \
--http-log-path=/var/log/nginx_ssl_access_log \
--error-log-path=/var/log/nginx_ssl_error_log \
--pid-path=/var/run/nginx-ssl.pid \
--http-client-body-temp-path=/var/tmp/nginx_ssl_client \
--http-proxy-temp-path=/var/tmp/nginx_ssl_proxy \
--http-fastcgi-temp-path=/var/tmp/nginx_ssl_fastcgi \
\
--with-http_ssl_module \
--with-http_stub_status_module \
\
--without-http_charset_module \
--without-http_gzip_module \
--without-http_userid_module \
--without-http_auth_basic_module \
--without-http_autoindex_module \
--without-http_geo_module \
--without-http_map_module \
--without-http_referer_module \
--without-http_fastcgi_module \
--without-http_limit_zone_module \
--without-http_browser_module \
--without-http_upstream_ip_hash_module
$ make
$ su
# make install
If any errors appear with the above commands, it probably means you need to install some required library. In most cases, using Google on an error message will provide the fastest solutions. Options may vary slightly between versions. Always check ./configure --help for the current list.
Step 4. Server Configuration
Download your server SSL certificate and private key, rename them to server.crt and server.key, and move them to your nginx config directory (/etc/nginx-ssl/). If you've bought a cheap SSL certificate like I did, the certificating authority probably won't be built into your users' browsers by default. You'll need to find the certificate of your CA and concatinate it with your server's SSL certificate. Your server.crt will then look something like this:
-----BEGIN CERTIFICATE-----
[your certificate here]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[your CA's certificate here]
-----END CERTIFICATE-----
Now, all that's left is to edit your config file /etc/nginx-ssl/nginx.conf. You'll want to play around with some of these setting, but they provide a good starting point.
# the number of worker processes should be
# equal to the number of processor cores in your server
worker_processes 4;
# disable error logging by uncommenting the next line
# error_log /dev/null crit;
events {
# max connections - 2048 is reasonable
worker_connections 2048;
}
http {
include mime.types;
default_type application/octet-stream;
# TCP tuning
sendfile on;
tcp_nopush on;
tcp_nodelay off;
# keepalive is highly beneficial for SSL
keepalive_timeout 10;
# disable logging
access_log off;
server {
listen 443;
# change this to your own website hostname
server_name f1a.me;
# these SSL options have been chosen to maximize
# throughput on small servers
ssl on;
ssl_certificate server.crt;
ssl_certificate_key server.key;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;
ssl_protocols SSLv2 SSLv3 TLSv1;
ssl_ciphers RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
ssl_prefer_server_ciphers on;
location / {
proxy_pass http://www.qatarliving.com;
proxy_set_header X-Forwarded-For $remote_addr;
}
# don't proxy static content, redirect instead
location ~* \.(gif|jpg|jpeg|png|ico|js)$ {
rewrite ^/(.*?)$ http://www.qatarliving.com/$1 permanent;
}
}
}
Start up your server by running nginx-ssl as root:
$ su
# /usr/sbin/nginx-ssl
Tail the error log (/var/log/nginx_ssl_error_log) if the server fails to start.
Further Reading
Nginx English documentation
Useful changes to default nginx configuration file
O3 Magazine - Open-Source SSL Acceleration
SSL optimization and security
HTTPS performance tuning
Installing an intermediate authority certificate under nginx
Why SSL?
Outstanding issues
Cookies that contain the original site's domain will not be stored by the user's browser. Most websites don't set a domain within the cookie, so this isn't usually a problem. However, if your site is affected, it can be fixed by filtering the headers from the insecure site and removing domains. I'll post a blog entry in a few days about this, as it affects most Drupal sites including QatarLiving.
Navigation within a proxied site will only be successful if most links do not include the original hostname.