I realize this looks like a duplicate of at least a few other questions, but I have read them each several times and am still doing something wrong.
Following are the contents of my myexample.com nginx config file located in /etc/nginx/sites-available
.
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name myexample.com www.myexample.com;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
ssl_certificate /etc/letsencrypt/live/myexample.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/myexample.com/privkey.pem;
#Configures the publicly served root directory
#Configures the index file to be served
root /var/www/myexample.com;
index index.html index.htm;
}
It works, when I go to https://myexample.com the content is served and the connection is secure. So this config seems to be good.
Now if I change the ssl port to 9443 and reload the nginx config, the config reloads without error, but visiting https://myexample.com shows an error in the browser (This site can’t be reached / myexample.com refused to connect. ERR_CONNECTION_REFUSED)
I have tried suggestions and documentation here, here, and here (among others) but I always get the ERR_CONNECTION_REFUSED error.
I should note that I can use a non-standard port and then explicitly type that port into the URL, e.g., https://myexample.com:9443. But I don't want to do that. What I want is for a user to be able to type myexample.com into any browser and have nginx redirect to the secure connection automatically.
Again, I have no issues whatsoever when I use the standard 443 SSL port.
Edit: I'm using nginx/1.6.2 on debian/jessie
Best Answer
In order to support typing "https://myexample.com" in your browser, and having it handled by the
nginx
config listening on port 9443, you will need an additionalnginx
config that still listens on port 443, since that is the IP port to which the browser connects.Thus:
Notice that the same certificate/key is needed for both sections, since the certificate is usually tied to the DNS hostname, but not necessarily the port.
Hope this helps!