This repository has been archived by the owner on Feb 13, 2023. It is now read-only.

Using https on nginx #754

Closed
mark-casias opened this issue Jun 24, 2016 · 8 comments

Comments

@mark-casias

Hi there,
We are trying to use nginx locally to properly mirror the Pantheon environment, but don't see a way to configure HTTPS in the config.yml. I looked at the playbook and don't see anything there. Am I just missing it?

@geerlingguy
Owner

See: https://github.com/geerlingguy/ansible-role-nginx#role-variables

You can basically configure the server using whatever server block directives you need (setting up ciphers, cert paths, using port 443, http2, etc.).

We should probably add an example in the docs for Nginx, like we have currently for Apache: http://docs.drupalvm.com/en/latest/extras/ssl/

@joestewart
Contributor

Looked like the provisioning/templates/nginx-vhost.conf.j2 template did not support the extra_parameters as in the template for ansible-role-nginx. So created #761

@geerlingguy
Owner

D'oh... disadvantages of diverging from the upstream for a feature :P

@mchelen
Contributor

mchelen commented Aug 24, 2016

Yeah I think some more documentation here would be nice, or include it commented out in config.yml. Setting an Apache server to use SSL is pretty clear from looking at the config, it would be nice to say the same for Nginx.

@mattelkins

mattelkins commented Aug 26, 2016

Just thought I'd share my findings as I've been having a look into this today. Here's the host definition I added to nginx_hosts in my config.yml:

- listen: "443 ssl default_server"
  server_name: "{{ drupal_domain }} www.{{ drupal_domain }}"
  ssl_certificate: "/vagrant/ssl/my.crt"
  ssl_certificate_key: "/vagrant/ssl/my.key"
  root: "{{ drupal_core_path }}"
  is_php: true

This definition is in addition to the default:

- server_name: "{{ drupal_domain }} www.{{ drupal_domain }}"
  root: "{{ drupal_core_path }}"
  is_php: true

vagrant up completed successfully, but I had to change a few configuration things.

In the server block within /etc/nginx/conf.d/{{ drupal_domain }}.conf (where drupal_domain is the domain I specified in the vagrant_hostname variable in my config.yml), only listen 443 ssl default_server was specified. The default listen 80 host configuration was nowhere to be found, so I added it to the server block:

server {
    listen 80 default_server;
    listen 443 ssl default_server;

    ...
}

I'm guessing I needed to do this because both the default host definition and my SSL host definition share the same server_name. Would this have caused the host configuration to be overwritten?

It seems as though both ssl_certificate and ssl_certificate_key were ignored during vagrant up, so I had to add them manually to the server block:

server {
    listen 80 default_server;
    listen 443 ssl default_server;

    ssl_certificate /vagrant/ssl/my.crt;
    ssl_certificate_key /vagrant/ssl/my.key;

    ...
}

I believe this is a bug and I'm happy to create a separate issue for it. However, I'm not 100% sure if this is an issue with Drupal VM or the Nginx Ansible role. Does anyone have any ideas?

After restarting Nginx, I can now access my site over HTTP or HTTPS.

@joestewart
Contributor

Try adding extra_parameters similar to:

    extra_parameters: |
      listen 443 ssl;
          ssl_certificate         /etc/ssl/certs/ssl-cert-snakeoil.pem;
          ssl_certificate_key     /etc/ssl/private/ssl-cert-snakeoil.key;
          ssl_protocols       TLSv1.1 TLSv1.2;
          ssl_ciphers         HIGH:!aNULL:!MD5;

@mattelkins

mattelkins commented Aug 26, 2016

Thanks for the tip, @joestewart!

The host definition for my Drupal site now looks like this:

- listen: "80 default_server"
  server_name: "{{ drupal_domain }} www.{{ drupal_domain }}"
  root: "{{ drupal_core_path }}"
  is_php: true
  extra_parameters: |
    listen 443 ssl default_server;

I've also removed the default host definition as the one above handles both HTTP and HTTPS thanks to the extra_parameters.

I still had to manually add ssl_certificate and ssl_certificate_key to the configuration file as vagrant up failed due to the two files not existing when Nginx was restarted. I think this must be because the Vagrant folder wasn't available in the VM at that point.
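
A check for the failure described in both of the comments above (a `listen 443 ssl` line rendered without `ssl_certificate` / `ssl_certificate_key`, or with paths that are not present when Nginx restarts), as an added example that is not part of the thread or of Drupal VM. The sample config, the hostname and all function names are constructed, and the check assumes certificates are set in the server block rather than inherited from the http context.

```python
import re

# Constructed sample: a rendered vhost with the 443 listener but no cert lines.
RENDERED_BROKEN = """
server {
    listen 80 default_server;
    listen 443 ssl default_server;
    server_name example.test www.example.test;
    location / { try_files $uri /index.php?$query_string; }
}
"""
# Constructed sample: the same block after the manual fix from the thread.
RENDERED_FIXED = RENDERED_BROKEN.replace("    server_name", (
    "    ssl_certificate /vagrant/ssl/my.crt;\n"
    "    ssl_certificate_key /vagrant/ssl/my.key;\n    server_name"), 1)

def server_blocks(conf):
    """Yield the body of each `server { ... }` block, found by brace matching."""
    conf = re.sub(r"#[^\n]*", "", conf)  # drop comments
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def own_directives(body):
    """Return directives set directly in the block, ignoring nested blocks."""
    prev = None
    while prev != body:  # peel nested { ... } blocks from the inside out
        prev, body = body, re.sub(r"[^;{}]*\{[^{}]*\}", "", body)
    return [d.split() for d in body.split(";") if d.strip()]

def check_tls(conf, files_exist=None):
    """List TLS listeners whose server block lacks a usable cert or key.

    Assumption: certificates are set per server block, not inherited from http.
    """
    findings = []
    for n, body in enumerate(server_blocks(conf), 1):
        dirs = own_directives(body)
        if not any(d[0] == "listen" and "ssl" in d[1:] for d in dirs):
            continue
        for name in ("ssl_certificate", "ssl_certificate_key"):
            paths = [d[1] for d in dirs if d[0] == name and len(d) > 1]
            if not paths:
                findings.append(f"server #{n}: listen ... ssl without {name}")
            findings += [f"server #{n}: {name} {p} not found"
                         for p in paths if files_exist and not files_exist(p)]
    return findings
```

Passing `files_exist=os.path.exists` when the check runs inside the VM also reports certificate paths, such as ones under /vagrant, that are missing at that point.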

@geerlingguy
Owner

Added to the docs. At some point I'll also make the upstream Nginx role a little less obtuse in this regard. Right now, for my own projects, I supply my own Nginx server templates for these things, but it would be nice if it were managed by the role itself.
