I realize this looks like a duplicate of at least a few other questions, but I have read them each several times and am still doing something wrong.

Following are the contents of my myexample.com nginx config file located in /etc/nginx/sites-available.

server {
  listen       443 ssl;
  listen       [::]:443 ssl;

  server_name myexample.com www.myexample.com;
  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
  ssl_certificate /etc/letsencrypt/live/myexample.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/myexample.com/privkey.pem;

  #Configures the publicly served root directory
  #Configures the index file to be served
  root /var/www/myexample.com;
  index index.html index.htm;
}

It works, when I go to https://myexample.com the content is served and the connection is secure. So this config seems to be good.

Now if I change the ssl port to 9443 and reload the nginx config, the config reloads without error, but visiting https://myexample.com shows an error in the browser (This site can't be reached / myexample.com refused to connect. ERR_CONNECTION_REFUSED).

I have tried suggestions and documentation here, here, and here (among others) but I always get the ERR_CONNECTION_REFUSED error.

I should note that I can use a non-standard port and then explicitly type that port into the URL, e.g., https://myexample.com:9443. But I don't want to do that. What I want is for a user to be able to type myexample.com into any browser and have nginx redirect to the secure connection automatically.

Again, I have no issues whatsoever when I use the standard 443 SSL port.

Edit: I'm using nginx/1.6.2 on debian/jessie

Gojira
  • you mentioned that "I should note that I can use a non-standard port and then explicitly type that port into the URL, e.g., https://myexample.com:9443." Can you please explain how you were able to do this, because I want to access my website using smth like "https://myexample.com:9443" with SSL included – Ghassan Zein Aug 07 '18 at 14:50

3 Answers

In order to support typing "https://myexample.com" in your browser, and having it handled by the nginx config listening on port 9443, you will need an additional nginx config that still listens on port 443, since that is the IP port to which the browser connects.

Thus:

server {
  listen 443 ssl;
  listen [::]:443 ssl;

  server_name myexample.com www.myexample.com;
  ssl_certificate /etc/letsencrypt/live/myexample.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/myexample.com/privkey.pem;

  # Redirect the browser to our port 9443 config
  return 301 $scheme://myexample.com:9443$request_uri;
}

server {
  listen 9443 ssl;
  listen [::]:9443 ssl;

  server_name myexample.com www.myexample.com;
  ssl_certificate /etc/letsencrypt/live/myexample.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/myexample.com/privkey.pem;
  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

  #Configures the publicly served root directory
  #Configures the index file to be served
  root /var/www/myexample.com;
  index index.html index.htm;
}

Notice that the same certificate/key is needed for both sections, since the certificate is usually tied to the DNS hostname, but not necessarily the port.

Hope this helps!

Castaglia
  • This is the most complete answer, but what I think you're telling me is that in order to redirect to a secure connection automatically, nginx still has to be bound to port 443. Is this the case? That's the problem :-( I have another process bound to that port. – Gojira Jan 23 '17 at 21:47
  • Nginx is a reverse proxy. You can have it listen on 443 and pass requests to the appropriate application. – Tim Jan 23 '17 at 21:48
  • Tim - you're correct. I probably asked a real dumb question but I was hoping there was a way to just "magically" change the SSL port. – Gojira Jan 23 '17 at 21:49
  • @GojiraDeMonstah If you don't want to use port 443, you put your chosen port number in the URL. That is all. – Michael Hampton Jan 23 '17 at 22:16
  • The "ssl" was quite important. I had default_server before and struggled with it for quite some time. – swateek May 14 '18 at 17:18
  • How do I do this if another web server is listening to port 443? – markhorrocks Jun 03 '21 at 11:50
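Following up on the comment thread above (another process already bound to 443): one way to keep a single listener on 443 is to let nginx own that port and pick the backend by server_name, as Tim's comment suggests. This is an added example, not code from the answer; the hostname otherapp.example.com and the backend address 127.0.0.1:8080 (where the other process is assumed to have been moved) are assumptions.

```nginx
# Added example, not part of the answer above. nginx terminates TLS on 443 for
# both hostnames (SNI selects the server block) and either proxies to the
# other application or redirects to the 9443 vhost from the answer.
# Assumptions: the other process now listens only on 127.0.0.1:8080 and is
# reached as otherapp.example.com, with its own Let's Encrypt certificate.

server {
  listen 443 ssl;
  listen [::]:443 ssl;
  server_name otherapp.example.com;          # assumed hostname of the other app

  ssl_certificate     /etc/letsencrypt/live/otherapp.example.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/otherapp.example.com/privkey.pem;

  location / {
    proxy_pass http://127.0.0.1:8080;        # assumed local port of the other app
    # Pass the original host, client address and scheme so the backend can
    # build correct links and log the real client instead of 127.0.0.1
    proxy_set_header Host              $host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
  }
}

server {
  listen 443 ssl;
  listen [::]:443 ssl;
  server_name myexample.com www.myexample.com;

  ssl_certificate     /etc/letsencrypt/live/myexample.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/myexample.com/privkey.pem;

  # Same redirect as in the answer: send the browser to the 9443 server block
  return 301 https://myexample.com:9443$request_uri;
}
```

After `nginx -t` and a reload, `curl -sI https://myexample.com` should return a 301 whose Location header points at https://myexample.com:9443/, while https://otherapp.example.com is answered by the proxied application.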
When you type https://example.com, the standard for the https:// scheme is to connect to port 443. In your case, you have moved your server so that it now listens on port 9443. You get the connection refused message because of this - nothing is listening on port 443.

You will need to arrange to have something listen on port 443 that redirects connections to port 9443 or use a port as part of the URL.

user9517
If you change the port to a non-standard one like 9443, you need to add a redirection from 443 to 9443. Set nginx to reverse proxy to that port.