nginx refusing SSL connection on cPanel server

Clifford asked:

I have nginx 4.4 installed on a cPanel server (via nginx admin plugin) as a proxy to Apache. I used to have nginx listening on ports 80 and 443 on a dedicated IP address without any problems but recently, nginx keeps refusing connection on 443 without any configuration changes. On Apache however, SSL is working fine. My objective is to have nginx redirect all the website traffic to HTTPS and proxy-pass to Apache (and cache when necessary) at HTTP port 8081.

When I put nginx on 443, web-sniffer is telling me this :

Connect to 192.190.83.81 on port 443 ... failed

Error 111: Connection refused

My nginx.conf files are shown below. Appreciate if you can help point out anything that I may have done wrong as I have really little experience with nginx.

My nginx.conf

user  nobody;
worker_processes  8;
error_log  /var/log/nginx/error.log info;
worker_rlimit_nofile 8192;
events {
    worker_connections 2048;
    use epoll;
}

http {
    open_file_cache max=30000 inactive=20s; 
    open_file_cache_valid 30s; 
    open_file_cache_min_uses 2;
    open_file_cache_errors on;
    access_log off;

    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 10m;
    server_name_in_redirect off;
    server_names_hash_max_size 10240;
    server_names_hash_bucket_size 1024;
    include    mime.types;
    default_type  application/octet-stream;

    server_tokens off;
    sendfile on;
    keepalive_timeout 5;
    tcp_nopush on;
    tcp_nodelay on;
    gzip on;
    gzip_vary on;
    gzip_disable "MSIE [1-6].";
    gzip_proxied any;
    gzip_http_version 1.1;
    gzip_min_length  1000;
    gzip_comp_level  6;
    gzip_buffers  16 8k;
    gzip_types    text/plain text/xml text/css application/x-javascript application/xml  application/xml+rss text/javascript application/atom+xml;
    ignore_invalid_headers on;
    client_header_timeout  3m;
    client_body_timeout 3m;
    send_timeout     3m;
    reset_timedout_connection on;
    connection_pool_size  256;
    client_header_buffer_size 256k;
    large_client_header_buffers 4 256k;
    client_max_body_size 200M; 
    client_body_buffer_size 128k;
    request_pool_size  32k;
    output_buffers   4 32k;
    postpone_output  1460;
    client_body_in_file_only on;
    log_format bytes_log "$msec $bytes_sent .";

    proxy_cache_path /etc/nginx/nginx_cache levels=1:2
    keys_zone=main:128m
    max_size=2g inactive=1d;
    proxy_temp_path  /tmp/nginx_proxy/;
    include "/etc/nginx/vhosts/*";
}

My vhost.conf file

server {
    listen www.mydomain.com:80;
    server_name www.mydomain.com;  
    rewrite ^ https://mydomain.com$request_uri? permanent;
}
server {
    listen mydomain.com:80;
    server_name mydomain.com;  
    rewrite ^ https://mydomain.com$request_uri? permanent;
}
server {
    listen www.mydomain.com:443;
    ssl on;
    server_name www.mydomain.com;  
    ssl_certificate      /etc/nginx/ssl/www_mydomain_com_chained.crt;
    ssl_certificate_key  /etc/nginx/ssl/www_mydomain_com.key;
    rewrite ^ https://mydomain.com$request_uri? permanent;
}
server {
    listen mydomain.com:443;
    ssl on;
    server_name mydomain.com;
    root /home/chicky/public_html/mydomain.com;
    ssl_certificate      /etc/nginx/ssl/mydomain_certificate.crt;
    ssl_certificate_key  /etc/nginx/ssl/mydomain_RSAkey.key;
    ssl_protocols        SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers RC4:HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    keepalive_timeout    60;

    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    set $cache_keyssl $scheme$host$uri$is_args$args;

    location ~* ^/api/ {
    proxy_pass http://mydomain.com:8081;
    proxy_cache main;
    proxy_cache_key $cache_keyssl;
    proxy_cache_valid 1d; # 200, 301 and 302 will be cached.
    proxy_cache_use_stale error
        timeout
        invalid_header
        http_500
        http_502
        http_504
        http_404;
    }
    location ~* ^/imgp {
        proxy_pass http://mydomain.com:8081;
        proxy_cache main;
        proxy_cache_key $cache_keyssl;
        proxy_cache_valid 10d; # 200, 301 and 302 will be cached.
    }
    location = / {
        proxy_pass http://mydomain.com:8081;
        proxy_cache main;
        proxy_cache_key $cache_keyssl;
        proxy_cache_valid 1h; # 200, 301 and 302 will be cached.
    }
    location / {
        location ~.*.(3gp|gif|jpg|jpeg|png|ico|wmv|avi|asf|asx|mpg|mpeg|mp4|pls|mp3|mid|wav|swf|flv|html|htm|txt|js|css|exe|zip|tar|rar|gz|tgz|bz2|uha|7z|doc|docx|xls|xlsx|pdf|iso)$ {
            expires 1d;
            try_files $uri @backend;
        }

        error_page 405 = @backend;
        proxy_pass http://mydomain.com:8081;
        include proxy.inc;
    }
    location @backend {
        internal;
        proxy_pass http://mydomain.com:8081;
        include proxy.inc;
    }
    location ~ .*.(php|jsp|cgi|pl|py)?$ {
        proxy_pass http://mydomain.com:8081;
        include proxy.inc;
    }
    location ~ /.ht {
        deny all;
    }
}

I answered:

Don’t use hostnames in your listen directives. This causes unnecessary DNS lookups and can result in nginx binding to the wrong IP address if, for instance, the DNS entries are wrong or you have overriding entries in the /etc/hosts file, or perhaps other reasons I can’t think of right now.

listen 192.0.2.37:443 is sufficient.
listen 443 is better. This will bind to all IPv4 interfaces and enable you to use SNI.
listen [::]:443 ipv6only=off is best. This gives you IPv6 support as well. Even if you don’t have IPv6 now, it means you won’t have to change your nginx configuration when you do get it.


View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.