NGINX : How to configure SSL server + etherpad within subdirectory


You will find below a working NGINX configuration that runs SPIP and also etherpad-lite, with restricted access, in a subdirectory.


Pre-requisite :

OS = Debian > Install NGINX obviously :)


installation of Etherpad-lite \o/

Create a new virtual host (server block) in NGINX

Open a new file under /etc/nginx/sites-available/ with nano or vim

then adapt this config below according to your own domain and items \m/

Note that the location of the etherpad subdirectory is also password-restricted through htpasswd (HTTP basic auth), and you will need to follow this howto to create the password file

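# Plain-HTTP listener that only redirects.
# The server_name line and the redirect target are missing from this listing;
# https://example.org is a placeholder for your own origin (presumably the
# HTTPS site configured further down).
server {
	listen 80;

	# 307 keeps the method and body of a POST, so form data is not lost.
	if ($request_method = POST) {
		return 307 https://example.org$request_uri;
	}

	# Everything else gets a permanent redirect.
	return 301 https://example.org$request_uri;
}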

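# Plain-HTTP listener that sends every request to the HTTPS site.
# No server_name is shown in this listing: give each port-80 block its own
# server_name, otherwise nginx treats them as conflicting and uses only the first.
server {
	listen 80;

	# 307 keeps the method and body of a POST, so form data is not lost.
	if ($request_method = POST) {
		return 307 https://$host$request_uri;
	}

	# $host is taken from the request's Host header; with server_name set,
	# only requests for your own names reach this redirect.
	return 301 https://$host$request_uri;
}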

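# log_format is only valid in the http context, so it is declared outside the
# server block (files in sites-enabled are included from inside http {}).
log_format cache '***$time_local '
                 '$upstream_cache_status '
                 'Cache-Control: $upstream_http_cache_control '
                 'Expires: $upstream_http_expires '
                 '"$request" ($status) '
                 '"$http_user_agent" ';

# HTTPS site: SPIP served through PHP-FPM with a FastCGI cache, plus
# etherpad-lite proxied under /pad behind HTTP basic auth.
# No server_name is shown in this listing; set it to your own domain.
server {
	# "listen 443 ssl" replaces the deprecated "ssl on;" directive.
	listen 443 ssl;

	# The log file name is missing from this listing; SITE_ACCESS_LOG is a placeholder.
	access_log /var/log/nginx/SITE_ACCESS_LOG;
	access_log /var/log/nginx/cache.log cache;
	client_max_body_size 15m;

	root /var/www/spip;
	index index.php index.html index.htm;

	# Certificate and key file names are missing from this listing (placeholders below).
	# Keep the private key readable by root only.
	ssl_certificate /etc/ssl/certs/CERT_FILE_PLACEHOLDER;
	ssl_certificate_key /etc/ssl/private/KEY_FILE_PLACEHOLDER;

	# TLSv1 and TLSv1.1 are deprecated and no longer offered.
	# Append TLSv1.3 where your nginx/OpenSSL build supports it.
	ssl_protocols TLSv1.2;
	ssl_prefer_server_ciphers on;

	# HSTS for 180 days. add_header is inherited by a location only when that
	# location declares no add_header of its own, so it is repeated below.
	add_header Strict-Transport-Security max-age=15552000;

	# SPIP working directories must never be served.
	location ~^/(tmp|config)/ {
		return 403;
	}

	# Static assets: one week of browser caching.
	location ~* \.(jpg|jpeg|gif|css|png|js|ico|swf|mp3|pdf)(/?)$ {
		expires     1w;
		add_header  Cache-Control public;
		# Repeated here because this location's own add_header drops the inherited one.
		add_header  Strict-Transport-Security max-age=15552000;
		rewrite ^/(.*)/$ /$1 last;
		gzip_static on;
		log_not_found off;
	}

	error_page 404 /404.html;

	error_page 500 502 503 504 /50x.html;
	location = /50x.html {
		root /usr/share/nginx/html;
	}

	location / {
		# standard files
		rewrite ^/([^/]*)robots\.txt$    /spip.php?page=robots.txt    last;
		rewrite ^/([^/]*)favicon\.ico$   /spip.php?page=favicon.ico   last;
		rewrite ^/([^/]*)sitemap\.xml$   /spip.php?page=sitemap.xml   last;
		rewrite ^/([^/]*)mobile\.html$   /spip.php?page=mobile_uk     last;

		try_files $uri $uri/ /spip.php?q=$uri&$args;
		gzip_static on;
	}

	location ~ \.php$ {
		# Only hand files that really exist to PHP-FPM, so a path that merely
		# ends in ".php" cannot make PHP interpret some other file.
		try_files $uri =404;

		include fastcgi_params;

		# Where to send the php data
		fastcgi_pass unix:/var/run/php5-fpm.sock;
		fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

		# $ecrire is 1 for the SPIP back office (/ecrire), 0 otherwise.
		set $ecrire 0;
		if ($uri ~ ^/ecrire.*) {
			set $ecrire 1;
		}

		# I want to activate cache.
		# The zone myNGOdotorg must be declared with fastcgi_cache_path (and a
		# fastcgi_cache_key set) in the http context; neither is shown here.
		fastcgi_cache myNGOdotorg;
		fastcgi_cache_valid 302 5m;
		fastcgi_cache_valid 404 0;
		# Logged-in sessions and the back office skip the cache lookup ...
		fastcgi_cache_bypass $cookie_spip_session $ecrire;
		# ... and their responses are not stored either. cache_bypass alone
		# would still save them, where they could be served to other visitors.
		fastcgi_no_cache $cookie_spip_session $ecrire;

		# Since we're caching for 30 minutes, keep the browser away for that time
		expires 30m;
	}

	# Placed at server level: the listing's indentation is ambiguous, but nested
	# inside the PHP location this block could never match "/".
	location ~ ^/$ {
		# We will play with lang. Mapping is done in /etc/nginx/conf.d/lang.conf
		# We do not want to redirect POST because the posted data would be lost.
		if ($request_method = GET) {
			return 307 $scheme://$host/$lang/;
		}
	}

	# etherpadlite section on port 9001 with nginx proxy
	# The basic-auth gate only protects requests that come through nginx: make
	# sure Etherpad itself listens on 127.0.0.1 only (the "ip" setting in its
	# settings.json) or that port 9001 is firewalled.
	location ^~ /pad {
		auth_basic            "Restricted";
		auth_basic_user_file  /var/www/etherpad-lite/.htpasswd;

		# Strip the /pad prefix before proxying; a bare /pad is redirected to /pad/.
		rewrite ^/pad/(.*) /$1 break;
		rewrite ^/pad$ /pad/ permanent;

		proxy_pass http://localhost:9001/;
		proxy_redirect / /pad/;
		proxy_buffering off;

		proxy_set_header Host $host;
		proxy_set_header X-Real-IP $remote_addr;

		# WebSocket upgrade needs HTTP/1.1 towards the backend.
		# $connection_upgrade comes from the map block in the http context.
		proxy_http_version 1.1;
		proxy_set_header Upgrade $http_upgrade;
		proxy_set_header Connection $connection_upgrade;
	}
}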


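		# we're in the http context here: a map block cannot sit inside server {}
		# Sets $connection_upgrade to "upgrade" when the client sent an Upgrade
		# header and to "close" when it did not (used by the /pad proxy).
		map $http_upgrade $connection_upgrade {
		  default upgrade;
		  ''      close;
		}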

then activate by creating symlink to  /etc/nginx/sites-enabled/

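# The file name is missing from the listing; YOUR_SITE_FILE is a placeholder
# for the file created under sites-available.
ln -s /etc/nginx/sites-available/YOUR_SITE_FILE /etc/nginx/sites-enabled/
# Check the configuration first so a syntax error never reaches the running server.
nginx -t && service nginx reload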

