When migrating Nginx SSL configurations from default port 443 to custom ports like 9443, developers often face connection refusal errors despite correct certificate setup. This stems from three key technical requirements that must be addressed simultaneously:
1. Proper port binding in Nginx configuration
2. Firewall/security group adjustments
3. Correct HTTP-to-HTTPS redirection logic
Here's the full working configuration for port 9443 with automatic redirection:
```nginx
# /etc/nginx/sites-available/myexample.com
server {
    listen 80;
    listen [::]:80;
    server_name myexample.com www.myexample.com;
    return 301 https://$host:9443$request_uri;
}
server {
    listen 9443 ssl;
    listen [::]:9443 ssl;
    server_name myexample.com www.myexample.com;
    # Security headers
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    # SSL certificates
    ssl_certificate /etc/letsencrypt/live/myexample.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/myexample.com/privkey.pem;
    # SSL protocol configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384...';
    # Root configuration
    root /var/www/myexample.com;
    index index.html index.htm;
}
```
1. Port Accessibility:
Before implementing this config, ensure the port is open:
```bash
sudo ufw allow 9443/tcp
sudo ufw allow 80/tcp
```
2. SELinux Considerations (if applicable):
```bash
semanage port -a -t http_port_t -p tcp 9443
```
3. Testing Configuration:
Always verify config syntax before reloading:
```bash
sudo nginx -t
sudo systemctl reload nginx
```
For production environments using multiple backend servers:
```nginx
upstream backend {
    server 10.0.0.1:9443;
    server 10.0.0.2:9443;
}
server {
    listen 9443 ssl;
    # server_name, ssl_certificate and ssl_certificate_key as in the block above
    location / {
        proxy_pass https://backend;
        # Backend certificates are NOT checked here; for untrusted networks set
        # proxy_ssl_verify on and point proxy_ssl_trusted_certificate at the backend CA
        proxy_ssl_verify off;
    }
}
```
- Verify port listening status: netstat -tulnp | grep 9443
- Check error logs: tail -f /var/log/nginx/error.log
- Test SSL handshake: openssl s_client -connect myexample.com:9443
- Inspect headers: curl -vI https://myexample.com:9443
When running Nginx with SSL on non-standard ports (like 9443), users typically face connection issues when trying to access the site without explicitly specifying the port in the URL. While https://example.com:9443 might work, we want seamless redirection from http://example.com to https://example.com:9443.
Here's the proper way to configure this in Nginx:
```nginx
# HTTP server block for redirection
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;
    # Redirect all HTTP to HTTPS on port 9443
    return 301 https://$host:9443$request_uri;
}
# HTTPS server block on port 9443
server {
    listen 9443 ssl;
    listen [::]:9443 ssl;
    server_name example.com www.example.com;
    # SSL configuration
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    # Security headers
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    # Root configuration
    root /var/www/example.com;
    index index.html index.htm;
    # Other SSL settings (recommended)
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256...';
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
}
```
1. Port Forwarding: Ensure your firewall allows traffic on port 9443:
```bash
sudo ufw allow 9443/tcp
```
2. Certificate Validation: When using Let's Encrypt with non-standard ports, you may need to use DNS validation or temporarily open port 80 for domain validation.
3. HSTS Considerations: The HSTS header will only work if users first visit the site with the port explicitly specified. For full HSTS protection, consider running both standard 443 and your custom port.
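To check that a configuration actually satisfies the three requirements (port-80 redirect to the custom port, a `listen 9443 ssl` block, modern protocols plus an HSTS header that is sent on every response), here is an added linter written for this page, not nginx's own tooling. It uses a constructed sample that mirrors both configurations above; the parser is deliberately minimal (top-level server{} blocks only, nested blocks skipped, `#` comments stripped), which is enough for the layouts shown here.

```python
import re
# Constructed sample mirroring the page's layout: a port-80 redirect block and a port-9443 TLS block.
SAMPLE_CONF = """
server {
    listen 80; listen [::]:80;
    return 301 https://$host:9443$request_uri;
}
server {
    listen 9443 ssl; listen [::]:9443 ssl;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    location / { root /var/www/example.com; }
}
"""
def parse_servers(conf):
    # One {directive: [args, ...]} dict per top-level server{} block; nested blocks are skipped.
    conf, servers = re.sub(r"#.*", "", conf), []             # strip comments first
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, end = 1, m.end()
        while depth:                                          # find the matching '}'
            depth += {"{": 1, "}": -1}.get(conf[end], 0); end += 1
        body = re.sub(r"\w[^{;]*\{[^{}]*\}", "", conf[m.end():end - 1])
        block, stmt, quote = {}, "", None
        for ch in body:
            if ch == ";" and not quote:                       # end of one directive
                parts, stmt = stmt.split(), ""
                if parts: block.setdefault(parts[0], []).append(" ".join(parts[1:]))
            else:
                if ch in "\"'": quote = None if ch == quote else (quote or ch)  # HSTS value has a quoted ';'
                stmt += ch
        servers.append(block)
    return servers
def check_custom_port_setup(conf, port=9443):
    # Returns a list of findings; [] means redirect, TLS listener, protocols and HSTS are all in place.
    findings, servers = [], parse_servers(conf)
    http = [s for s in servers if any(a.split()[0] in ("80", "[::]:80") for a in s.get("listen", []))]
    tls = [s for s in servers if any(a.split()[0].rsplit(":", 1)[-1] == str(port) and "ssl" in a.split() for a in s.get("listen", []))]
    want = f"301 https://$host:{port}$request_uri"
    if want not in [r for s in http for r in s.get("return", [])]:
        findings.append(f"no port-80 block returning '{want}', so plain-HTTP visitors are not redirected")
    if not tls: findings.append(f"no server block has 'listen {port} ssl'")
    for s in tls:
        protos = set(" ".join(s.get("ssl_protocols", [])).split())
        if not protos or protos & {"SSLv3", "TLSv1", "TLSv1.1"}:
            findings.append("ssl_protocols should be restricted to TLSv1.2 TLSv1.3")
        if not any(h.startswith("Strict-Transport-Security") and h.endswith("always") for h in s.get("add_header", [])):
            findings.append("HSTS add_header missing or without 'always' (not sent on error responses)")
    return findings
```

Run `check_custom_port_setup(open("/etc/nginx/sites-available/example.com").read())` against your own file; an empty list means the layout matches the page, anything else names the gap.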
If you must keep port 443 available for other services, you can set up iptables forwarding:
```bash
sudo iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 9443
```
This way, users connecting to standard HTTPS will be transparently forwarded to your custom port at the packet level, with no HTTP redirect involved. Note that a PREROUTING rule only affects connections arriving from the network, not connections made from the host itself, and it must be persisted separately to survive a reboot.
If you still encounter issues:
```bash
# Check Nginx configuration
sudo nginx -t
# Check listening ports
sudo netstat -tulnp | grep nginx
# Test connectivity
curl -v https://example.com:9443
```
Remember that some corporate networks or ISPs might block non-standard ports, which is why using standard 443 is generally recommended when possible.