
How to configure Nginx and Node to use SSL?

I'm trying to deploy a Node app for the first time, and I have some doubts regarding ssl configuration as this is not my area of expertise.

I'm using Sequelize to connect to a managed postgres db and every time I try to make a request, I get a "Self signed certificate in certificate chain" error. This is my Sequelize connection function:

const sequelize = new Sequelize({
  database: process.env.DB_NAME,
  username: process.env.DB_USERNAME,
  password: process.env.DB_PASSWORD,
  host: process.env.DB_HOST,
  port: process.env.DB_PORT,
  dialect: "postgres",
  dialectOptions: {
    ssl: true
  }
});

I searched for this problem, and I found 2 possible solutions: 1) include the certificate in the connection options, or 2) add NODE_TLS_REJECT_UNAUTHORIZED=0 as an env variable. Regarding the first solution, I have yet to find an example on how to do this using Sequelize and the documentation doesn't even mention this. With the 2nd solution it works just fine, but I understand that it shouldn't be used in a production environment as it disables Node SSL verification.

However, I'm also using Nginx as a reverse proxy and installed a LetsEncrypt SSL cert using certbot, which automatically configured my nginx server block to use SSL verification. This is my Nginx config:

server {
  location / {
    proxy_pass http://localhost:3000;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection 'upgrade';
    proxy_set_header Host $host;
    proxy_cache_bypass $http_upgrade;
  }
  listen [::]:443 ssl ipv6only=on; # managed by Certbot
  listen 443 ssl; # managed by Certbot
  ssl_certificate /etc/letsencrypt/live/{mydomain}/fullchain.pem; # managed by Certbot
  ssl_certificate_key /etc/letsencrypt/live/{mydomain}/privkey.pem; # managed by Certbot
  include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
  ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

If I understand correctly, since nginx is already taking care of the SSL validation, I suppose it's okay to do the 2nd solution since Nginx simply "redirects" requests to my Node app running on localhost:3000 via http after taking care of the SSL part. Am I right about this assumption? If not, what is the correct way to configure Sequelize to include the cert and avoid the "Self signed certificate in certificate chain" error?

I don't think this specific question was asked before, and I'm sorry if some of these questions seem "obvious", it's my first time doing this. Thanks for your help.

I have several servers in Node.js, and I never used them for https. All ssl-related stuff I delegated to nginx, exactly like you did, though a bit simpler.

Your guess is correct. Nginx passes all requests to your server in plain text and wraps all responses into TLS records. It works pretty fast, and certbot manages all my certificates. What a relief ;)

My typical config looks like this:

server {
  listen 443 ssl;
  listen [::]:443 ssl;
  server_name your.server.domain;

  location / {
    proxy_set_header Host      $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_pass                 http://localhost:3000/;
  }

  ssl_certificate /etc/letsencrypt/live/your.server.domain/fullchain.pem; # managed by Certbot
  ssl_certificate_key /etc/letsencrypt/live/your.server.domain/privkey.pem; # managed by Certbot
}

# Redirect from HTTP to HTTPS for all servers
server {
  listen 80;
  listen [::]:80;
  return 301 https://$host$request_uri;
}
