Nginx
AnGel, 2016-12-11 02:01:29

How to complete proxying on nginx with ssl?

Well, let's get started :)
There are 2 servers, the main one and for requesting traffic. I installed the VestaCP control panel on both to quickly set everything up and not bother.
I successfully made http traffic proxying, but I have an ssl certificate on the site and everything flies. I will not show the site and IP addresses, as I am worried about my resource.
site_name - site name
Serv1 - main server
Serv2 - proxy server
mIP1 - main server IP
mIP2 - proxy server IP
Serv2 config:

server {
    listen      mIP2:443;
    server_name site_name  www.site_name;
    root        /home/admin/web/site_name/public_html;
    index       index.php index.html index.htm;
    access_log  /var/log/nginx/domains/site_name.log combined;
    access_log  /var/log/nginx/domains/site_name.bytes bytes;
    error_log   /var/log/nginx/domains/site_name.com.error.log error;

    ssl         on;
    ssl_certificate      /home/admin/conf/web/ssl.site_name.pem;
    ssl_certificate_key  /home/admin/conf/web/ssl.site_name.key;

    location / {
    proxy_pass https://mIP1:443;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header realip $remote_addr;
    try_files $uri $uri/ /index.php?$uri&$args;
        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
            expires     max;
        }

        location ~ [^/]\.php(/|$) {
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            if (!-f $document_root$fastcgi_script_name) {
                return  404;
            }

            fastcgi_pass    127.0.0.1:9001;
            fastcgi_index   index.php;
            include         /etc/nginx/fastcgi_params;
        }
    }
}

Serv1 config:
server {
    listen      mIP1:443;
    server_name site_name  www.site_name ;
#	if ($http_user_agent ~* (WordPress/4)) {
#	return 444;
#	}
#	if ($server_protocol = "HTTP/1.0") {
#	return 444;
#	}
#	if ($http_user_agent = "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0") {
#	return 444;
#	}
#	if ($http_user_agent ~* (2743.116|2311.135|2704.103)) {
#	return 444; }
    root        /home/admin/web/site_name/public_html;
    index       index.php index.html index.htm;
    access_log  /var/log/nginx/domains/site_name.log combined;
    access_log  /var/log/nginx/domains/site_name.bytes bytes;
    error_log   /var/log/nginx/domains/site_name.error.log error;

    ssl         on;
    ssl_certificate      /home/admin/conf/web/ssl.site_name.pem;
    ssl_certificate_key  /home/admin/conf/web/ssl.site_name.key;

    location / {
    # Trust X-Forwarded-For only when the connection comes from the proxy (Serv2)
    set_real_ip_from mIP2;
    real_ip_header X-Forwarded-For;
    real_ip_recursive on;
    try_files $uri $uri/ /index.php?$uri&$args;
        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
            expires     max;
        }

        location ~ [^/]\.php(/|$) {
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            if (!-f $document_root$fastcgi_script_name) {
                return  404;
            }

            fastcgi_pass    127.0.0.1:9004;
            fastcgi_index   index.php;
            include         /etc/nginx/fastcgi_params;
        }
    }
}

Ignore the commented lines.
Above I have provided configs from both servers named snginx.conf. In the same folder there is nginx.conf, there is a redirect to ssl.
rewrite ^ https://site_name/$request_uri? permanent;
  if ($host != site_name) {
    rewrite ^(.*) https://site_name/$request_uri? permanent;
    }

As you can see - nothing interesting. There were no more edits.
In both panels (on both servers) I connected the ssl certificate.
I repeat: how can I make sure that the styling of the site does not go? I am sure on 29999*n that the problem is in the ssl proxy. I think that both servers communicate with each other via http((
A small screenshot of a separate part of the site, so that there is a visual understanding.
Answers to questions that may arise.
What is proxying for? To protect against DDoS attacks on L4. This DC has similar protection up to 750Gb, and the main server is located in another DC, which does not filter traffic in any way and is put on two times when the attack exceeds 1Gbit (I have such a channel).
Other proxy services are not suitable, I'm my own boss :)
P.S. Tunnels are prohibited at the DC. I did not check it myself and there is no desire to, because I started to develop this topic.


2 answer(s)
Dmitry, 2016-12-11
@prolis

Press F12 on the browser page; you will see that the styles did not load, because they are registered via http. Look for the place where it is hardcoded in the engine and change http to //, as mentioned above.
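
Added example, not part of the answer above or of the site's engine: a small checker for the condition this answer describes. It scans a page's HTML for subresources referenced via http:// and shows each one rewritten to the protocol-relative // form. The sample page and all function names are constructed for illustration; site_name is the placeholder from the question.

```python
from html.parser import HTMLParser

# Tags whose URL attribute is fetched while rendering the page.
# Stylesheets, scripts and frames are "active": browsers block them when an
# HTTPS page requests them over http://. Images and media are "passive".
ACTIVE = {"link": "href", "script": "src", "iframe": "src"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}


class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, kind, url)

    def handle_starttag(self, tag, attrs):
        attr = ACTIVE.get(tag) or PASSIVE.get(tag)
        if attr is None:
            return  # e.g. <a href>: a navigation link, not a subresource
        values = {k: (v or "") for k, v in attrs}
        if tag == "link" and "stylesheet" not in values.get("rel", "").lower().split():
            return  # only stylesheet links are checked; rel=canonical is not a fetch
        url = values.get(attr, "").strip()
        if url.lower().startswith("http://"):
            kind = "active" if tag in ACTIVE else "passive"
            self.findings.append((self.getpos()[0], tag, kind, url))


def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


def to_protocol_relative(url):
    """Apply the fix from the answer: http://host/path -> //host/path."""
    return url[len("http:"):]


# Constructed sample page (not taken from the asker's site).
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://site_name/css/style.css">
<link rel="canonical" href="http://site_name/">
<script src="//site_name/js/app.js"></script>
<script src="HTTP://site_name/js/old.js"></script>
</head><body>
<a href="http://site_name/about">About</a>
<img src="http://site_name/img/logo.png">
</body></html>"""

if __name__ == "__main__":
    for line, tag, kind, url in find_mixed_content(SAMPLE_HTML):
        print(f"line {line}: <{tag}> {kind} {url} -> {to_protocol_relative(url)}")
```

Run it against the HTML as served through the proxy over https; any "active" finding is a stylesheet or script the browser will refuse to load.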

Peter, 2016-12-11
@petermzg

Maybe, of course, I don’t understand something in the nginx settings, but why leave SSL traffic from the Serv2 proxy server?
SSL is all the same a load on the server, and if Serv1 does not accept direct connections, then why send encrypted traffic to it?
