PHP
nepster-web, 2017-07-31 12:39:16

How to properly proxy with https?

There is a certain server on which there is nginx as the server.
There is a docker that is running on this server and keeps the application on the internal network, for example: http://192.167.117.1:8080.
The task is to proxy from the main nginx to the internal network using https.
The problem was solved like this:

server {
    server_name  www.example.com;
    rewrite ^(.*) https://example.com$1 permanent;
}

server {
       listen         80;
       server_name    example.com;
       return         301 https://$server_name$request_uri;
}

server {

    server_name *.example.com example.com;

    listen   443;

    ssl    on;
    ssl_certificate    /var/www/example.com/ssl/ssl-bundle.crt;
    ssl_certificate_key    /var/www/example.com/ssl/example.com.key;

    # side note: only use TLS since SSLv2 and SSLv3 have had recent vulnerabilities
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    # 301 redirect from pages with a trailing slash to pages without a trailing slash in the URL
    rewrite ^/(.*)/$ /$1 permanent;

    charset utf-8;
    client_max_body_size 128M;

    gzip  on;

    # Minimum response length, in bytes, at which the module will compress
    gzip_min_length  1000;

    # Allow compression for all proxied requests
    gzip_proxied     any;

    # MIME types that need to be compressed
    gzip_disable "msie6";

    # Compress all output labeled with one of the following MIME-types.
    gzip_types
      application/atom+xml
      application/javascript
      application/json
      application/rss+xml
      application/vnd.ms-fontobject
      application/x-font-ttf
      application/x-web-app-manifest+json
      application/xhtml+xml
      application/xml
      font/opentype
      image/svg+xml
      image/x-icon
      text/xml
      text/css
      text/plain
      text/javascript
      text/x-component;

    # Disables gzip compression of the response for IE6  (old variant of gzip_di$
    gzip_disable "MSIE [1-6]\.(?!.*SV1)";

    # gzip compression level
    gzip_comp_level  6;


    location / {
        proxy_pass       http://192.167.117.1:8080;
        proxy_set_header Host 192.167.117.1:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $host;
        proxy_redirect off;
        proxy_buffering off;
        break;
    }

    location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|txt|rtf|css|js)$ {
        expires max;
        add_header Pragma public;
       #add_header Cache-Control "public, must-revalidate, proxy-revalidate";
        proxy_pass http://192.167.117.1:8080;
    }

}

However, the application inside the docker does not understand that it works via https, can you please tell me how this can be configured?


1 answer(s)
Lynn "Coffee Man", 2017-07-31
@nepster-web

Depends on the application.
Usually this information is conveyed using headers, for example,
proxy_set_header X-Forwarded-Proto https; or proxy_set_header X-HTTPS yes; or something similar.
It can also be configured somewhere in the application itself.
In general, see the documentation for your application/framework.
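
An added example, not part of the answer above and not taken from any framework: one way a PHP application behind this nginx could read X-Forwarded-Proto while honouring it only when the connection comes from the proxy, since nginx forwards client-supplied request headers unless proxy_set_header overwrites them. The function names and the 172.17.0.0/16 proxy range are assumptions for illustration.

```php
<?php
// Added example: trust X-Forwarded-Proto only when the TCP peer is the proxy.
// Assumes nginx sets "proxy_set_header X-Forwarded-Proto https;" as in the answer.

/** True if $ip lies inside $cidr (IPv4 or IPv6, e.g. "172.17.0.0/16"). */
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
    $ipBin  = @inet_pton($ip);
    $netBin = @inet_pton($net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false; // unparsable address or mixed address families
    }
    $max  = strlen($ipBin) * 8;
    $bits = $bits === null ? $max : (ctype_digit($bits) ? (int) $bits : -1);
    if ($bits < 0 || $bits > $max) {
        return false; // malformed prefix length
    }
    $full = intdiv($bits, 8); // whole bytes covered by the prefix
    if (strncmp($ipBin, $netBin, $full) !== 0) {
        return false;
    }
    $rest = $bits % 8;        // remaining bits in the next byte
    $mask = (0xFF << (8 - $rest)) & 0xFF;
    return $rest === 0 || ((ord($ipBin[$full]) ^ ord($netBin[$full])) & $mask) === 0;
}

/** Scheme the client used, decided from $_SERVER-style data. */
function request_scheme(array $server, array $trustedProxies): string
{
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return 'https'; // PHP's own web server terminated TLS
    }
    foreach ($trustedProxies as $cidr) {
        if (ip_in_cidr($server['REMOTE_ADDR'] ?? '', $cidr)) {
            $proto = strtolower(trim($server['HTTP_X_FORWARDED_PROTO'] ?? ''));
            return $proto === 'https' ? 'https' : 'http';
        }
    }
    return 'http'; // header sent by an untrusted peer is ignored
}

// Constructed sample requests; 172.17.0.0/16 is an assumed proxy source range.
$trusted = ['172.17.0.0/16'];
var_dump(request_scheme(['REMOTE_ADDR' => '172.17.0.5', 'HTTP_X_FORWARDED_PROTO' => 'https'], $trusted));
var_dump(request_scheme(['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_PROTO' => 'https'], $trusted));
```

In a real application pass $_SERVER as the first argument and list the address or range nginx actually connects from.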
