Nginx
Pavel Samokhvalov, 2015-04-15 19:38:35

How to properly set up a wildcard certificate in nginx and apache?

What I have:
1) a wildcard *.mydomain.ru
2) Server with nginx - front end
Config:

user www-data;
worker_processes 1;
pid /run/nginx.pid;

events {
    worker_connections 1024;
    # multi_accept on;
}

http {

    ##
    # Basic Settings
    ##

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 15;
    types_hash_max_size 2048;
    # server_tokens off;

    proxy_buffers 8 64k;
    proxy_intercept_errors on;
    proxy_connect_timeout 1s;
    proxy_read_timeout 3s;
    proxy_send_timeout 3s;

    error_log /var/log/nginx/error.log;
    access_log /var/log/nginx/access.log;

    # default virtual host
    server {
        listen 80 default;
        server_name localhost;
        deny all;
    }

    server {
        listen 443 ssl;
        server_name sub1.mydomain.ru;

        ssl on;
        ssl_certificate /etc/ssl/certs/mydomain.ru-bundle.crt;
        ssl_certificate_key /etc/ssl/private/mydomain.ru.key;
        index index.php index.html;

        location / {
            proxy_pass https://10.10.100.13:8080/;
            proxy_redirect off;
            proxy_ssl_session_reuse off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
}

3) Server with apache - back end
It seems I have set up proxying from the front end to the back end.
But! First, a 502 Bad Gateway error is returned.
Second, nginx logs shit like this:
25051#0: *1 SSL_do_handshake() failed (SSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol) while SSL handshaking to upstream, client: xxxx server: sub1.mydomain.ru, request: "GET /favicon.ico HTTP/1.1", upstream: " https://10.10.100.13:8080/favicon.ico ", host: "sub1.mydomain.ru "
Point me to where I screwed up, please.
Found a solution
server {
    listen x.x.x.x:443 ssl;
    server_name sub1.mydomain.ru;
    ssl on;
    ssl_certificate /etc/ssl/certs/mydomain.ru-bundle.crt;
    ssl_certificate_key /etc/ssl/private/mydomain.key;

    # Note: SSLv3 and RC4 are obsolete and insecure; a current deployment
    # would allow only TLSv1.2/TLSv1.3 with a modern cipher list.
    ssl_protocols        SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers          RC4:HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    keepalive_timeout    60;
    ssl_session_cache    shared:SSL:10m;
    ssl_session_timeout  10m;
    index index.php index.html;

    location / {
        # The backend speaks plain HTTP, so the upstream scheme is http://
        proxy_pass          http://10.10.100.13:8080;
        proxy_set_header    Host $host;
        proxy_set_header    X-Real-IP $remote_addr;
        proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header    X-Forwarded-Proto $scheme;
        proxy_read_timeout  90;
        proxy_redirect      off;
        # The following directive was what was missing
        add_header          Front-End-Https   on;
        #
    }
}

Marked in the config what was missing to redirect from https to http.
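The 502 and the SSL_do_handshake() "unknown protocol" line above are what nginx reports when it sends a TLS ClientHello to an upstream that only speaks plain HTTP, which is why the working config switches proxy_pass from https:// to http://. Added example, not from the original post: a Python probe that tells the two cases apart, exercised against a constructed plain-HTTP stand-in for the Apache backend (the real upstream 10.10.100.13:8080 is assumed to behave the same way).

```python
import http.server
import socket
import ssl
import threading

def probe_upstream(host, port, timeout=2.0):
    """Return 'https' if the port completes a TLS handshake, 'http' if it
    answers a plain HTTP request instead, and 'unknown' otherwise."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False   # only asking whether TLS is spoken at all
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "https"
    except OSError:
        # ssl.SSLError ("wrong version number" / "unknown protocol") or a
        # timeout: the peer answered the ClientHello with something not TLS.
        pass
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            raw.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            reply = raw.recv(64)
    except OSError:
        return "unknown"
    return "http" if reply.startswith(b"HTTP/") else "unknown"

class _PlainBackend(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for the Apache backend: plain HTTP, no TLS."""
    def handle(self):
        # A TLS ClientHello starts with record type 0x16.  Like any plain-HTTP
        # server, answer it with an HTTP status line, not a ServerHello.
        if self.rfile.peek(1)[:1] == b"\x16":
            self.wfile.write(b"HTTP/1.0 400 Bad Request\r\n\r\n")
            return
        super().handle()

    def do_HEAD(self):
        self.send_response(200)
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo quiet

def start_plain_http_backend():
    """Start the stand-in backend on an ephemeral localhost port."""
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), _PlainBackend)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address
```

Against a real deployment, probe_upstream("10.10.100.13", 8080) returning "http" means proxy_pass must use http://, exactly the change between the two configs in the post.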

2 answers
polozad, 2015-04-16
@polozad

proxy_pass https://10.10.100.13:8080/;
Is the backend actually listening for https on 8080?

Pavel Samokhvalov, 2015-04-16
@Power_ON

No, the backend is http.
