Nginx
cowan, 2020-05-07 19:52:57

Setting up Nginx proxy SSL?

Hello guys!
I need to configure a proxy to the downstream server, but it does not work.
On the upstream, this is the config:

server {
    listen 443 ssl;
    server_name domain.ru www.domain.ru;

    ssl_certificate     /etc/letsencrypt/live/domain.ru/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.ru/privkey.pem;
    include             /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam         /etc/letsencrypt/ssl-dhparams.pem;

    # Redirect www to non-www
    if ($host = www.domain.ru) {
        return 301 https://domain.ru$request_uri;
    }

    location / {
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
        proxy_pass https://192.168.1.85/;
    }
}

# Redirect http to https and www to non-www

server {
    listen 80;
    server_name domain.ru www.domain.ru;

    if ($host = www.domain.ru) {
        return 301 https://domain.ru$request_uri;
    }

    if ($host = domain.ru) {
        return 301 https://domain.ru$request_uri;
    }

    return 404;
}


It works fine.
Now I have a problem with 2 certificates: one on the upstream server and one on the downstream. How correct is this? In principle, everything works.
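As an added example (not part of the question above), the same upstream block with the one thing the posted config leaves out: nginx does not verify the certificate of an HTTPS backend unless `proxy_ssl_verify` is switched on, so the hop to 192.168.1.85 is encrypted but the proxy would accept any certificate, including one presented by a host that has taken over that address. The Let's Encrypt paths and the backend address are the ones from the question; `/etc/nginx/ssl/backend-ca.pem` and the backend name `mail.internal` are hypothetical and stand for whatever issued, and whatever name is in, the iRedMail certificate.

```nginx
# Added example: front-end nginx terminating TLS for domain.ru and re-encrypting
# to the mail server at 192.168.1.85 WITH verification of the backend certificate.

server {
    listen 443 ssl;
    server_name domain.ru www.domain.ru;

    ssl_certificate     /etc/letsencrypt/live/domain.ru/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.ru/privkey.pem;
    include             /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam         /etc/letsencrypt/ssl-dhparams.pem;

    # www -> non-www; a server-level "if" that only returns is safe to use
    if ($host = www.domain.ru) {
        return 301 https://domain.ru$request_uri;
    }

    location / {
        proxy_pass https://192.168.1.85/;

        # Default is "off": turn verification on and give nginx the issuer
        # of the backend certificate. For a self-signed iRedMail certificate
        # this file is that certificate itself; for an internal CA it is the
        # CA bundle. (Assumed path.)
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_trusted_certificate /etc/nginx/ssl/backend-ca.pem;

        # The backend certificate is issued for a name, not for 192.168.1.85:
        # check that name and also send it as SNI so the backend picks the
        # right certificate. (Assumed name.)
        proxy_ssl_name        mail.internal;
        proxy_ssl_server_name on;
        proxy_ssl_protocols   TLSv1.2 TLSv1.3;

        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Two certificates is the normal shape for this setup: the public one on the front end is what browsers validate, the one on the backend is what nginx validates. After `nginx -t` and a reload, a wrong trust file or name shows up in the error log as an "upstream SSL certificate verify error" and the client sees 502, which is the intended failure mode rather than silently talking to an unverified host.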


2 answer(s)
Viktor Taran, 2020-05-07
@shambler81

In all the manuals on the Internet there is an error about proxying HTTPS traffic to an HTTP backend. This is not correct and will never work 100% validly: on the other side there is JS, AJAX, etc., which do not know and have never heard about the proxy. Because of this, both the back end and the front end must be HTTPS.

Here is the working config:
server {

######################################################################
## Server configuration
######################################################################
    listen *:443 ssl http2;
    server_name 5job.ru www.5job.ru;
    root /var/www/5job.ru/web;

######################################################################
## Enable gzip for proxied requests and static files
######################################################################
    gzip on;
    gzip_proxied any;
    gzip_vary on;
    gzip_http_version 1.1;
    gzip_types application/javascript application/json text/css text/xml;
    gzip_comp_level 4;

######################################################################
## SSL configuration
######################################################################
    # recommended but not mandatory directive (needs the headers-more module);
    # leave commented out unless you know what it is doing
    #more_set_headers 'Strict-Transport-Security: max-age=15768000';

    # "ssl on;" was dropped from the original: the ssl parameter on the listen
    # directive already enables TLS, and nginx 1.25+ rejects the old directive.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1h;
    # TLSv1.1 is deprecated (RFC 8996); current practice is TLSv1.2 and TLSv1.3 only.
    ssl_protocols TLSv1.2 TLSv1.1;
    add_header Strict-Transport-Security "max-age=15768000" always;
    # ssl_stapling_verify also needs ssl_trusted_certificate pointing at the
    # issuer chain; without it nginx cannot validate the stapled OCSP response.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK;
    ssl_certificate /var/www/clients/client26/web28/ssl/5job.ru-le.crt;
    ssl_certificate_key /var/www/clients/client26/web28/ssl/5job.ru-le.key;
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;

######################################################################
## Log configuration
######################################################################
    # All logging is disabled
    error_log /dev/null crit;
    access_log off;

######################################################################
## Error 555: require a password
######################################################################
    # Dev sites are closed behind htpasswd, login:dev pass:dev (second part below)
    error_page 555 = @pass;
    location @pass {
        auth_basic "Unauthorized";
        auth_basic_user_file /var/www/dev_htpasswd;
        proxy_pass https://127.0.0.1:4443;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header HTTPS YES;
    }

######################################################################
## Errors are sent to apache2
######################################################################
    # Apache has a bunch of its own aliases, and some static content is served
    # through PHP, so all errors are handled by apache2 only
    error_page 401 403 404 405 500 502 503 = @fallback;
    location @fallback {
        proxy_pass https://127.0.0.1:4443;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header HTTPS YES;
    }

######################################################################
## Locations configuration
######################################################################
    # Disable logging of "No such file or directory" errors
    ## Disable .htaccess files
    location ~ /\.ht {
        deny all;
        access_log off;
        log_not_found off;
    }
    ##
    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }
    ##
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }
    ##
######################################################################
    # Services on the site: phpmyadmin, mail and letsencrypt
    location /phpmyadmin/ {
        deny all;
        # put a password on phpmyadmin
        # ("return" runs in the rewrite phase, before "deny" is evaluated,
        # so the request goes to @pass and gets basic auth rather than 403)
        return 555;
        root /usr/share/phpmyadmin/;
    }
    ##
    location /webmail/ {
        rewrite ^/(.*)$ https://$http_host:8080/$1 permanent;
    }
    # letsencrypt
    location /.well-known/acme-challenge/ {
        alias /usr/local/ispconfig/interface/acme/;
        default_type text/plain;
    }

    # static content
    # Serve static files directly from nginx
    location ~* ^.+\.(jpg|jpeg|svg|gif|png|ico|css|zip|tgz|gz|rar|bz2|doc|xls|exe|pdf|ppt|txt|tar|mid|midi|wav|bmp|rtf|js|swf|flv|mp3)$ {
        root /var/www/5job.ru/web;
        access_log off;
        expires 30d;
        gzip_static on;
    }

    # default location
    location / {
        index index.php index.html index.htm;
        proxy_pass https://127.0.0.1:4443;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header HTTPS YES;
        ######################################################################
        ## Dev site protection for requests in location /
        ######################################################################
        # So that dev sites are not indexed by search engines, we force
        # passwords on them: everything starting with dev or old, or the ks03 domain
        if ($http_host ~* "^(dev|old|www.old|www.dev)\..*\..{2,8}$") {
            return 555;
        }
        if ($http_host ~* "^.*\.ks03\.ru$") {
            return 555;
        }

        proxy_set_header X-Forwarded-Proto https;
        include /etc/nginx/locations.d/*.conf;
    }
}


Next, repeat the same for http.
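The plain-HTTP side does not need to repeat the whole proxy configuration. As an added example (not from the answer above), here is the port-80 counterpart that serves only the Let's Encrypt challenge and sends everything else to HTTPS, plus a catch-all server so that requests with an unknown Host header are dropped instead of landing in the first configured vhost. The ACME alias path is the one from the answer; `ssl_reject_handshake` assumes nginx 1.19.4 or newer.

```nginx
# Added example: plain-HTTP listener for the site above. Nothing but the
# ACME HTTP-01 challenge is served in clear text; no login form, cookie or
# proxied request ever goes over port 80.

server {
    listen 80;
    listen [::]:80;
    server_name 5job.ru www.5job.ru;

    # Let's Encrypt validation must stay reachable over plain HTTP.
    # "^~" makes this prefix win over the redirect below.
    location ^~ /.well-known/acme-challenge/ {
        alias /usr/local/ispconfig/interface/acme/;
        default_type text/plain;
    }

    # Everything else goes to HTTPS. $host is safe to reflect here because
    # this server only matches the two names in server_name; anything else
    # is caught by the default server below.
    location / {
        return 301 https://$host$request_uri;
    }
}

# Catch-all on both ports for Host headers that match no vhost:
# close the connection (444) on port 80 and refuse the TLS handshake on 443
# rather than answering with whichever site happens to be listed first.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;   # nginx >= 1.19.4; no certificate needed
    return 444;
}
```

With this in place, the HSTS header set in the HTTPS server above means browsers that have visited once will not even attempt the plain-HTTP request again, and the only clear-text traffic left is the ACME validation itself.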

cowan, 2020-05-08
@cowan

Viktor Taran
So I am proxying to the backend via https. The receiving party is iRedMail (192.168.1.85). It generally lives its own life.
The size of the config is frightening, of course; I'll try to figure it out.
And separately I recommend that you change the authorization password for phpmyadmin.
