
I have the config below. However, when a user switches from http to https, the session doesn't stick no more. E.g. the homepage is http but the payment page is https.

How do I solve this?

```
upstream backend {
    ip_hash;
    server <server-1-ip>;
    server <server-2-ip>;
}

upstream backend_ssl {
    ip_hash;
    server <server-1-ip>:443;
    server <server-2-ip>:443;
}

server {
    location / {
        proxy_pass http://backend;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

server {
    listen 443 ssl;
    ssl_certificate /etc/nginx/ssl/mycert.crt;
    ssl_certificate_key /etc/nginx/ssl/mykey.key;
    location / {
        proxy_pass https://backend_ssl;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```
Tuan Anh Tran
  • I'm quite unsure about the problem you're trying to solve. "[...] the session doesn't stick no more. Eg. homepage http but payment page is https [...]": Please elaborate. – gxx May 26 '16 at 06:12
  • E.g. the user goes to the homepage (server1), but when going to the payment page, they are redirected to (server2) – Tuan Anh Tran May 26 '16 at 06:13
  • Because the protocol switches from http to https, I guess. Sorry, can't edit the old comment on mobile – Tuan Anh Tran May 26 '16 at 06:14

1 Answer

Well, I guess, because you're using two upstream groups, the state isn't shared between the two groups. Right now I can't test this further, but here are some ideas of mine:

  • Use one upstream group, inspect the `$scheme`, leverage `map` with a variable to assign the correct ports to the `$scheme` (either http or https), and use this variable in your `server` directive, so this becomes `server <server-1-ip>:$variable`.

  • Use `zone` which "keeps the group’s configuration and run-time state that are shared between worker processes. Several groups may share the same zone."

  • Instead of using `ip_hash`, you could insert a cookie containing the correct backend server (which will be used for all further requests) using `sticky`.

Note: This is not a copy-paste one-size-fits-all answer, but merely some quick ideas of mine. Read the docs, and you'll find a solution. Good luck and all the best!

gxx
  • `zone` directive is unknown. It seems it's not available in open-source version. `sticky` seems to require domains which i'm not aware. it's managed by the upstream. I will try `map`. – Tuan Anh Tran May 26 '16 at 07:47
  • @TuanAnhTran `zone` is in the open source version, but, according to the docs, "This directive appeared in version 1.9.0."; not sure which version you're running right now. "sticky seems to require domains which i'm not aware. it's managed by the upstream.": Don't understand this, please elaborate. – gxx May 26 '16 at 08:02
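
One way to apply the answer's "one upstream group" idea, shown as an added example that is not part of the question or the answer: both listeners proxy to a single `ip_hash` group, so http and https requests from the same client address are mapped by the same group. It assumes the backends serve every route on port 443 and read `X-Forwarded-Proto` to learn the scheme the client used; the `<server-N-ip>` placeholders and certificate paths are the ones from the question.

```nginx
# Added example: a single upstream group shared by the http and https listeners.
# Assumption: both backends accept all application traffic on port 443.
upstream backend {
    ip_hash;                        # one group, one client-address-to-server mapping
    server <server-1-ip>:443;
    server <server-2-ip>:443;
}

server {
    listen 80;                      # plain http from clients (e.g. the homepage)
    listen 443 ssl;                 # https from clients (e.g. the payment page)
    ssl_certificate     /etc/nginx/ssl/mycert.crt;
    ssl_certificate_key /etc/nginx/ssl/mykey.key;

    location / {
        # Same group for both schemes; the proxy-to-backend hop stays on TLS.
        proxy_pass https://backend;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Carries the client-facing scheme (http or https) to the application.
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Check the result with `nginx -t` before reloading. Stickiness here still depends on the client address staying the same between requests.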