I have an NGINX reverse proxy configured to forward to different ports on the same machine based on the request URL. I have service1 on port 8070 and service2 on port 8071.

This is my nginx config:
    upstream service1 {
        server 127.0.0.1:8070;
    }

    upstream service2 {
        server 127.0.0.1:8071;
    }

    server {
        server_name a.example.com;

        location /foo/ {
            proxy_pass http://service1;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }

        location /bar/ {
            proxy_pass http://service2;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }

        # Both listeners share one server block, so /foo/ and /bar/ are
        # proxied on plain port 80 as well as on 443.
        listen 80; # managed by Certbot
        listen 443 ssl; # managed by Certbot
        ssl_certificate /etc/letsencrypt/live/a.example.com/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/a.example.com/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    }
I need to have port 80 enabled for certbot (Let's Encrypt) to be able to deploy certificates. I'm using the python3-certbot-nginx plugin.

The problem right now with this config is that clients can make http (unencrypted) requests to my services via the proxy.

Is there any way I can disable redirecting http requests and make the location rule only match https requests, so that http requests are not redirected but http is still available for the certbot challenges? If not, is there any other way to have nginx not allow http requests / force https that won't break certbot?
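The usual way to get this is to split the configuration into two server blocks: a plain-HTTP block on port 80 that only serves the ACME challenge path and redirects everything else, and an HTTPS block on port 443 that is the only place the backends are proxied. The following is an added example, not the asker's config or anything generated by certbot; it reuses the upstreams, hostname and certificate paths from the question, and `/var/www/certbot` is an assumed webroot directory.

```nginx
# Added example (not the original poster's config). Upstreams, hostname and
# certificate paths are taken from the question; /var/www/certbot is assumed.

upstream service1 {
    server 127.0.0.1:8070;
}

upstream service2 {
    server 127.0.0.1:8071;
}

# Plain-HTTP server: answers ACME HTTP-01 challenges and nothing else.
# No proxy_pass here, so service1/service2 are never reachable unencrypted.
server {
    listen 80;
    server_name a.example.com;

    # Challenge files for `certbot --webroot -w /var/www/certbot` (assumed path).
    # When the nginx plugin is used instead, certbot inserts its own temporary
    # location for the challenge token into this block; either way the challenge
    # location is more specific than `location /` and wins the match.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/certbot;
        default_type text/plain;
    }

    # The redirect lives in a location, not at server level: a server-level
    # `return` is evaluated before location matching and would also redirect
    # the challenge path, breaking renewals.
    location / {
        return 301 https://$host$request_uri;
    }
}

# HTTPS server: the only block that proxies to the backends.
server {
    listen 443 ssl;
    server_name a.example.com;

    ssl_certificate /etc/letsencrypt/live/a.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/a.example.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location /foo/ {
        proxy_pass http://service1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location /bar/ {
        proxy_pass http://service2;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

After `nginx -t` and a reload, two checks confirm the split behaves as intended: `curl -I http://a.example.com/foo/` should return `301` with a `Location: https://...` header and never reach service1, while `curl -I http://a.example.com/.well-known/acme-challenge/probe` should return a plain `404` from the webroot rather than a redirect, which shows the challenge path escapes the redirect and a `certbot renew --dry-run` can succeed. Note that the proxied `/foo/` and `/bar/` requests now only exist in the 443 block, so there is no http location rule left to match in the first place.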