6

So I would like to proxy_pass requests to an https backend server; however, every time I try to reload the nginx server with an https:// configured backend, I get the following error:

nginx: [emerg] https protocol requires SSL support

This is the nginx config

    server {
        listen 8080;

        root /opt/nginx_1.17.0/nginx_ok/html;
        server_name www.frontedndomain.com;

        index index.php index.html;

        location /health-monitor/ {
            add_header Custom-Header test;
        }

        location ~* ^\/([a-z][a-z]\/)?abc\/?(.*)? {
            error_log /opt/nginx_1.17.0/nginx_ok/logs/proxy_error.log;
            add_header X-query-string $is_args$query_string;
            resolver 0.0.0.0;
            resolver_timeout 15s;
            proxy_pass https://backenddomain.com;
            proxy_ssl on;
            proxy_http_version 1.1;
            proxy_set_header Accept-Encoding "";
            proxy_set_header Cache-Control no-cache;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection 'upgrade';
            proxy_set_header X-Real-IP $remote_addr;
            subs_filter_types *;
        }
    }

Originally I've built nginx from source and this is the output of nginx -V:

nginx version: nginx/1.16.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-36) (GCC)
configure arguments: --prefix=/opt/nginx_1.17.0/nginx_ok/ --sbin-path=/opt/nginx_1.17.0/nginx_ok/sbin/nginx --with-openssl=/opt/nginx_1.17.0/openssl-1.1.1c/ --add-module=/opt/nginx_1.17.0/ngx_http_substitutions_filter_module/ --with-zlib=/opt/nginx_1.17.0/zlib-1.2.11/

Can someone please outline what I'm missing from this config please. I would like to also forward a query string to the backend.

joebegborg07

3 Answers

11

The issue was resolved by adding the following directive

proxy_ssl_server_name on;

This allowed for the request to be handled by the server specified in the certificate's SNI at the upstream endpoint.

joebegborg07
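
A hardened form of the proxied location from the question, as an added example that is not part of the original answer: `proxy_ssl_server_name on;` only makes nginx send SNI, and the upstream certificate is not checked unless `proxy_ssl_verify` is enabled. The CA bundle path is an assumption (RHEL/CentOS default location), and `proxy_pass https://` together with every `proxy_ssl_*` directive requires a build with `--with-http_ssl_module`, which does not appear in the `nginx -V` output shown in the question.

```nginx
# Added example: assumes nginx was built with --with-http_ssl_module.
# Hostnames and the location regex are taken from the question; the
# CA bundle path is an assumption and must match the local system.
server {
    listen 8080;
    server_name www.frontedndomain.com;

    location ~* ^\/([a-z][a-z]\/)?abc\/?(.*)? {
        # No URI part after the host: the original path and query
        # string are forwarded to the backend unchanged.
        proxy_pass https://backenddomain.com;

        # Weak form: SNI is sent, but proxy_ssl_verify defaults to off,
        # so any certificate the upstream presents is accepted.
        #   proxy_ssl_server_name on;

        # Hardened form: send SNI and verify the chain and the name.
        proxy_ssl_server_name on;
        proxy_ssl_name backenddomain.com;   # name sent in SNI and checked against the certificate
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;           # allows one intermediate CA
        proxy_ssl_trusted_certificate /etc/pki/tls/certs/ca-bundle.crt;
        proxy_ssl_protocols TLSv1.2 TLSv1.3;

        proxy_http_version 1.1;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
```

With verification on, a certificate that does not chain to the trusted bundle or does not match `proxy_ssl_name` makes the upstream handshake fail, and nginx returns 502 to the client and records the reason in the error log.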
1

I had the same problem because my DNS host provider has https and I don't need to encrypt my connection 2 times, as it would be slower.

It worked for me as follows:

  upstream backend {
        server node_socket1:3000 weight=10 max_fails=3 fail_timeout=30s;
        server node_socket2:3000 weight=10 max_fails=3 fail_timeout=30s;
  }

  server {
        listen 80;
        server_name 0.0.0.0;
        root  /var/www/public;

        location / {
              try_files $uri $uri/ https://backend;
        }

        location /socket.io/ {
              proxy_http_version    1.1;
              proxy_redirect        off;
              proxy_set_header      Upgrade $http_upgrade;
              proxy_set_header      Connection "upgrade";
              proxy_set_header      Host $host;
              proxy_set_header      X-Real-IP        $remote_addr;
              proxy_set_header      X-Forwarded-For  $proxy_add_x_forwarded_for;
              proxy_set_header      X-NginX-Proxy    true;
              proxy_pass            https://backend/socket.io/;
        }
  }
1

You are listening on port 8080 with no SSL (http) and trying to proxy to an SSL enabled host on port 443 (https). If this worked it would essentially make encryption pointless as it would be encrypted only on your end and not while the packets are in transit to your client. The solution is to make sure you have certificates installed and ssl enabled for the port in question and that any proxy_pass does not forward from non-ssl enabled ports to ssl enabled ones.

  • I understand your point and it's very valid, only in this case this reverse proxy is sitting behind a load balancer with SSL being terminated there. I will try changing the proxy to listen on port 443 and bind SSLs to check if it works, but still would rather have the reverse proxy listening on http port and proxying requests to an HTTPS backend. – joebegborg07 Aug 13 '19 at 07:39