22

we have: Ubuntu 16.04
nginx 1.10.3

I am new to nginx and need help with proxy_pass to https.
We have clients on the internet that call a URL, for example:

https://testapp.mobios.example.com

I want to pass this traffic to my server with the IP address 192.168.0.10. On this server I have SSL enabled, listening on port 9443.

We want to use nginx as a reverse proxy. My nginx config looks like this:

server {
  listen 443;
  server_name testapp.mobios.example.com;

  location / {
    proxy_pass https://192.168.0.10:9443;
  }
}

If the clients try to contact the SSL server with https://testapp.mobios.example.com they get nothing.

What I need is just to pass https to https. Is SNI a problem here?

Any idea? Please help ayyoladi

mobios
  • 353
  • 1
  • 2
  • 7
  • 1
    [This article](https://reinout.vanrees.org/weblog/2017/05/02/https-behind-proxy.html) seems relevant here. – x-yuri Jul 16 '21 at 01:56

3 Answers

8

Not directly the same, but a similar question brought me here.

Load balancing to HTTPS:

Client <- HTTPS -> (decrypt) Load balancer (encrypt) <- HTTPS -> Server

Generally thisisayush's answer (http://reinout.vanrees.org/weblog/2017/05/02/https-behind-proxy.html) is very good and it partially solves my problem, but adding load balancing makes it a bit more difficult to google.

When you make the upstream list you must remember to add the 443 port.

NOT WORKING:

upstream myapp2 {
  server 10.0.1.1;
}

WORKING:

upstream myapp2 {
  server 10.0.1.1:443;
}

Even if you use the https protocol in the location (which I expected to point to 443 by default):

location / {
  proxy_pass https://myapp2;
}

Full example:

http {
  upstream myapp2 {
    server 10.0.1.1:443;
  }

  server {
    listen 443;

    ssl_certificate     /etc/nginx/cert.crt;
    ssl_certificate_key /etc/nginx/cert.key;

    ssl on;

    location / {
      proxy_pass https://myapp2;
    }
  }
}

The answer is based on the documentation, which I eventually found with the help of thisisayush's comment:

https://docs.nginx.com/nginx/admin-guide/security-controls/securing-http-traffic-upstream/#complete-example

Łukasz Kotyński
  • 1,007
  • 1
  • 9
  • 10
  • I may be having the same problem. In my case, I have an Nginx server with TLS that proxies requests to a Gunicorn server with TLS as well. Gunicorn is listening on port 8080 and Nginx is listening (to the Internet) on port 443. From that doc you linked, would you say I need to change the port where Gunicorn is listening from 8080 to 443 and then update the upstream in my Nginx? – Jaume Sabater Dec 14 '22 at 07:51
  • Hello Jaume. In my opinion, it does not matter what your Gunicorn port is - as long as 8080 is an HTTPS port and not HTTP. But have in mind that often 8080 is the default development HTTP (without S) port. And 8443 is sometimes the default development HTTPS (but probably it needs to be enabled and a Certificate needs to be added!). On the other hand, if you run Nginx and Gunicorn on the same machine you NEED different ports - so choosing 443 on Gunicorn will either break Gunicorn or Nginx startup. – Łukasz Kotyński Dec 15 '22 at 08:16
  • 1
    Thanks for your kind reply, Lukasz. I can confirm Gunicorn with TLS works just fine on port 8080 and any problems with Nginx I had were bugs of Nginx related to HTTP2 and had nothing to do with Gunicorn. – Jaume Sabater Dec 17 '22 at 07:25
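The configuration in this answer encrypts the upstream leg but never checks who is on the other end: with `proxy_pass https://myapp2;` nginx accepts whatever certificate the backend presents, and the name it would use for SNI and verification defaults to the host part of the proxy_pass URL, which here is the upstream group name `myapp2`. The following is an added example, not the answer's or the nginx documentation's own config; it assumes two backends 10.0.1.1 and 10.0.1.2 serving HTTPS on 443 with a certificate for backend.example.com issued by the CA bundled in /etc/nginx/upstream-ca.pem, and a public name app.example.com (all of these names and paths are made up for the example). Every directive used exists in nginx 1.10.

```nginx
# Added example: HTTPS -> nginx -> HTTPS load balancing with the backend
# certificate actually verified. Hostnames, IPs and paths are assumptions.
http {
    upstream myapp2 {
        # The port is mandatory here: "https://" in proxy_pass does not imply 443.
        server 10.0.1.1:443;
        server 10.0.1.2:443;
    }

    server {
        listen 443 ssl;            # replaces the deprecated "ssl on;"
        listen [::]:443 ssl;
        server_name app.example.com;

        ssl_certificate     /etc/nginx/cert.crt;
        ssl_certificate_key /etc/nginx/cert.key;
        ssl_protocols       TLSv1.2;

        location / {
            proxy_pass https://myapp2;

            # Authenticate the backend. Without these lines the upstream leg is
            # encrypted but any server reachable on 10.0.1.x:443 is accepted.
            proxy_ssl_verify              on;
            proxy_ssl_verify_depth        2;
            proxy_ssl_trusted_certificate /etc/nginx/upstream-ca.pem;

            # Name checked against the backend certificate and sent as SNI.
            # The default would be "myapp2", the upstream group name, which
            # never matches a real certificate.
            proxy_ssl_name        backend.example.com;
            proxy_ssl_server_name on;
            proxy_ssl_protocols   TLSv1.2;

            # Host header the backend sees. Sending the backend's own name keeps
            # a strict backend vhost happy; the public name and client address
            # travel in X-Forwarded-* headers instead.
            proxy_set_header Host              backend.example.com;
            proxy_set_header X-Forwarded-Host  $host;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
        }
    }
}
```

Test with `nginx -t` and then a request through the proxy; if the backend certificate does not match `proxy_ssl_name` or is not signed by the trusted bundle, nginx returns 502 and logs `upstream SSL certificate verify error` in the error log, which is the failure you want rather than a silently accepted impostor.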
8
server {
    listen 80;
    server_name website.domain.com;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name website.domain.com;

    # Size archive
    client_max_body_size 50M;

    ssl_certificate          /etc/letsencrypt/live/mydomain/fullchain.pem;
    ssl_certificate_key      /etc/letsencrypt/live/mydomain/privkey.pem;
    ssl_trusted_certificate  /etc/letsencrypt/live/mydomain/chain.pem;

    location / {
        proxy_set_header   X-Forwarded-For $remote_addr;
        proxy_set_header   Host $http_host;
        # 1 ===> proxy to an HTTPS backend by name
        proxy_pass         https://website5.domain.ru;
        # [ OR ]
        # 2 ===> proxy to a plain-HTTP backend by IP and port
        # proxy_pass         http://192.65.87.4:8020;
    }
}

  • 1
    I know this is an old thread but I just spent 2 days tracking a similar error, where it would proxy_pass https to google fine but it wouldn't work on my own HTTPS server. Even if I bypass ssl verify.. the error for me was that `proxy_set_header Host $http_host;` would pass a header that my server would reject. Removing it fixed my issue. I know in this example you do need the host because you're pointing to an IP. – zzarbi Sep 09 '22 at 23:25
  • 1
    hahha, I forgot to mention that part, at that time, we were focused on the redirection of an example – AnonymousWebHacker Sep 18 '22 at 06:23
2

I did this once for my client. What you do is enable and install SSL in Nginx rather than to the server being proxied.

thisisayush
  • 292
  • 1
  • 8
  • 2
    Hi thisisayush, thank you for your answer. I don't want to install SSL on nginx. I want to just pass https traffic from the internet internally to a server. – mobios Aug 15 '18 at 13:00
  • 1
    Have a look at https://reinout.vanrees.org/weblog/2017/05/02/https-behind-proxy.html This might help :) – thisisayush Sep 07 '18 at 09:11
  • 4
    @mobios In this case you want a TCP **tunnel**. I'm not sure how well it works with SSL. But if you want to use nginx to proxy SSL traffic it needs an SSL certificate - the nature of proxying is that it will look into the traffic and re-encapsulate it so it needs SSL to do that. – Rolf Mar 07 '19 at 12:20
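The question asks for HTTPS passed through unchanged to 192.168.0.10:9443 without nginx holding a certificate, and Rolf's comment names that a TCP tunnel. Here is an added example of that setup with nginx's stream module; it is not from the question or from any answer. It assumes nginx was built with the stream module (`nginx -V 2>&1 | grep -o with-stream` prints it), that the `stream` block is placed at the top level of nginx.conf beside the `http` block, and that no `http` server on the same address also listens on 443.

```nginx
# Added example: TLS passthrough with the nginx stream module. nginx forwards
# raw TCP bytes; the TLS handshake happens end to end between client and
# backend, so nginx needs no certificate and never sees the HTTP request.
stream {
    # Backend from the question: it already terminates TLS on 9443.
    upstream tls_backend {
        server 192.168.0.10:9443;
    }

    server {
        listen 443;                    # plain TCP listener: no "ssl", no certificate
        proxy_pass tls_backend;
        proxy_connect_timeout 5s;
        proxy_timeout 10m;             # idle timeout for established tunnels

        # The backend sees nginx's address as the client. If the backend
        # understands the PROXY protocol, uncomment the next line so the real
        # client address is prepended to the connection; otherwise leave it off,
        # because the backend would then reject the TLS ClientHello.
        # proxy_protocol on;
    }
}
```

Two consequences follow for anyone choosing this route: nginx cannot route by hostname on 1.10.3 (SNI-based routing with `ssl_preread` needs nginx 1.11.5 or later), so every connection on 443 goes to the single backend, and none of the HTTP-level controls from the other answers (Host rewriting, `client_max_body_size`, `X-Forwarded-For`) apply, so the backend must enforce them itself.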