Proxy HTTPS requests to a HTTP backend with NGINX
Solution 1
The type of proxy you are trying to set up is called a reverse proxy. A quick search for reverse proxy nginx got me this page:
http://intranation.com/entries/2008/09/using-nginx-reverse-proxy/
In addition to adding some useful features like an X-Forwarded-For header (which will give your app visibility into the actual source IP), it specifically does:
proxy_redirect off
Good luck! :)
Solution 2
I'm using the following config in production
server {
listen xxx.xxx.xxx.xxx:80;
server_name www.example.net;
rewrite ^(.*) https://$server_name$1 permanent;
}
server {
listen xxx.xxx.xxx.xxx:443;
server_name www.example.net;
root /vhosts/www.example.net;
ssl on;
ssl_certificate /etc/pki/nginx/www.example.net.crt;
ssl_certificate_key /etc/pki/nginx/www.example.net.key;
ssl_prefer_server_ciphers on;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
ssl_dhparam /etc/pki/nginx/dh2048.pem;
# intermediate configuration. tweak to your needs.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
location / {
proxy_pass http://127.0.0.1:8080;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
}
}
Related videos on Youtube
Mike
I'm a software developer for a telecommunications company. In my spare time I like to play with web technologies, in particular API programming.
Updated on September 17, 2022Comments
-
Mike over 1 year
I have nginx configured to be my externally visible webserver which talks to a backend over HTTP.
The scenario I want to achieve is:
- Client makes HTTP request to nginx which is redirect to the same URL but over HTTPS
- nginx proxies request over HTTP to the backend
- nginx receives response from backend over HTTP.
- nginx passes this back to the client over HTTPS
My current config (where backend is configured correctly) is:
server { listen 80; server_name localhost; location ~ .* { proxy_pass http://backend; proxy_redirect http://backend https://$host; proxy_set_header Host $host; } }
My problem is the response to the client (step 4) is sent over HTTP not HTTPS. Any ideas?
-
Mike about 14 yearsThanks for your response - the link was indeed very helpful. I think I've solved my problem by splitting it up - I configured a redirect for all HTTP requests on port 80 to HTTPS on port 443. I then configured a new server in the config for 443. I was previously trying to do this all same place.
-
Faisal Feroz over 5 years+1 Adding
proxy_set_header X-Forwarded-Proto https;
did the trick for me. -
Constantin over 2 yearsFor newer versions of nginx you might want to remove the line
ssl on
-
Tobi over 2 years@Constantin why