Proxy HTTPS requests to a HTTP backend with NGINX

nginx reverse-proxy https

146,891

Solution 1

The type of proxy you are trying to set up is called a reverse proxy. A quick search for reverse proxy nginx got me this page:

http://intranation.com/entries/2008/09/using-nginx-reverse-proxy/

In addition to adding some useful features like an X-Forwarded-For header (which will give your app visibility into the actual source IP), it specifically does:

proxy_redirect off

Good luck! :)

Solution 2

I'm using the following config in production

server {
    listen xxx.xxx.xxx.xxx:80;
    server_name www.example.net;

    rewrite ^(.*) https://$server_name$1 permanent;
}

server {
    listen xxx.xxx.xxx.xxx:443;
    server_name www.example.net;

    root   /vhosts/www.example.net;

    ssl                  on;
    ssl_certificate      /etc/pki/nginx/www.example.net.crt;
    ssl_certificate_key  /etc/pki/nginx/www.example.net.key;

    ssl_prefer_server_ciphers on;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    ssl_dhparam /etc/pki/nginx/dh2048.pem;

    # intermediate configuration. tweak to your needs.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

146,891

Mike

I'm a software developer for a telecommunications company. In my spare time I like to play with web technologies, in particular API programming.

Updated on September 17, 2022

Comments

Mike over 1 year
I have nginx configured to be my externally visible webserver which talks to a backend over HTTP.

The scenario I want to achieve is:
1. Client makes HTTP request to nginx which is redirect to the same URL but over HTTPS
2. nginx proxies request over HTTP to the backend
3. nginx receives response from backend over HTTP.
4. nginx passes this back to the client over HTTPS
My current config (where backend is configured correctly) is:
```
server {
        listen       80;
        server_name  localhost;

        location ~ .* {
            proxy_pass http://backend;
            proxy_redirect http://backend https://$host;
            proxy_set_header Host $host;
            }
        }
```
My problem is the response to the client (step 4) is sent over HTTP not HTTPS. Any ideas?
Mike about 14 years

Thanks for your response - the link was indeed very helpful. I think I've solved my problem by splitting it up - I configured a redirect for all HTTP requests on port 80 to HTTPS on port 443. I then configured a new server in the config for 443. I was previously trying to do this all same place.
Faisal Feroz over 5 years

+1 Adding proxy_set_header X-Forwarded-Proto https; did the trick for me.
Constantin over 2 years

For newer versions of nginx you might want to remove the line ssl on
Tobi over 2 years

@Constantin why