Magento 2 – Fix Varnish with NGINX SSL Proxy 502 Error

magento2nginxsslvarnish

I am trying to setup an nginx backend with Varnish and magento 2.3.2.
To do that the flow would be:
Port 80 is forwaded to 443.
443 proxypass to Varnish
Listener on 8080.

Here is the nginx config for port 80:

upstream fastcgi_backend {
# Socket path
  server unix:/run/php/php7.2-fpm.sock;
}

server {
    listen 80;
    server_name magento-test.example.com;

    location ^~ /.well-known/acme-challenge/ {
      allow all;
      root /var/lib/letsencrypt/;
      default_type "text/plain";
      try_files $uri =404;
    }
    return 301 https://magento-test.example.com$request_uri;
}

Then the listener on port 443 with proxypass:

server {
    listen 443 ssl http2;
    server_name magento-test.example.com;

    ssl_certificate ...
    ssl_certificate_key ...
    ssl_trusted_certificate ...
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'AES128+EECDH:AES128+EDH:!aNULL';
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 24h;
    keepalive_timeout 300s;

    location / {
        proxy_pass http://127.0.0.1;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Ssl-Offloaded "1";
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Port 443;
        #proxy_hide_header X-Varnish;
        #proxy_hide_header Via;
        proxy_set_header X-Forwarded-Proto $scheme;

}

}

And finally the listener on port 8080:

server {
  server_name magento-test.example.com;
  listen 8080;
  set $MAGE_ROOT /var/www/magento-test.example.com;
  set $MAGE_MODE production; # or developer


  include /var/www/magento-test.example.com/nginx.conf.sample;
}

My varnish is configured the following way:

DAEMON_OPTS=" -a :6081 \
               -T localhost:6082 \
               -f /etc/varnish/default.vcl \
               -S /etc/varnish/secret \
               -p feature=+esi_ignore_other_elements \
               -p cli_buffer=16384 \
               -p vcc_allow_inline_c=on \
               -s malloc,256m"

And

backend default {
    .host = "127.0.0.1";
    .port = "8080";
    .first_byte_timeout = 300s;
}

Now i get a 502 error and in the logs I can see the following error:

*35 connect() failed (111: Connection refused) while connecting to upstream, client: xx.xx.xx.xx

If I put the IP in a browser that directs me to a Linksys page (which is what my home router is…)

I tried to remove 127.0.0.1 localhost in the hosts file but still get the same result.

Any idea ?

Best Answer

you need to use varnish port 6081 to proxy https

location / {
        proxy_pass http://127.0.0.1:6081;

user -> nginx:80 -> nginx:443 -> varnish:6081 -> nginx:8080

Related Solutions

Magento – 500 Internal Server Error nginx/1.12.0 on checkout page after Migration from Apache to Nginx

(1) This configuration file is derived from your file and is created with the assumption that you want to force SSL on your primary domain, abcsports.co.uk. This is recommended.

(2) I moved the subdomains, "media.abcsports.co.uk, skin.abcsports.co.uk, and js.abcsports.co.uk" into separate server blocks. By default, SSL is not forced for these subdomains, but you could enable the redirections as instructed in the configuration file. Ensure that the SSL certificates for abcsports.co.uk is applicable to the subdomains before activating the SSL block for the subdomains.

(3) There could be errors. Use the error log to debug them.

(4) Backup the current vhost file because using this one. You can do this during a low traffic period.

server {
    listen 80;
    server_name         media.abcsports.co.uk skin.abcsports.co.uk js.abcsports.co.uk;
    # root              /var/www/vhosts/abcsports.co.uk/httpdocs;
    root                /var/www/html/abcsports.co.uk/public_html;

    location / {
        index           index.php;
        try_files       $uri $uri/ /index.php?$args;
        expires         30d;
    }

    access_log          /var/log/nginx/abcsports.co.uk-access.log;
    error_log           /var/log/nginx/abcsports.co.uk-error.log;
}

# Enable this server block if you want to enable ssl redirection to the SSL block below. Ensure you disable the above HTTP block, you enable this block.
#server {
#    listen             80;
#    server_name        media.abcsports.co.uk skin.abcsports.co.uk js.abcsports.co.uk;
#   server_tokens       off;
#    return             301 https://$server_name$request_uri;
#}

#server {
    #listen                 443 ssl;
    #server_name            media.abcsports.co.uk skin.abcsports.co.uk js.abcsports.co.uk;
    #root                   /var/www/html/abcsports.co.uk/public_html/;
    #ssl_certificate        /etc/ssl/certs/abcsports.co.uk.pem; # Ensure certificate is wildcard and applies to subdomains of abcsports.co.uk
    #ssl_certificate_key    /etc/ssl/certs/abcsports.co.uk.key; # Ensure certificate is wildcard and applies to subdomains of abcsports.co.uk


    #access_log                 /var/log/nginx/abcsports.co.uk-ssl-access.log;
    #error_log              /var/log/nginx/abcsports.co.uk-ssl-error.log;

    #location / {
        #index              index.html index.php;
        #try_files          $uri $uri/ @handler;
        expires             30d;
    #}

#}

server {
    listen              80 default_server;
    server_name         abcsports.co.uk www.abcsports.co.uk;
    server_tokens       off;
    return              301 https://www.abcsports.co.uk$request_uri;
}

server {
    listen              443 ssl;
    #listen             443 http2 ssl; uncomment this line and comment line 9 if Nginx was compiled with http2
    server_name         abcsports.co.uk;
    server_tokens       off;
    return 301          https://www.abcsports.co.uk$request_uri;
}

server {
    listen              443 ssl default_server;
    #listen             443 http2 ssl default_server;
    server_name         www.abcsports.co.uk;
    root                /var/www/html/abcsports.co.uk/public_html;
    index               index.php;
    access_log          /var/log/nginx/abcsports.co.uk-ssl-access.log combined;
    error_log           /var/log/nginx/abcsports.co.uk-ssl-error.log error;

    ssl_certificate      /etc/ssl/certs/abcsports.co.uk.pem;
    ssl_certificate_key  /etc/ssl/certs/abcsports.co.uk.key;

    client_body_buffer_size         128K;
    client_body_timeout             3m;
    client_header_buffer_size       3m;
    large_client_header_buffers     4 256k;
    client_header_timeout           3m;
    client_max_body_size            100M;

    gzip                on;
    gzip_proxied        any;
    gzip_types          text/plain text/css application/json application/x-javascript text/xml 
    application/xml     application/xml+rss text/javascript application/javascript text/x-js; 
    gzip_vary           on;
    gzip_comp_level     6;
    gzip_buffers        16 8k; 
    gzip_disable        "MSIE [1-6]\.(?!.*SV1)";

    #add_header         Strict-Transport-Security "max-age=31536000"; #Enable this after you understand the implications of STS

    location / {
        try_files       $uri $uri/ @handler; ## If missing pass the URI to Magento's front handler
        expires         30d; ## Assume all files are cachable

        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
            expires     max;
        }
    }

    map $http_cookie $phpfpm_socket {
        default unix:/var/run/php-fpm/abcsports.co.uk.sock;
        ~adminhtml unix:/var/run/php-fpm/abcsports.co.uk-admin.sock;
    }

    location ~ \.php$ {
        charset        utf-8;
        default_type   text/html;

        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;

        fastcgi_param           SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass            $phpfpm_socket;
        fastcgi_param           MAGE_RUN_CODE default;
        fastcgi_param           MAGE_RUN_TYPE store;
        #fastcgi_param          HTTPS $httpss; #No longer needed
        fastcgi_read_timeout    300;
        fastcgi_keep_conn       on;
        fastcgi_buffer_size     32k;
        fastcgi_buffers 512     32k;
        fastcgi_read_timeout    300;
        fastcgi_index           index.php;
        #include                /etc/nginx/fastcgi_params; #To include additional fastcgi_param
    }

    location @handler { ## Magento uses a common front handler
        rewrite / /index.php?$args;
    }

    # Enable to restrict access to your downloader folder 
    #location /downloader {
        #error_page 403 = @deny_downloader;
        #allow  xx.xx.xx.xx; #Change to your static or current dynamic IP. Restart Nginx after each modification. You can duplicate this line.
        #deny all;
        #index  index.php;
        #try_files $uri $uri/ /index.php?$args;
    #}

    location @deny_downloader {
        return 303 https://www.abcsports.co.uk;
    }

    location ~ .php/ {
        rewrite ^(.*.php)/ $1 last;
    }

    location ~ /.well-known {
        allow all;
    }

    ## These locations would be hidden by .htaccess normally
    location ^~ /app/                { deny all; }
    location ^~ /includes/           { deny all; }
    location ^~ /lib/                { deny all; }
    location ^~ /var/                { deny all; }
    location /var/export/            { deny all; }
    location /media/customer/        { deny all; }
    location /media/downloadable/    { deny all; }
    location ~ cron\.php             { deny all; }

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one    
    location ~ /\.ht {
        deny  all;
    }

    location /. {
        return 404;
    }

    # Enable for custom error files
    #error_page  403 /error/404.html;
    #error_page  404 /error/404.html;
    #error_page  500 502 503 504 /error/50x.html;

    #location /error/ {
        #alias   /home/admin/web/abcsports.co.uk/document_errors/;
    #}

    location ~* "/\.(htaccess|htpasswd)$" {
        deny    all;
        return  404;
    }
}

Expecting your feedback. Cheers!

Magento 2 – Get Real IP with Varnish, Nginx, and SSL

to help you debug this, you can add this php file for example, headers.php:

<?php
foreach($_SERVER as $key_name => $key_value) {
print $key_name . "  =  <font style='color: rgb(0,0,255);'>" . $key_value . "</font><br/>";
}
?>

where you can see all the headers.

make sure you proxy pass correct header:

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;

add remote IP variations and check headers with file above.

Best Answer

Related Solutions

Magento – 500 Internal Server Error nginx/1.12.0 on checkout page after Migration from Apache to Nginx

Magento 2 – Get Real IP with Varnish, Nginx, and SSL

Related Topic