I have the config below. However, when user switch from http to https, the session doesn't stick no more. Eg. homepage http but payment page is https.
How do I solve this?
upstream backend {
ip_hash;
server <server-1-ip>;
server <server-2-ip>;
}
upstream backend_ssl {
ip_hash;
server <server-1-ip>:443;
server <server-2-ip>:443;
}
server {
location / {
proxy_pass http://backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
server {
listen 443 ssl;
ssl_certificate /etc/nginx/ssl/mycert.crt;
ssl_certificate_key /etc/nginx/ssl/mykey.key;
location / {
proxy_pass https://backend_ssl;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
Best Answer
Well, I guess, because you're using two
upstreamgroups, the state isn't shared between the two groups. Right now I can't test this further, but here are some ideas of mine:Use one
upstreamgroup, inspect the$scheme, leverage map with a variable to assign the correct ports to the$scheme(either http or https), and use this variable in yourserverdirective, so this becomesserver <server-1-ip>:$variable.Use zone which "keeps the group’s configuration and run-time state that are shared between worker processes. Several groups may share the same zone."
Instead of using
ip_hash, you could insert a cookie containing the correct backend server (which will be used for all further requests) using sticky.Note: This is not a copy-paste one-size-fits-all answer, but merely some quick ideas of mine. Read the docs, and you'll find a solution. Good luck and all the best!