Nginx – HTTP/2 between Nginx reverse proxy and Express

http2nginxnode.jsreverse-proxy

I have an Express web server behind Nginx reverse proxy.
The Nginx is configured for HTTP/2.

Is it better to leave the default http1 connection between Nginx and Express, or is there worth in upgrading Express to HTTP/2 also?

I guess there'll be some performance loss since SSL is required on both, but don't know whether multiplexing (and other improvements) will make up for it.

Best Answer

Nginx does not support HTTP/2 for proxy_pass connections so this is not an option.

In my opinion, there is not huge reason to have HTTP/2 all the way through, in a similar way that HTTPS is not required all the way through.

For more details see the answers to this identical question on StackOverflow: https://stackoverflow.com/questions/41637076/http2-with-node-js-behind-nginx-proxy

Related Solutions

NGINX Reverse Proxy – URL Rewrite

Any redirect to localhost doesn't make sense from a remote system (e.g. client's Web browser). So the rewrite flags permanent (301) or redirect (302) are not usable in your case.

Please try following setup using a transparent rewrite rule:

location  /foo {
  rewrite /foo/(.*) /$1  break;
  proxy_pass         http://localhost:3200;
  proxy_redirect     off;
  proxy_set_header   Host $host;
}

Use curl -i to test your rewrites. A very subtle change to the rule can cause nginx to perform a redirect.

Nginx – wrong with the nginx reverse proxy configuration, with single server (and more later)

you are close, but there's no reverse proxy for http configured, only for https (in the above setup) — so it should show default content from document root. First server also lacks ending }.

You may configure both http and https in the same block, just use the ssl keyword in the listen directive (under the ssl port, so there's no need to set the ssl on directive):

server {
    listen 80 default_server;
    listen 443 ssl default_server;
    ...
    ssl_certificate /usr/local/nginx/conf/server1.crt;
    ssl_certificate_key /usr/local/nginx/conf/server1.key;
    ssl_session_cache shared:SSL:10m;
...

I must alert that using two different SSL certificates within the same IP is somewhat limited and complicated — that is because it would require HTTP renegotiation (since the request needs to be encrypted with the certificate before requesting the proper Host), so you'll probably need to separate the certificate by server block. For this, use a more specific, by IP listen:

server {
    listen 192.168.0.10:443 ssl; # for server1.mydomain.com
...

server {
    listen 192.168.0.11:443 ssl; # for server2.mydomain.com
...

I also recommend you use the Mozilla SSL Config Generator for best practices on SSL security.

EDIT1

To avoid the 400 error, just remove the directive ssl on; and reload. It was causing the http traffic to require SSL — you already indicated to use ssl on the line: listen 443ssldefault_server; (this means turn ssl on on this port).

The rest of the configuration is fine, but depending on your server response, you may need to adjust the proxy settings.

First, check if the spinning is client-side or server-side: access it with cURL or turn on web developer tools on your browser and check the network: if your browser is being redirected, you probably need to adjust the proxy_redirect or even make some string replacements on your server response.

Check it this way with cURL:

curl -i http://server1.mydomain.com

If you see a Location: header in your response, you'll need to finetune your proxy settings (that will depend on the response). For example, you may be accessing it as https then your proxy forwards as http and your backend server application redirects to https (but when the response goes through the proxy, it goes back to http to the browser). There are several ways of fixing it, by using proxy_set_header or even adjusting your backend server.

For example you could use:

proxy_set_header X-Forwarded-Proto $scheme;

But either your backend http server or your application would need to properly understand this.

Alternatively, if there's no redirect, but no response as well (or a No gateway response after the request timeout — 30s), check if your backend server is properly responding to the proxy server.

Please also note that you don't need a http server on your backend, you can use, for example, a FastCGI server directly — this sometimes has fewer downfalls.

EDIT2

Based on the cURL response, I see that the configuration is working as expected — the backend server response is asking for you to sign in. If the SSL certs weren't working, you wouldn't be able to curl -i https://server1.mydomain.com.

The traffic between frontend (proxy) and backend are made through http only (see the proxy_pass directive), and that's also usually expected (another encryption might add unnecessary overhead).

Now, if you wish to use https only, you have two options: either configure that in your backend (so that it forwards you to https://test1/users/sign_in) or use a different setting for nginx, where you strip the http:80 server and make it redirect everything to https:443. Something like this (be sure to remove the listen 80 from the next server block):

server {
    listen 80 default;
    server_name  _;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
...