You are close, but there's no reverse proxy for http configured, only for https (in the above setup), so it should show the default content from the document root. The first server block also lacks its closing }.
You may configure both http and https in the same block; just use the ssl keyword in the listen directive (on the ssl port, so there's no need to set the ssl on directive):
server {
    listen 80 default_server;
    listen 443 ssl default_server;
    ...
    ssl_certificate /usr/local/nginx/conf/server1.crt;
    ssl_certificate_key /usr/local/nginx/conf/server1.key;
    ssl_session_cache shared:SSL:10m;
    ...
}
I must point out that using two different SSL certificates on the same IP is somewhat limited and complicated; that is because it would require HTTP renegotiation (since the request needs to be encrypted with the certificate before requesting the proper Host), so you'll probably need to separate the certificates by server block. For this, use a more specific, by-IP listen:
server {
    listen 192.168.0.10:443 ssl; # for server1.mydomain.com
    ...
}
server {
    listen 192.168.0.11:443 ssl; # for server2.mydomain.com
    ...
}
I also recommend you use the Mozilla SSL Config Generator for best practices on SSL security.
EDIT1
To avoid the 400 error, just remove the directive ssl on; and reload. It was causing the http traffic to require SSL; you already indicated to use ssl on the line listen 443 ssl default_server; (this means turn ssl on for this port).
The rest of the configuration is fine, but depending on your server response, you may need to adjust the proxy settings.
First, check if the spinning is client-side or server-side: access it with cURL, or turn on the web developer tools in your browser and check the network tab. If your browser is being redirected, you probably need to adjust the proxy_redirect directive or even make some string replacements on your server response.
Check it this way with cURL:
curl -i http://server1.mydomain.com
If you see a Location: header in your response, you'll need to fine-tune your proxy settings (that will depend on the response). For example, you may be accessing it as https, then your proxy forwards as http, and your backend server application redirects to https (but when the response goes through the proxy, it goes back to the browser as http). There are several ways of fixing it, by using proxy_set_header or even adjusting your backend server.
For example you could use:
proxy_set_header X-Forwarded-Proto $scheme;
But either your backend http server or your application would need to properly understand this.
Alternatively, if there's no redirect but no response either (or a no-gateway response after the request timeout, 30s), check if your backend server is properly responding to the proxy server.
Please also note that you don't need an http server on your backend; you can use, for example, a FastCGI server directly, which sometimes has fewer pitfalls.
EDIT2
Based on the cURL response, I see that the configuration is working as expected: the backend server response is asking you to sign in. If the SSL certs weren't working, you wouldn't be able to curl -i https://server1.mydomain.com.
The traffic between the frontend (proxy) and the backend is made through http only (see the proxy_pass directive), and that's also usually expected (another layer of encryption might add unnecessary overhead).
Now, if you wish to use https only, you have two options: either configure that in your backend (so that it forwards you to https://test1/users/sign_in) or use a different setting for nginx, where you strip the http:80 server and make it redirect everything to https:443. Something like this (be sure to remove the listen 80 from the next server block):
server {
    listen 80 default;
    server_name _;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    ...
}
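Putting the pieces of the answer above together, here is a complete single-certificate configuration as an added example (it is not the answer's own config): the plain-http server does nothing but redirect, the https server has no ssl on; directive, and the proxy passes the original Host and scheme to the backend so it does not bounce the client back to http. The backend address 127.0.0.1:3000 and the location block are assumptions; the certificate paths and hostname are the ones used on this page.

```nginx
# Added example, not part of the original answer.
# Assumed: the backend application listens on 127.0.0.1:3000 (not given on the page).

server {
    listen 80 default_server;
    server_name server1.mydomain.com;

    # Plain http only redirects; there is no "ssl on;" anywhere in this file,
    # the "ssl" keyword on the listen 443 line below is what enables TLS.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl default_server;
    server_name server1.mydomain.com;

    ssl_certificate     /usr/local/nginx/conf/server1.crt;
    ssl_certificate_key /usr/local/nginx/conf/server1.key;
    ssl_session_cache   shared:SSL:10m;
    # Protocol and cipher settings: paste the Mozilla SSL Config Generator output here.

    location / {
        # Proxy-to-backend hop is plain http, as discussed in the answer.
        proxy_pass http://127.0.0.1:3000;

        # Tell the backend which host the client asked for and that the client
        # arrived over https, so the application builds https:// links and does
        # not issue a redirect loop to its own http:// URL.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # If the backend still answers with "Location: http://127.0.0.1:3000/...",
        # rewrite that header so the browser is sent to the public https URL.
        proxy_redirect http://127.0.0.1:3000/ https://$host/;
    }
}
```

After nginx -t and a reload, curl -i http://server1.mydomain.com should return a 301 whose Location: header points at https://server1.mydomain.com/, and curl -i https://server1.mydomain.com should return the backend's own response (here, the sign-in page). The backend must actually honour X-Forwarded-Proto (most web frameworks have a trusted-proxy setting for this); otherwise the proxy_redirect line is the only thing stopping an http/https redirect loop.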
Best Answer
Nginx does not support HTTP/2 for proxy_pass connections so this is not an option.
In my opinion, there is no huge reason to have HTTP/2 all the way through, in the same way that HTTPS is not required all the way through.
For more details see the answers to this identical question on StackOverflow: https://stackoverflow.com/questions/41637076/http2-with-node-js-behind-nginx-proxy