Nginx – HTTPS to HTTPS reverse proxy with nginx

apache-2.2httpsnginxPROXYssl

I have an Apache webserver configures with an SSL certificate. I have to put it behind a proxy, from some reasons.
I'd like to configure the proxy (nginx?) to works as simple relay, from HTTPS to HTTPS, as simple as possible.

My questions are:

is HTTPS to HTTPS proxy a good idea?
if so, do I need to give the proxy the SSL certificate too or can I just enable SSL in nginx/apache/whatever's parameters?

Thanks a lot for your help 🙂

Best Answer

is HTTPS to HTTPS proxy a good idea?

Depends on the situation/use-case/reasoning, there's no one-fits-all answer for that.

if so, do I need to give the proxy the SSL certificate too or can I just enable SSL in nginx/apache/whatever's parameters?

Yes and No!

You have two ways of doing this:

SSL Reverse Proxy
TCP Load Balancing

SSL Reverse Proxy

Certificates are needed on the load balancer, you set up a HTTPS proxy and all HTTPS connections to the load balancer are terminated there before being proxied to the backends and the HTTPS re-applied if your backend supports it.

TCP Load Balancing

You do not need SSL certificates on the load balancer. The connections are distributed at the TCP layer, the SSL content is ignored/unmodified and just passed through. Your backend needs to be HTTPS ready with the SSL certs etc.

Hopefully this will set you in the right direction...

Correct way in new versions of nginx

Turn out my first answer to this question was correct at certain time, but it turned into another pitfall - to stay up to date please check Taxing rewrite pitfalls

I have been corrected by many SE users, so the credit goes to them, but more importantly, here is the correct code:

server {
       listen         80;
       server_name    my.domain.com;
       return         301 https://$server_name$request_uri;
}

server {
       listen         443 ssl;
       server_name    my.domain.com;
       # add Strict-Transport-Security to prevent man in the middle attacks
       add_header Strict-Transport-Security "max-age=31536000" always; 

       [....]
}

Apache SSL – Is It Bad to Redirect HTTP to HTTPS?

The [R] flag on its own is a 302 redirection (Moved Temporarily). If you really want people using the HTTPS version of your site (hint: you do), then you should be using [R=301] for a permanent redirect:

RewriteEngine on
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R=301,L]

A 301 keeps all your google-fu and hard-earned pageranks intact. Make sure mod_rewrite is enabled:

a2enmod rewrite

To answer your exact question:

Is it bad to redirect http to https?

Hell no. It's very good.

Best Answer

Related Solutions

NGINX Redirect – How to Rewrite All HTTP Requests to HTTPS While Maintaining Sub-Domain

Correct way in new versions of nginx

Apache SSL – Is It Bad to Redirect HTTP to HTTPS?

Related Topic