NGINX proxy SSL termination best practices

Tags: docker, nginx, ssl

I am dockerizing a few websites behind a NGINX proxy. I am migrating from an Apache setup and am new to NGINX. As far as I understand, I should use a NGINX proxy to a web server. I want everything to be over SSL and all non-ssl requests to be redirected to HTTPS.

Should my private websites that are behind the proxy communicate with the proxy over normal HTTP port 80? Is that still encrypted totally? Just for information, is it possible to proxy from a NGINX proxy to an apache website?

Best Answer

You have to install SSL certificates on Nginx (your clients will communicate with it directly) and also define a port 80 server, then redirect it to 443. Here is a sample configuration for this kind of setup:

upstream APP {
    server CONTAINER:PORT;
}

# Redirect 80 to 443
server {
    listen 80 default_server;
    server_name yourdomain.com;
    return 301 https://www.yourdomain.com$request_uri;
}

server {
    listen 443 ssl default_server;
    server_name yourdomain.com;
    # "listen 443 ssl" already enables TLS; "ssl on;" is deprecated (see note below)
    # ssl on;
    ssl_certificate /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;

    # Rest of your configuration is all up to your architecture

    location / {
        # more config...
        # proxy_pass needs the scheme in front of the upstream name
        proxy_pass http://APP;
        # more config...
    }
}

I don't know what kind of applications you have on your docker containers.
As an example, if you have a PHP application, you can use PHP-FPM and completely remove Apache in between. Nginx can work with your container via FastCGI. There can be hundreds of different setups depending on your needs, load, etc.

Nginx is a highly(!) configurable web server + proxy server. But just remember: if your DNS records point to the Nginx IP address, then you have to install SSL on it. And if your containers have no access from the web, which is a good security practice, you don't need to encrypt traffic between nginx and your containers, which saves you CPU power.

Also, nginx has powerful proxy/fastcgi cache functionality, so you can cache an application's output (if it is not dynamic for each request, e.g. static files).

As of Wed Apr 25 14:57:24 2018 the ssl on; directive is deprecated. You can just comment it out. Details: http://hg.nginx.org/nginx/rev/46c0c7ef4913
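The following is an added, complete nginx.conf illustrating the setup the answer describes (it is not the answerer's configuration): TLS is terminated at the proxy, every plain-HTTP request is redirected to HTTPS, and the backend is reached over plain HTTP on an internal Docker network. It also shows the one case the question raises where plain HTTP to the backend is not wanted, an Apache vhost that only speaks HTTPS, which nginx can re-encrypt to and verify. The domain www.example.com, the container names app and apache-legacy, the port 8080, the certificate paths and the internal CA file are all placeholders.

```nginx
# Added example, not from the original answer. All hostnames, ports and
# file paths below are placeholders.

events {}

http {
    # Backend container reachable only on the internal Docker network;
    # it should not publish any port on the host.
    upstream app {
        server app:8080;
    }

    # Plain HTTP: answer every host and path with a permanent redirect.
    server {
        listen 80 default_server;
        server_name _;
        return 301 https://www.example.com$request_uri;
    }

    server {
        listen 443 ssl http2 default_server;
        server_name www.example.com example.com;

        # "listen ... ssl" replaces the deprecated "ssl on;"
        ssl_certificate     /etc/nginx/ssl/server.crt;
        ssl_certificate_key /etc/nginx/ssl/server.key;
        ssl_protocols       TLSv1.2 TLSv1.3;
        ssl_session_timeout 1d;
        ssl_session_cache   shared:SSL:10m;
        ssl_session_tickets off;

        # Tell browsers to keep using HTTPS for this host.
        add_header Strict-Transport-Security "max-age=31536000" always;

        location / {
            # The backend sees plain HTTP, so pass enough context for it to
            # build correct absolute URLs and to log the real client address.
            proxy_pass http://app;
            proxy_set_header Host              $host;
            proxy_set_header X-Real-IP         $remote_addr;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
        }

        # Variant for a backend that must be reached over TLS, e.g. an Apache
        # vhost listening on 443 in another container: re-encrypt and verify
        # its certificate against an internal CA instead of trusting blindly.
        location /legacy/ {
            proxy_pass https://apache-legacy:443/;
            proxy_ssl_verify              on;
            proxy_ssl_trusted_certificate /etc/nginx/ssl/internal-ca.crt;
            proxy_ssl_name                apache-legacy;
            proxy_ssl_server_name         on;
            proxy_ssl_protocols           TLSv1.2 TLSv1.3;
            proxy_set_header Host              $host;
            proxy_set_header X-Forwarded-Proto https;
        }
    }
}
```

The X-Forwarded-Proto header is what lets the backend know the original request was HTTPS; without it, frameworks that build redirect or cookie URLs from the request scheme will generate http:// links and undo the redirect. The /legacy/ block is only needed when the backend itself insists on TLS; for containers that are unreachable from outside the Docker network, the plain http://app route is the setup the answer recommends.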
