Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

nginx proxy based on host when using https

Tags:

nginx

proxy

https

ssl

wildcard-subdomain

I need to use Nginx as an SSL proxy, which forwards traffic to different back ends depending on the subdomain.

I have seem everywhere that I should define multiple "server {" sections but that doesn't work correctly for SSL. Doing that I would always have the SSL being processed in the first virtual host as the server name is unknown until you process the https traffic.

Scenario:

  • One IP address
  • One SSL wildcard wildcard

  • Multiple backends which needs to be accessed like the following:

    https://one.mysite.com/ -> http://localhost:8080
https://two.mysite.com/ -> http://localhost:8090

Nginx says "if" is evil: http://wiki.nginx.org/IfIsEvil, but what else can I do?

I have tried this, but it doesn't work, I get an 500 error but nothing in the error logs.

    server {
    listen 443;
    server_name *.mysite.com;

    ssl on;
    ssl_certificate ssl/mysite.com.crt;
    ssl_certificate_key ssl/mysite.com.key;

    location / {
        if ($server_name ~ "one.mysite.com") {
            proxy_pass http://localhost:8080;
        }
        if ($server_name ~ "two.mysite.com") {
            proxy_pass http://localhost:8090;
        }
    }

Has anyone managed to accomplish this with Nginx? Any help/alternatives, link, would be much appreciated.

like image 626
Angel Abad Cerdeira Avatar asked Aug 19 '13 17:08

Angel Abad Cerdeira

People also ask

What is HTTPS forward proxy?

A forward proxy is the most common form of a proxy server and is generally used to pass requests from an isolated, private network to the Internet through a firewall. Using a forward proxy, requests from an isolated network, or intranet, can be rejected or allowed to pass through a firewall.

Can Nginx be a forward proxy?

By using the nginx forward proxy we can masking the location and IP for gaining access to services. Nginx forward proxy will continuing the request on behalf of the client. At the time when the host server will accept the request then only we can see the IP of the nginx proxy server.

Does reverse proxy work with HTTPS?

An HTTPS to HTTP reverse proxy service can be used if external clients need to access a HTTP web server hosted in an internal network. Learn how to set it up!

1 Answers

I found the solution which is basically to define the SSL options and the SSL certificate outside the "server" block:

ssl_certificate ssl/mysite.com.crt;
ssl_certificate_key ssl/mysite.com.key;
ssl_session_timeout  5m;
ssl_protocols        SSLv3 TLSv1;
ssl_ciphers          ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+EXP;
ssl_prefer_server_ciphers   on;

server {
    listen 80;
    server_name *.mysite.com;
    rewrite ^ https://$host$request_uri? permanent;
}
server {
    listen 443 ssl;
    server_name one.mysite.com;

    ssl on;

    location / {
        proxy_pass http://localhost:8080;
    }
}
server {
    listen 443 ssl;
    server_name two.mysite.com;

    ssl on;

    location / {
        proxy_pass http://localhost:8090;
    }
}

Key things:

  • "ssl on;" is the only thing that needs to be within the "server" blocks that listen in https, you can put it outside too, but what will make the "server" blocks that listen in port 80 to use https protocol and not the expected http.
  • Because the "ssl_certificate", "ssl_ciphers: and other "ssl_*" are outside the "server" block, Nginx does the SSL offloading without a server_name. Which is what it should do, as the SSL decryption cannot happen based on any host name, as at this stage the URL is encrypted.
  • JAVA and curl don't fail to work now. There is no server_name - host miss match.
like image 160
Angel Abad Cerdeira Avatar answered Nov 18 '22 03:11

Angel Abad Cerdeira
Sign in to Comment

Related questions

Java heap space - Out of memory error - Kafka Broker with SASL_SSL
Web Crypto API without ssl
openssl how to check server name indication (SNI)
Chrome says SSL invalid, but certificate is valid
AWS Java SDK SSL Certificates
Verify hostname of the server who invoked the API
Pip SSLError WRONG_VERSION_NUMBER under proxy
Github - TLS certificate verification has been disabled! on Windows
Cannot reach SSL IP when in docker container over bridge. Getting SSL_ERROR_SYSCALL
MySQL Workbench SSL connection error: SSL is required but the server doesn't support it
Problem with NSStream SSL Connection
iPhone - SSL connection
SSL HandShake on Java Client
PyQt + QtWebkit behind a proxy
AS3: Sockets & HTTPS/SSL
KeyTool error : java.lang.Exception : Alias does not exist
How to add multiple truststore paths to “java.net.ssl.trustStore”?
Can't find the openssl.cnf file on my mac
Does firebase hosting benefit from CloudFlare?
Whats an easy way to totally ignore ssl with java url connections?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!