Hi all,

I configured an nginx server as a reverse proxy a few months ago. I have an Apache server as the back end of the reverse proxy. Everything worked well until I started to use SSL.

When I try to redirect https://mydomain.com to https://www.mydomain.com it gives me an SSL untrusted error.

When I check HTTP_X_URL_SCHEME on the backend server it shows only http. The backend cannot understand if it is an http or https header.

How do I fix this? Below are my nginx vhost and back-end Apache vhost.

    server {
        listen 443;
        server_name mydomain.com www.mydomain.com;
        access_log /var/log/nginx/mydomain.com.access.log;

        ssl on;
        ssl_certificate /home/ssl/mydomain.com.crt;
        ssl_certificate_key /home/ssl/mydomain.com.pvk;
        ssl_prefer_server_ciphers on;
        ssl_protocols SSLv3 TLSv1;
        ssl_session_cache shared:SSL:2m;
        ssl_ciphers DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5;

        charset utf-8;
        keepalive_timeout 70;

        location / {
            proxy_pass http://xx.xx.xx.xx:xx;
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Url-Scheme $scheme;
            client_max_body_size 10m;
            client_body_buffer_size 128k;
            proxy_connect_timeout 90;
            proxy_send_timeout 90;
            proxy_read_timeout 90;
            proxy_buffer_size 4k;
        }
    }

    ##########################################################

    DocumentRoot /path/
    <Directory /path>
        Options -Indexes FollowSymLinks MultiViews
        AllowOverride None
        RewriteEngine on
        AddDefaultCharset utf-8
        RewriteCond %{HTTP_HOST} ^mydomain.com
        RewriteCond %{HTTPS} !=on
        RewriteRule ^(.*)$ https://www.mydomain.com$1 [R=302,L]
        RewriteCond %{HTTP_HOST} ^mydomain.com
        RewriteRule ^(.*)$ http://www.mydomain.com$1 [R=302,L]
        RewriteCond %{REQUEST_METHOD} !^(GET|POST|HEAD)$
        RewriteRule .* - [F]
        RewriteRule ^(.*)$ index.php?route=$1 [L,QSA]
        Order allow,deny
        Allow from all
    </Directory>
    <IfModule mod_rpaf.c>
        RPAFenable On
        RPAFsethostname On
        RPAFproxy_ips xx.xx.xx.xx
    </IfModule>
on 2012-12-11 09:59
on 2012-12-11 10:20
On Tue, Dec 11, 2012 at 3:58 PM, Dinoosh Nikapitiya <dinoosh.niki@gmail.com> wrote:
> Hi all,
>
> I configured an nginx server as a reverse proxy a few months ago. I have
> an Apache server as the back end of the reverse proxy. Everything worked well
> until I started to use SSL.
>
> When I try to redirect https://mydomain.com to https://www.mydomain.com it
> gives me an SSL untrusted error.
>

SSL is handled by nginx and is not usually passed to the backend at all. The error is probably caused by nginx serving the certificate for mydomain.com while the browser is accessing www.mydomain.com. A domain mismatch raises the error.

Put in a certificate for www.mydomain.com instead, which usually already includes mydomain.com (depends on the provider), or create a separate server block which has a certificate for each domain (which is probably better since it will skip the backend entirely for the redirect).

> When I check HTTP_X_URL_SCHEME on the backend server it shows only http.
> The backend cannot understand if it is an http or https header.
>

How did you check it? Have you tried hardcoding https to the proxy set header?
on 2012-12-11 10:47
Hey Edho Arief,

We already have the certificate for both www.mydomain.com and mydomain.com. But we still get the error.

>> When I check HTTP_X_URL_SCHEME on the backend server it shows only http.
>> The backend cannot understand if it is an http or https header.
>>
> How did you check it?

Usually PHP can get those headers. I just used a PHP script to get it.

> Have you tried hardcoding https to the proxy set header?

Yes, I tried that also. But still no luck.
on 2012-12-11 11:02
On Tue, Dec 11, 2012 at 4:47 PM, Dinoosh Nikapitiya <dinoosh.niki@gmail.com> wrote:
> Hey Edho Arief,
> We already have the certificate for both www.mydomain.com and mydomain.com.
> But we still get the error.
>

Are they both in a single certificate or separate? Check the DNS Name in the certificate's Subject Alternative Name. The correct certificate should include both names (mydomain.com and www.mydomain.com) if you want to have only one server block. Otherwise you have to create two separate server blocks:

    server {
        listen 443 ssl;
        server_name mydomain.com;
        ssl_certificate ...<for mydomain.com>;
        ssl_certificate_key ...;
        return 301 https://www.mydomain.com$request_uri;
    }

    server {
        listen 443 ssl;
        server_name www.mydomain.com;
        ssl_certificate ...<for www.mydomain.com>;
        ...
    }

>>> When I check HTTP_X_URL_SCHEME on the backend server it shows only http.
>>> The backend cannot understand if it is an http or https header.
>>>
>> How did you check it?
>
> Usually PHP can get those headers. I just used a PHP script to get it.
>

My guess is Apache has overwritten the variable.
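
Added example, not part of the thread or of any poster's configuration: one way for the Apache backend to act on the scheme that nginx forwards in X-Url-Scheme, since the proxy-to-backend hop is plain HTTP and `%{HTTPS}` never reads "on" there. It assumes the backend accepts connections only from the proxy and that nginx sets the header on every request; the browser still has to complete the TLS handshake with nginx for mydomain.com before any redirect is delivered, so the certificate nginx presents must be valid for that name.

```apache
# Added example. Assumptions: this vhost is reachable only from the nginx
# proxy, and nginx sends the header on every proxied request:
#     proxy_set_header X-Url-Scheme $scheme;
# proxy_set_header replaces any X-Url-Scheme value supplied by the client,
# so the value seen here is the scheme of the client-to-nginx connection.
# If clients could reach this vhost directly, the header would be spoofable
# and must not be trusted.

# Expose HTTPS=on to the application (PHP sees $_SERVER['HTTPS']) when the
# original request arrived over TLS.
SetEnvIf X-Url-Scheme "^https$" HTTPS=on

RewriteEngine on

# Bare domain, original request over TLS: redirect to www over TLS.
RewriteCond %{HTTP_HOST} ^mydomain\.com$ [NC]
RewriteCond %{HTTP:X-Url-Scheme} =https
RewriteRule ^ https://www.mydomain.com%{REQUEST_URI} [R=302,L]

# Bare domain, original request over plain HTTP: redirect to www over HTTP.
RewriteCond %{HTTP_HOST} ^mydomain\.com$ [NC]
RewriteCond %{HTTP:X-Url-Scheme} !=https
RewriteRule ^ http://www.mydomain.com%{REQUEST_URI} [R=302,L]
```

Using `%{REQUEST_URI}` in the substitution keeps the leading slash in both virtual-host and `<Directory>` context, where a captured `$1` would lose it.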