Help with ssl config nginx -> thin -> rails

I’m lost in a sea of configurations and every change I make ends up causing a different problem in relation to serving over HTTPS. I’ve tried all kinds of different combos of the headers. I’m using nginx in front of thin web servers for rails.

With the below config, serving static content works. Serving rails pages
now just bombs over HTTPS with a 400. The prior config I had caused an
endless redirect.

Being a relative newbie to nginx and rails, my guess is that it has something to do with the thin servers serving over the 400x ports, but the upstream below just referencing 443. How should this be configured to serve dynamic rails content over SSL when you have 20 nodes on thin started?

Thanks for any help!

upstream developmentmode {
    server 127.0.0.1:4000;
    server 127.0.0.1:4001;
    server 127.0.0.1:4002;
    server 127.0.0.1:4003;
    server 127.0.0.1:4004;
    server 127.0.0.1:4005;
    server 127.0.0.1:4006;
    server 127.0.0.1:4007;
    server 127.0.0.1:4008;
    server 127.0.0.1:4009;
    server 127.0.0.1:4010;
    server 127.0.0.1:4011;
    server 127.0.0.1:4012;
    server 127.0.0.1:4013;
    server 127.0.0.1:4014;
    server 127.0.0.1:4015;
    server 127.0.0.1:4016;
    server 127.0.0.1:4017;
    server 127.0.0.1:4018;
    server 127.0.0.1:4019;
}

upstream devmode-secure {
    server 127.0.0.1:443;
}

server {
    listen 80;
    server_name govenga.com www.govenga.com;
    server_name 50.56.121.244;
    access_log /var/www/dev/log/access.log;
    error_log /var/www/dev/log/error.log;

    client_max_body_size 50M;
    client_body_buffer_size 512k;

    root   /var/www/dev/public/;
    index  index.html;

    location ~* ^.+\.(jpg|jpeg|gif|png|ico|css|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|txt|tar|mid|midi|wav|bmp|rtf|ttf|woff|svg|eot)$ {
        root /var/www/dev/public/;
        expires 10y;
        add_header Cache-Control public;
    }

    location ~ ^(/javascripts/.*)$ {
        root /var/www/dev/public/;
        expires 10y;
        add_header Cache-Control public;
    }

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host:$proxy_port;
        proxy_redirect off;

        if (-f $request_filename/index.html) {
            rewrite (.*) $1/index.html break;
        }
        if (-f $request_filename.html) {
            rewrite (.*) $1.html break;
        }
        if (!-f $request_filename) {
            proxy_pass http://developmentmode;
            break;
        }
    }
}

server {
    listen 443;
    server_name govenga.com www.govenga.com;
    ssl on;
    ssl_certificate /etc/nginx/certificates/new/govenga.com.crt;
    ssl_certificate_key /etc/nginx/certificates/new/govenga_new.key;
    ssl_client_certificate /etc/nginx/certificates/new/gd_bundle.crt;
    keepalive_timeout 70;

    access_log /var/www/dev/log/access.log;
    error_log /var/www/dev/log/error.log;

    client_max_body_size 50M;
    client_body_buffer_size 512k;

    root   /var/www/dev/public/;
    index  index.html;

    location ~* ^.+\.(jpg|jpeg|gif|png|ico|css|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|txt|tar|mid|midi|wav|bmp|rtf|ttf|woff|svg|eot)$ {
        root /var/www/dev/public/;
        expires 1y;
        add_header Cache-Control public;
    }

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_redirect off;
        proxy_set_header X-Url-Scheme $scheme;

        if (-f $request_filename/index.html) {
            rewrite (.*) $1/index.html break;
        }
        if (-f $request_filename.html) {
            rewrite (.*) $1.html break;
        }
        if (!-f $request_filename) {
            proxy_pass https://devmode-secure;
            break;
        }
    }
}

On Thursday 12 January 2012 22:30:43 Karl J. wrote:
[…]

    }

Why did you put regexp captures everywhere and then not use them?

  }

It’s ugly. Please read:

…and use the “try_files” directive:
http://nginx.org/en/docs/http/ngx_http_core_module.html#try_files

[…]

}
}
server {
listen 443;
server_name govenga.com www.govenga.com;
[…]
proxy_pass https://devmode-secure;
[…]

and above:

upstream devmode-secure{
server 127.0.0.1:443;
}

…looks like you set up a loopback proxy pass to nginx itself.

wbr, Valentin V. Bartenev

Ignore all of the regexes for now, they were left over from a previous developer who configured the instance. I’ll remove them.

My biggest concern though is around what the address(es) should be for devmode-secure. What should that look like in the config if the IP plus 443 causes it to loop back to nginx?

Thanks for your help.
Karl

On Friday 13 January 2012 19:42:42 Karl J. wrote:
[…]

My biggest concern though is around what the address(es) should be for devmode-secure.

As usual, the address and port that your backend is listening on.

What should that look like in the config if the IP plus 443 causes it to loop back to nginx?

What do you want exactly? Use nginx for SSL and proxy https to http backend?

Or proxy https to https transparently?

wbr, Valentin V. Bartenev
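A layout along the lines of Valentin's last question (nginx terminates TLS and proxies plain HTTP to the Thin backends, with try_files in place of the if/rewrite blocks), written here as an added example and not taken from any message in the thread. The upstream name, ports, hostnames and certificate paths are those from Karl's config; that the .crt file holds the full chain is an assumption.

```nginx
upstream developmentmode {
    server 127.0.0.1:4000;
    server 127.0.0.1:4001;
    # ... one "server 127.0.0.1:40NN;" line per Thin instance, through 4019
}

# Plain HTTP only redirects; the app is served once, over HTTPS.
server {
    listen 80;
    server_name govenga.com www.govenga.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;   # replaces "listen 443;" plus "ssl on;"
    server_name govenga.com www.govenga.com;

    # Assumption: the server certificate and the intermediate bundle
    # (gd_bundle.crt in the original) are concatenated into this one file,
    # server cert first. ssl_client_certificate, as used in the original,
    # configures verification of *client* certificates, not the sent chain.
    ssl_certificate     /etc/nginx/certificates/new/govenga.com.crt;
    ssl_certificate_key /etc/nginx/certificates/new/govenga_new.key;

    root /var/www/dev/public;
    client_max_body_size 50M;

    # Static assets straight from disk; nothing here is proxied.
    location ~* \.(jpg|jpeg|gif|png|ico|css|js|woff|svg|eot|ttf)$ {
        expires 1y;
        add_header Cache-Control public;
        try_files $uri =404;
    }

    # Static file, cached page, or fall through to Rails: this replaces the
    # three "if (-f ...)" rewrite blocks.
    location / {
        try_files $uri $uri/index.html $uri.html @rails;
    }

    location @rails {
        proxy_pass http://developmentmode;   # plain HTTP to Thin, never :443
        proxy_redirect off;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        # Tells Rack/Rails the client used HTTPS, so request.ssl? is true
        # and force_ssl/url_for produce https:// links instead of a loop.
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

The devmode-secure upstream is dropped entirely, since pointing it at 127.0.0.1:443 proxied nginx to itself; Thin only needs to know the original scheme via X-Forwarded-Proto.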