Reverse proxy from HTTPS to HTTP from an unknown source location

luislavena · July 22, 2011, 10:43pm

I’ve searched these forums and the internet and haven’t found anyone
asking/answering this particular question. Hopefully I’m just missing
something obvious in the configuration options that make this easy…

I’ve got a configuration where nginx will listen on both HTTP and HTTPS,
and reverse proxy to a back-end server over only HTTP. This is a pretty
simple configuration, however, with the HTTPS connection, the back-end
server returns Location: headers with HTTP (instead of HTTPS) which need
to be fixed. I do this like so:

location / {
proxy_pass http://mybackendserver:8080;
proxy_redirect http://myknown.host.com/ https://$host:$server_port/;
}

This works when I know the host that will be returned to match (ex:
“myknown.host.com”), however, our target environment is a private
network where clients each NAT their own IP’s and internal DNS to access
this site over HTTPS.

In this environment, if a client DNS’d their route to our server as
https://companyx.com/their/application, I presume the return Location:
header would be “Location: http://companyx.com”, while I need to rewrite
it to use HTTPS as “Location: https://companxy.com”.

Based on the documentation and experimation, it does not appear I can
use any kind of variable or wildcard matching int he first portion of
the proxy_redirect configuration option.

Is there another way to accomplish this? The end goal is to reverse
proxy from HTTPS to a back-end HTTP server, and fix the Location:
headers on the responses to be HTTPS (as they should be, since the
client accessed the site over HTTPS).

I’m not opposed to changing the way I reverse proxy if that’s causing
the problem.

Thanks,

Posted at Nginx Forum:

alex.sherwin · July 23, 2011, 5:33am

normally, your backend server should do the redirect in a relative URL,
unless you really want to redirect to another host. That’s something
like

sendRedirct(“/redirectTo/anotherPath”);

In this way, the backend server will send redirect URL with the HOST
header specified in the request. In your case, it should be:

Location: http://mybackendserver:8080/redirectTo/anotherPath

If you don’t use “proxy_add_header Host xxxx”, nginx will the argument
specified in “proxy_pass” as the Host to the backend. And in this case,
the config:

proxy_redirect default;

Or
proxy_redirect http://mybackendserver:8080/ /;

will automatically handle everything.

If you insist to let the backend server do the FULL URL redirection, you
have to manually specify all possible proxy_redirect like this:

proxy_redirect <FULL URL 1> /;
proxy_redirect <FULL URL 2> /;
…

By the way, the first argument of “proxy_redirect” doesn’t support var.
If you specify a var, nginx doesn’t recognize it, and doesn’t report an
error too. It just considers it as literal.

Posted at Nginx Forum: