Ssl accelerator


#1

Hi

I m using nginx to configure ssl accelerator.Have specified the
following in my configuration file to accomplish the same:

upstream dev1.magazine.com{
     server dev1.magazine.com:8000;
          }

server {
listen 443;
server_name 192.168.8.31;
ssl on;
ssl_certificate server.crt;
ssl_certificate_key server.key;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-FORWARDED_PROTO https;
proxy_redirect false;
if (!-f $request_filename) {
proxy_pass http://dev1.magazine.com;
}
root html;
index index.html index.htm;
}

Setting the above things in my configuration file, i have my request say
https://192.168.8.31 being translated to http://dev1.magazine.com on
port 8000, but the page returned is over http instead of that being
https. Please help.

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,1545,1545#msg-1545


#2

If anybody out there can help me out.

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,1545,1582#msg-1582


#3

On Wed, Apr 29, 2009 at 10:08:49AM -0400, lovewadhwa wrote:

    listen       443;
        if (!-f $request_filename) {
        proxy_pass http://dev1.magazine.com;
        }
        root   html;
        index  index.html index.htm;
    }

Setting the above things in my configuration file, i have my request say https://192.168.8.31 being translated to http://dev1.magazine.com on port 8000, but the page returned is over http instead of that being https. Please help.

Probably, you need to rewrite redirects:

   proxy_redirect  http://dev1.magazine.com:8000/   /;

Also, it’s better to use this configuration

   location / {
       root   html;
       index  index.html index.htm;
       try_files  $uri  @magazine;
   }

   locaiton @magazine {
       proxy_set_header X-Real-IP $remote_addr;
       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
       proxy_set_header Host $http_host;
       proxy_set_header X-FORWARDED_PROTO https;

       proxy_pass http://dev1.magazine.com:8000;
   }

without “if” and “upstream dev1.magazine.com”.

By default

   proxy_pass      http://dev1.magazine.com:8000;

also adds

   proxy_redirect  http://dev1.magazine.com:8000/   /;

#4

Igor,

Can you explain why it’s better to use this format?

–J

Igor S. wrote:

Also, it’s better to use this configuration

   location / {
       root   html;
       index  index.html index.htm;
       try_files  $uri  @magazine;
   }

   locaiton @magazine {
       proxy_set_header X-Real-IP $remote_addr;
       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
       proxy_set_header Host $http_host;
       proxy_set_header X-FORWARDED_PROTO https;

       proxy_pass http://dev1.magazine.com:8000;
   }

without “if” and “upstream dev1.magazine.com”.

By default

   proxy_pass      http://dev1.magazine.com:8000;

also adds

   proxy_redirect  http://dev1.magazine.com:8000/   /;

#5

Hmm, that’s kinda hard to do with this block.

location / {
  root /var/www/crm;
  access_log off;

  index index.php index.html;
  fastcgi_param  SCRIPT_FILENAME  /var/www/crm/index.php;

  if (-f $request_filename) {
    expires 1d;
    break;
  }

  try_files $uri $uri/ /index.php?q=$uri;
}

I don’t see a way to take out the if block which should serve with
specific conditions if the file exists.


#6

On Fri, May 01, 2009 at 08:38:25AM +0200, Joe Bofh wrote:

    expires 1d;
    break;
  }

  try_files $uri $uri/ /index.php?q=$uri;
}

I don’t see a way to take out the if block which should serve with
specific conditions if the file exists.

 location / {
   root /var/www/crm;
   access_log off;

   index index.php index.html;
   expires 1d;

   try_files $uri $uri/ /index.php?q=$uri;
 }

 location ~ \.php$ {
   access_log off;

   fastcgi_param  SCRIPT_FILENAME  /var/www/crm/index.php;
   fastcgi_pass   ...
 }

#7

Thanks!

For the record, I have this now working with a bunch of different apps
such as sugarcrm.

location / {
  root /var/www/crm;
  access_log off;

  index index.php index.html;
  expires 1d;

  try_files $uri $uri/ /index.php?q=$uri;
}

location ~ \.php$ {
  fastcgi_pass   127.0.0.1:9000;
  fastcgi_index  index.php;
  fastcgi_buffer_size 128k;
  fastcgi_buffers 4 256k;
  fastcgi_param  SCRIPT_FILENAME  /var/www/crm$fastcgi_script_name;
  include        /usr/local/nginx/conf/fastcgi_params;
}

#8

Igor,

While I have your attention, is there a better way to write status
blocks than the following? I figure this would be useful information for
everyone.

error_page 500 502 503 504 /500.html;
location = /500.html {
  expires 5d;
  root /var/www/crm;
}

error_page 404 /404/index.php;
location = /404/index.php {
  expires 5d;
  root /var/www/crm;
}

#9

On Fri, May 01, 2009 at 10:15:44AM +0200, Joe Bofh wrote:

}

error_page 404 /404/index.php;
location = /404/index.php {
  expires 5d;
  root /var/www/crm;
}
  1. “expires” works only for 200, 204, 301, 302, and 304 responses.
  2. /404/index.php will be handled as static file.
  3. “root” may be set on server level, if it’s common for server.

#10

On Fri, May 01, 2009 at 12:49:21AM +0200, Joe Bofh wrote:

Igor,

Can you explain why it’s better to use this format?

Due to unbethought implementation “if” may work not so as you expect.
Probably, the only natural usage is:

 if (...) {
     return 403;
 }

and

 if (...) {
     rewrite  ...   last;
 }

The following examples

 if (...) {
     rewrite  ...   break;
 }

 if (...) {
     break;
 }

have may drawbacks.

As to “upstream”, you do not need it for single upstream server and
using real host in proxy_pass allow to use default proxy_redirect.

With upstream you should add

   proxy_redirect  http://dev1.magazine.com:8000/   /;

because default proxy_redirect will be without port

   proxy_redirect  http://dev1.magazine.com/   /;