Forum: NGINX ssl accelerator

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- und Ruby-related community platforms.
2974d09ac2541e892966b762aad84943?d=identicon&s=25 lovewadhwa (Guest)
on 2009-04-29 16:16
(Received via mailing list)
Hi

I m using nginx to configure ssl accelerator.Have specified the
following in my configuration file to accomplish the same:

    upstream dev1.magazine.com{
         server dev1.magazine.com:8000;
              }


server {
        listen       443;
        server_name  192.168.8.31;
        ssl on;
        ssl_certificate server.crt;
        ssl_certificate_key server.key;
        location / {
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
            proxy_set_header X-FORWARDED_PROTO https;
            proxy_redirect false;
            if (!-f $request_filename) {
            proxy_pass http://dev1.magazine.com;
            }
            root   html;
            index  index.html index.htm;
        }

Setting the above things in my configuration file, i have my request say
https://192.168.8.31 being translated to http://dev1.magazine.com on
port 8000, but the page returned is over http instead of that being
https. Please help.

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,1545,1545#msg-1545
2974d09ac2541e892966b762aad84943?d=identicon&s=25 lovewadhwa (Guest)
on 2009-04-30 13:31
(Received via mailing list)
If anybody out there can help me out.

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,1545,1582#msg-1582
5640e332954fc0006aea97a155ce0afd?d=identicon&s=25 Igor Sysoev (Guest)
on 2009-04-30 14:19
(Received via mailing list)
On Wed, Apr 29, 2009 at 10:08:49AM -0400, lovewadhwa wrote:

>         listen       443;
>             if (!-f $request_filename) {
>             proxy_pass http://dev1.magazine.com;
>             }
>             root   html;
>             index  index.html index.htm;
>         }
>
> Setting the above things in my configuration file, i have my request say 
https://192.168.8.31 being translated to http://dev1.magazine.com on port 8000, but the 
page returned is over http instead of that being https. Please help.

Probably, you need to rewrite redirects:

       proxy_redirect  http://dev1.magazine.com:8000/   /;

Also, it's better to use this configuration

       location / {
           root   html;
           index  index.html index.htm;
           try_files  $uri  @magazine;
       }

       locaiton @magazine {
           proxy_set_header X-Real-IP $remote_addr;
           proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_set_header Host $http_host;
           proxy_set_header X-FORWARDED_PROTO https;

           proxy_pass http://dev1.magazine.com:8000;
       }

without "if" and "upstream dev1.magazine.com".

By default

       proxy_pass      http://dev1.magazine.com:8000;

also adds

       proxy_redirect  http://dev1.magazine.com:8000/   /;
5923944e339711de2c4dc21659cc517f?d=identicon&s=25 Jb jb (icebofh)
on 2009-05-01 00:49
Igor,

Can you explain why it's better to use this format?

--J

Igor Sysoev wrote:

>
> Also, it's better to use this configuration
>
>        location / {
>            root   html;
>            index  index.html index.htm;
>            try_files  $uri  @magazine;
>        }
>
>        locaiton @magazine {
>            proxy_set_header X-Real-IP $remote_addr;
>            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>            proxy_set_header Host $http_host;
>            proxy_set_header X-FORWARDED_PROTO https;
>
>            proxy_pass http://dev1.magazine.com:8000;
>        }
>
> without "if" and "upstream dev1.magazine.com".
>
> By default
>
>        proxy_pass      http://dev1.magazine.com:8000;
>
> also adds
>
>        proxy_redirect  http://dev1.magazine.com:8000/   /;
5640e332954fc0006aea97a155ce0afd?d=identicon&s=25 Igor Sysoev (Guest)
on 2009-05-01 08:04
(Received via mailing list)
On Fri, May 01, 2009 at 12:49:21AM +0200, Joe Bofh wrote:

> Igor,
>
> Can you explain why it's better to use this format?

Due to unbethought implementation "if" may work not so as you expect.
Probably, the only natural usage is:

     if (...) {
         return 403;
     }

and

     if (...) {
         rewrite  ...   last;
     }

The following examples

     if (...) {
         rewrite  ...   break;
     }

     if (...) {
         break;
     }

have may drawbacks.

As to "upstream", you do not need it for single upstream server and
using real host in proxy_pass allow to use default proxy_redirect.

With upstream you should add

       proxy_redirect  http://dev1.magazine.com:8000/   /;

because default proxy_redirect will be without port

       proxy_redirect  http://dev1.magazine.com/   /;
5923944e339711de2c4dc21659cc517f?d=identicon&s=25 Jb jb (icebofh)
on 2009-05-01 08:38
Hmm, that's kinda hard to do with this block.

    location / {
      root /var/www/crm;
      access_log off;

      index index.php index.html;
      fastcgi_param  SCRIPT_FILENAME  /var/www/crm/index.php;

      if (-f $request_filename) {
        expires 1d;
        break;
      }

      try_files $uri $uri/ /index.php?q=$uri;
    }


I don't see a way to take out the if block which should serve with
specific conditions if the file exists.
5640e332954fc0006aea97a155ce0afd?d=identicon&s=25 Igor Sysoev (Guest)
on 2009-05-01 08:54
(Received via mailing list)
On Fri, May 01, 2009 at 08:38:25AM +0200, Joe Bofh wrote:

>         expires 1d;
>         break;
>       }
>
>       try_files $uri $uri/ /index.php?q=$uri;
>     }
>
>
> I don't see a way to take out the if block which should serve with
> specific conditions if the file exists.

     location / {
       root /var/www/crm;
       access_log off;

       index index.php index.html;
       expires 1d;

       try_files $uri $uri/ /index.php?q=$uri;
     }

     location ~ \.php$ {
       access_log off;

       fastcgi_param  SCRIPT_FILENAME  /var/www/crm/index.php;
       fastcgi_pass   ...
     }
5923944e339711de2c4dc21659cc517f?d=identicon&s=25 Jb jb (icebofh)
on 2009-05-01 10:13
Thanks!

For the record, I have this now working with a bunch of different apps
such as sugarcrm.


    location / {
      root /var/www/crm;
      access_log off;

      index index.php index.html;
      expires 1d;

      try_files $uri $uri/ /index.php?q=$uri;
    }

    location ~ \.php$ {
      fastcgi_pass   127.0.0.1:9000;
      fastcgi_index  index.php;
      fastcgi_buffer_size 128k;
      fastcgi_buffers 4 256k;
      fastcgi_param  SCRIPT_FILENAME  /var/www/crm$fastcgi_script_name;
      include        /usr/local/nginx/conf/fastcgi_params;
    }
5923944e339711de2c4dc21659cc517f?d=identicon&s=25 Jb jb (icebofh)
on 2009-05-01 10:15
Igor,

While I have your attention, is there a better way to write status
blocks than the following? I figure this would be useful information for
everyone.



    error_page 500 502 503 504 /500.html;
    location = /500.html {
      expires 5d;
      root /var/www/crm;
    }

    error_page 404 /404/index.php;
    location = /404/index.php {
      expires 5d;
      root /var/www/crm;
    }
5640e332954fc0006aea97a155ce0afd?d=identicon&s=25 Igor Sysoev (Guest)
on 2009-05-01 10:47
(Received via mailing list)
On Fri, May 01, 2009 at 10:15:44AM +0200, Joe Bofh wrote:

>     }
>
>     error_page 404 /404/index.php;
>     location = /404/index.php {
>       expires 5d;
>       root /var/www/crm;
>     }

1) "expires" works only for 200, 204, 301, 302, and 304 responses.
2) /404/index.php will be handled as static file.
3) "root" may be set on server level, if it's common for server.
This topic is locked and can not be replied to.