Forum: NGINX Invalid ports added in redirects on AWS EC2 nginx

2974d09ac2541e892966b762aad84943?d=identicon&s=25 allang (Guest)
on 2014-06-01 19:48
(Received via mailing list)
On AWS, I'm trying to migrate a PHP Symfony app running on nginx. I want
to
be able to test the app by directly talking to the EC2 server and via an
Elastic Load Balancer (ELB -the public route in).

I've setup the ELB to decrypt all the SSL traffic and pass this on to my
EC2
server via port 80, as well as pass port 80 directly onto my EC2 server
via
port 80.

Initially this caused infinite redirects in my app but I researched and
then
fixed this by adding

fastcgi_param HTTPS $https;
with some custom logic that looks at $http_x_forwarded_proto to figure
out
when its actually via SSL.

There remains one issue I can't solve. When a user logs into the Symfony
app, if they come via the ELB, the form POST eventually returns a
redirect
back to https://elb.mysite.com:80/dashboard instead of
https://elb.mysite.com/dashboard which gives the user an error of "SSL
connection error".

I've tried setting

fastcgi_param SERVER_PORT $fastcgi_port;
to force it away from 80 and I've also added the

port_in_redirect off
directive but both make no difference.

The only way I've found to fix this is to alter the ELB 443 listener to
pass
traffic via https. The EC2 server has a self certified SSL certificate
configured. But this means the EC2 server is wasting capacity performing
this unnecessary 2nd decryption.

Any help very much appreciated. Maybe there is a separate way within
nginx
of telling POST requests to not apply port numbers?

Nginx vhost config:
server {
        port_in_redirect off;

        listen 80;
        listen 443 ssl;

        ssl_certificate /etc/nginx/ssl/mysite.com/self-ssl.crt;
        ssl_certificate_key /etc/nginx/ssl/mysite.com/self-ssl.key;

        # Determine if HTTPS being used either locally or via ELB
        set $fastcgi_https off;
        set $fastcgi_port 80;
        if ( $http_x_forwarded_proto = 'https' ) {
          # ELB is using https
          set $fastcgi_https on;
#          set $fastcgi_port 443;
        }
        if ( $https = 'on' ) {
          # Local connection is using https
          set $fastcgi_https on;
#          set $fastcgi_port 443;
        }

        server_name *.mysite.com
my-mysite-com-1234.eu-west-1.elb.amazonaws.com;

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log error;

        rewrite ^/app\.php/?(.*)$ /$1 permanent;

        location / {
                port_in_redirect off;
                root /var/www/vhosts/mysite.com/web;
                index app.php index.php index.html index.html;
                try_files $uri @rewriteapp;
        }

        location ~* \.(jpg|jpeg|gif|png)$ {
               root /var/www/vhosts/mysite.com/web;
               access_log off;
               log_not_found off;
               expires 30d;
        }

        location ~* \.(css|js)$ {
                root /var/www/vhosts/mysite.com/web;
                access_log off;
                log_not_found off;
                expires 2h;
        }

        location @rewriteapp {
           rewrite ^(.*)$ /app.php/$1 last;
        }

        location ~ ^/(app|app_dev|config)\.php(/|$) {
                port_in_redirect off;
                fastcgi_pass   127.0.0.1:9000;
                fastcgi_split_path_info ^(.+\.php)(/.*)$;
                fastcgi_param HTTPS $fastcgi_https;
#                fastcgi_param SERVER_PORT $fastcgi_port;
                #fastcgi_index  index.php;
                fastcgi_param  SCRIPT_FILENAME
/var/www/vhosts/mysite.com/web$fastcgi_script_name;
                include fastcgi_params;
        }
}

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,250545,250545#msg-250545
A8108a0961c6087c43cda32c8616dcba?d=identicon&s=25 Maxim Dounin (Guest)
on 2014-06-02 17:32
(Received via mailing list)
Hello!

On Sun, Jun 01, 2014 at 01:48:09PM -0400, allang wrote:

>
> I've tried setting
>
> fastcgi_param SERVER_PORT $fastcgi_port;
> to force it away from 80 and I've also added the

[...]

>                 fastcgi_param HTTPS $fastcgi_https;
> #                fastcgi_param SERVER_PORT $fastcgi_port;
>                 #fastcgi_index  index.php;
>                 fastcgi_param  SCRIPT_FILENAME
> /var/www/vhosts/mysite.com/web$fastcgi_script_name;
>                 include fastcgi_params;

Make sure you've commented out SERVER_PORT from the fastcgi_params
file.

--
Maxim Dounin
http://nginx.org/
Aa465f1e3edb041cfc0a58da2f51acd7?d=identicon&s=25 ron ramos (Guest)
on 2014-06-02 18:08
(Received via mailing list)
how about binding it to another port like 8080. so elb will receive
request
as https port 443 and send it to ec2 instance via http port 8080. will
that
help?

regards,
nhadie
2974d09ac2541e892966b762aad84943?d=identicon&s=25 allang (Guest)
on 2014-06-02 18:45
(Received via mailing list)
That's fixed it !  Thanks Maxim.  You are a lifesaver.  Much
appreciated.

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,250545,250586#msg-250586
Please log in before posting. Registration is free and takes only a minute.
Existing account

NEW: Do you have a Google/GoogleMail, Yahoo or Facebook account? No registration required!
Log in with Google account | Log in with Yahoo account | Log in with Facebook account
No account? Register here.