Proxy HTTPS requests to a HTTP backend with NGINX

Question

I have nginx configured to be my externally visible webserver which talks to a backend over HTTP.

The scenario I want to achieve is:

Client makes HTTP request to nginx which is redirect to the same URL but over HTTPS
nginx proxies request over HTTP to the backend
nginx receives response from backend over HTTP.
nginx passes this back to the client over HTTPS

My current config (where backend is configured correctly) is:

server {
        listen       80;
        server_name  localhost;

        location ~ .* {
            proxy_pass http://backend;
            proxy_redirect http://backend https://$host;
            proxy_set_header Host $host;
            }
        }

My problem is the response to the client (step 4) is sent over HTTP not HTTPS. Any ideas?

ALex_hha · Answer 1 · 2016-01-20T11:52:07.230

I'm using the following config in production

server {
    listen xxx.xxx.xxx.xxx:80;
    server_name www.example.net;

    rewrite ^(.*) https://$server_name$1 permanent;
}

server {
    listen xxx.xxx.xxx.xxx:443;
    server_name www.example.net;

    root   /vhosts/www.example.net;

    ssl                  on;
    ssl_certificate      /etc/pki/nginx/www.example.net.crt;
    ssl_certificate_key  /etc/pki/nginx/www.example.net.key;

    ssl_prefer_server_ciphers on;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    ssl_dhparam /etc/pki/nginx/dh2048.pem;

    # intermediate configuration. tweak to your needs.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

score 11 · Accepted Answer · answered May 26 '10 at 09:49

The type of proxy you are trying to set up is called a reverse proxy. A quick search for reverse proxy nginx got me this page:

http://intranation.com/entries/2008/09/using-nginx-reverse-proxy/

In addition to adding some useful features like an X-Forwarded-For header (which will give your app visibility into the actual source IP), it specifically does:

proxy_redirect off

Good luck! :)

score -3 · Answer 3 · answered Apr 05 '17 at 02:40

-3

server {

    listen 80;
    server_name www.example.net example.net;

   rewrite ^/(.*)$ https://$host$request_uri? permanent; 
}

server {
  listen 443;
  server_name www.example.net example.net;
  .....................

answered Apr 05 '17 at 02:40

Zhang Jun

1

Proxy HTTPS requests to a HTTP backend with NGINX

3 Answers3

Linked