using nginx reverse proxy, to HTTPS Abyss server

 
Lawrence
-


Joined: 16 Jan 2003
Posts: 205
Location: Brisbane, AU

Posted: Tue Oct 03, 2017 2:33 am    Post subject: using nginx reverse proxy, to HTTPS Abyss server

I'm running a web app that only works with Linux, and it uses websockets which Abyss doesn't support. So I put the Linux box up front, and it uses a reverse proxy to send all other requests to the Abyss server, and this works fine.

But I want to transition all my domains to HTTPS, and I can't make this work no matter what I try. I spent hours on it and gave up several months ago, so I don't have a really fresh memory of what I tried, but I need to get it sorted out now, so I'm going to dive back in.

My question is: should this work? Can I use nginx to handle the HTTPS part and retrieve content from Abyss insecurely? This would simplify things greatly because having to manually sort out the Let's Encrypt certs for a dozen domains will suck.

To be clear:

Internet <-> my nginx box <-> Abyss server

Should it work? If so, can anyone assist with the implementation?
pkSML
-


Joined: 29 May 2006
Posts: 876
Location: Michigan, USA

Posted: Tue Oct 10, 2017 4:04 am

Hello Lawrence. What you want to do would work. Nginx can handle SSL for you. You can make it reverse proxy the web content from Abyss in a non-secured fashion. (You could probably secure the connection between nginx and Abyss, but if they're on the same machine, that's kind of pointless :)

I had to set up nginx on a Debian box to troubleshoot a problem with Abyss.

Here is a condensed version of my default configuration file (/etc/nginx/sites-available/default):

Note: Abyss and nginx were running on the same machine for my setup. I proxied all domains on both ports 80 and 443 to Abyss.

Further note: If all your domains that need to be secured are covered in one certificate, this config would work wonderfully. If you have multiple certs to cover all your domains, you'll need to create a new server block for each cert and list all domains on that cert in that server block's server_name field ( ex: server_name example.org www.example.org; ). Hope that makes sense!

Code:
# Default server configuration

# Plain HTTP: proxy every hostname on port 80 to Abyss
server {
#   listen 80;
    listen 80 default_server;
    # https://serverfault.com/questions/638367/do-you-need-separate-ipv4-and-ipv6-listen-directives-in-nginx
    listen [::]:80 default_server;
#   server_name *.example.org; #change to your website URL
    server_name _;

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://127.0.0.1:8080;
    }
}

# HTTPS: nginx terminates TLS, then proxies to the HTTPS listener on 127.0.0.1:4430
server {
    # "ssl" on the listen directive replaces the separate "ssl on;" directive,
    # which is deprecated and has been removed from current nginx releases
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;

    server_name _;

    # SET THESE FILES TO YOUR PATHS
    ssl_certificate     /etc/letsencrypt/live/yourdomain.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.net/privkey.pem;
    # IF YOU'RE NOT USING DIFFIE-HELLMAN, COMMENT OUT THE LINE BELOW
    ssl_dhparam         /dh_2048.pem;

    ssl_session_cache builtin:1000 shared:SSL:10m;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); drop them unless legacy clients need them
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass https://127.0.0.1:4430;
    }

    # good info: https://michael.lustfield.net/nginx/getting-a-perfect-ssl-labs-score
    # more good info: https://scaron.info/blog/improve-your-nginx-ssl-configuration.html
    gzip off;
}

_________________
Stephen
Need a LitlURL?


http://CodeBin.yi.org
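
The arrangement described in the reply above, with nginx terminating TLS, fetching from Abyss over plain HTTP, and using one server block per certificate, as an added example that is not pkSML's own config. Assumptions: example.org and example.net are placeholder domains on two separate certificates, the certificate paths follow the Let's Encrypt layout shown in the post, and Abyss answers plain HTTP on 127.0.0.1:8080 as in the post's port-80 block.

```nginx
# Added example. Domains, cert paths and the backend address are assumptions.

# Port 80: send every plain-HTTP request to the HTTPS site of the same name.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
}

# Certificate 1: server_name lists every hostname that this cert covers.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.org www.example.org;

    ssl_certificate     /etc/letsencrypt/live/example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-Host  $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        # Tells the backend the client connected over HTTPS.
        proxy_set_header X-Forwarded-Proto $scheme;
        # TLS ends at nginx, so this hop is cleartext: keep it on loopback
        # or a trusted network segment.
        proxy_pass http://127.0.0.1:8080;
    }
}

# Certificate 2: a separate block, so each name is served its matching cert.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.net www.example.net;

    ssl_certificate     /etc/letsencrypt/live/example.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.net/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-Host  $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://127.0.0.1:8080;
    }
}
```

A hostname that matches no server_name falls through to the first 443 block and is served that block's certificate, which the browser reports as a name mismatch; `nginx -t` checks the syntax before a reload.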
Lawrence
-


Joined: 16 Jan 2003
Posts: 205
Location: Brisbane, AU

Posted: Wed Oct 11, 2017 2:27 am

That's awesome, thank you pkSML.

I tried to configure exactly this and all I got for my trouble was improper cert warnings in the browser. Definitely didn't get it quite right.

I'll slam this in and see how it goes. ^_^