using nginx reverse proxy, to HTTPS Abyss server

 
Post new topic   Reply to topic    Aprelium Forum Index -> General Questions
View previous topic :: View next topic  
Author Message
Lawrence
-


Joined: 16 Jan 2003
Posts: 207
Location: Brisbane, AU

PostPosted: Tue Oct 03, 2017 2:33 am    Post subject: using nginx reverse proxy, to HTTPS Abyss server Reply with quote

I'm running a web app that only works with Linux, and it uses websockets which Abyss doesn't support. So I put the Linux box up front, and it uses a reverse proxy to send all other requests to the Abyss server, and this works fine.

But I want to transition all my domains to HTTPS, and I can't make this work no matter what I try. I spent hours on it and gave up several months ago, so I don't have a really fresh memory of what I tried, but I need to get it sorted out now, so I'm going to dive back in.

My question is: should this work? Can I use nginx to handle the HTTPS part and retrieve content from Abyss insecurely? This would simplify things greatly because having to manually sort out the Let's Encrypt certs for a dozen domains will suck.

To be clear:

Internet <-> my nginx box <-> Abyss server

Should it work? If so, can anyone assist with the implementation?
Back to top View user's profile Send private message Visit poster's website ICQ Number
pkSML
-


Joined: 29 May 2006
Posts: 952
Location: Michigan, USA

PostPosted: Tue Oct 10, 2017 4:04 am    Post subject: Reply with quote

Hello Lawrence. What you want to do would work. Nginx can handle SSL for you. You can make it reverse proxy the web content from Abyss in a non-secured fashion. (You could probably secure the connection between nginx and Abyss, but if they're on the same machine, that's kind of pointless :)

I had to set up nginx on a Debian box to troubleshoot a problem with Abyss.

Here is a condensed version of my default configuration file (/etc/nginx/sites-available/default):

Note: Abyss and nginx were running on the same machine for my setup. I proxied all domains on both ports 80 and 443 to Abyss.

Further note: If all your domains that need to be secured are covered in one certificate, this config would work wonderfully. If you have multiple certs to cover all your domains, you'll need to create a new server block for each cert and list all domains on that cert in that server block's server_name field ( ex: server_name example.org www.example.org; ). Hope that makes sense!

Code:
# Default server configuration

server {

#   listen 80;
   listen 80 default_server;
   # https://serverfault.com/questions/638367/do-you-need-separate-ipv4-and-ipv6-listen-directives-in-nginx
   listen [::]:80 default_server;
#       server_name *.example.org; #change to your website URL
        server_name _;
        location / {
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-Host $host;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_pass http://127.0.0.1:8080;
        }
}

server {
   listen 443 default_server;
   listen [::]:443 default_server;

   server_name _;

   #SET THESE FILES TO YOUR PATHS
   ssl_certificate     /etc/letsencrypt/live/yourdomain.net/fullchain.pem;
   ssl_certificate_key /etc/letsencrypt/live/yourdomain.net/privkey.pem;
   #IF YOU'RE NOT USING DIFFIE-HELMAN, COMMENT OUT THE LINE BELOW
   ssl_dhparam         /dh_2048.pem;

   ssl on;
   ssl_session_cache builtin:1000 shared:SSL:10m;
   ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
   ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
   ssl_prefer_server_ciphers on;

        location / {
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-Host $host;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_pass https://127.0.0.1:4430;
        }

   # good info: https://michael.lustfield.net/nginx/getting-a-perfect-ssl-labs-score
   # more good info: https://scaron.info/blog/improve-your-nginx-ssl-configuration.html
   gzip off;
}

_________________
Stephen
Need a LitlURL?


http://CodeBin.yi.org
Back to top View user's profile Send private message Visit poster's website
Lawrence
-


Joined: 16 Jan 2003
Posts: 207
Location: Brisbane, AU

PostPosted: Wed Oct 11, 2017 2:27 am    Post subject: Reply with quote

That's awesome, thank you pkSML.

I tried to configure exactly this and all I got for my trouble was improper cert warnings in the browser. Definitely didn't get it quite right.

I'll slam this in and see how it goes. ^_^
Back to top View user's profile Send private message Visit poster's website ICQ Number
Lawrence
-


Joined: 16 Jan 2003
Posts: 207
Location: Brisbane, AU

PostPosted: Sun Nov 05, 2017 10:49 pm    Post subject: Reply with quote

Alright! I finally had some time to sink my teeth into this job, and I got it working after about four hours of beating my head against all kinds of tricky bits. Thanks again for your help. ^_^

My situation was different from yours, as I'm running Abyss on a different machine behind the nginx reverse proxy. My config includes a bit of leftover stuff from my all-sites non-HTTPS setup.

First, the non-HTTPs segment simply redirects all insecure requests to their HTTPS equivalents with a 301 redirect, except the .well-known directory, which certbot uses for the Let's Encrypt authentication.

Code:
server {
    listen 80;

    server_name example.com www.example.com;

    root /var/www/example;

    location /.well-known/acme-challenge { allow all; }
    location / { return 301 https://$host$request_uri; }
}


For the most part my HTTPS setup was the same as yours. Critically thought I had to add this line to it:

Code:
     proxy_set_header X-Forwarded-Proto https


Without this it wouldn't work.

And then Wordpress had a heap of trouble with endless redirect timeouts, until I followed these instructions. Turns out WP doesn't like switching to HTTPS when it's behind a reverse proxy, and even after I fixed all the hard-coded HTTP links in the code, I couldn't access the admin panel at all.

Code:
server {
  listen 443 ssl http2;

  server_name example.com www.example.com;

  #SET THESE FILES TO YOUR PATHS
  ssl_certificate     /etc/letsencrypt/live/---/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/---/privkey.pem;

  ssl on;

  ssl_protocols TLSv1.2;
  ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA;
  ssl_prefer_server_ciphers on;
  ssl_session_cache shared:SSL:10m;


  location / {
    proxy_pass_header Authorization;
    proxy_pass http://192.168.0.x;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    proxy_set_header X-Forwarded-Proto https;

    proxy_http_version 1.1;
    proxy_set_header Connection "";
    proxy_buffering off;
    client_max_body_size 0;
    proxy_read_timeout 36000s;
    proxy_redirect off;
    fastcgi_param REMOTE_ADDR $http_x_real_ip;
  }

  gzip on;
}
Back to top View user's profile Send private message Visit poster's website ICQ Number
allensmith
-


Joined: 25 Jan 2019
Posts: 1

PostPosted: Fri Jan 25, 2019 1:33 pm    Post subject: Reply with quote

nice information.
Back to top View user's profile Send private message
Display posts from previous:   
Post new topic   Reply to topic    Aprelium Forum Index -> General Questions All times are GMT + 1 Hour
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum


Powered by phpBB phpBB Group