Need SSL state to be visible behind a double nginx proxy

Nick Pearson nick.pearson at gmail.com
Thu Oct 30 23:29:47 MSK 2008


I'm going to try tonight to get this working as you have suggested.  I'm
hoping that I'll be able to do it without using too many IPs, because then
I'll run into my original problem (the IP limit imposed by my hosting
provider).  I believe your solution of listening on the same IP on multiple
ports should work, though.  I'll just assign two listen ports on the
back-end nginx for each site -- one for http and one for https.  I imagine
it'll look something like this when I'm finished:

    ###  front-end nginx  ###

    # main nginx config
    http {
      upstream backend_server_http {
        server  10.10.1.1:2000;
      }
      upstream backend_server_https {
        server  10.10.1.1:2001;
      }
    }

    # front-end server (http) for domain.com
    server {
      listen  80;
      server_name  domain.com;
      location / {
        proxy_pass  http://backend_server_http;
      }
    }
    # front-end server (https) for domain.com
    server {
      listen  209.20.2.2:443;
      server_name  domain.com;
      ssl  on;
      location / {
        proxy_pass  http://backend_server_https;
      }
    }

    ###  back-end nginx  ###

    # main nginx config
    http {
      upstream app_servers {
        server  0.0.0.0:3000;
        server  0.0.0.0:3001;
      }
    }

    # back-end server (http) for domain.com
    server {
      listen  10.10.1.1:2000;
      server_name  domain.com;
      location / {
        proxy_pass  http://app_servers;
      }
    }
    # back-end server (https) for domain.com
    server {
      listen  10.10.1.1:2001;
      server_name  domain.com;
      location / {
        proxy_set_header  X_FORWARDED_PROTO  https;
        proxy_pass  http://app_servers;
      }
    }

I believe this is what you've described, and I also believe that it will
work.  Requests for http://domain.com will be proxied upstream to
backend_server_http (at 10.10.1.1:2000), which will proxy to the Rails app
servers with no X_FORWARDED_PROTO being set explicitly.  Requests for
https://domain.com will be proxied upstream to backend_server_https (at
10.10.1.1:2001), which will proxy to the Rails app servers with the
X_FORWARDED_PROTO header being set explicitly to https.

Thanks again for the suggestion.  I'll send an e-mail back to this list once
I've given this a try.

Nick


On Thu, Oct 30, 2008 at 2:05 PM, Rob Schultz <lists at ruby-forum.com> wrote:

> Hi,
>   I am not sure if you can use the port in the server_name directive. I
> think you need to add listen directives.
>
> Note I could be totally off on this but this is a very very simplistic
> view of what I was trying to accomplish
> http://pastie.org/private/xufufgttegqe9pc5qgea
>
> Basically demo'ing 3 different server configs with 2 being your
> "frontend" servers for doing SSL and then having 1 server listening on
> two ports and manually setting the protocol on the second when it is
> passed onto rails.
>
> V/r
> Rob