Using nginx as ssl terminator in front of load balancer

tnine nginx-forum at nginx.us
Fri Mar 11 06:30:23 MSK 2011


Hi all,
  We have an existing load balancer with haproxy, and we'd like to use
Nginx to act as our SSL decryption service.  We chose haproxy over
nginx for load balancing because we need more TCP load balancing than
http balancing for our application.  I'm attempting to set up the
following request path through our systems.


HTTP --> haproxy --> jetty

HTTPS --> NGINX --> haproxy --> jetty.


Our application requires sticky session, and I'm using cookie entries in
the haproxy layer to "stick" the client to a back end system.  This is
working well with HTTP.  However, when using HTTPS, I find that we seem
to be getting randomly redirected to a new server.  I'm unsure if this
is due to nginx passing something incorrectly to haproxy due to my
configuration, or if haproxy is missing the cookie.  Here is my nginx
configuration file for ssl.

server {
  listen   443;

  ssl on;
  ssl_certificate        /etc/ssl/nginx.crt;
  ssl_certificate_key    /etc/ssl/nginx.key;

  server_name  <%= node[:hostname] %>;

  access_log  <%= node[:nginx][:log_dir] %>/ssl.access.log;

  location / {
    proxy_pass         http://127.0.0.1:8080/;
    proxy_redirect     off;

    proxy_set_header   Host             $host;
    proxy_set_header   X-Real-IP        $remote_addr;
    proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
  }
}

I'm using version nginx/0.7.67 on Ubuntu 10.10 server and configuring it
with chef.  Obviously the ruby variables are replaced with real paths. 


Whenever a client connects to nginx it correctly connects to haproxy and
my request is forwarded to a Jetty node.  My cookie is returned with
both my JSESSIONID and the node I'm attached to.  However, we use AJAX
validation.  As soon as a user exits a field, it's validated.  This
sends an AJAX http post to the server.  

Instead of getting a response from the post, I seem to be constantly
getting a redirect with a new JSESSIONID.  I'm by no means a guru with
nginx or haproxy, so I may have missed something obvious.  For clarity
I've also included my haproxy config.  Any ideas what could be
causing this?  Firefox seems to work fine, however Chrome is always
redirecting the user.

haproxy config

listen logbookapp 0.0.0.0:80
  balance leastconn
  #Make sure the aviator app has been loaded
  option httpchk /aviator/home
  option httplog
  option forwardfor
  log global
  cookie SERVERID insert nocache indirect
  server ip-10-160-90-137 10.160.90.137:8080 cookie ip-10-160-90-137 weight 1 maxconn 300 check
  server ip-10-168-126-182 10.168.126.182:8080 cookie ip-10-168-126-182 weight 1 maxconn 300 check
  server ip-10-167-9-170 10.167.9.170:8080 cookie ip-10-167-9-170 weight 1 maxconn 300 check
  server deadbug 10.160.90.137:81 backup



Thanks,
Todd

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,182181,182181#msg-182181



