Invalid ports added in redirects on AWS EC2 nginx

ron ramos nhadie at gmail.com
Mon Jun 2 16:08:17 UTC 2014


How about binding it to another port like 8080? So the ELB will receive the
request as HTTPS on port 443 and send it to the EC2 instance via HTTP on port
8080. Will that help?

regards,
nhadie
On 2 Jun 2014 01:48, "allang" <nginx-forum at nginx.us> wrote:

> On AWS, I'm trying to migrate a PHP Symfony app running on nginx. I want to
> be able to test the app by directly talking to the EC2 server and via an
> Elastic Load Balancer (ELB - the public route in).
>
> I've set up the ELB to decrypt all the SSL traffic and pass this on to my EC2
> server via port 80, as well as pass port 80 directly onto my EC2 server via
> port 80.
>
> Initially this caused infinite redirects in my app but I researched and then
> fixed this by adding
>
> fastcgi_param HTTPS $https;
> with some custom logic that looks at $http_x_forwarded_proto to figure out
> when it's actually via SSL.
>
> There remains one issue I can't solve. When a user logs into the Symfony
> app, if they come via the ELB, the form POST eventually returns a redirect
> back to https://elb.mysite.com:80/dashboard instead of
> https://elb.mysite.com/dashboard which gives the user an error of "SSL
> connection error".
>
> I've tried setting
>
> fastcgi_param SERVER_PORT $fastcgi_port;
> to force it away from 80 and I've also added the
>
> port_in_redirect off
> directive but both make no difference.
>
> The only way I've found to fix this is to alter the ELB 443 listener to pass
> traffic via https. The EC2 server has a self-certified SSL certificate
> configured. But this means the EC2 server is wasting capacity performing
> this unnecessary 2nd decryption.
>
> Any help very much appreciated. Maybe there is a separate way within nginx
> of telling POST requests to not apply port numbers?
>
> Nginx vhost config:
> server {
>         port_in_redirect off;
>
>         listen 80;
>         listen 443 ssl;
>
>         ssl_certificate /etc/nginx/ssl/mysite.com/self-ssl.crt;
>         ssl_certificate_key /etc/nginx/ssl/mysite.com/self-ssl.key;
>
>         # Determine if HTTPS being used either locally or via ELB
>         set $fastcgi_https off;
>         set $fastcgi_port 80;
>         if ( $http_x_forwarded_proto = 'https' ) {
>           # ELB is using https
>           set $fastcgi_https on;
> #          set $fastcgi_port 443;
>         }
>         if ( $https = 'on' ) {
>           # Local connection is using https
>           set $fastcgi_https on;
> #          set $fastcgi_port 443;
>         }
>
>         server_name *.mysite.com my-mysite-com-1234.eu-west-1.elb.amazonaws.com;
>
>         access_log /var/log/nginx/access.log;
>         error_log /var/log/nginx/error.log error;
>
>         rewrite ^/app\.php/?(.*)$ /$1 permanent;
>
>         location / {
>                 port_in_redirect off;
>                 root /var/www/vhosts/mysite.com/web;
>                 index app.php index.php index.html index.html;
>                 try_files $uri @rewriteapp;
>         }
>
>         location ~* \.(jpg|jpeg|gif|png)$ {
>                root /var/www/vhosts/mysite.com/web;
>                access_log off;
>                log_not_found off;
>                expires 30d;
>         }
>
>         location ~* \.(css|js)$ {
>                 root /var/www/vhosts/mysite.com/web;
>                 access_log off;
>                 log_not_found off;
>                 expires 2h;
>         }
>
>         location @rewriteapp {
>            rewrite ^(.*)$ /app.php/$1 last;
>         }
>
>         location ~ ^/(app|app_dev|config)\.php(/|$) {
>                 port_in_redirect off;
>                 fastcgi_pass   127.0.0.1:9000;
>                 fastcgi_split_path_info ^(.+\.php)(/.*)$;
>                 fastcgi_param HTTPS $fastcgi_https;
> #                fastcgi_param SERVER_PORT $fastcgi_port;
>                 #fastcgi_index  index.php;
>                 fastcgi_param  SCRIPT_FILENAME /var/www/vhosts/mysite.com/web$fastcgi_script_name;
>                 include fastcgi_params;
>         }
> }
>
> Posted at Nginx Forum:
> http://forum.nginx.org/read.php?2,250545,250545#msg-250545
>
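
An added example, not part of the original thread or the poster's configuration: one way to derive both HTTPS and SERVER_PORT from the ELB's X-Forwarded-Proto header with map, placing the overrides after include fastcgi_params. The variable names $elb_https and $elb_port are hypothetical, and the example assumes the FastCGI backend uses the last value it receives for a repeated parameter and that the application builds its redirect URLs from HTTPS and SERVER_PORT.

```nginx
# Added example; $elb_https and $elb_port are hypothetical names.
# The two map blocks belong in the http {} context.

# Scheme seen by the client: "on" when the ELB terminated TLS,
# otherwise whatever the local listener saw ($https is "on" or empty).
map $http_x_forwarded_proto $elb_https {
    default $https;
    https   on;
}

# Port seen by the client: 443 when the ELB terminated TLS,
# otherwise the local listener port (80 or 443).
map $http_x_forwarded_proto $elb_port {
    default $server_port;
    https   443;
}

server {
    listen 80;
    listen 443 ssl;
    ssl_certificate     /etc/nginx/ssl/mysite.com/self-ssl.crt;
    ssl_certificate_key /etc/nginx/ssl/mysite.com/self-ssl.key;
    server_name *.mysite.com;

    location ~ ^/(app|app_dev|config)\.php(/|$) {
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;

        # Stock fastcgi_params already sets HTTPS and SERVER_PORT from the
        # local connection, so include it first and override afterwards.
        include fastcgi_params;
        fastcgi_param HTTPS       $elb_https if_not_empty;
        fastcgi_param SERVER_PORT $elb_port;
        fastcgi_param SCRIPT_FILENAME /var/www/vhosts/mysite.com/web$fastcgi_script_name;
    }
}
```

X-Forwarded-Proto is supplied by the client when the instance is reached directly rather than through the ELB, so limit which sources can reach port 80 if the application relies on the HTTPS value being accurate.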