Proxy pass and SSL certificates

Thu May 10 08:11:41 UTC 2018

Hello Meph,

Not, exactly this has SSL.
Here's a suggestion configuration:

nginx.conf:
------------------------------------------------------------------------------------------------------
user nginx;
worker_processes auto;
error_log /var/log/nginx/cloudssl.diakont.it.error.log;
events {
    worker_connections 1024;
}

http  {
		log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

		access_log   /var/log/nginx/cloudssl.diakont.it.access.log main;

		sendfile            on;
		tcp_nopush          on;
		tcp_nodelay         on;
		keepalive_timeout   65;
		types_hash_max_size 2048;

		upstream cloud {
				server 10.39.0.52;
				}

		upstream cloud_ssl {
					server 10.39.0.52:443;
					}

		server {
				listen 80 default_server;
				listen [::]:80 default_server;
				server_name cloud.diakont.it cloud.diakont.srl;
				return 301 https://$server_name$request_uri;
				}

		server {
				listen 443 ssl default_server;
				listen [::]:443 ssl default_server;
				server_name cloud.diakont.it;

				#HTTPS-and-SSL

				proxy_ssl_verify        on;
				proxy_ssl_verify_depth  2;
				proxy_ssl_session_reuse on;
				proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
				proxy_ssl_trusted_certificate <PATH-OF-CA-CERTIFICATE>;

				include snippets/cloud.diakont.it.conf;
				include snippets/ssl-params.conf;

				location / {
							proxy_set_header X-Real-IP $remote_addr;
							proxy_set_header X-Forwarded-Proto $scheme;
							proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
							proxy_set_header Upgrade $http_upgrade;
							proxy_set_header Connection 'upgrade';
							proxy_set_header Host $host;
							proxy_pass https://cloud_ssl/;
							}
				}
}
------------------------------------------------------------------------------------------------------

cloud.diakont.it.conf:
------------------------------------------------------------------------------------------------------
ssl_certificate #PATH OF PUBLIC CERTIFICATE FROM SDP GATEWAY#;
ssl_certificate_key #PATH OF PRIVATE KEY FROM SDP GATEWAY#;
ssl_trusted_certificate #PATH OF PUBLIC CA CERTIFICATE#;
------------------------------------------------------------------------------------------------------

ssl-params.conf:
------------------------------------------------------------------------------------------------------
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers
'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';	
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;

#this resolver and resolver_timeout maybe be comment 
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 10s;
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
------------------------------------------------------------------------------------------------------

Test this configuration and tell me :)
Best regards,
Goce Joncheski

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,279665,279741#msg-279741