Nginx as reverse proxy - proxy_ssl_x questions
Maxim Dounin
mdounin at mdounin.ru
Mon Nov 20 01:51:19 UTC 2023
Hello!
On Sun, Nov 19, 2023 at 12:41:11PM +0300, Mark wrote:
> Hello Mr. Maxim, thank you very much for your reply.
>
> Things are much clearer now, thanks!
>
> One, last question;
>
> I have implemented nginx as a reverse proxy with TLS termination in my
> FreeBSD host machine, and another nginx instance running in my jail, in;
> 10.10.10.2.
>
> So, the host machine does the reverse proxying and SSL.
>
> Before I open my website to public and production (a Wordpress website),
> could you please kindly have a look at my reverse proxy configuration here;
>
> http://paste.nginx.org/b8
>
> So that you might wish to add some suggestions, or perhaps I still have a
> misconfigured/unneeded directive there?
Here are some comments:
> proxy_cache_bypass $http_upgrade;
You don't need proxy_cache_bypass if you aren't using cache.
> proxy_buffering off;
I don't really recommend switching off buffering unless you have
reasons to. And if the reason is to avoid disk buffering,
consider "proxy_max_temp_file_size 0;" instead, see
http://nginx.org/r/proxy_max_temp_file_size for details.
> proxy_set_header Referer $scheme://$host;
This looks simply wrong.
> proxy_set_header X-Scheme https;
> proxy_set_header X-Forwarded-Proto https;
> proxy_set_header X-Scheme https;
> proxy_set_header X-Forwarded-Ssl on;
This looks like a bit too many custom headers to let the backend know
that https is being used.
> proxy_set_header Upgrade $http_upgrade;
> proxy_set_header Connection "upgrade";
This shouldn't be used unless you are intentionally configuring
WebSocket proxying.
> proxy_set_header Early-Data $ssl_early_data;
This is certainly not needed unless you are using TLSv1.3 Early
Data (http://nginx.org/r/ssl_early_data), and you aren't.
Hope this helps.
--
Maxim Dounin
http://mdounin.ru/
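
The review comments above, turned into a small configuration check, as an added example that is not part of the original message or of nginx. The `review` function, its finding codes and the wrapping `location` block are assumptions made for illustration; the sample input is built only from the directives quoted in the thread.

```python
import re

# Constructed input: the directives quoted in the thread, wrapped in a
# hypothetical location block (the original paste is not reproduced here).
QUOTED = '''
location / {
    proxy_cache_bypass $http_upgrade;
    proxy_buffering off;
    proxy_set_header Referer $scheme://$host;
    proxy_set_header X-Scheme https;
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header X-Scheme https;
    proxy_set_header X-Forwarded-Ssl on;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Early-Data $ssl_early_data;
}
'''
HTTPS_HINTS = {"x-scheme", "x-forwarded-proto", "x-forwarded-ssl"}

def directives(conf):
    """Return (name, args) for each one-line 'name args;' directive."""
    hits = (re.match(r'\s*([a-z_]+)\s+([^#;]*);', ln) for ln in conf.splitlines())
    return [(m.group(1), m.group(2).split()) for m in hits if m]

def review(conf):
    """Return sorted finding codes, one per comment made in the reply."""
    d = directives(conf)
    names = {n for n, _ in d}
    hdrs = [a[0].lower() for n, a in d if n == "proxy_set_header" and a]
    checks = {
        # proxy_cache_bypass has no effect when no cache is configured
        "cache-bypass-without-cache":
            "proxy_cache_bypass" in names and "proxy_cache" not in names,
        # reply suggests proxy_max_temp_file_size 0 rather than disabling buffering
        "buffering-off": ("proxy_buffering", ["off"]) in d,
        # the client's Referer is replaced before it reaches the backend
        "referer-overwritten": "referer" in hdrs,
        # more than one header telling the backend that https is in use
        "redundant-https-headers": sum(h in HTTPS_HINTS for h in hdrs) > 1,
        # only wanted when WebSocket proxying is intentional
        "websocket-headers": "upgrade" in hdrs,
        # Early-Data forwarded although ssl_early_data is not switched on
        "early-data-unused": "early-data" in hdrs
            and ("ssl_early_data", ["on"]) not in d,
    }
    return sorted(code for code, hit in checks.items() if hit)

if __name__ == "__main__":
    print("\n".join(review(QUOTED)))
```

The parser only understands one-directive-per-line configuration, so it suits a quick pre-deployment review of a single `server` or `location` block rather than a full include tree.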