<div dir="ltr"><div><span style="font-size:12.8px;font-weight:bold;white-space:nowrap">Reinis Rozitis said:</span><span style="font-size:12.8px"><br></span></div><span style="font-size:12.8px"><div><span style="font-size:12.8px"><br></span></div>Also for secure backend connection you should enable proxy_ssl.</span><br style="font-size:12.8px"><br style="font-size:12.8px"><span style="font-size:12.8px">Reading </span><a href="https://www.nginx.com/resources/admin-guide/nginx-tcp-ssl-upstreams/" rel="noreferrer" target="_blank" style="font-size:12.8px">https://www.nginx.com/resources/admin-guide/nginx-tcp-ssl-upstreams/</a><span style="font-size:12.8px"> should probably be a good start.</span><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px">=====================================</span></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px">Is this a feature I can get without having to purchase nginx plus? If my nginx server has an SSL cert loaded that validates the hostnames for the backend servers and my backend servers also have the same cert and communications are going over port 443 why would I need to do anything else?</span></div><div><span style="font-size:12.8px"><br></span><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px"><br></span></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Jul 27, 2016 at 12:16 PM, Brian Pugh <span dir="ltr"><<a href="mailto:project722@gmail.com" target="_blank">project722@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Ok. 
I was able to get it working by changing this:<div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px">proxy_pass   </span><a href="http://ssl_test-resolve.cspire.net/" style="font-size:12.8px" target="_blank">http://ssl_myapplicationsite.net</a><span style="font-size:12.8px">;</span><br></div><div>    </div><div>to this:</div><div><br></div><div><span style="font-size:12.8px">proxy_pass   </span><a href="http://ssl_test-resolve.cspire.net/" style="font-size:12.8px" target="_blank"><b>https</b>://ssl_myapplicationsite.net</a><span style="font-size:12.8px">;</span><br></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px"><br></span></div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Jul 27, 2016 at 12:07 PM, Brian Pugh <span dir="ltr"><<a href="mailto:project722@gmail.com" target="_blank">project722@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Still not working. <div><br></div><div>Logs show:</div><div><br></div><div><div>2016/07/27 11:59:35 [warn] 28038#28038: *3 upstream server temporarily disabled while reading response header from upstream, client: 192.168.254.202, server: <a href="http://myapplicationsite.net" target="_blank">myapplicationsite.net</a>, request: "GET / HTTP/1.1", upstream: <b>"<a href="http://192.168.155.120:443/" target="_blank">http://192.168.155.120:443/</a>"</b>, host: "<a href="http://myapplicationsite.net" target="_blank">myapplicationsite.net</a>"</div></div><div><br></div><div>Why does it show http:// with :443 here? 
</div><div><br></div><div>Here is my updated config:</div><div><br></div><div><div>http {</div><div>    upstream <a href="http://mysiteapplication.net" target="_blank">mysiteapplication.net</a> {</div><span><div>        # Use ip hash for session persistence</div><div>        ip_hash;</div></span><div>        server backendappsite1:80;</div><div>        server backendsiteapp2:80;</div><div>        server backendsiteapp3:80;</div><span><div><br></div><div>        # The below only works on nginx plus</div><div>        #sticky route $route_cookie $route_uri;</div><div>}</div></span><div>   upstream <a href="http://ssl_mysiteapplication.net.net" target="_blank">ssl_mysiteapplication.net.net</a> {</div><span><div>        # Use ip hash for session persistence</div><div>        ip_hash;</div></span><div>        server backendappsite1:443;</div><div>        server backendappsite2:443;</div><div>        server backendappsite3:443;</div><span><div><br></div><div>        # The below only works on nginx plus</div><div>        #sticky route $route_cookie $route_uri;</div><div>}</div></span></div><div><br></div><div>Crasyangel - I am not sure where I am supposed to put this:</div><span><div><br></div><div><span style="font-size:12.8px">u.default_port = 80; in ngx_http_upstream_server</span><br></div><div><span style="font-size:12.8px"><br></span></div></span><div><span style="font-size:12.8px">I tried it inside my http upstream block and got a message about</span></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px">unknown directive "u.default_port"</span><br></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px">Here is my updated default.conf:</span></div><div><span style="font-size:12.8px"><br></span></div><div><span><div><span style="font-size:12.8px">server {</span></div><div><span style="font-size:12.8px">    listen       443 ssl;</span></div><div><span style="font-size:12.8px">    server_name 
 <a href="http://myapplicationsite.net" target="_blank">myapplicationsite.net</a>;</span></div><div><span style="font-size:12.8px">    keepalive_timeout 70;</span></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px">    ssl_certificate     /appssl/fd.crt;</span></div><div><span style="font-size:12.8px">    ssl_certificate_key /appssl/lb.key;</span></div><div><span style="font-size:12.8px">    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;</span></div><div><span style="font-size:12.8px">    ssl_ciphers         HIGH:!aNULL:!MD5;</span></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px">    location / {</span></div></span><div><span style="font-size:12.8px">        proxy_pass   <a href="http://ssl_test-resolve.cspire.net" target="_blank">http://ssl_test-resolve.cspire.net</a>;</span></div><div><span style="font-size:12.8px">        proxy_set_header HOST <a href="http://test-resolve.cspire.net" target="_blank">test-resolve.cspire.net</a>;</span></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px">    }</span></div><div><span style="font-size:12.8px">    }</span></div><div style="font-size:12.8px"><br></div></div></div><div><div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Jul 27, 2016 at 11:18 AM, Reinis Rozitis <span dir="ltr"><<a href="mailto:r@roze.lv" target="_blank">r@roze.lv</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
: "<a href="http://myapplicationsite.net" rel="noreferrer" target="_blank">myapplicationsite.net</a>"<br>
2016/07/27 10:54:05 [warn] 27491#27491: *3 upstream server temporarily disabled while connecting to upstream, client: 192.168.254.202, server:<br>
<a href="http://myapplicationsite.net" rel="noreferrer" target="_blank">myapplicationsite.net</a>, request: "GET / HTTP/1.1", upstream: "<a href="http://192.168.155.120:80/" rel="noreferrer" target="_blank">http://192.168.155.120:80/</a>", host: "<a href="http://myapplicationsite.net" rel="noreferrer" target="_blank">myapplicationsite.net</a>"<br>
</blockquote>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Why is it trying to connect to my servers over port 80? I need to pass it over on 443. How can I accomplish this? Even if I change the proxy pass to https in the logs it still tries<br>
</blockquote>
<br></span>
As you don't specify the port in upstream {} block nginx uses the default which is 80 ( <a href="http://nginx.org/en/docs/http/ngx_http_upstream_module.html#server" rel="noreferrer" target="_blank">http://nginx.org/en/docs/http/ngx_http_upstream_module.html#server</a> )<br>
<br>
Also for secure backend connection you should enable proxy_ssl.<br>
<br>
Reading <a href="https://www.nginx.com/resources/admin-guide/nginx-tcp-ssl-upstreams/" rel="noreferrer" target="_blank">https://www.nginx.com/resources/admin-guide/nginx-tcp-ssl-upstreams/</a> should probably be a good start.<span><font color="#888888"><br>
<br>
<br>
rr</font></span><div><div><br>
<br>
<br>
<br>
<br>
On Wed, Jul 27, 2016 at 10:42 AM, Reinis Rozitis <<a href="mailto:r@roze.lv" target="_blank">r@roze.lv</a>> wrote:<br>
Can anyone give me an example config of what it would look like in both nginx.conf and default.conf using the names/info I have provided?<br>
<br>
It seems you have taken the default configuration example but if you use nginx as a balancer without serving any .php (or other) files you actually don't need those *.php etc locations - a single location / {} will do the job (means all requests go to backends).<br>
<br>
For example:<br>
<br>
<br>
http {<br>
  upstream <a href="http://myappliationsite.net" rel="noreferrer" target="_blank">myappliationsite.net</a> {<br>
      ip_hash;<br>
      server <a href="http://backendappsite1.net" rel="noreferrer" target="_blank">backendappsite1.net</a>;<br>
      server <a href="http://backendappsite2.net" rel="noreferrer" target="_blank">backendappsite2.net</a>;<br>
      server <a href="http://backendappsite3.net" rel="noreferrer" target="_blank">backendappsite3.net</a>;<br>
  }<br>
<br>
server {<br>
  listen       80;<br>
  listen       443 ssl;<br>
<br>
 server_name <a href="http://myappliationsite.net" rel="noreferrer" target="_blank">myappliationsite.net</a>;<br>
<br>
location / {<br>
   proxy_pass   <a href="http://myappliationsite.net" rel="noreferrer" target="_blank">http://myappliationsite.net</a>;<br>
   proxy_set_header HOST <a href="http://myappliationsite.net" rel="noreferrer" target="_blank">myappliationsite.net</a>;<br>
}<br>
}<br>
<br>
<br>
<br>
_______________________________________________<br>
nginx mailing list<br>
<a href="mailto:nginx@nginx.org" target="_blank">nginx@nginx.org</a><br>
<a href="http://mailman.nginx.org/mailman/listinfo/nginx" rel="noreferrer" target="_blank">http://mailman.nginx.org/mailman/listinfo/nginx</a><br>
<br>
</div></div></blockquote></div><br></div>
</div></div></blockquote></div><br></div>
</div></div></blockquote></div><br></div>
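<div>Added example (not written by any poster in this thread and not nginx project code): the configuration the thread converges on, with backend certificate verification switched on using directives from the open-source ngx_http_proxy_module. The CA bundle path /appssl/backend-ca.crt and the use of myapplicationsite.net as the name on the backend certificate are assumptions.</div>

```nginx
# Added example. Assumptions: /appssl/backend-ca.crt (hypothetical path to the
# CA chain that issued the backend certificate) and myapplicationsite.net as
# a name the backend certificate covers.
events {}

http {
    upstream ssl_myapplicationsite.net {
        ip_hash;
        # The port must be explicit; a server entry without one defaults to 80.
        server backendappsite1:443;
        server backendappsite2:443;
        server backendappsite3:443;
    }

    server {
        listen      443 ssl;
        server_name myapplicationsite.net;

        ssl_certificate     /appssl/fd.crt;
        ssl_certificate_key /appssl/lb.key;

        location / {
            # The https:// scheme makes nginx speak TLS to the backends.
            # On its own this gives encryption only.
            proxy_pass       https://ssl_myapplicationsite.net;
            proxy_set_header Host myapplicationsite.net;

            # proxy_ssl_verify is off by default, so without the lines below
            # nginx accepts whatever certificate the backend port presents.
            proxy_ssl_verify              on;
            proxy_ssl_verify_depth        2;
            proxy_ssl_trusted_certificate /appssl/backend-ca.crt;

            # The name checked against the backend certificate defaults to
            # $proxy_host, which here is the upstream group name
            # "ssl_myapplicationsite.net". Set it to a name the cert covers.
            proxy_ssl_name        myapplicationsite.net;
            # Send the same name to the backend via SNI.
            proxy_ssl_server_name on;
        }
    }
}
```

Check the syntax with nginx -t before reloading; if verification fails, the error log on the proxy reports an upstream SSL certificate verify error for the affected backend.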