listen proxy_protocol and rewrite redirect scheme

Francis Daly francis at daoine.org
Sun Sep 25 08:35:53 UTC 2016


On Thu, Sep 22, 2016 at 07:57:17AM -0400, adrhc wrote:

Hi there,

> I'm just a bit surprised that "port_in_redirect off" does not also
> work. But that's ok -- I'm often surprised.
> There's a "if" in src/http/ngx_http_header_filter_module.c which changes
> port's value from 443 to 0 when on ssl + port initially 443 so
> https://adrhc.go.ro/ffp_0.7_armv5 would redirect to http when
> port_in_redirect is off.

Ah, right, that makes sense.

As it happens, that is only necessary because your extra patch cares
about when port=443. Potentially, a fuller solution to the "use https
redirects even though this is http" question would not care about "port",
and so "port_in_redirect" would not matter then.

But as I said: what you have works for you, and is therefore good as-is.

> "... but I don't know what is the set of conditions under which you would
> want this ssl-rewrite to happen, and how you would go about configuring
> that."
> I'm not sure I understand what you mean (my bad english); the entire setup
> is one allowing me to access my home server through the corporate firewall
> wile not breaking what I already have (my web sites):

My intention was: *if* there were to be some directive or variable in
nginx that could be set to get nginx to use https redirects even though
nginx believes that the connection is over http; *then* how and where
would that directive or variable be set?

Until the "then" has a clear answer, the "if" will not happen.

But also: it does not matter right now. You have an adequate solution for
you; if someone else has the same problem and wants a fuller solution,
they can worry about it then.

> "It looks like nobody else has had that particular use case ..."
> This seems odd for me; I'm sure I'm not the only guy starving for open ports
> to internet (only 80 and 443 allowed) :D

Possibly other people came up with different solutions, or did not use
nginx in the same way that you are using it.

Anyway - it is good that you found a solution, and thanks for having
shared it.

Cheers,

	f
-- 
Francis Daly        francis at daoine.org



More information about the nginx mailing list