location blocks, and if conditions in server context

Lucas Rolff lucas at lucasrolff.com
Thu Mar 8 08:57:29 UTC 2018


Hi Francis,

I indeed thought about having a separate server {} block in case there’s the http to https redirect for a specific domain.
Since it depends on the domain, I can’t make a general one to match everything.

>    Or: you use $sslproxy_protocol. Where does that come from?

$sslproxy_protocol is a simple map doing:

map $https $sslproxy _protocol {
    default "http";
    SSL     "https";
    on      "https";
}

Best Regards,
Lucas Rolff

On 08/03/2018, 09.44, "nginx on behalf of Francis Daly" <nginx-bounces at nginx.org on behalf of francis at daoine.org> wrote:

    On Wed, Mar 07, 2018 at 04:55:15PM +0000, Lucas Rolff wrote:
    
    Hi there,
    
    > This means I have something like:
    > 
    > 1: location ~* /.well-known
    > 2: if condition doing redirect if protocol is http
    > 3: location /
    > 4: location /api
    > 5: location /test
    > 
    > All my templates include 1 to 3, and *might* have additional locations.
    
    > My issue is – because of this if condition that does the redirect to https – it also applies to my location ~* /.well-known – thus causing a redirect, and I want to prevent this, since it breaks the Let’s Encrypt validation (they do not accept 301 redirects).
    
    > Is there a smart way without adding too much complexity, which is still super-fast (I know if is evil) ?
    
    As phrased, I think the short answer to your question is "no".
    
    However...
    
    You optionally redirect things from http to https. Is that "you want
    to redirect *everything* from http to https, apart from the letsencrypt
    thing"? If so, you could potentially have just one
    
      server {
        listen 80;
        location / { return 301 https://$host$uri; }
        location /.well-known/ { proxy_pass http://letsencrypt.validation.backend.com; }
      }
    
    and a bunch of
    
      server {
        listen 443;
      }
    
    blocks.
    
    Or: you use $sslproxy_protocol. Where does that come from?
    
    If it is a thing that you create to decide whether or not to redirect
    to https, then could you include a check for whether the request starts
    with /.well-known/, and if so set it to something other than "http"?
    
    	f
    -- 
    Francis Daly        francis at daoine.org
    _______________________________________________
    nginx mailing list
    nginx at nginx.org
    http://mailman.nginx.org/mailman/listinfo/nginx



More information about the nginx mailing list