
How do I configure localhost nginx to proxy https remote backend

I am developing a web UI frontend in JS, for a backend API that is now using HTTPS. The following nginx config on my development machine was all I needed:

http {
  include /etc/nginx/mime.types;
  disable_symlinks off;

  server {
    disable_symlinks off;
    listen 8080;
    server_name localhost;

    location /api/ {
        proxy_pass                http://www.my-api.com;
    }

    location /some-path/ {
      disable_symlinks off;
      root /var/www;
      index index.html;
    }
  }

}

But now www.my-api.com is an https endpoint.

What adjustments do I need to make to my nginx config, in order to forward my localhost requests to the HTTPS backend?

The config below listens on localhost port 8080 and redirects to https://www.my-api.com. Since the API is accessible on port 443, it should include the SSL certification check.

http {
  include /etc/nginx/mime.types;
  disable_symlinks off;

  server {
    disable_symlinks off;
    listen 8080;
    server_name localhost;

    location /api/ {
        proxy_pass                https://www.my-api.com;
        proxy_http_version  1.1;
        proxy_cache_bypass  $http_upgrade;

        proxy_set_header Upgrade           $http_upgrade;
        proxy_set_header Connection        "upgrade";
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host  $host;
        proxy_set_header X-Forwarded-Port  $server_port;
    }

    location /some-path/ {
      disable_symlinks off;
      root /var/www;
      index index.html;
    }
  }

}

Below is the server section that works for me. @Jay Achar got me close, and to be honest there are a few things I should try in order to simplify the config. I added the following lines:-

    ssl_client_certificate /etc/ssl/certs/ca-certificates.crt;
    proxy_set_header X-SSL-CERT $ssl_client_escaped_cert;
    proxy_ssl_server_name on;

I also found that I had the proxied host name incorrect. In my case the www. on the front was not right. I suspect that the host's certificate doesn't match with www in there. Perhaps just using @Jay Achar's answer with the correct remote host name would be all one would need.

The /etc/ssl/certs/ca-certificates.crt comes from my openssl. I figured it would be suitable as client certificate to send to the proxied host.

The only other change I made to @Jay Achar's config was in the lines

  proxy_set_header Host              $proxy_host;
  proxy_set_header X-Real-IP         $upstream_addr;

Again, perhaps those changes were not necessary.

    server {
        disable_symlinks off;
        listen 8080;
        server_name pb.localhost;

        ssl_client_certificate /etc/ssl/certs/ca-certificates.crt;

        location /api {
            proxy_pass  https://my-api.com:443;

            proxy_ssl_server_name on;
            proxy_http_version  1.1;
            proxy_cache_bypass  $http_upgrade;

            proxy_set_header X-SSL-CERT        $ssl_client_escaped_cert;
            proxy_set_header Upgrade           $http_upgrade;
            proxy_set_header Connection        "upgrade";
            proxy_set_header Host              $proxy_host;
            proxy_set_header X-Real-IP         $upstream_addr;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Host  $host;
            proxy_set_header X-Forwarded-Port  $server_port;
        }

        location /some-path/ {
            disable_symlinks off;
            root /var/www;
            index index.html;
        }
    }
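
An added example, not part of either answer: a development proxy for the question's setup that also verifies the backend's certificate, which nginx skips by default (`proxy_ssl_verify off`). The CA bundle is given to `proxy_ssl_trusted_certificate`, the directive that governs the upstream connection, whereas `ssl_client_certificate` applies to clients connecting to an `ssl` listener. `my-api.com` and the bundle path are taken from the thread; the `events {}` block and the verify depth of 2 are assumptions.

```nginx
# Added example: localhost dev proxy forwarding /api/ to an HTTPS backend.
# my-api.com is the placeholder host name used in the thread.
events {}

http {
  include /etc/nginx/mime.types;

  server {
    listen 8080;
    server_name localhost;

    location /api/ {
      proxy_pass https://my-api.com;

      # Send SNI so a name-based TLS backend presents the right certificate,
      # and pin the name the certificate must match.
      proxy_ssl_server_name on;
      proxy_ssl_name        my-api.com;

      # Verify the backend certificate against the system CA bundle.
      # Without these lines nginx accepts any certificate from the upstream.
      proxy_ssl_verify              on;
      proxy_ssl_verify_depth        2;   # assumed: leaf + one intermediate
      proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;

      proxy_http_version 1.1;

      # The backend routes on its own host name, not "localhost".
      proxy_set_header Host              $proxy_host;
      proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
    }

    location /some-path/ {
      root /var/www;
      index index.html;
    }
  }
}
```

With verification on, a host name that does not match the backend's certificate shows up as an upstream SSL verify error in the nginx error log and a 502 to the client, rather than being silently accepted.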
