I am developing a web UI frontend in JS, for a backend API that is now using HTTPS. The following nginx config on my development machine was all I needed:
    http {
        include /etc/nginx/mime.types;
        disable_symlinks off;
        server {
            disable_symlinks off;
            listen 8080;
            server_name localhost;
            location /api/ {
                proxy_pass http://www.my-api.com;
            }
            location /some-path/ {
                disable_symlinks off;
                root /var/www;
                index index.html;
            }
        }
    }
But now www.my-api.com is an https endpoint.
What adjustments do I need to make to my nginx config, in order to forward my localhost requests to the HTTPS backend?
The config below listens on localhost port 8080 and redirects to https://www.my-api.com. Since the API is accessible on port 443, it should include the SSL certification check.
    http {
        include /etc/nginx/mime.types;
        disable_symlinks off;
        server {
            disable_symlinks off;
            listen 8080;
            server_name localhost;
            location /api/ {
                proxy_pass https://www.my-api.com;
                proxy_http_version 1.1;
                proxy_cache_bypass $http_upgrade;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header X-Forwarded-Host $host;
                proxy_set_header X-Forwarded-Port $server_port;
            }
            location /some-path/ {
                disable_symlinks off;
                root /var/www;
                index index.html;
            }
        }
    }
Below is the server section that works for me. @Jay Achar got me close, and to be honest there are a few things I should try in order to simplify the config. I added the following lines:

    ssl_client_certificate /etc/ssl/certs/ca-certificates.crt;
    proxy_set_header X-SSL-CERT $ssl_client_escaped_cert;
    proxy_ssl_server_name on;

I also found that I had the proxied host name incorrect. In my case the www. on the front was not right. I suspect that the host's certificate doesn't match with www in there. Perhaps just using @Jay Achar's answer with the correct remote host name would be all one would need.
The /etc/ssl/certs/ca-certificates.crt comes from my openssl. I figured it would be suitable as client certificate to send to the proxied host.
The only other change I made to @Jay Achar's config was in the lines

    proxy_set_header Host $proxy_host;
    proxy_set_header X-Real-IP $upstream_addr;

Again, perhaps those changes were not necessary.
    server {
        disable_symlinks off;
        listen 8080;
        server_name pb.localhost;
        ssl_client_certificate /etc/ssl/certs/ca-certificates.crt;
        location /api {
            proxy_pass https://my-api.com:443;
            proxy_ssl_server_name on;
            proxy_http_version 1.1;
            proxy_cache_bypass $http_upgrade;
            proxy_set_header X-SSL-CERT $ssl_client_escaped_cert;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Host $proxy_host;
            proxy_set_header X-Real-IP $upstream_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Port $server_port;
        }
        location /some-path/ {
            disable_symlinks off;
            root /var/www;
            index index.html;
        }
    }
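
An added example, not part of either answer above: a variant of the same proxy that also makes nginx validate the upstream's TLS certificate, which it does not do unless `proxy_ssl_verify` is enabled. The host name `my-api.com` and the CA bundle path are taken from the page; the choice of which headers to forward and the verify depth of 2 are assumptions.

```nginx
# Added example; adjust the host name and CA bundle path to your environment.
server {
    listen 8080;
    server_name localhost;

    location /api/ {
        proxy_pass https://my-api.com;

        # Send SNI so the upstream can select the matching certificate.
        proxy_ssl_server_name on;
        # Name used for SNI and for the certificate check
        # (defaults to the host part of proxy_pass, i.e. $proxy_host).
        proxy_ssl_name my-api.com;

        # proxy_ssl_verify defaults to off: without it nginx encrypts the
        # upstream connection but accepts any certificate it is shown.
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;   # assumption: leaf + one intermediate

        # CA bundle used to validate the *upstream* certificate.
        # ssl_client_certificate is a different setting: it lists the CAs
        # nginx uses to verify certificates presented by its own clients.
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;

        # The upstream should see its own host name, not "localhost".
        proxy_set_header Host $proxy_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location /some-path/ {
        root /var/www;
        index index.html;
    }
}
```

With verification on, a host name that is not covered by the upstream's certificate makes nginx return 502 and record the certificate failure in its error log.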