nginx proxy based on host when using https

ssl https nginx proxy wildcard-subdomain
Angel Abad Cerdeira picture Angel Abad Cerdeira · Aug 19, 2013 · Viewed 24.7k times · Source

I need to use Nginx as an SSL proxy, which forwards traffic to different back ends depending on the subdomain.

I have seem everywhere that I should define multiple "server {" sections but that doesn't work correctly for SSL. Doing that I would always have the SSL being processed in the first virtual host as the server name is unknown until you process the https traffic.

Scenario:

  • One IP address
  • One SSL wildcard wildcard

  • Multiple backends which needs to be accessed like the following:

    https://one.mysite.com/ -> http://localhost:8080
https://two.mysite.com/ -> http://localhost:8090

Nginx says "if" is evil: http://wiki.nginx.org/IfIsEvil, but what else can I do?

I have tried this, but it doesn't work, I get an 500 error but nothing in the error logs.

    server {
    listen 443;
    server_name *.mysite.com;

    ssl on;
    ssl_certificate ssl/mysite.com.crt;
    ssl_certificate_key ssl/mysite.com.key;

    location / {
        if ($server_name ~ "one.mysite.com") {
            proxy_pass http://localhost:8080;
        }
        if ($server_name ~ "two.mysite.com") {
            proxy_pass http://localhost:8090;
        }
    }

Has anyone managed to accomplish this with Nginx? Any help/alternatives, link, would be much appreciated.

Answer

Angel Abad Cerdeira picture Angel Abad Cerdeira · Aug 20, 2013

I found the solution which is basically to define the SSL options and the SSL certificate outside the "server" block:

ssl_certificate ssl/mysite.com.crt;
ssl_certificate_key ssl/mysite.com.key;
ssl_session_timeout  5m;
ssl_protocols        SSLv3 TLSv1;
ssl_ciphers          ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+EXP;
ssl_prefer_server_ciphers   on;

server {
    listen 80;
    server_name *.mysite.com;
    rewrite ^ https://$host$request_uri? permanent;
}
server {
    listen 443 ssl;
    server_name one.mysite.com;

    ssl on;

    location / {
        proxy_pass http://localhost:8080;
    }
}
server {
    listen 443 ssl;
    server_name two.mysite.com;

    ssl on;

    location / {
        proxy_pass http://localhost:8090;
    }
}

Key things:

  • "ssl on;" is the only thing that needs to be within the "server" blocks that listen in https, you can put it outside too, but what will make the "server" blocks that listen in port 80 to use https protocol and not the expected http.
  • Because the "ssl_certificate", "ssl_ciphers: and other "ssl_*" are outside the "server" block, Nginx does the SSL offloading without a server_name. Which is what it should do, as the SSL decryption cannot happen based on any host name, as at this stage the URL is encrypted.
  • JAVA and curl don't fail to work now. There is no server_name - host miss match.

Related questions

Nginx does redirect, not proxy

I want to set up Nginx as a reverse proxy for a https service, because we have a special usecase where we need to "un-https" a connection: http://nginx_server:8080/myserver ==> https://mysecureservice But what happens is that the …

Read More
What does "SSL_CTX_use_PrivateKey_file" "problems getting password error" indicate in Nginx error log?

I'm trying to set up SSL on Nginx. It doesn't work, and I am getting the following error in the error log, which is getting passed up from the OpenSSL library which nginx was compiled with. I don't know what …

Read More
Configure NGINX + CloudFlare + SSL

SO... I have a node application running on a server on port 8080 and I am trying to enabled it to work over SSL using NGINX and CloudFlare. Note the following... My host is running Ubuntu 16.04 LTS I am currently using …

Read More