Re: Upgrading plain HTTP to HTTPS using STARTTLS

Maxim Dounin
August 17, 2015 07:02AM
Hello!

On Sun, Aug 16, 2015 at 10:29:56AM -0400, lbc wrote:

> Hello,
>
> I consider switching from Apache to Nginx (or using it as a reverse proxy to
> the Apache), but need to upgrade plain HTTP connections to HTTPS using the
> scheme defined in RFC 2817. Reason for this is a client software running on
> WiFi Captive Portals, which inserts an "Upgrade: TLS/1.x" request together
> with custom headers just in front of the encrypted request from a guest's
> browser to our login server. In order for this scheme to work, the
> connection used for this kind of "ID request" to determine the hotspot in
> use and the remaining communication must not change over the upgrade,
> therefore redirection to the standard HTTPS port of the login server will
> not work.
>
> So, I wonder how I can configure Nginx to get the same effect of Apache's
> "SSLEngine: optional" setting? I did read the docs about the "starttls"
> setting in Nginx, but couldn't find an example on how exactly to use this in
> a server block to achieve an upgrade to TLS.

The "starttls" directive is only available in the mail proxy module,
not for http. There is no support for RFC 2817 in nginx, as it's
not something used by known browsers.

Connections with Upgrade requests can be proxied to other servers
though, so you can use nginx as a reverse proxy for such
connections. Such an approach is mostly used to proxy WebSocket
connections, see http://nginx.org/en/docs/http/websocket.html for
configuration details.

> Is it possible at all to configure Nginx this way? And if so, can I forward
> custom headers such as "X-HotspotID" if Nginx would be used as a proxy?

You can add arbitrary headers to requests nginx forwards to
upstream servers, see http://nginx.org/r/proxy_set_header. You
can also add response headers, see http://nginx.org/r/add_header.

--
Maxim Dounin
http://nginx.org/
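
The reverse-proxy setup described in the reply above, as an added example that is not part of the original post or of the nginx documentation. The backend address `127.0.0.1:8080`, the listen port, and the assumption that the backend (for instance Apache) performs the RFC 2817 upgrade itself are all illustrative.

```nginx
# Added example; upstream address, ports and header choices are assumptions.
# These directives belong in the http {} context of nginx.conf.

# Send "Connection: upgrade" upstream only when the client asked for an upgrade.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 80;

    location / {
        # Assumed backend that answers "Upgrade: TLS/1.x" with 101 itself.
        proxy_pass http://127.0.0.1:8080;

        # Upgrade and Connection are hop-by-hop headers, so they are not
        # forwarded unless set explicitly, and HTTP/1.1 is required upstream.
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        # Forward the custom header from the question, plus client identity.
        proxy_set_header X-HotspotID $http_x_hotspotid;
        proxy_set_header Host        $host;
        proxy_set_header X-Real-IP   $remote_addr;
    }
}
```

Once the backend answers with 101 (Switching Protocols), nginx tunnels bytes in both directions, so the TLS session terminates at the backend and nginx can read or set headers only on the initial cleartext request. The backend should accept connections on this port from the proxy alone, since it now trusts `X-HotspotID` and `X-Real-IP` as forwarded.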
