Hello!

On Sun, Nov 19, 2023 at 12:41:11PM +0300, Mark wrote:

> Hello Mr. Maxim, thank you very much for your reply.
>
> Things are much clearer now, thanks!
>
> One, last question;
>
> I have implemented nginx as a reverse proxy with TLS termination in my
> FreeBSD host machine, and another nginx instance running in my jail, in;
> 10.10.10.2.
>
> So, the host machine does the reverse proxying and SSL.
>
> Before I open my website to public and production (a Wordpress website),
> could you please kindly have a look at my reverse proxy configuration here;
>
> http://paste.nginx.org/b8
>
> So that you might wish to add some suggestions, or perhaps I still have a
> misconfigured/unneeded directive there?

Here are some comments:

> proxy_cache_bypass $http_upgrade;

You don't need proxy_cache_bypass if you aren't using cache.

> proxy_buffering off;

I don't really recommend switching off buffering unless you have
reasons to. And if the reason is to avoid disk buffering,
consider "proxy_max_temp_file_size 0;" instead, see
http://nginx.org/r/proxy_max_temp_file_size for details.

> proxy_set_header Referer $scheme://$host;

This looks simply wrong.

> proxy_set_header X-Scheme https;
> proxy_set_header X-Forwarded-Proto https;
> proxy_set_header X-Scheme https;
> proxy_set_header X-Forwarded-Ssl on;

This looks a bit too many of custom headers to let backend know
that https is being used.

> proxy_set_header Upgrade $http_upgrade;
> proxy_set_header Connection "upgrade";

This shouldn't be used unless you intentionally configuring
WebSocket proxying.

> proxy_set_header Early-Data $ssl_early_data;

This is certainly not needed unless you are using TLSv1.3 Early
Data (http://nginx.org/r/ssl_early_data), and you aren't.

Hope this helps.

--
Maxim Dounin
http://mdounin.ru/
_______________________________________________
nginx mailing list
nginx@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx