Dear nginx-users,
I´ve read on several articles, it´s not recommend to redirect https to http concerning "man in the middle attacks" etc.
So I didn´t dig to find a solution to do this anyway.
But there´s a way to avoid certificate warnings?
I´d like to configure nginx with an active wildcard-certificate, but using an old or selfsigned certificate on all endpoints (upstream servers). This would avoid renewing a certificate on endpoints, but to have anyway a crypted communication between nginx and upstream servers. Or I didn´t consider other arguments?
Any comments on this are welcome!
Thanks and best regards
Tom
Below you will find my config:
#user nobody;
#worker_processes 5;
worker_processes auto;
pid /usr/local/nginx/sbin/demo.pid;
events {
#worker_connections 1024;
worker_connections 16384;
}
http {
include mime.types;
default_type application/octet-stream;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Queue-Start "t=${msec}000";
#logging
log_format main '[$time_local] Client: $remote_addr - Server: $server_name to Webserver: $upstream_addr - Request: $request - UpstreamResponse: $upstream_response_time msec';
access_log /var/log/nginx/access.log main;
error_log /var/log/nginx/error.log info;
client_max_body_size 20M;
sendfile on;
#tcp_nopush on;
#keepalive_timeout 0;
keepalive_timeout 75;
#gzip on;
upstream webserver {
sticky name=login-demo;
#sticky name=login-demo expires=30m;
server test1.local:80;
server test2.local:80;
}
upstream swebserver {
name=slogin-demo;
#sticky name=slogin-demo expires=30m;
server test1.local:443;
server test1.local:443;
}
geo $maintenance {
default 0; #0 = using upstream webserver; 1 = using maintenance mode
}
server {
#listen localhost:80;
listen 10.x.x.x:80;
#server_name localhost;
server_name test.de *.test.de;
root /usr/local/nginx/html/;
location / {
if ($maintenance) {
return 503;
}
proxy_pass http://webserver;
}
error_page 503 @maintenance;
if (-f $document_root/wartung) {
return 503;
}
location @maintenance {
#rewrite ^(.*)$ /50x.html break;
rewrite (favicon\.ico|logo\.png|styles\.css)$ /$1 break;
rewrite ^(.*)$ /index.html break;
}
}
server {
#listen localhost:443 ssl;
listen 10.x.x.x:443 ssl;
#server_name localhost;
server_name test.de *.test.de;
root /usr/local/nginx/html/;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_protocols SSLv3 TLSv1;
ssl_certificate /usr/local/nginx/keys/test.crt;
ssl_certificate_key /usr/local/nginx/keys/test.key;
location / {
if ($maintenance) {
return 503;
}
proxy_pass https://swebserver;
}
error_page 503 @maintenance;
if (-f $document_root/wartung) {
return 503;
}
location @maintenance {
#rewrite ^(.*)$ /50x.html break;
rewrite (favicon\.ico|logo\.png|styles\.css)$ /$1 break;
rewrite ^(.*)$ /index.html break;
}
}
}