6

So I would like to proxy_pass requests to an https backend server, however, every time I try to reload nginx server with https:// configured backend I get the following error:

nginx: [emerg] https protocol requires SSL support 

This is the nginx config

server {
    listen 8080;
    root /opt/nginx_1.17.0/nginx_ok/html;
    server_name www.frontedndomain.com;
    index index.php index.html;

    location /health-monitor/ {
        add_header Custom-Header test;
    }

    location ~* ^\/([a-z][a-z]\/)?abc\/?(.*)? {
        error_log /opt/nginx_1.17.0/nginx_ok/logs/proxy_error.log;
        add_header X-query-string $is_args$query_string;
        resolver 0.0.0.0;
        resolver_timeout 15s;
        proxy_pass https://backenddomain.com;
        proxy_ssl on;
        proxy_http_version 1.1;
        proxy_set_header Accept-Encoding "";
        proxy_set_header Cache-Control no-cache;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header X-Real-IP $remote_addr;
        subs_filter_types *;
    }
}

Originally I built nginx from source, and this is the output of nginx -V:

nginx version: nginx/1.16.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-36) (GCC)
configure arguments: --prefix=/opt/nginx_1.17.0/nginx_ok/ --sbin-path=/opt/nginx_1.17.0/nginx_ok/sbin/nginx --with-openssl=/opt/nginx_1.17.0/openssl-1.1.1c/ --add-module=/opt/nginx_1.17.0/ngx_http_substitutions_filter_module/ --with-zlib=/opt/nginx_1.17.0/zlib-1.2.11/

Can someone please outline what I'm missing from this config please. I would like to also forward a query string to the backend.

6
  • 1
    Why not just use a prebuilt version of nginx for your platform? Commented Aug 12, 2019 at 14:38
  • BTW, there is no proxy_ssl directive in ngx_http_proxy_module Commented Aug 12, 2019 at 14:40
  • nginx.org/en/docs/http/ngx_http_ssl_module.html Commented Aug 12, 2019 at 14:42
  • @AlexeyTen He's adding in that old third party nginx module ngx_http_substitutions_filter_module. It's not clear why, as there aren't any substitutions being done here. Commented Aug 13, 2019 at 3:33
  • 1
    This module is included in nginx-full or nginx-extras package in Debian/Ubuntu. Commented Aug 13, 2019 at 12:36

3 Answers

12

The issue was resolved by adding the following directive

proxy_ssl_server_name on;

This allowed for the request to be handled by the server specified in the certificate's SNI at the upstream endpoint.

3
  • 2
    I can confirm this works. Commented Jan 29, 2020 at 21:13
  • 1
    Multiple hours of agony finally come to an end. Thank you! Commented Feb 14, 2021 at 22:04
  • Could you share the full nginx config? Does it go in the location block? Commented Aug 18, 2022 at 15:11
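
An added example (not the answerer's or the asker's own config) showing where the directive sits inside the proxied location, together with upstream certificate verification, which nginx leaves off by default. Hostnames and the location pattern are taken from the question; the CA bundle path is an assumption.

```nginx
# Added example. Requires an nginx binary built with --with-http_ssl_module;
# without it, any "proxy_pass https://..." is rejected at load time with
# "[emerg] https protocol requires SSL support".
server {
    listen 8080;                          # plain HTTP behind a TLS-terminating load balancer
    server_name www.frontedndomain.com;

    location ~* ^\/([a-z][a-z]\/)?abc\/?(.*)? {
        # No URI part after the host: the original path and query string
        # are forwarded to the backend unchanged.
        proxy_pass https://backenddomain.com;

        # Send SNI in the upstream TLS handshake so a backend hosting
        # several names presents the certificate for this one.
        proxy_ssl_server_name on;
        proxy_ssl_name backenddomain.com;

        # nginx does not validate the upstream certificate unless told to.
        # With verification on, the certificate must chain to the trusted CA
        # bundle and match proxy_ssl_name.
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        proxy_ssl_trusted_certificate /etc/pki/tls/certs/ca-bundle.crt;  # assumed path
        proxy_ssl_protocols TLSv1.2 TLSv1.3;

        proxy_http_version 1.1;
        proxy_set_header Host backenddomain.com;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
```

`nginx -t` validates the file before a reload, and `nginx -V` shows whether `--with-http_ssl_module` is among the configure arguments.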
1

You are listening on port 8080 with no SSL (http) and trying to proxy to an SSL enabled host on port 443 (https). If this worked it would essentially make encryption pointless as it would be encrypted only on your end and not while the packets are in transit to your client. The solution is to make sure you have certificates installed and ssl enabled for the port in question and that any proxy_pass does not forward from non-ssl enabled ports to ssl enabled ones.

1
  • I understand your point and it's very valid, only in this case this reverse proxy is sitting behind a load balancer with SSL being terminated there. I will try changing the proxy to listen on port 443 and bind SSLs to check if it works, but still would rather have the reverse proxy listening on http port and proxying requests to an HTTPS backend. Commented Aug 13, 2019 at 7:39
1

I had the same problem because my DNS host provider has https and I don't need to encrypt my connection 2 times, as it would be slower.

It worked for me as follows:

upstream backend {
    server node_socket1:3000 weight=10 max_fails=3 fail_timeout=30s;
    server node_socket2:3000 weight=10 max_fails=3 fail_timeout=30s;
}

server {
    listen 80;
    server_name 0.0.0.0;
    root /var/www/public;

    location / {
        try_files $uri $uri/ https://backend;
    }

    location /socket.io/ {
        proxy_http_version 1.1;
        proxy_redirect off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass https://backend/socket.io/;
    }
}
