Prevent nginx from redirecting traffic from https to http when used as a reverse proxy
Posted by Chris Pratt on Server Fault. Published on 2012-03-23T21:08:43Z
Here's my abbreviated nginx vhost conf:
    upstream gunicorn {
        server 127.0.0.1:8080 fail_timeout=0;
    }

    server {
        listen 80;
        listen 443 ssl;
        server_name domain.com ~^.+\.domain\.com$;

        location / {
            try_files $uri @proxy;
        }

        location @proxy {
            proxy_pass_header Server;
            proxy_redirect off;
            proxy_set_header Host $http_host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Scheme $scheme;
            proxy_connect_timeout 10;
            proxy_read_timeout 120;
            proxy_pass http://gunicorn;
        }
    }
The same server needs to serve both HTTP and HTTPS; however, when the upstream issues a redirect (for instance, after a form is processed), all HTTPS requests are redirected to HTTP. The only thing I have found that will correct this issue is changing proxy_redirect to the following:

    proxy_redirect http:// https://;

That works wonderfully for requests coming from HTTPS, but if a redirect is issued over HTTP it also redirects that to HTTPS, which is a problem.
Out of desperation, I tried:

    if ($scheme = 'https') {
        proxy_redirect http:// https://;
    }

But nginx complains that proxy_redirect isn't allowed here.
The only other option I can think of is to define the two servers separately and set proxy_redirect only on the SSL one, but then I would have to duplicate the rest of the conf (there's a lot in the server directive that I omitted for simplicity's sake). I know I could also use an include directive to factor out the redundancy, but I really want to keep just one conf file without any dependencies.
So, first, is there something I'm missing that will negate the problem entirely? Or, second, if not, is there any other way (besides including an external file) to factor out the redundant config information so that I can separate out the HTTP and HTTPS versions of the server config?