
Right way to proxy a ssl server? #217

Closed
pablokbs opened this issue Dec 30, 2013 · 2 comments

Comments

@pablokbs (Contributor)

Hi, I cannot make this work. I have one nginx server with two upstreams (HTTP and HTTPS)... the HTTP proxy works fine, but I cannot make the HTTPS proxy work; it's as if it is not picking up the upstream servers the way the HTTP one does.

It seems like #5 should add support for my request.

Let me know if I can help.

@pablokbs (Contributor, Author)

```puppet
# class for an nginx proxy for example domain
class nginx::proxy::example {

  include nginx

  $my_config = {
    'ip_hash'   => '',
    'keepalive' => '20',
  }

  nginx::resource::upstream { 'example.com':
    ensure               => present,
    members              => [
      '10.0.5.112',
      '10.0.4.112',
    ],
    upstream_cfg_prepend => $my_config,
  }

  nginx::resource::vhost { 'example.com':
    server_name => ['example.com', '*.example.com'],
    ensure      => present,
    proxy       => 'http://example.com',
  }

  nginx::resource::vhost { 'example.com':
    server_name => ['example.com', '*.example.com'],
    ensure      => present,
    ssl         => true,
    ssl_cert    => '/tmp/example.com.combined.crt',
    ssl_key     => '/tmp/example.com.key',
    proxy       => 'example.com',
    require     => File['/tmp/example.com.combined.crt', '/tmp/example.com.key'],
  }

  file { 'example.com.key':
    ensure => present,
    path   => '/tmp/example.com.key',
    source => 'puppet:///modules/apache/ssl/example.com.key',
  }

  file { 'example.com.combined.crt':
    ensure => present,
    path   => '/tmp/example.com.combined.crt',
    source => 'puppet:///modules/apache/ssl/example.com.combined.crt',
  }

}
```

@pablokbs (Contributor, Author)

OK, I've found the way to make it work: you have to declare two upstream resources, one for HTTPS and one for HTTP:

```puppet
class nginx::proxy::example {

  include nginx

  $my_config = {
    'ip_hash'   => '',
    'keepalive' => '20',
  }

  nginx::resource::upstream { 'example.com':
    ensure               => present,
    members              => [
      '10.0.5.112',
      '10.0.4.112',
    ],
    upstream_cfg_prepend => $my_config,
  }

  nginx::resource::upstream { 'ssl-example.com':
    ensure               => present,
    members              => [
      '10.0.5.112:443',
      '10.0.4.112:443',
    ],
    upstream_cfg_prepend => $my_config,
  }

  nginx::resource::vhost { 'example.com':
    server_name => ['example.com', '*.example.com'],
    ensure      => present,
    proxy       => 'http://example.com',
  }

  nginx::resource::vhost { 'ssl-example.com':
    server_name => ['example.com', '*.example.com'],
    ensure      => present,
    ssl         => true,
    ssl_cert    => '/tmp/example.com.combined.crt',
    ssl_key     => '/tmp/example.com.key',
    proxy       => 'https://ssl-example.com',
    require     => File['/tmp/example.com.combined.crt', '/tmp/example.com.key'],
  }

  file { 'example.com.key':
    ensure => present,
    path   => '/tmp/example.com.key',
    source => 'puppet:///modules/apache/ssl/example.com.key',
  }

  file { 'example.com.combined.crt':
    ensure => present,
    path   => '/tmp/example.com.combined.crt',
    source => 'puppet:///modules/apache/ssl/example.com.combined.crt',
  }

}
```

But this recipe creates the following vhosts:

```nginx
server {
  listen                *:80;

  server_name           example.com *.example.com;

  access_log            /var/log/nginx/example.com.access.log;
  error_log             /var/log/nginx/example.com.error.log;

  location / {
    proxy_pass          http://example.com;
    proxy_read_timeout  90;
  }
}

server {
  listen                *:80;

  server_name           example.com *.example.com;

  access_log            /var/log/nginx/ssl-example.com.access.log;
  error_log             /var/log/nginx/ssl-example.com.error.log;

  location / {
    proxy_pass          https://ssl-example.com;
    proxy_read_timeout  90;
  }
}

server {
  listen       *:443 ssl;

  server_name  example.com *.example.com;

  ssl on;

  ssl_certificate           /etc/nginx/ssl-example.com.crt;
  ssl_certificate_key       /etc/nginx/ssl-example.com.key;
  ssl_session_cache         shared:SSL:10m;
  ssl_session_timeout       5m;
  ssl_protocols             SSLv3 TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers               HIGH:!aNULL:!MD5;
  ssl_prefer_server_ciphers on;

  access_log            /var/log/nginx/ssl-ssl-example.com.access.log;
  error_log             /var/log/nginx/ssl-ssl-example.com.error.log;

  location / {
    proxy_pass          https://ssl-example.com;
    proxy_read_timeout  90;
  }
}
```

Notice that I have two server declarations for HTTP, because the second resource::vhost I've declared (the one with HTTPS) re-declares the first one. This configuration actually works, but I think it's not right.
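The generated config above has two things a reviewer would want flagged automatically before it ships: two `server {}` blocks that claim the same `listen` and `server_name` (nginx routes every request for that pair to the first block, so the second is dead config), and an `ssl_protocols` line that still enables SSLv3, which RFC 7568 deprecated. The script below is an added example, not part of this issue or of the puppet-nginx module; it is a minimal parser for plain nginx directives (not a full nginx grammar) run over a trimmed, constructed copy of the three server blocks shown above.

```python
import re
from collections import defaultdict

# Constructed sample: the three server blocks the issue says the manifest
# generated, trimmed to the directives the checks below look at.
SAMPLE_CONFIG = """
server {
  listen                *:80;
  server_name           example.com *.example.com;
  location / {
    proxy_pass          http://example.com;
  }
}
server {
  listen                *:80;
  server_name           example.com *.example.com;
  location / {
    proxy_pass          https://ssl-example.com;
  }
}
server {
  listen       *:443 ssl;
  server_name  example.com *.example.com;
  ssl on;
  ssl_protocols             SSLv3 TLSv1 TLSv1.1 TLSv1.2;
  location / {
    proxy_pass          https://ssl-example.com;
  }
}
"""

# Protocol names that must never appear in ssl_protocols (RFC 6176, RFC 7568).
OBSOLETE_PROTOCOLS = ('SSLv2', 'SSLv3')


def parse_servers(text):
    """Split an nginx config into server{} blocks and collect each block's
    simple directives (name -> list of argument lists). Nested blocks such
    as location{} are only tracked by brace depth so we know when the
    enclosing server{} ends."""
    servers = []
    current = None
    depth = 0
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if re.match(r'^server\s*{', line):
            current = defaultdict(list)
            servers.append(current)
            depth = 1
            continue
        if current is None:
            continue
        depth += line.count('{') - line.count('}')
        m = re.match(r'^([a-z_]+)\s+(.*?);$', line)
        if m:
            current[m.group(1)].append(m.group(2).split())
        if depth <= 0:
            current = None
    return servers


def find_duplicate_servers(servers):
    """Return (listen, server_name) keys claimed by more than one server{}.
    nginx serves such a pair from the first matching block, so any later
    block with the same key never receives traffic."""
    seen = defaultdict(int)
    for s in servers:
        listens = tuple(sorted(' '.join(v) for v in s.get('listen', [])))
        names = tuple(sorted(n for v in s.get('server_name', []) for n in v))
        seen[(listens, names)] += 1
    return sorted(key for key, count in seen.items() if count > 1)


def find_obsolete_protocols(servers):
    """Return (listen, [bad protocols]) for servers whose ssl_protocols
    still enable SSLv2 or SSLv3."""
    hits = []
    for s in servers:
        for protos in s.get('ssl_protocols', []):
            bad = sorted(p for p in protos if p in OBSOLETE_PROTOCOLS)
            if bad:
                hits.append((' '.join(s['listen'][0]), bad))
    return hits


def report(text):
    """Run both checks and return one human-readable finding per problem."""
    servers = parse_servers(text)
    findings = []
    for listens, names in find_duplicate_servers(servers):
        findings.append('duplicate server block: listen %s server_name %s'
                        % (' '.join(listens), ' '.join(names)))
    for listen, bad in find_obsolete_protocols(servers):
        findings.append('obsolete ssl_protocols %s on listen %s'
                        % (' '.join(bad), listen))
    return findings


if __name__ == '__main__':
    for finding in report(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it reports the duplicated `*:80` block for `example.com *.example.com` and the SSLv3 entry on the `*:443 ssl` listener; pointing `report()` at the output of `nginx -T` gives the same two checks over a live configuration.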
