Plone 5 and NGINX

I've tried several configuration examples to get NGINX working as a reverse proxy, e.g. to proxy an IP such as 1.2.3.4:8080/sitename to www.mydomain.com. I get it working, but the layout is a mess.

Any suggestions how to get this working properly?

Please check the VirtualHostBase and VirtualHostRoot placement in the proxy_pass in your config.

For an example check the Plone documentation: http://docs.plone.org/manage/deploying/front-end/nginx.html#minimal-nginx-front-end-configuration-for-plone-on-ubuntu-debian-linux

Maybe post your configuration?

My site is running at 81.23.226.83:8080/linuxpro and my nginx configuration is like this:

upstream plone {
    server 81.23.226.83:8080;
}

server {
    listen 128.199.57.38:80;
    listen [2a03:b0c0:2:d0::74:c000]:80;
    server_name linuxpro.nl, www.linuxpro.nl;
    server_name linuxpro.nl;
    return 301 https://$server_name$request_uri;
}

server {

    listen 128.199.57.38:443 spdy;
    listen [2a03:b0c0:2:d0::74:c000]:443 spdy;
    server_name www.linuxpro.nl, linuxpro.nl;
    access_log /var/log/nginx/linuxpro.nl.access.log;
    error_log /var/log/nginx/linuxpro.nl.error.log;

    # Note that domain name spelling in VirtualHostBase URL matters
    # -> this is what Plone sees as the "real" HTTP request URL.
    # "Plone" in the URL is your site id (case sensitive)
    location / {
        proxy_pass http://plone/VirtualHostBase/http/linuxpro.nl:443/linuxpro/VirtualHostRoot/;
    }

    ssl on;
    ssl_dhparam /etc/nginx/ssl/ssl-linuxpro.nl/dhparam.pem;
    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;

    ssl_certificate      /etc/letsencrypt/live/linuxpro.nl/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/linuxpro.nl/privkey.pem;

}

You have some issues with repeated server_name directives in both blocks, and the proxy_pass directive is pointing to http on port 443; also, don't use ssl on;:

Something like this should work:

server {
    listen 80;
    server_name www.linuxpro.nl;
    return 301 https://linuxpro.nl$request_uri;
}

server {
    listen 443 ssl;
    server_name linuxpro.nl;

    ssl_certificate /etc/letsencrypt/live/linuxpro.nlfullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/linuxpro.nl/privkey.pem;
    ssl_dhparam /etc/nginx/ssl/ssl-linuxpro.nldhparam.pem;
    ssl_session_cache shared:SSL:5m;

    location / {
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        proxy_pass http://plone/VirtualHostBase/https/linuxpro.nl:443/linuxpro/VirtualHostRoot/;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_ignore_headers Expires;
    }
}

Amazing, thank you! I had to correct some minor details (e.g. path to ssl cert) but besides that it's working.

I use this configuration now, which results in a working site and an A+ rating on ssllabs:

upstream plone {
    server 81.23.226.83:8080;
}

server {
    listen 128.199.57.38:80;
    listen [2a03:b0c0:2:d0::74:c000]:80;
    server_name www.linuxpro.nl, linuxpro.nl;
    return 301 https://www.linuxpro.nl$request_uri;
}

server {
    listen 128.199.57.38:443 spdy;
    listen [2a03:b0c0:2:d0::74:c000]:443 spdy;
    server_name www.linuxpro.nl;

    access_log /var/log/nginx/linuxpro.nl_access.log;
    error_log /var/log/nginx/linuxpro.nl_error.log;

    ssl on;
    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_cache shared:SSL:5m;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;

    ssl_dhparam          /etc/nginx/ssl/ssl-linuxpro.nl/dhparam.pem;
    ssl_certificate      /etc/letsencrypt/live/linuxpro.nl/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/linuxpro.nl/privkey.pem;

    location / {
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        proxy_pass http://plone/VirtualHostBase/https/linuxpro.nl:443/linuxpro/VirtualHostRoot/;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_ignore_headers Expires;
    }

}

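Added example, not part of the thread and not Plone or nginx code: a small Python check that parses the VirtualHostBase segment of a proxy_pass value and compares the public URL it declares to Plone with the nginx server block that carries it. The function names are hypothetical, and it assumes a port is left out of generated links only when it is the default for the declared scheme.

```python
import re
from urllib.parse import urlsplit

# Layout of a VirtualHostMonster path inside proxy_pass:
#   /VirtualHostBase/<scheme>/<host>[:<port>]/<site path>/VirtualHostRoot/
VHM = re.compile(
    r"/VirtualHostBase/(?P<scheme>[^/]+)/(?P<host>[^/:]+)(?::(?P<port>\d+))?"
    r"(?P<site>(?:/[^/]+)*?)/VirtualHostRoot(?:/|$)"
)
DEFAULT_PORT = {"http": 80, "https": 443}


def public_base(proxy_pass):
    """Parse proxy_pass and return (scheme, host, port, site path, base URL of generated links)."""
    m = VHM.search(urlsplit(proxy_pass).path)
    if m is None:
        raise ValueError("no VirtualHostBase/VirtualHostRoot pair in proxy_pass")
    scheme, host = m["scheme"].lower(), m["host"].lower()
    port = int(m["port"]) if m["port"] else DEFAULT_PORT.get(scheme, 80)
    # Assumption: the port is omitted from links only when it is the scheme's default.
    suffix = "" if DEFAULT_PORT.get(scheme) == port else f":{port}"
    return scheme, host, port, m["site"], f"{scheme}://{host}{suffix}"


def check_vhost(proxy_pass, tls, listen_port, server_names):
    """Compare the public URL declared to Plone with what the nginx server block serves."""
    scheme, host, port, _site, base = public_base(proxy_pass)
    findings = []
    expected = "https" if tls else "http"
    if scheme != expected:
        findings.append(f"scheme: Plone is told {scheme}, clients connect over {expected}")
    if port != listen_port:
        findings.append(f"port: Plone is told {port}, nginx listens on {listen_port}")
    if host not in {n.lower() for n in server_names}:
        findings.append(f"host: {host} is not a server_name of this block")
    return base, findings


if __name__ == "__main__":
    # Sample inputs: proxy_pass values and listener settings taken from the configurations in the thread.
    cases = {
        "first config": ("http://plone/VirtualHostBase/http/linuxpro.nl:443/linuxpro/VirtualHostRoot/",
                         True, 443, ["www.linuxpro.nl", "linuxpro.nl"]),
        "suggested fix": ("http://plone/VirtualHostBase/https/linuxpro.nl:443/linuxpro/VirtualHostRoot/",
                          True, 443, ["linuxpro.nl"]),
    }
    for label, args in cases.items():
        base, findings = check_vhost(*args)
        print(f"{label}: links start with {base}; {findings or 'consistent'}")
```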