Shulou(Shulou.com)06/02 Report--

This article mainly introduces "Nginx as a reverse proxy and HTTP protocol reverse proxy HTTPS service". In daily operation, I believe many people have doubts about Nginx as a reverse proxy and HTTP protocol reverse proxy HTTPS service. Xiaobian consulted all kinds of materials and sorted out a simple and useful method of operation. I hope it will be helpful to answer the doubts of "Nginx as a reverse proxy and reverse proxy HTTPS service with HTTP protocol". Next, please follow the editor to study!

Briefly record the problems and solutions encountered when Nginx is used as a reverse proxy and HTTP protocol is used to proxy HTTPS services based on Spring Security to downstream clients.

Background

There is a HTTPS Web application based on Spring Security and Spring MVC, which needs to provide services through Nginx as a reverse proxy.

The Nginx and Web applications are deployed on the same machine, and the IP is 10.115.6.165. The Web application listens on port 19026 using HTTPS protocol.

About Nginx, because we will need the more_set_headers instruction in the headers more module. Therefore, if it is a Windows environment, it is recommended to download it from http://nginx-win.ecsds.eu/ because its nginx is compiled into more modules. In the case of a Linux environment, also verify that the more_set_headers directive for the headers more module is available.

Nginx is a reverse proxy in the form of HTTP.

Run Ngnix with the following configuration to have Nginx reverse proxy the HTTPS service on port 9080 on port 19026 using the HTTP protocol.

Server {

Listen 9080

Server_name 10.115.6.165

Location / databoard/ {

Proxy_pass https://10.115.6.165:19026/databoard/;

Proxy_set_header Host $host

Proxy_set_header X-Real-IP $remote_addr

Proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for

Proxy_set_header REMOTE-HOST $remote_addr

Proxy_set_header X-Forwarded-Proto $scheme

Proxy_redirect off

}

}

But if we use a browser to access http://10.115.6.165:9080/databoard/login, we will find two problems shown in the following figure:

1) problems caused by redirect redirection used by back-end services

The browser address bar shows that it has been redirected to https://10.115.6.165/databoard/dataCmder. This is because the backend Web application executes the redirect redirect statement, and the redirected protocol and address are based on the web application context, and nginx forwards it to the browser without special processing, so the browser cannot access this address naturally. The solution is as follows:

Map $upstream_http_Location $location {

~ https://10.115.6.165/(?.*) http://10.115.6.165:9080/$param;

Default $upstream_http_Location

}

Server {

......

Location / databoard/ {

......

More_set_headers-s' 301 302''Location $location'

2) the problem that the browser cannot carry SessionID in the request due to the Secure attribute carried by Cookie.

Cookie with the Secure attribute means that if the browser does not use HTTPS to establish a link with the service, the value in this cookie will not be sent to the server with the request. To solve this problem, you need to remove the Secure attribute from cookie in Nginx and pass it to the browser. The solution is as follows:

Map $sent_http_set_cookie $resp_cookie {

~ * (?. +) Secure $CK_WITHOUT_SECURE

}

Server {

......

Location / databoard/ {

......

More_set_headers' Set-Cookie: $resp_cookie'

Complete related configuration map $upstream_http_Location $location {

~ https://10.115.6.165/(?.*) http://10.115.6.165:9080/$param;

Default $upstream_http_Location

}

Map $sent_http_set_cookie $resp_cookie {

~ * (?. +) Secure $CK_WITHOUT_SECURE

}

Server {

Listen 9080

Server_name 10.115.6.165

Location / databoard/ {

Proxy_pass https://10.115.6.165:19026/databoard/;

Proxy_set_header Host $host

Proxy_set_header X-Real-IP $remote_addr

Proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for

Proxy_set_header REMOTE-HOST $remote_addr

Proxy_set_header X-Forwarded-Proto $scheme

Proxy_redirect off

More_set_headers-s' 301 302''Location $location'

More_set_headers' Set-Cookie: $resp_cookie'

}

}

Nginx is a reverse proxy in the form of HTTPS.

If nginx provides reverse proxies to the outside world using the HTTPS protocol, it is easy to configure either layer 7 proxy or layer 4 proxy, as follows:

3) four-tier reverse proxy. Stream {

Upstream databoardServer {

Hash $remote_addr consistent

Server 10.115.6.165:19026 weight=5

}

Server {

Listen 9082

Proxy_connect_timeout 1s

Proxy_timeout 3s

Proxy_pass databoardServer

}

}

4) Seven-tier reverse proxy. Server {

Listen 443 ssl

Server_name 10.115.6.165

Ssl_certificate D:\\ tmp\\ opensslCrt\\ demoAppChain.crt

Ssl_certificate_key D:\\ tmp\\ opensslCrt\\ demoApp.key

Location / {

Proxy_pass https://10.115.6.165:19026;

Proxy_set_header Host $host

Proxy_set_header X-Real-IP $remote_addr

Proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for

Proxy_set_header Referer https://10.115.6.165;

}

}

About Spring Session Cookie Secure configuration

At that time, in order not to deal with Cookie on Nginx, I wanted to configure the Spring Web application directly so that Cookie would not have the Secure attribute. So directly modify the configuration application.properties as follows, but the Cookie returned to nginx still has the Secure attribute. (similarly, cookie's HttpOnly is determined by more than just a configuration.)

Server.session.cookie.secure=false

By tracking the Spring source code, it is found that as long as the application is running under the HTTPS protocol, it will make the generated Cookie Secure.

At this point, the study on "Nginx as a reverse proxy and reverse proxy HTTPS service with HTTP protocol" is over. I hope to be able to solve your doubts. The collocation of theory and practice can better help you learn, go and try it! If you want to continue to learn more related knowledge, please continue to follow the website, the editor will continue to work hard to bring you more practical articles!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.