Hello there.
Having a proxy directive like;
location / {
proxy_pass http://10.10.10.4:4020;
...
I wonder when using proxy_pass http://... (not httpS),
are these directives effective, under the proxy_pass?
proxy_ssl_name $host;
proxy_ssl_server_name on;
proxy_ssl_session_reuse off;
Or would they work ONLY if proxy_pass is pointed to an "https://"?
Best wishes,
Regards.
Mark.
Hello!
On Sat, Nov 18, 2023 at 01:54:21PM +0300, Mark wrote:
> Hello there.
>
> Having a proxy directive like;
>
> location / {
> proxy_pass http://10.10.10.4:4020;
> ...
>
> I wonder when using proxy_pass http://... (not httpS),
> are these directives effective, under the proxy_pass?
>
> proxy_ssl_name $host;
> proxy_ssl_server_name on;
> proxy_ssl_session_reuse off;
>
> Or would they work ONLY if proxy_pass is pointed to an "https://"?
The "proxy_ssl_*" directives define configuration for SSL
proxying. That is, corresponding values are only used when
proxy_pass is used with the "https" scheme.
--
Maxim Dounin
http://mdounin.ru/
Hello Mr. Maxim, thank you very much for your reply.
Things are much clearer now, thanks!
One, last question;
I have implemented nginx as a reverse proxy with TLS termination in my
FreeBSD host machine, and another nginx instance running in my jail, in;
10.10.10.2.
So, the host machine does the reverse proxying and SSL.
Before I open my website to public and production (a Wordpress website),
could you please kindly have a look at my reverse proxy configuration here;
http://paste.nginx.org/b8
So that you might wish to add some suggestions, or perhaps I still have a
misconfigured/unneeded directive there?
Thanks once again,
Regards.
Mark.
Hello!
On Sun, Nov 19, 2023 at 12:41:11PM +0300, Mark wrote:
> Hello Mr. Maxim, thank you very much for your reply.
>
> Things are much clearer now, thanks!
>
> One, last question;
>
> I have implemented nginx as a reverse proxy with TLS termination in my
> FreeBSD host machine, and another nginx instance running in my jail, in;
> 10.10.10.2.
>
> So, the host machine does the reverse proxying and SSL.
>
> Before I open my website to public and production (a Wordpress website),
> could you please kindly have a look at my reverse proxy configuration here;
>
> http://paste.nginx.org/b8
>
> So that you might wish to add some suggestions, or perhaps I still have a
> misconfigured/unneeded directive there?
Here are some comments:
> proxy_cache_bypass $http_upgrade;
You don't need proxy_cache_bypass if you aren't using cache.
> proxy_buffering off;
I don't really recommend switching off buffering unless you have
reasons to. And if the reason is to avoid disk buffering,
consider "proxy_max_temp_file_size 0;" instead, see
http://nginx.org/r/proxy_max_temp_file_size for details.
> proxy_set_header Referer $scheme://$host;
This looks simply wrong.
> proxy_set_header X-Scheme https;
> proxy_set_header X-Forwarded-Proto https;
> proxy_set_header X-Scheme https;
> proxy_set_header X-Forwarded-Ssl on;
This looks like a bit too many custom headers to let the backend know
that https is being used.
> proxy_set_header Upgrade $http_upgrade;
> proxy_set_header Connection "upgrade";
This shouldn't be used unless you are intentionally configuring
WebSocket proxying.
> proxy_set_header Early-Data $ssl_early_data;
This is certainly not needed unless you are using TLSv1.3 Early
Data (http://nginx.org/r/ssl_early_data), and you aren't.
Hope this helps.
--
Maxim Dounin
http://mdounin.ru/
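
An added example, not part of the thread and not nginx's own tooling: a small Python check that flags the points raised in the replies above (proxy_ssl_* directives next to a non-https proxy_pass, proxy_cache_bypass without a cache, a header set more than once, and an Early-Data header without "ssl_early_data on;"). The function names and the sample config are assumptions constructed from the directives quoted in the thread; it reads only one-line directives in the text it is given.

```python
import re

# Constructed sample built from directives quoted in the thread; not the poster's real config.
SAMPLE = """
location / {
    proxy_pass http://10.10.10.2;
    proxy_ssl_name $host;
    proxy_ssl_server_name on;
    proxy_cache_bypass $http_upgrade;
    proxy_set_header X-Scheme https;
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header X-Scheme https;
    proxy_set_header Early-Data $ssl_early_data;
}
"""

def directives(conf):
    """Return (name, args) for each one-line 'name args;' directive, skipping comments."""
    out = []
    for line in conf.splitlines():
        m = re.match(r"([a-z_0-9]+)\s+(.*);$", line.split("#", 1)[0].strip())
        if m:
            out.append((m.group(1), m.group(2).split()))
    return out

def lint(conf):
    """Return a list of findings for the config text given (includes are not followed)."""
    items = directives(conf)
    names = [n for n, _ in items]
    findings = []
    upstream = next((a[0] for n, a in items if n == "proxy_pass"), "")
    if upstream and not upstream.startswith("https://"):
        findings += [f"{n}: not used, proxy_pass scheme is not https"
                     for n in sorted(set(names)) if n.startswith("proxy_ssl_")]
    if "proxy_cache_bypass" in names and "proxy_cache" not in names:
        findings.append("proxy_cache_bypass: no proxy_cache in this config")
    seen = set()
    for n, a in items:
        if n != "proxy_set_header" or len(a) < 2:
            continue
        if a[0].lower() in seen:
            findings.append(f"proxy_set_header {a[0]}: set more than once")
        seen.add(a[0].lower())
        if "$ssl_early_data" in a[1] and ("ssl_early_data", ["on"]) not in items:
            findings.append(f"proxy_set_header {a[0]}: ssl_early_data is not on")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```

Pass the whole configuration text rather than a single location block, since proxy_cache and ssl_early_data are usually set at the http or server level.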