
Nginx Proxy With SSL and Http2

in category Linux Support -> Servers -> Nginx Proxy With SSL and Http2. Updated at Tue, 22 Nov 2022 17:07:13 EST

A working reverse-proxy configuration for Nginx on a Linux-based web server.


Below is a working Nginx proxy config. The proxy forwards requests to a Node.js app listening on port 9888. Only the basics are in here, and you can see how much of the original file is commented out.

This nginx.conf file is the base for other virtual host files.


# Base nginx.conf: global process settings plus the http{} context that pulls
# in the per-site virtual host files (the node-ssl proxy below is one of them).
#user  nobody;
worker_processes  1;
#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;
#pid        logs/nginx.pid;
# Dynamic modules (stream, per the nginx -V output below) are enabled here.
include /usr/local/etc/nginx/modules-enabled/*.conf;
events {
    worker_connections  1024;
}
http {
    include       mime.types;
    default_type  application/octet-stream;
    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';
    #access_log  logs/access.log  main;
    sendfile        on;
    tcp_nopush     on;
    tcp_nodelay on;
    #keepalive_timeout  0;
    keepalive_timeout  65;
    types_hash_max_size 2048;
    # NOTE(review): server_tokens is left at its default (on), so the Server
    # response header and nginx error pages include the exact nginx version.
    # Uncommenting `server_tokens off;` hides the version string.
    # server_tokens off;
    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;
    # Compression is fully disabled in this build; the gzip_* lines are kept
    # only as a template for enabling it later.
    #gzip  on;
	# gzip_vary on;
	# gzip_proxied any;
	# gzip_comp_level 6;
	# gzip_buffers 16 8k;
	# gzip_http_version 1.1;
	# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
	##
	# Virtual Host Configs
	##
	# Per-site server{} blocks live in conf.d/ and sites-enabled/; the
	# node-ssl proxy below is loaded from one of these two directories.
	include /usr/local/etc/nginx/conf.d/*.conf;
	include /usr/local/etc/nginx/sites-enabled/*;
}

A Virtual Host SSL Proxy

This is the virtual host file that fronts the Node.js app. Other virtual hosts run alongside this proxy: some are also proxied apps, each using a different high port, and others are just regular websites without any proxy.


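##
# root@dev5:/etc/nginx/sites-available # cat node-ssl
#
# Working reverse proxy for the node app listening on 127.0.0.1:9888.
# /static/ is declared as a separate location and served straight from disk.
#
# Changes against the original file: the TLS 1.2 cipher list is trimmed to
# forward-secret AEAD suites (the original also offered 3DES, CBC/SHA1 and
# static-RSA suites), X-Forwarded-Proto is passed to the app, and the
# indentation is made consistent. Directive behaviour is otherwise unchanged.
##
error_log  /var/log/nginx/node-error.log;

# Plain-HTTP catch-all: nothing is served here, every request is sent to HTTPS.
server {
    listen 80 default_server;
    # listen [::]:80 default_server;
    # listen 80;
    # Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
    # $host comes from the client's Host header; the redirect stays on that name.
    return 301 https://$host$request_uri;
}

# HTTPS server
#
server {
    listen 443 ssl http2;
    # fqdn example
    # server_name technilogical.com  www.technilogical.com;
    server_name node.localnet;

    ssl_certificate       /etc/ssl/localnet_com.crt;
    ssl_certificate_key   /etc/ssl/private/localnet_com.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    # TLS 1.2 suites only: ECDHE/DHE key exchange with AEAD ciphers. With
    # OpenSSL the TLS 1.3 suites are configured separately and are not
    # affected by this list. The 3DES (DES-CBC3-SHA), CBC/SHA1 and static-RSA
    # suites from the original list are dropped because they lack forward
    # secrecy and/or use a weak or legacy cipher.
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers on;
    ssl_session_cache    shared:SSL:1m;
    ssl_session_timeout  5m;
    # Optional once the certificate is stable and every subdomain is HTTPS:
    # add_header Strict-Transport-Security "max-age=63072000" always;

    access_log /var/log/nginx/my-ssl.log;

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Tells the app which scheme the client used on the public side.
        proxy_set_header X-Forwarded-Proto $scheme;
        # Upstream is TLS on loopback; the upstream certificate is not verified
        # (proxy_ssl_verify defaults to off), which is acceptable for 127.0.0.1
        # but must be revisited if the app ever moves to another host.
        proxy_pass https://127.0.0.1:9888/;
    }

    location /static {
        # root (not alias): files are read from /var/www/nodeapp/static/...
        root /var/www/nodeapp;
        expires 3d;
    }
}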

The Build

Below is the build configuration, as reported by `nginx -V`.

$ nginx -V
nginx version: nginx/1.22.1
built with OpenSSL
TLS SNI support enabled
configure arguments: --prefix=/usr/local/etc/nginx --with-cc-opt='-I /usr/local/include' --with-ld-opt='-L /usr/local/lib' --conf-path=/usr/local/etc/nginx/nginx.conf --sbin-path=/usr/local/sbin/nginx --pid-path=/var/run/nginx.pid --error-log-path=/var/log/nginx/error.log --user=www --group=www --modules-path=/usr/local/libexec/nginx --with-file-aio --http-client-body-temp-path=/var/tmp/nginx/client_body_temp --http-fastcgi-temp-path=/var/tmp/nginx/fastcgi_temp --http-proxy-temp-path=/var/tmp/nginx/proxy_temp --http-scgi-temp-path=/var/tmp/nginx/scgi_temp --http-uwsgi-temp-path=/var/tmp/nginx/uwsgi_temp --http-log-path=/var/log/nginx/access.log --with-http_v2_module --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-pcre --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --without-mail_imap_module --without-mail_pop3_module --without-mail_smtp_module --with-mail_ssl_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-threads --with-mail=dynamic --with-stream=dynamic

Only one dynamic module is enabled: mod-stream.conf.

It works!

Keywords
nginx web server. proxy setup for nginx, reverse proxy, http_proxy, http proxy