NGINX for reverse proxy and enable SSL (wss://)?

I am so lost and new to creating NGINX on my own, but I want to be able to enable secure websites without an extra layer.

I don't want to enable SSL on the websocket server, but instead I want to use NGINX to add an SSL layer for everything.

Every web page out there says I can't do this, but I know I can! Thanks to whoever (me) can show me how!

+104
ssl proxy nginx tcp mod-proxy
Aug 24 '12 at 1:23
7 answers

Just note that nginx now supports Websockets in release 1.3.13. Usage example:

    location /websocket/ {
        proxy_pass http://backend_host;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_read_timeout 86400;
    }

You can also check the nginx change log and the WebSocket proxy documentation.

+146
Feb 19 '13 at 23:58

Don't be afraid, because a brave group of Ops programmers has resolved the situation with the brand spanking new nginx_tcp_proxy_module.

Written in August 2012, so if you are from the future, you should do your homework.

The necessary conditions

It is assumed that you are using CentOS:

  • Delete the current instance of NGINX (suppose a dev server is used for this)
  • If possible, save the old NGINX configuration files so that they can be reused (including your init.d/nginx script)
  • yum install pcre pcre-devel openssl openssl-devel and any other necessary libraries for creating NGINX
  • Get nginx_tcp_proxy_module from GitHub here https://github.com/yaoweibin/nginx_tcp_proxy_module and remember the folder where you placed it (make sure it is not zipped)

Create your new NGINX

Again, CentOS suggests:

  • cd /usr/local/
  • wget 'http://nginx.org/download/nginx-1.2.1.tar.gz'
  • tar -xzvf nginx-1.2.1.tar.gz
  • cd nginx-1.2.1/
  • patch -p1 < /path/to/nginx_tcp_proxy_module/tcp.patch
  • ./configure --add-module=/path/to/nginx_tcp_proxy_module --with-http_ssl_module (you can add more modules if you need them)
  • make
  • make install

Additionally:

  • sudo /sbin/chkconfig nginx on

Configure Nginx

Remember to copy the old configuration files first if you want to reuse them.

Important: you will need to create the tcp {} directive at the highest level in your conf. Make sure it is not in your http {} directive.

The following configuration example shows one upstream web server and two proxies for SSL and Non-SSL.

    tcp {
        upstream websockets {
            ## webbit websocket server in background
            server 127.0.0.1:5501;

            ## server 127.0.0.1:5502; ## add another server if you like!

            check interval=3000 rise=2 fall=5 timeout=1000;
        }

        server {
            server_name _;
            listen 7070;

            timeout 43200000;
            websocket_connect_timeout 43200000;
            proxy_connect_timeout 43200000;

            so_keepalive on;
            tcp_nodelay on;

            websocket_pass websockets;
            websocket_buffer 1k;
        }

        server {
            server_name _;
            listen 7080;

            ssl on;
            ssl_certificate /path/to/cert.pem;
            ssl_certificate_key /path/to/key.key;

            timeout 43200000;
            websocket_connect_timeout 43200000;
            proxy_connect_timeout 43200000;

            so_keepalive on;
            tcp_nodelay on;

            websocket_pass websockets;
            websocket_buffer 1k;
        }
    }

+52
Aug 24 '12 at 1:23

This worked for me:

    location / {
        # redirect all HTTP traffic to localhost:8080
        proxy_pass http://localhost:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # WebSocket support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

- borrowed from: https://github.com/nicokaiser/nginx-websocket-proxy/blob/df67cd92f71bfcb513b343beaa89cb33ab09fb05/simple-wss.conf

+29
Aug 30 '16 at 0:07

for .net core 2.0 Nginx with SSL

    location / {
        # redirect all HTTP traffic to localhost:8080
        proxy_pass http://localhost:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # WebSocket support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
    }

It worked for me

+16
Oct 10 '17 at 20:26

For me, it came to setting the proxy_pass location. If necessary, change http://nodeserver to https://nodeserver and have a valid SSL certificate setting on the server side node. Thus, when I present an external node server, I only need to change the IP, and everything else will remain the same configuration.

I hope this helps someone along the way ... I kept looking at the problem ... sigh ...

    map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;
    }

    upstream nodeserver {
        server 127.0.0.1:8080;
    }

    server {
        listen 443 default_server ssl http2;
        listen [::]:443 default_server ssl http2 ipv6only=on;
        server_name mysite.com;

        ssl_certificate ssl/site.crt;
        ssl_certificate_key ssl/site.key;

        location /horizon {
            proxy_pass https://nodeserver;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
            proxy_http_version 1.1;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;

            proxy_intercept_errors on;
            proxy_redirect off;
            proxy_cache_bypass $http_upgrade;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-NginX-Proxy true;
            proxy_ssl_session_reuse off;
        }
    }

+7
Aug 02 '17 at 9:11
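
A static check for configurations like the ones on this page, as an added example that is not part of any answer here: it flags a location that sets Upgrade without proxy_http_version 1.1 or without a Connection header, an https:// upstream used without proxy_ssl_verify on (nginx does not verify upstream certificates by default), and the ssl on; directive, deprecated since nginx 1.15.0. The name lint_ws_proxy and the SAMPLE text are constructed for illustration.

```python
import re

# Constructed sample, modelled on the configurations quoted on this page.
SAMPLE = """
server {
    listen 8098; ssl on;                 # old-style TLS switch
    location /horizon {
        proxy_pass https://nodeserver;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}
"""

def lint_ws_proxy(conf: str) -> list:
    """Return findings for WebSocket proxy locations in an nginx config.

    Simplified parser: assumes no ';', '#' or braces inside quoted strings
    and no blocks nested inside a location.
    """
    conf = re.sub(r"#[^\n]*", "", conf)  # drop comments
    findings = []
    if re.search(r"(^|[;{}])\s*ssl\s+on\s*;", conf):
        findings.append("'ssl on;' is deprecated: use 'listen <port> ssl;'")
    for m in re.finditer(r"location\s+([^{]+?)\s*\{([^{}]*)\}", conf):
        path, body = m.group(1), m.group(2)
        directives = [d.split() for d in body.split(";") if d.strip()]

        def has(*words):
            return any(d[:len(words)] == list(words) for d in directives)

        target = next((d[1] for d in directives
                       if d[0] == "proxy_pass" and len(d) > 1), "")
        if has("proxy_set_header", "Upgrade"):
            if not has("proxy_http_version", "1.1"):
                findings.append(f"{path}: Upgrade set without proxy_http_version 1.1")
            if not has("proxy_set_header", "Connection"):
                findings.append(f"{path}: Upgrade set without a Connection header")
        if target.startswith("https://") and not has("proxy_ssl_verify", "on"):
            findings.append(f"{path}: https upstream without proxy_ssl_verify on")
    return findings
```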

A nice, short Pankaj Malhotra article on how to do this with NGINX is available here.

The basic NGINX configuration is shown below:

    map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;
    }

    upstream appserver {
        server 192.168.100.10:9222; # appserver_ip:ws_port
    }

    server {
        listen 8888; # client_wss_port

        ssl on;
        ssl_certificate /path/to/crt;
        ssl_certificate_key /path/to/key;

        location / {
            proxy_pass http://appserver;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
        }
    }

+4
Nov 06 '15 at 22:02

Using nginx/1.14.0

I have a websocket server running on port 8097, and users connect to wss through port 8098; nginx just decrypts the content and redirects it to the websocket server.

So I have this configuration file (in my case /etc/nginx/conf.d/default.conf):

    server {
        listen 8098;

        ssl on;
        ssl_certificate /etc/ssl/certs/combined.pem;
        ssl_certificate_key /root/domain.key;

        location / {
            proxy_pass http://hostname:8097;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_read_timeout 86400;
        }
    }

0
Oct 06 '18 at 2:31