puppet-nginx

Q: How to set up simple HTTPS reverse proxy with HTTP -> HTTPS redirect

Open dhs-rec opened this issue 2 years ago • 1 comments

I would like to migrate some SSL reverse proxy setups from Apache to nginx. In my current setup I use the following (quite simple) apache::vhost resources:

    # Redirect HTTP to HTTPS
    apache::vhost { 'my_site':
      docroot         => false,
      port            => 80,
      redirect_status => 'permanent',
      redirect_dest   => "https://${facts['networking']['fqdn']}/",
      servername      => $facts['networking']['fqdn'],
    }

    # HTTPS reverse proxy
    apache::vhost { 'my_site_ssl':
      allow_encoded_slashes => 'nodecode',
      docroot               => false,
      port                  => 443,
      proxy_pass            => [
        { 'path'         => '/',
          'url'          => 'http://localhost:8080/',
          'reverse_urls' => ['http://localhost:8080/'],
          'keywords'     => ['nocanon'],
        },
      ],
      proxy_preserve_host   => true,
      request_headers       => [
        "set X-Forwarded-Proto \"${proto}\"",
      ],
      servername            => $facts['networking']['fqdn'],
      ssl                   => $ssl,
      ssl_cert              => $cert,
      ssl_chain             => $chain,
      ssl_key               => $key,
      require               => $require,
    }

I've read the documentation for this module back and forth but I can't figure out how I would achieve the same with this module. Could someone point me in the right direction, please (and maybe add it to the docs)?

dhs-rec, Aug 18 '22 10:08

Setting ssl_redirect => true in nginx::resource::server should do the trick. With this nginx module you don't need to add an additional resource to handle the SSL redirect as one would need to do with the apache module.

    nginx::resource::server { 'mydoimain':
      ensure          => present,
      www_root        => '/var/www/nginx-default',
      ssl             => true,
      ssl_redirect    => true,
      ssl_cert        => 'puppet:///modules/sslkey/whildcard_mydomain.crt',
      ssl_client_cert => 'puppet:///modules/sslkey/whildcard_mydomain.crt',
      ssl_key         => 'puppet:///modules/sslkey/whildcard_mydomain.key',
    }

alexskr, Aug 18 '22 15:08

[Sorry for the late reply]

Can't believe it's that simple. Thanks a lot.

However, I've got another question: Let's say I've got a service running on localhost which listens on different ports (or multiple services running on the same host, doesn't really matter), for example:

  • 80 -> 443 (SSL redirect)
  • 443 (SSL) -> localhost:8080 (Service 1)
  • 9081 (SSL) -> localhost:8081 (Service 2)
  • 9082 (SSL) -> localhost:8082 (Service 3)
  • ...

I currently do this using multiple ::server resources (one for each service), like so:

    nginx::resource::server { 'service 1':
      ensure       => present,
      index_files  => [],
      server_name  => [$facts['networking']['fqdn']],
      ssl          => true,
      ssl_redirect => true,
      ssl_cert     => $chain,
      ssl_key      => $key,
      ssl_port     => 443,
      require      => Class['certificates'],
      proxy        => 'http://localhost:8080',
    }

with different ssl_port and ssl_redirect => false for the other services, but this also creates a plain HTTP server on port 80 for each created server.

I believe I need to create an ::upstream resource together with a ::server resource, but I can't figure it out. Any hint would be appreciated.

dhs-rec, Oct 06 '22 06:10
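
One way to get the port layout asked about in the last post, as an added example (not code from the thread participants or from the module's documentation). It assumes that puppet-nginx omits the plain-HTTP server block when `listen_port` equals `ssl_port` and `ssl => true`, so check the generated config for your module version; `$chain`, `$key` and `Class['certificates']` come from the post, and the `service_<port>` titles are made up.

```puppet
# Constructed mapping of TLS listen port => local backend, taken from the
# list in the post above.
$tls_backends = {
  443  => 'http://localhost:8080',
  9081 => 'http://localhost:8081',
  9082 => 'http://localhost:8082',
}

$tls_backends.each |Integer $port, String $backend| {
  # Only the 443 server keeps a plain-HTTP listener on port 80, and it uses
  # that listener solely to redirect clients to HTTPS.
  $is_default = $port == 443

  nginx::resource::server { "service_${port}":
    ensure       => present,
    index_files  => [],
    server_name  => [$facts['networking']['fqdn']],
    ssl          => true,
    ssl_cert     => $chain,
    ssl_key      => $key,
    ssl_port     => $port,
    # Assumption: listen_port == ssl_port makes the server TLS-only, so the
    # extra services do not each open an unencrypted listener on port 80.
    listen_port  => $is_default ? { true => 80, default => $port },
    ssl_redirect => $is_default,
    proxy        => $backend,
    require      => Class['certificates'],
  }
}
```

After applying, the rendered nginx configuration should contain a single `listen 80` block (the redirect) and one `ssl` listener each for 443, 9081 and 9082.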