nginx proxy+tls termination nginx feedbacks?

Hello,

I have a host machine running nginx as proxy + TLS termination to the nginx instance running in jail IP address (proxy_pass http://10.1.1.3).

I'd be very grateful if someone with knowledge here could give me feedback on my "location /" proxy configuration.

Is there anything completely unnecessary that I should remove?

Thank you.

Code:
# Must live in the http {} context, outside the server block: send
# "Connection: upgrade" to the backend only when the client actually asked
# for an upgrade (WebSocket); otherwise tell the backend to close the connection.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 27.18.1.3:443 ssl;
    http2 on;                            # requires nginx 1.25.1 or later
    server_name mysite.com www.mysite.com;

    root /usr/local/www/mysite;

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ssl_certificate /root/.acme.sh/....com_ecc/fullchain.cer;
    ssl_certificate_key /root/.acme.sh/..._ecc/....key;
    ssl_trusted_certificate /root/.acme.sh/...com_ecc/ca.cer;

    # HSTS is set here, at the TLS terminator; the backend's own copy is hidden below.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

    location / {
        proxy_pass http://10.1.1.3;
        proxy_http_version 1.1;          # needed for Upgrade (WebSocket) and upstream keepalive
        proxy_cache_bypass $http_upgrade;    # no effect unless proxy_cache is configured

        proxy_buffering off;             # with buffering off only proxy_buffer_size is used per read;
        proxy_buffer_size 16k;           # proxy_buffers and proxy_busy_buffers_size have no effect
        proxy_busy_buffers_size 24k;
        proxy_buffers 64 4k;
        proxy_headers_hash_bucket_size 128;  # hash table sizing for the proxy_set_header list
        proxy_headers_hash_max_size 1024;    # (defaults are 64 and 512)

        #What to do with these three ones?
        #proxy_ssl_session_reuse off;    # proxy_ssl_* only apply when proxy_pass uses https://
        #proxy_intercept_errors off;     # off is already the default
        #proxy_ssl_server_name on;       # proxy_ssl_* only apply when proxy_pass uses https://

        proxy_hide_header Strict-Transport-Security;   # only the front end's HSTS header reaches clients
        proxy_set_header X-Scheme https;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;   # appends to any client-supplied value
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Url-Scheme https;
        proxy_set_header X-Forwarded-Host $server_name;
        proxy_set_header X-Forwarded-Ssl on;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;   # was the literal "upgrade" on every request
        proxy_set_header Early-Data $ssl_early_data;       # empty unless ssl_early_data on is set
    }
}
 
This is my production example for the same case.
It has worked for me for more than 10 years without any issues.

If you have mixed HTTP/HTTPS sites then it may be useful to have this enabled:
Code:
server {
    listen 1.2.3.4:443 ssl default_server;
    ssl_reject_handshake on;     # requires nginx 1.19.4 or later; no certificate is needed in this block
    server_name default.server;
}
It will reject HTTPS requests for hosts without configured HTTPS.
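Added here as an example and not code from either post: a small Python check that parses an nginx config and flags the three points raised in this thread (proxy_ssl_* directives on a plain http:// upstream, a hard-coded Connection: upgrade header, and the absence of a default_server with ssl_reject_handshake on). The config string is constructed for the example and the parser is a minimal one written for it, not nginx's own.

```python
import re

# Constructed sample in the shape of the thread's config, not the poster's exact text.
SAMPLE = ('server { listen 203.0.113.10:443 ssl; location / { proxy_pass http://10.1.1.3; '
          'proxy_set_header Connection "upgrade"; proxy_ssl_server_name on; } }')
# Token kinds: comment | double-quoted string | single-quoted string | { } ; | bare word.
_TOKEN = re.compile(r'#[^\n]*|"(?:[^"\\]|\\.)*"|\'(?:[^\'\\]|\\.)*\'|[{};]|[^\s{};"\']+')

def parse(text):
    """Parse nginx config into nested (name, args, children) tuples; children is None for simple directives."""
    stack, args = [[]], []
    for tok in _TOKEN.findall(text):
        if tok == '}':
            stack.pop()
        elif tok in ('{', ';'):
            children = [] if tok == '{' else None
            stack[-1].append((args[0], args[1:], children))
            if tok == '{':
                stack.append(children)
            args = []
        elif not tok.startswith('#'):          # comments are dropped
            args.append(tok.strip('"\''))
    return stack[0]

def find(block, pred):
    """Yield (name, args) for every directive in the subtree whose name satisfies pred."""
    for name, args, children in block:
        if pred(name):
            yield name, args
        if children:
            yield from find(children, pred)

def audit(text):
    """Return findings for the proxy + TLS-termination pattern discussed in the thread."""
    findings, catchall = [], False
    for name, _, srv in parse(text):
        if name != 'server':
            continue
        plain = any(a and a[0].startswith('http://') for _, a in find(srv, lambda n: n == 'proxy_pass'))
        if plain and any(find(srv, lambda n: n.startswith('proxy_ssl_'))):
            findings.append('proxy_ssl_* directives have no effect on a plain-HTTP upstream')
        for _, a in find(srv, lambda n: n == 'proxy_set_header'):
            if [x.lower() for x in a] == ['connection', 'upgrade']:
                findings.append('Connection: upgrade is forced on every request; use a map on $http_upgrade')
        catchall |= any('default_server' in a for _, a in find(srv, lambda n: n == 'listen')) and \
                    any(a == ['on'] for _, a in find(srv, lambda n: n == 'ssl_reject_handshake'))
    if not catchall:
        findings.append('no default_server with ssl_reject_handshake on to reject unknown TLS hosts')
    return findings
```

Running audit(SAMPLE) reports all three findings; a config with a $connection_upgrade map and a rejecting default_server reports none.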
 