What will nginx reverse-proxy do with ‘proxy_redirect’ to https when a backend has invalid https certificate

browsernginxreverse-proxywebserver

I have a strange situation with my nginx acting as reverse proxy. When my backend website is responding to a user (user's browser) request through nginx reverse-proxy, the user will obtain http protocol in 302 FOUND redirects instead of https protocol.

I came to situation where two things on the nginx reverse-proxy will help me solve this situation with wrong protocol in the redirects:

add_header Content-Security-Policy "upgrade-insecure-requests";

proxy_redirect http:// https://;

However the approach is very different with these commands.

I would prefer to use the first CSP option because it seems to be the best way how to solve this. However I am not totally sure what happens when using the second 'proxy_redirect' option.

To be more specific my backend is listening on HTTP (80) and also on HTTPS (443). However the HTTPS (TLS) certificate on my backend is expired. In the nginx reverse proxy config, I am using HTTP protocol for the 'proxy_pass' to backend.

When I use 'proxy_redirect' in this situation it seems like the nginx reverse-proxy fails to create TLS handshake. However instead of terminating the 'proxy_pass' connection it continues to communicate on HTTP protocol. At least that is what I see in the backend's web server logs. From the user perspective the 302 FOUND redirects are now set to HTTPS which seems to be fine. The website seems to be working without any issue. There are no errors in the nginx reverse-proxy nor console.

So is this behavior in the nginx reverse-proxy normal? Which option should I implement when I don't want to use valid HTTPS connection to the backend? Will nginx reverse-proxy behave the same way with the 'proxy_redirect' option when HTTPS certificate is totally missing from the backend?

Best Answer

So I checked the nginx documentation: https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_redirect

The statement of the "proxy_redirect" directive is clear:

Sets the text that should be changed in the “Location” and “Refresh” header fields of a proxied server response.

From my understanding the proxied server response in this case is the response from backend webserver. This means that "proxy_pass" directive on protocol HTTP on port 80 has no direct relation with "proxy_redirect" directive and vice versa.

This means that in this case I can freely use "proxy_redirect" directive as the solution to my problem. The first CSP approach is also available but the job of overwriting "Location" header from http to https relies on the users' browsers in this case. I think the better solution is to set this responsibility to nginx with the "proxy_redirect" directive. If something will go wrong I think it's better to rely on proper nginx settings than on multiple different browsers.

Related Solutions

Nginx reverse proxy to Synology DSM, no URL base

The location blocks have nothing similar, so combining them with a regex is a bit time consuming and complicated.

Instead, we can just route all the requests to the DSM.

There are three methods to have multiple DSM servers without clashing.

Method #1: Virtual Hosts

You will need to configure your DNS to point your chosen virtual host at the NGINX server.

http {
    #DSM 1 Standard DSM setup
    upstream dsm1 {
        server 1.1.1.1:5000;
    }
    #DSM 2 - DSM has different Port, same IP Address
    upstream dsm2 {
        server 1.1.1.1:6000;
    }
    #DSM 3 - DSM has different IP Address
    upstream dsm3 {
        server 2.1.1.1:5000;
    }
    #DSM 1 Standard DSM setup
    server {
        listen       80;
        server_name dsm1.mydomain.com;
        location / {
            include proxy_headers;
            proxy_pass http://dsm1/;
    }
    #DSM 2 - DSM has different Port, same IP Address
    server {
        listen       80;
        server_name dsm2.mydomain.com;
        location / {
            include proxy_headers;
            proxy_pass http://dsm2/;
    }
    #DSM 3 - DSM has different IP Address
    server {
        listen       80;
        server_name dsm3.mydomain.com;
        location / {
            include proxy_headers;
            proxy_pass http://dsm3/;
    }

Method #2, Different NGINX ports

Each server can be accessed on it's own port on the NGINX server

http {
    #DSM 1 Standard DSM setup
    upstream dsm1 {
        server 1.1.1.1:5000;
    }
    #DSM 2 - DSM has different Port, same IP Address
    upstream dsm2 {
        server 1.1.1.1:6000;
    }
    #DSM 3 - DSM has different IP Address
    upstream dsm3 {
        server 2.1.1.1:5000;
    }
    #DSM 1 Standard DSM setup
    server {
        listen       80;
        location / {
            include proxy_headers;
            proxy_pass http://dsm1/;
    }
    #DSM 2 This DSM server is available on another port (8081). Access using http://nginx_ip:8081
    server {
        listen       81;
        location / {
            include proxy_headers;
            proxy_pass http://dsm1/;
    }
}

Method #3: Rewrites

Each server can be accessed via a sub-url on the NGINX server. May not work depending on the DSM webpage configuration, and whether or not it has relative instead of absolute URLs.

http {
    #DSM 1
    upstream dsm1 {
      server 1.1.1.1:5000
    }
    #DSM 2
    upstream dsm2 {
      server: 1.1.1.2:5000
    }
    server {
      listen 80;
      location /dsm1/(?<dsmurl>.*) {
        include proxy_headers;
        proxy_pass http://dsm1/$dsmurl
      }
      location /dsm2/(?<dsmurl>.*) {
        include proxy_headers;
        proxy_pass http://dsm2/$dsmurl
      }
     }
}

Jenkins using JNLP behind nginx SSL reverse proxy

(Expanded based on feedback on comments)

That server is configured to require protocol version TLSv1.2 (only), and ciphersuites using at least one of AES-GCM or 256-bit AES, with either DHE or ECDHE key exchange (for which OpenSSL and thus nginx uses variant spellings EDH and EECDH in some cases including this one).

JSSE client in Oracle or OpenJDK JDK7 does not offer TLSv1.2 or 1.1 by default (don't know for IBM, which has its own crypto providers) but they are implemented and can be enabled; for (Https)URLConnection this can be done with system property https.protocols. (Or by overlaying its socket factory, but the system property is usually easier.) But JDK7 does not implement GCM, and Oracle versions (but NOT OpenJDK ones) prohibit 256-bit symmetric encryption unless you install the "JCE Unlimited Strength Jurisdiction Policy Files" from the Oracle website; see https://stackoverflow.com/a/33712287/2868801 and possibly https://stackoverflow.com/questions/30350120/sslhandshakeexception-while-connecting-to-a-https-site

In contrast JDK8 (Oracle and OpenJDK) offers TLSv1.2 and 1.1 by default, and implements GCM, so it can connect without the Unlimited Strength policy.

Both 7 and 8 support DHE and ECDHE key exchange. But for anyone else in a similar situation with JDK6: ECDHE does not work unless you add a third-party provider for ECC primitives like bcprov from http://www.BouncyCastle.org

Best Answer

Related Solutions

Nginx reverse proxy to Synology DSM, no URL base

Jenkins using JNLP behind nginx SSL reverse proxy

Related Question