Using nginx to proxy to an AWS ELB
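# nginx reverse proxy in front of an AWS ELB.
#
# proxy_pass is given a variable ($awsilb) rather than a literal hostname so that
# nginx re-resolves the ELB name at runtime instead of caching the IPs it saw at
# startup (ELB addresses change). That is why each server block needs a resolver.
daemon off;
worker_processes 1;
events { worker_connections 1024; }
http {
    sendfile on;

    server {
        ### server port and name ###
        listen 80;
        server_name nginx;
        # NOTE(review): lookups for the internal ELB name go to a public resolver here.
        # The VPC-provided resolver (169.254.169.253) keeps them inside AWS; confirm the
        # address for this VPC before switching. valid=10s keeps the ELB IPs fresh.
        resolver 8.8.8.8 valid=10s;
        resolver_timeout 10s;
        ### log files ###
        access_log logs/access.log;
        error_log logs/error.log;
        location / {
            set $awsilb "internal-ILB-name-123456789.us-east-1.elb.amazonaws.com";
            proxy_pass http://$awsilb;
            ### retry the next resolved address if a backend is down or errors ###
            proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
            ### Set headers ###
            proxy_set_header Accept-Encoding "";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            # Appends $remote_addr to any X-Forwarded-For the client sent; the app must
            # trust only the right-most entries (the ones added by this proxy).
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            ### Most PHP, Python, Rails, Java apps can use this header ###
            # $scheme reflects the listener actually used ("http" here) instead of a
            # hard-coded "https", so the app never sees a false HTTPS claim.
            proxy_set_header X-Forwarded-Proto $scheme;
            # Front-End-Https is only meaningful on the TLS listener below; advertising
            # it on a plaintext listener is a false claim, so it is not set here.
            ### By default we don't want to rewrite Location/Refresh headers ###
            proxy_redirect off;
        }
    }

    server {
        ### server port and name ###
        # "listen ... ssl" replaces the deprecated standalone "ssl on;" directive.
        listen 443 ssl;
        server_name nginx.ssl;
        # NOTE(review): same resolver consideration as the port-80 server above.
        resolver 8.8.8.8 valid=10s;
        resolver_timeout 10s;
        ### SSL log files ###
        access_log logs/ssl-access.log;
        error_log logs/ssl-error.log;
        ### SSL cert files ###
        ssl_certificate ssl/ssl.crt;
        ssl_certificate_key ssl/ssl.key;
        ### TLS settings ###
        # SSLv3, TLSv1.0 and TLSv1.1 are removed (SSLv3 is broken by POODLE; 1.0/1.1 are
        # deprecated). TLSv1.3 requires nginx built against OpenSSL 1.1.1 or later.
        ssl_protocols TLSv1.2 TLSv1.3;
        # RC4 is a broken cipher and must not be offered; this list is forward-secret
        # AEAD suites only (ECDHE key exchange, AES-GCM / ChaCha20-Poly1305).
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
        ssl_prefer_server_ciphers on;
        keepalive_timeout 60;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;
        ### TLS terminates here; the hop to the ELB is plain HTTP (proxy_pass http://) ###
        location / {
            set $awsilb "internal-ILB-name-123456789.us-east-1.elb.amazonaws.com";
            proxy_pass http://$awsilb;
            ### retry the next resolved address if a backend is down or errors ###
            proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
            ### Set headers ###
            proxy_set_header Accept-Encoding "";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            # Appends $remote_addr to any X-Forwarded-For the client sent; the app must
            # trust only the right-most entries (the ones added by this proxy).
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            ### Most PHP, Python, Rails, Java apps can use this header ###
            # $scheme is "https" on this listener. NOTE(review): an ELB in HTTP mode
            # downstream may replace this header with its own value - verify at the app.
            proxy_set_header X-Forwarded-Proto $scheme;
            # Response header to the client (add_header does not reach the backend).
            add_header Front-End-Https on;
            ### By default we don't want to rewrite Location/Refresh headers ###
            proxy_redirect off;
        }
    }
}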
AWS Certificate Manager SSL certificates can only be used directly on integrated AWS services that support them, such as the ELB. There is no way to retrieve the private key of an ACM certificate, nor to install it on an EC2 instance.
aws acm get-certificate
seems to indicate otherwise...
aws acm get-certificate
seems to indicate otherwise...
Did you try to execute the command you have quoted? Do it.
X-Forwarded-Proto
will be overridden by ELB.
Sometimes the ALB returns status code 303, and I had to change this to `proxy_redirect default;` to fix it.
Could you please confirm whether it is possible to use an AWS-managed certificate here, or whether it must be a certificate issued by a CA?