http to https not working with nginx
Hi,
I have a problem with an F5 iRule. I set the iRule on F5 "
when HTTP_REQUEST {
    HTTP::host [HTTP::host]:443;
}
" and it's working perfectly.
But when I changed my database from apache to nginx, https is not working. We ran nginx as a load balancer before and set
proxy_set_header Host $host:443;
, and it worked well.
Could anyone give me any suggestions, please?
Maybe you don't even need iRules. If I understand correctly you want the client side to be HTTP and the server side HTTPS?
What does your virtual server look like? Can you share the output of:
tmsh list /ltm virtual
- ispy_344504
Nimbostratus
Please see the following configuration:
    destination x.x.x.x:https
    ip-protocol tcp
    mask 255.255.255.255
    pool lt-test-pool
    profiles {
        clientssl-xxxx {
            context clientside
        }
        clientssl-xxxx {
            context clientside
        }
        http { }
        tcp-lan-optimized {
            context serverside
        }
        tcp-wan-optimized {
            context clientside
        }
        web_acceleration_2 { }
    }
    rules {
        _http_header
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
    vlans {
        external-1
        internal-20
    }
    vlans-enabled
    vs-index 40
}
I notice that you don't use any serverssl profiles. So you're basically doing SSL offloading now. When SSL offloading, I don't understand your iRules which are pointing to HTTPS. When SSL offloading I would expect your pool members to be listening on port 80. Can you tell us more about your setup?
- ispy_344504
Nimbostratus
Hi Niels van Sluis, you're right, we don't use any serverssl profile. Our pool members are only listening on port 80, so we need iRules to insert host:443, and we'll get the https web. When we changed the web service from apache to nginx, it's not working. We're wondering if we need to change the iRules?
The following configuration is our web service, and it works well.
    destination x.x.x.x:https
    ip-protocol tcp
    mask 255.255.255.255
    pool ltgm_web_pool
    profiles {
        clientssl-xxxx {
            context clientside
        }
        clientssl-xxxx {
            context clientside
        }
        http { }
        http2 { }
        oneconnect { }
        tcp-lan-optimized {
            context serverside
        }
        tcp-wan-optimized {
            context clientside
        }
        wan-optimized-compression { }
    }
    rules {
        _http_header
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
    vlans {
        external-1
        internal-20
    }
    vlans-enabled
    vs-index 63
}
Why do you think you need to insert this particular Host header? It makes no sense to me.
- JG
Cumulonimbus
What is your nginx virtual server configuration for this? That'll give us some clue.
- ispy_344504
Nimbostratus
Hi Jie,
We need the host header because we don't use any https on nginx and apache, so we need to insert host:443 on F5. It works for the apache server but not nginx.
Hi Jie, this is our nginx configuration:
server {
    listen *:80;
    server_name x.x.x.x;
    access_log /var/log/nginx/xxx_log main;
    error_log /var/log/nginx/xxx.err_log error;
    access_log off;
    proxy_hide_header X-Powered-By;
    include 001-share_conf/aio-thread;
    include 001-share_conf/ad-rewrite;

    location ~ \.php$ {
        root /home/xxx;
        include 001-share_conf/fastcgi;
        include 001-share_conf/uuid/lt/bck-lt/uuid;
        include fastcgi.conf;
    }

    # deny access to .htaccess files
    location ~ /\.ht {
        deny all;
    }

    error_page 404 /404.html;

    # redirect server error pages to the static page /50x.html
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /etc/nginx/html;
    }
}
- JG
Cumulonimbus
What was your Apache configuration then?
- Daniel_Varela
Employee
If your virtual server is listening on port 443 (with clientssl profile) and your nginx server is listening on port 80, then you should configure your pool members on port 80, as simple as that.
The iRule does not make any sense, to be honest. Injecting the port at the end of the hostname is not going to make that request go to the port you need; your pool member configuration will do that.
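The point made in the reply above, as an added example that is not part of the thread: a stand-in backend on an ephemeral local port receives a request whose Host header ends in :443, showing that the header's port does not choose the destination port. The host name www.example.test and the helper names are constructed for illustration.

```python
# Added example (not from the thread): the port inside a Host header is
# only header text; the TCP port the client connects to decides where
# the request lands.
import http.client
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class EchoHandler(BaseHTTPRequestHandler):
    """Stand-in for a pool member listening on plain HTTP."""

    def do_GET(self):
        body = json.dumps({
            "host_header": self.headers.get("Host"),
            # Port the TCP connection actually arrived on.
            "socket_port": self.connection.getsockname()[1],
        }).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def send_with_host(host_header):
    """Start a backend on an ephemeral port, send one request carrying
    host_header, and return (backend_port, what_the_backend_saw)."""
    server = HTTPServer(("127.0.0.1", 0), EchoHandler)
    backend_port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        conn = http.client.HTTPConnection("127.0.0.1", backend_port, timeout=5)
        # skip_host stops http.client from adding its own Host header.
        conn.putrequest("GET", "/", skip_host=True)
        conn.putheader("Host", host_header)
        conn.endheaders()
        seen = json.loads(conn.getresponse().read())
        conn.close()
    finally:
        server.shutdown()
        server.server_close()
    return backend_port, seen


if __name__ == "__main__":
    port, seen = send_with_host("www.example.test:443")  # constructed name
    print(f"connected to port {port}; backend saw {seen}")
```

The backend reports the Host value exactly as sent, while the socket port is whatever the client connected to, which on the BIG-IP is set by the pool member definition.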
- ispy_344504
Nimbostratus
Hi Jie,
Thank you for your help.
This is the Apache configuration:
ServerName www.xxx.com:80
ServerAlias xxxx.com yyyyy.com www.zzzz.com
DocumentRoot /home/xxx
ErrorLog logs/www.xxx.err_log
CustomLog /var/log/httpd/www.xxx.acs_log combinedio
Include /etc/httpd/conf.d/001-share_conf/aa-directory-parameter
Include /etc/httpd/conf.d/001-share_conf/ad-rewrite
Include /etc/httpd/conf.d/001-share_conf/xxx/uuid