help with https to http and WSS to WS reverse proxy conf

[Michael Williams]

Hi All,

Can someone with fresh eye please review this config and tell me why
requests are infinite redirection to https?

I'm trying to forward inbound requests on port 443 either to the localhost
port 80 or the localhost port 25565, depending if it is a request for a WSS
or for HTTP (files)
Many thanks!

map $http_upgrade $connection_upgrade {

    default upgrade;

    '' close;

}


upstream to-websocket {

    server localhost:25565;

}


server_tokens off;


# SSL requirements. We use Certbot and LetsEncrypt

#ssl_certificate /etc/letsencrypt/live/-myFQDN-/fullchain.pem; # managed by
Certbot

#ssl_certificate_key /etc/letsencrypt/live/-myFQDN-/privkey.pem; # managed
by Certbot

#include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot

#ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

#ssl_session_cache shared:SSL:1m;


#ssl_session_timeout 5m;

#ssl_ciphers HIGH:!aNULL:!MD5;

#ssl_prefer_server_ciphers on;


server {

#   first redirect to https

    if ($scheme = "http") {

        return 301 https://$host$request_uri;

    }


#   Now webserver

#   Port 80 shouldn't be accesed from outside

    listen 80 default_server;

    listen [::]:80 default_server;

    server_name -myFQDN- www.-myFQDN-;

    return 404; # managed by Certbot

    root /var/www/html;

}


server {

    root /var/www/html;

    index  index.html index.htm;

    server_name -myFQDN-;


#   Proxy our outside https to local http

    listen [::]:443 ssl ipv6only=on; # managed by Certbot

    listen 443 ssl; # managed by Certbot

    ssl_certificate /etc/letsencrypt/live/-myFQDN-/fullchain.pem; # managed
by Certbot

    ssl_certificate_key /etc/letsencrypt/live/-myFQDN-/privkey.pem; #
managed by Certbot

    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot

    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot


    location / {

        try_files /nonexistent @$http_upgrade;

    }

    location @websocket {

        proxy_http_version 1.1;

        proxy_set_header Upgrade $http_upgrade;

        proxy_set_header Connection $connection_upgrade;

        proxy_set_header X-Real-IP $remote_addr;

        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        proxy_set_header Host -myFQDN-;

        proxy_set_header Referer https://-myFQDN-;

        proxy_set_header Referrer https://-myFQDN-;

#       proxy_pass http://localhost:25565;

        proxy_pass http://to-websocket;

    }


    location @ {

        proxy_set_header X-Real-IP $remote_addr;

        proxy_set_header Host -myFQDN-;

        proxy_set_header Referer https://-myFQDN-;

        proxy_set_header Referrer https://-myFQDN-;

        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        proxy_pass http://localhost:80;

    }

}


[image: linkedin]
<https://www.linkedin.com/in/michael-glenn-williams-45ab23228/>

_______________________________________________
nginx mailing list -- nginx@nginx.org
To unsubscribe send an email to nginx-le...@nginx.org