Hello!

On Sun, Nov 19, 2023 at 12:41:11PM +0300, Mark wrote:

> Hello Mr. Maxim, thank you very much for your reply.
>
> Things are much clearer now, thanks!
>
> One, last question;
>
> I have implemented nginx as a reverse proxy with TLS termination in my
> FreeBSD host machine, and another nginx instance running in my jail, in;
> 10.10.10.2.
>
> So, the host machine does the reverse proxying and SSL.
>
> Before I open my website to public and production (a Wordpress website),
> could you please kindly have a look at my reverse proxy configuration here;
>
> http://paste.nginx.org/b8
>
> So that you might wish to add some suggestions, or perhaps I still have a
> misconfigured/unneeded directive there?

Here are some comments:

> proxy_cache_bypass $http_upgrade;

You don't need proxy_cache_bypass if you aren't using cache.

> proxy_buffering off;

I don't really recommend switching off buffering unless you have
reasons to. And if the reason is to avoid disk buffering, consider
"proxy_max_temp_file_size 0;" instead, see
http://nginx.org/r/proxy_max_temp_file_size for details.

> proxy_set_header Referer $scheme://$host;

This looks simply wrong.

> proxy_set_header X-Scheme https;
> proxy_set_header X-Forwarded-Proto https;
> proxy_set_header X-Scheme https;
> proxy_set_header X-Forwarded-Ssl on;

This looks like a bit too many custom headers to let the backend know
that https is being used.

> proxy_set_header Upgrade $http_upgrade;
> proxy_set_header Connection "upgrade";

This shouldn't be used unless you are intentionally configuring
WebSocket proxying.

> proxy_set_header Early-Data $ssl_early_data;

This is certainly not needed unless you are using TLSv1.3 Early
Data (http://nginx.org/r/ssl_early_data), and you aren't.

Hope this helps.

--
Maxim Dounin
http://mdounin.ru/
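
The review comments above, applied to a minimal TLS-terminating server block in front of the jail at 10.10.10.2. This is an added example, not part of the original message and not the configuration from the paste; the server name, certificate paths, backend port and the Host/X-Real-IP/X-Forwarded-For headers are assumptions.

```nginx
# Added example: reverse proxy on the FreeBSD host, backend nginx in the jail.
# example.com, the certificate paths and backend port 80 are assumptions.
server {
    listen 443 ssl;
    server_name example.com;                                   # placeholder

    ssl_certificate     /usr/local/etc/ssl/example.com.crt;    # placeholder path
    ssl_certificate_key /usr/local/etc/ssl/example.com.key;    # placeholder path

    location / {
        proxy_pass http://10.10.10.2:80;

        # Common forwarding headers (assumed, not taken from the thread).
        proxy_set_header Host            $host;
        proxy_set_header X-Real-IP       $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # A single header tells the backend the client connection used https,
        # instead of X-Scheme + X-Forwarded-Proto + X-Forwarded-Ssl together.
        proxy_set_header X-Forwarded-Proto $scheme;

        # proxy_buffering stays at its default (on). Only needed if the goal
        # is to keep responses from being buffered to temporary files on disk:
        proxy_max_temp_file_size 0;

        # Left out on purpose, following the review:
        #   proxy_cache_bypass $http_upgrade;            no proxy_cache in use
        #   proxy_buffering off;                         no stated reason for it
        #   proxy_set_header Referer $scheme://$host;    overwrites the client's Referer
        #   proxy_set_header Upgrade $http_upgrade;      only for WebSocket proxying
        #   proxy_set_header Connection "upgrade";       only for WebSocket proxying
        #   proxy_set_header Early-Data $ssl_early_data; ssl_early_data is not enabled
    }
}
```

Whichever single scheme header is kept, the backend should accept it only from the proxy's address, since a client can send the same header name itself.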