I am trying to setup SSL termination to an apache webserver running several virtualhosts, through nginx. Here is the configuration I have so far (for one of the virtual servers):
server {
server_name www.example.com example.com;
listen 80;
return 301 https://$server_name$request_uri;
}
server {
server_name www.example.com example.com;
location / {
add_header Front-End-Https on;
add_header Cache-Control "public, must-revalidate";
proxy_pass http://www.example.ch;
proxy_buffering off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $server_name;
proxy_redirect http://www.example.com.ch https://example.com;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /usr/local/etc/letsencrypt/live/www.example/fullchain.pem; # managed by Certbot
ssl_certificate_key /usr/local/etc/letsencrypt/live/www.example/privkey.pem; # managed by Certbot
include /usr/local/etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
sub_filter_types *;
sub_filter_once off;
sub_filter_last_modified on;
sub_filter "http://www.example.com" "https://www.example.com";
}
Note, that the public DNS resolves the example.com ip to my public ip, but from the inside of my network (where proxy and webservers reside) my DNS server resolves those names to the servers private LAN addresses.
This actually works when I fetch any page or file with wget: when I use the http url, it gets 301 redirected and fetches the resources over https. I can see the resulting html pages have all http links to www.example.com or example.com, rewritten to https. If I comment/uncomment the sub_filter lines, I can observe how html gets rewritten or not, so I know this works.
Also, if I fetch anything with a browser (tested chrome, safary, firefox), it gets redirected over https and is successful.
What does NOT work: any html page fetched by a browser is NOT rewritten (when I look at “show page source” I can see all the original links with http. Not https.
This makes no sense to me, it’s as if nginx decides to not rewrite html when a browser fetches a page.
I even tried to specify a user agent with wget to spoof various browsers. No problem, page gets rewritten.
But fetching a page with an actual browser gets a non-rewritten html.
Obviously this causes the site to not work because browsers refuse to load some resources from http when the main page has been loaded over https.
What am I doing wrong here, how do the browsers get the non-rewritten html ?
brainstorm is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.