Http2 enable or disable per virtual host

Hi, the ngx_http_v2_module cannot be enabled or disabled per virtual
host.

With the following configuration, http.domainname.com has http2 enabled.

I would like to enable http2 only for http2.domainname.com.

            server {
                    listen 443 ssl http2;
                    server_name http2.domainname.com;
                    ssl_prefer_server_ciphers on;
                    ssl_ciphers AESGCM:HIGH:!aNULL:!MD5;
                    ssl on;
                    ssl_certificate cert.pem;
                    ssl_certificate_key key.pem;
            }

            server {
                    listen 443 ssl;
                    server_name http.domainname.com;
                    ssl_prefer_server_ciphers on;
                    ssl_ciphers AESGCM:HIGH:!aNULL:!MD5;
                    ssl on;
                    ssl_certificate cert.pem;
                    ssl_certificate_key key.pem;
            }

Posted at Nginx Forum:

Hey guys!

StackOverflow didn’t do anything this time, so I decided to visit here
and try asking my question here! :)

A bit of backstory:
I have had a fatal server crash. 464 days of uptime with unapplied
updates from an OS upgrade, kernel patches and more. When I did do a
reboot…it all exploded right into my face :( So I reinstalled.

Now that I have learned this lesson, I decided to begin deploying things
in containers - just raw Virtual Box VMs now, as I haven’t gotten used
to Docker or Vagrant. But using a VM with NAT allows me to forward
ports.

One of the VMs is your typical web-server setup; MySQL, PHP5 (FPM) and
Nginx (1.8.x). So I have my main server - the VM host - listening on 80
and 443 and forwarded the VM’s ports as 11080 and 11443. Forwarding
regular HTTP works flawlessly by just proxy_pass’ing to the other port.
No problem here.

But how do I work out a reverse-proxy for HTTPS traffic? Mainly, I have
another VM that runs OwnCloud. I want to forward my host’s 443 port to
the VM’s exposed 12443 port so that OwnCloud stops complaining about
being opened via raw HTTP.

Since I am re-using configuration a lot, I have created a basic_proxy
file, and a regular sites-enabled/ file. You can see them here:

https://gist.github.com/IngwiePhoenix/19631bd07af62d23b8f3

Would be cool if I could keep with this approach to simply forward
traffic to my various VMs, but keeping my config reusable!

Kind regards,
Ingwie.

I have similar setups with freebsd jails… usually one of the jails is a
‘frontend proxy server’ which I’m guessing is what you’re aiming at but
with linux containers…

Make sure the firewall allows traffic from the frontend to the backends,
which could be other nginx servers or just php-fpm itself depending on the
setup, but all you really need is to use proxy_pass.

Since you want HTTPS you need to have the certificates config in the
frontend, regardless of whether the connection to the backends is also
encrypted or not.

A simple example: assuming one VM (LXC) has php-fpm running, you could just
set up the frontend as you normally would and just use:

fastcgi_pass CONTAINER_IP:FPM_PORT

Another scenario is ofc you have nginx running in the LXC container which
is already “fastcgi_passing” to php; in this case you would use proxy_pass
to the backend nginx, i.e.:

    server {
        listen IP:443;
        server_name expemple.org;

        ssl on;
        ssl_certificate /usr/local/etc/nginx/ssl/site.crt;
        ssl_certificate_key /usr/local/etc/nginx/ssl/site.key;

        location / {
            proxy_pass http://lxc_nginx;
        }
    }

    upstream lxc_nginx {
        # Note that in this case the connection from the frontend to the nginx
        # container is not encrypted, but you can use 443 here as long as the
        # backend has the proper ssl config (ssl_certificate and key)
        server 10.221.186.23:80;
    }

Melhores Cumprimentos // Best Regards

Miguel C.
IT - Sys Admin & Developer

On Tue, Feb 16, 2016 at 6:47 AM, Kevin “Ingwie Phoenix” Ingwersen <

On Tue, Feb 16, 2016 at 1:14 PM, Miguel C [email protected]
wrote:

On Tuesday 16 February 2016 01:16:09 matrixmatrix wrote:

Hi the ngx_http_v2_module could not switch enable or disable per virtual
host.

Yes, that’s expected behavior.

                    ssl_certificate cert.pem;
                    ssl_certificate_key key.pem;
            }

You need a separate IP in this case.

wbr, Valentin V. Bartenev
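
The behaviour confirmed in this thread (http2 on one `listen 443` line also applying to http.domainname.com) can be checked for before a config is deployed. The following is an added example, not code from any poster or from nginx: a small Python check that groups server blocks by listen address and reports addresses where only some blocks ask for http2. The function names, the 192.0.2.10 address and the third server block are assumptions made for the illustration, and addresses are compared as written in the config.

```python
import re
from collections import defaultdict

# Constructed sample: the question's two server blocks (trimmed) plus a
# hypothetical third block on its own IP, the fix given in the reply.
SAMPLE_CONF = """
server {
    listen 443 ssl http2;
    server_name http2.domainname.com;
}
server {
    listen 443 ssl;
    server_name http.domainname.com;
}
server {
    listen 192.0.2.10:443 ssl;
    server_name separate-ip.domainname.com;
}
"""

def server_blocks(conf):
    """Yield the body of every server { ... } block, matching braces."""
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def mixed_http2_sockets(conf):
    """Map each listen address to its server names, split by whether the
    block asked for http2; keep only addresses where the blocks disagree."""
    conf = re.sub(r"#[^\n]*", "", conf)          # drop comments
    sockets = defaultdict(lambda: {"http2": [], "plain": []})
    for body in server_blocks(conf):
        m = re.search(r"\bserver_name\s+([^;]+);", body)
        name = m.group(1).split()[0] if m else "(unnamed)"
        for listen in re.findall(r"\blisten\s+([^;]+);", body):
            addr, *params = listen.split()
            if addr.isdigit():                   # bare port: all addresses
                addr = "*:" + addr
            sockets[addr]["http2" if "http2" in params else "plain"].append(name)
    return {a: s for a, s in sockets.items() if s["http2"] and s["plain"]}

if __name__ == "__main__":
    for addr, s in mixed_http2_sockets(SAMPLE_CONF).items():
        print(f"{addr}: http2 set by {s['http2']}, also applies to {s['plain']}")
```

Only the shared `*:443` address is reported; the block bound to its own IP is left out because no other block on that address sets http2.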