Upgrading plain HTTP to HTTPS using STARTTLS

Hello,

I consider switching from Apache to Nginx (or using it as a reverse proxy
to the Apache), but need to upgrade plain HTTP connections to HTTPS using
the scheme defined in RFC 2817. Reason for this is a client software
running on WiFi Captive Portals, which inserts an “Upgrade: TLS/1.x”
request together with custom headers just in front of the encrypted
request from a guest’s browser to our login server. In order for this
scheme to work, the connection used for this kind of “ID request” to
determine the hotspot in use and the remaining communication must not
change over the upgrade, therefore redirection to the standard HTTPS port
of the login server will not work.

So, I wonder how I can configure Nginx to get the same effect of Apache’s
“SSLEngine: optional” setting? I did read the docs about the “starttls”
setting in Nginx, but couldn’t find an example on how exactly to use this
in a server block to achieve an upgrade to TLS.

Is it possible at all to configure Nginx this way? And if so, can I
forward custom headers such as “X-HotspotID” if Nginx would be used as a
proxy?

Thanx in advance!

Posted at Nginx Forum:

Hello!

On Sun, Aug 16, 2015 at 10:29:56AM -0400, lbc wrote:

therefore redirection to the standard HTTPS port of the login server will
not work.

So, I wonder how I can configure Nginx to get the same effect of Apache’s
“SSLEngine: optional” setting? I did read the docs about the “starttls”
setting in Nginx, but couldn’t find an example on how exactly to use this in
a server block to achieve an upgrade to TLS.

The “starttls” directive is only available in mail proxy module,
not for http. There is no support for RFC 2817 in nginx, as it’s
not something used by known browsers.

Connections with Upgrade requests can be proxied to other servers
though, so you can use nginx as a reverse proxy for such
connections. Such approach is mostly used to proxy WebSocket
connections, see WebSocket proxying for
configuration details.

Is it possible at all to configure Nginx this way? And if so, can I forward
custom headers such as “X-HotspotID” if Nginx would be used as a proxy?

You can add arbitrary headers to requests nginx forwards to
upstream servers, see Module ngx_http_proxy_module. You
can also add response headers, see Module ngx_http_headers_module.


Maxim D.
http://nginx.org/
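
The reverse-proxy setup described in the reply above, sketched as an added example that is not part of the original thread: nginx listens on plain HTTP and passes the Upgrade request to a backend that performs the RFC 2817 upgrade itself. The upstream name, backend address, and server name are assumptions.

```nginx
# Added example; all names and addresses are assumptions, not from the thread.
# Place inside the http { } context.

# Send "Connection: upgrade" upstream only when the client asked for an upgrade.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

upstream login_backend {                 # hypothetical upstream name
    # Assumed address of the backend (e.g. the existing Apache) that
    # answers the RFC 2817 upgrade request itself.
    server 127.0.0.1:8080;
}

server {
    listen 80;
    server_name login.example.com;       # placeholder host name

    location / {
        proxy_pass http://login_backend;
        proxy_http_version 1.1;          # Upgrade needs HTTP/1.1 towards the upstream

        # Upgrade and Connection are hop-by-hop headers and are not
        # passed to the upstream unless set explicitly.
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        proxy_set_header Host $host;

        # Custom request header from the captive-portal client. It arrives
        # in the cleartext request, before any TLS is established, so the
        # backend should treat its value as untrusted client input.
        proxy_set_header X-HotspotID $http_x_hotspotid;

        # Record the original client address for the backend's logs.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Once the upstream answers with 101 Switching Protocols, nginx only relays bytes in both directions, so the TLS session terminates at the backend and nginx can no longer read or add headers on that connection.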

Dear Maxim,

thank you very much for the speedy answer!

Glad to hear that the websocket approach could help. Will try this, since
Nginx just rocks. :)

Have a nice day and best wishes,

Stefan (lbc)
