At least 3 reasons, may makes you using Nginx as a reverse proxy
First it can be stand in front of Varnish Cache as SSL Terminal as an alternative solution to Hitch.
“Hitch allow running Varnish behind TLS Layer on the front end side.
Varnish it self does not handle SSL traffic – That’s to keep Varnish in high performance – but just passes all HTTPS traffic straight to Backend.
The Second reason is to used it as Static files Cache Proxy, and the Third one is Gzip for static files too.
In this scenario, as including image Services stands and listen as..
Nginx(Port 80, 443) @ live IP address <=> Varnish (Port 81) @ local IP <=> Apache (Port 8080) @ local IP
Configure Nginx For all missions.
# Redirect http www to https no-www
server {
listen PublicIP:80;
server_name www.mydomain.com;
access_log off;
return 301 https://mydomain.com$request_uri;
}
# Redirect http no-www to https no-www
server {
listen PublicIP:80 default_server;
# listen [::]:80 default_server;
server_name mydomain.com;
access_log off;
return 301 https://$host$request_uri;
}
# Redirect http www to https no-www
server {
listen PublicIP:443 ssl;
server_name www.mydomain.com;
access_log off;
return 301 https://mydomain.com$request_uri;
}
server {
listen PublicIP:443 ssl default_server;
#listen [::]:443 ssl default_server ipv6only=on;
server_name mydomain.com;
# We capture the log, so we can feed it to analysis tools, e.g. Awstats
# This will be more comprehensive than what Apache captures, since Varnish
# will end up removing a lot of the traffic from Apache
#
# Replace this line with: 'access_log off' if logging ties up the disk
access_log /var/log/nginx/access-mydomain.com.log;
ssl on;
# Must contain the a bundle if it is a chained certificate. Order is important.
# cat example.com.crt bundle.crt > example.com.chained.crt
ssl_certificate /opt/ssl.crt/mydomain.com.bundle.crt;
ssl_certificate_key /opt/ssl.crt/mydomain.com.key;
# Test certificate
#ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
#ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
# Restrict to secure protocols, depending on whether you have visitors
# from older browsers
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# Restrict ciphers to known secure ones
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
ssl_prefer_server_ciphers on;
ssl_ecdh_curve secp384r1;
ssl_stapling on;
ssl_stapling_verify on;
# Caching SSL.
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 180m;
ssl_session_tickets on;
ssl_dhparam /opt/ssl.crt/dhparam.pem;
# Force Users/Visitors Browsers to use security layer.
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
#New Configuration for Gzip statics.
gzip on;
gzip_static on;
gzip_comp_level 9;
gzip_min_length 256;
gzip_proxied any;
gzip_vary on;
gzip_buffers 16 8k;
gzip_http_version 1.1;
proxy_http_version 1.1;
gzip_types
application/atom+xml
application/javascript
application/x-javascript
application/json
application/ld+json
application/manifest+json
application/rss+xml
application/vnd.geo+json
application/vnd.ms-fontobject
application/x-font-ttf
application/ttf
application/x-ttf
application/font-woff
application/x-font-opentype
application/x-web-app-manifest+json
application/xhtml+xml
application/xml
font/opentype
font/ttf
font/x-woff
image/bmp
image/svg+xml
image/x-icon
text/cache-manifest
text/css
text/javascript
text/plain
text/vcard
text/vnd.rim.location.xloc
text/vtt
text/x-component
text/x-cross-domain-policy;
# text/html is always compressed by gzip module
# To allow POST on static Files
error_page 405 =200 $uri$is_args$args;
location / {
# Pass traffic to Varnish at 127.0.0.1:81.
proxy_pass http://127.0.0.1:81;
proxy_read_timeout 320;
proxy_connect_timeout 320;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
# Forward Visitor Real-IP in X-Forwarded-For
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Port 443;
proxy_buffers 8 24k;
proxy_buffer_size 2k;
}
#Caching Static Files.
location ~* \.(jpg|jpeg|png|gif|ico|css|js|pdf|ttf|woff|eot|bz2|gz|woff2|svg|bmp)$ {
# To allow POST on static pages
error_page 405 =200 $uri$is_args$args;
proxy_cache cache;
# Anything that doesn't response with a "HTTP (200|301|302) OK" is not cached.
proxy_cache_valid 200 301 302 1440m;
proxy_cache_key $host$uri$is_args$args;
#This Location Does not inherit the Proxy_Cache configuration so I repeat its confgs.
proxy_pass http://127.0.0.1:81;
proxy_read_timeout 320;
proxy_connect_timeout 320;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Port 443;
proxy_buffers 8 24k;
proxy_buffer_size 2k;
access_log off;
log_not_found on;
# Caching at Client/Visitors browsers
expires 60d;
}
}
http {
~~~
# Here we cache requests to /tmp/cache, and we have defined a size-limit on that cache location of 1G
proxy_cache_path /tmp/cache levels=1:2 keys_zone=cache:60m max_size=1G;
~~~
}
Referencies
- https://2bits.com/articles/how-configure-varnish-cache-drupal-ssl-termination-using-pound-or-nginx.html
- https://tweaked.io/guide/nginx-proxying/