How to configure Http, Https, WS, and WSS in Nginx


Preface

Nginx is one of the most widely used proxy servers on the Internet today, and many large companies run it as the proxy server in front of their business systems. It is therefore worth understanding how to configure Http, Https, WS, and WSS in Nginx. Come, learn Nginx with Binghe, make progress together, and go bald together~~

Nginx Configuration Http

First, let's look at how to configure Http in Nginx, which is one of its most commonly used functions. Add the following to nginx.conf.

upstream message {
  server localhost:8080 max_fails=3;
}

server {
  listen 80;
  server_name localhost;

  location / {
    root html;
    index index.html index.htm;
    # Allow CORS cross-origin access. '*' lets any site read these responses;
    # name a specific origin instead if they are not public.
    add_header 'Access-Control-Allow-Origin' '*';
    #proxy_redirect default;
    # Timeout for connecting to the proxied server. Note that it cannot exceed 75 seconds.
    # When a server fails, the request is forwarded to another server after 10 seconds.
    proxy_connect_timeout 10;
  }

  location /message {
    proxy_pass http://message;
    proxy_set_header Host $host:$server_port;
  }
}

At this point, requests to http://localhost/message are forwarded to http://localhost:8080/message.

Nginx Configuration Https

If the business has high security requirements for the website, you can configure Https in Nginx. The configuration looks like this.

upstream message {
  server localhost:8080 max_fails=3;
}

server {
  listen 443 ssl;
  server_name localhost;
  ssl_certificate /usr/local/nginx-1.17.8/conf/keys/binghe.pem;
  ssl_certificate_key /usr/local/nginx-1.17.8/conf/keys/binghe.key;
  ssl_session_timeout 20m;
  ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
  # TLSv1 and TLSv1.1 are deprecated by RFC 8996; list them only if legacy clients need them.
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_prefer_server_ciphers on;
  # Client certificates are not requested.
  ssl_verify_client off;

  location / {
    root html;
    index index.html index.htm;
    # Allow CORS cross-origin access. '*' lets any site read these responses;
    # name a specific origin instead if they are not public.
    add_header 'Access-Control-Allow-Origin' '*';
    # Timeout for connecting to the proxied server. Note that it cannot exceed 75 seconds.
    # When a server fails, the request is forwarded to another server after 10 seconds.
    proxy_connect_timeout 10;
  }

  location /message {
    proxy_pass http://message;
    proxy_set_header Host $host:$server_port;
  }
}

At this point, requests to https://localhost/message are forwarded to http://localhost:8080/message.
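A hardened variant of the HTTPS server above, as an added example that is not from the original article: it negotiates only TLS 1.2 and 1.3, limits TLS 1.2 to ECDHE suites with AEAD ciphers, redirects plain HTTP to HTTPS, and passes the original scheme to the backend. The HSTS lifetime, the session cache size and the X-Forwarded-Proto header are assumptions; TLSv1.3 needs nginx 1.13.0 or later built against OpenSSL 1.1.1 or later.

```nginx
# Added example: goes inside the http { } block of nginx.conf.
upstream message {
    server localhost:8080 max_fails=3;
}

# Send plain-HTTP visitors to the TLS listener instead of serving them.
server {
    listen 80;
    server_name localhost;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name localhost;

    # Certificate paths as used in the article.
    ssl_certificate     /usr/local/nginx-1.17.8/conf/keys/binghe.pem;
    ssl_certificate_key /usr/local/nginx-1.17.8/conf/keys/binghe.key;

    # TLS 1.0 and 1.1 removed; only 1.2 and 1.3 are negotiated.
    ssl_protocols TLSv1.2 TLSv1.3;
    # TLS 1.2 suites limited to ECDHE key exchange with AEAD ciphers
    # (TLS 1.3 suites are not controlled by this directive).
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;
    ssl_session_timeout 20m;
    ssl_session_cache shared:SSL:10m;

    # Assumed policy: browsers remember to use HTTPS for one year.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        root html;
        index index.html index.htm;
    }

    location /message {
        proxy_pass http://message;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Lets the backend know the client connection used HTTPS.
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Run nginx -t after editing to check the syntax before reloading.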

Nginx Configuration WS

WS is short for WebSocket. Configuring WebSocket in Nginx is also fairly simple: you only need to add the corresponding settings to the nginx.conf file. This method is simple but effective, and it lets you scale the WebSocket service horizontally.

To make this easier to follow, I will go through the WS configuration in detail here.

First, here is the complete configuration (to use it, just copy it and change the IP addresses and ports).

map $http_upgrade $connection_upgrade { 
 default upgrade; 
 '' close; 
} 
upstream wsbackend{ 
 server ip1:port1; 
 server ip2:port2; 
 keepalive 1000;
} 
 
server { 
 listen 20038; 
 location /{ 
  proxy_http_version 1.1; 
  proxy_pass http://wsbackend; 
  proxy_redirect off; 
  proxy_set_header Host $host; 
  proxy_set_header X-Real-IP $remote_addr; 
  proxy_read_timeout 3600s; 
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 
  proxy_set_header Upgrade $http_upgrade; 
  proxy_set_header Connection $connection_upgrade; 
 } 
}

Next, let's go through what each part of this configuration means.

First:

map $http_upgrade $connection_upgrade { 
 default upgrade; 
 '' close; 
} 

It means:

  • If $http_upgrade is not '' (empty), then $connection_upgrade is upgrade.
  • If $http_upgrade is '' (empty), then $connection_upgrade is close.

Secondly:

upstream wsbackend{ 
 server ip1:port1; 
 server ip2:port2; 
 keepalive 1000; 
} 

This is the nginx load-balancing configuration:

Two servers, (ip1:port1) and (ip2:port2).

keepalive 1000 sets the number of idle connections to the upstream servers that each nginx worker process keeps open. When there are more idle connections than this, the least recently used ones are closed. This does not limit the total number of connections; think of it as the size of the idle connection pool. Set it to a value the upstream servers can handle.

Finally:

server { 
 listen 20038; 
 location /{ 
  proxy_http_version 1.1; 
  proxy_pass http://wsbackend; 
  proxy_redirect off;
  proxy_set_header Host $host; 
  proxy_set_header X-Real-IP $remote_addr; 
  proxy_read_timeout 3600s; 
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 
  proxy_set_header Upgrade $http_upgrade; 
  proxy_set_header Connection $connection_upgrade; 
 } 
} 

This is the configuration of the listening server:

  • listen 20038 is the port that nginx listens on.
  • location / is the path being matched (/ matches every path; it is the catch-all, equivalent to a default).
  • proxy_http_version 1.1 means the reverse proxy talks HTTP 1.1 to the upstream; HTTP 1.1 supports long-lived connections.
  • proxy_pass http://wsbackend; is the URI the requests are proxied to; an upstream (load-balancing) group name can be used here.
  • proxy_redirect off; means the Location and Refresh headers of upstream responses are not rewritten. With location / it makes no practical difference whether this is set, because the default only replaces the proxy_pass prefix with the location path.
  • proxy_set_header sets a request header sent to the upstream. proxy_set_header Host $host; passes the host name on unchanged; $host is a built-in nginx variable that holds the host name of the current request.
  • proxy_set_header X-Real-IP $remote_addr; passes the source IP, that is, the address of the client connected to nginx.
  • proxy_read_timeout 3600s; means the connection is closed only when the interval between two successive reads from the upstream exceeds 3600s. The default is 60s, which is the culprit behind connections closing automatically.
  • proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; forwards the X-Forwarded-For header the client sent with the client address appended to it.
  • proxy_set_header Upgrade $http_upgrade; passes the client's Upgrade header through unchanged.
  • proxy_set_header Connection $connection_upgrade; sets Connection to upgrade when the client sent an Upgrade header (a WebSocket handshake) and to close otherwise.

At this point, connections to ws://localhost:20038 are forwarded to ip1:port1 and ip2:port2.

Nginx Configuration WSS

WSS stands for WebSocket + Https; in layman's terms, it is secure WebSocket. Next, let's see how to configure WSS. The individual settings were explained in the WS section, so I will not repeat them here.

map $http_upgrade $connection_upgrade { 
 default upgrade; 
 '' close; 
} 
upstream wsbackend{ 
 server ip1:port1; 
 server ip2:port2; 
 keepalive 1000; 
} 
server{
 listen 20038 ssl;
 server_name localhost;
 ssl_certificate /usr/local/nginx-1.17.8/conf/keys/binghe.com.pem;
 ssl_certificate_key /usr/local/nginx-1.17.8/conf/keys/binghe.com.key;
 ssl_session_timeout 20m;
 ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 ssl_prefer_server_ciphers on;
 ssl_verify_client off;
 location /{
   proxy_http_version 1.1;
   proxy_pass http://wsbackend;
   proxy_redirect off; 
   proxy_set_header Host $host; 
   proxy_set_header X-Real-IP $remote_addr; 
   proxy_read_timeout 3600s; 
   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 
   proxy_set_header Upgrade $http_upgrade; 
   proxy_set_header Connection $connection_upgrade; 
 }
}

At this point, connections to wss://localhost:20038 are forwarded to ip1:port1 and ip2:port2.
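The WS and WSS configurations above forward every upgrade request, and browsers do not apply the same-origin policy to WebSocket handshakes, so checking the Origin header is left to the server side. The added example below (not from the original article) does that check in nginx and proxies only one path; https://app.example.com and /ws are placeholder assumptions, and the certificate paths and backend placeholders are the article's.

```nginx
# Added example: goes inside the http { } block of nginx.conf.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# 1 = handshake allowed. A missing or unlisted Origin maps to 0.
# https://app.example.com is a placeholder for the site that serves the page.
map $http_origin $ws_origin_ok {
    default                     0;
    "https://app.example.com"   1;
}

upstream wsbackend {
    server ip1:port1;   # replace with the real backend addresses
    server ip2:port2;
    keepalive 1000;
}

server {
    listen 20038 ssl;
    server_name localhost;
    ssl_certificate     /usr/local/nginx-1.17.8/conf/keys/binghe.com.pem;
    ssl_certificate_key /usr/local/nginx-1.17.8/conf/keys/binghe.com.key;
    ssl_protocols TLSv1.2 TLSv1.3;

    # Only /ws (assumed path) is proxied; everything else is refused.
    location / {
        return 404;
    }

    location /ws {
        # Reject the handshake before it reaches the backend.
        if ($ws_origin_ok = 0) {
            return 403;
        }
        proxy_http_version 1.1;
        proxy_pass http://wsbackend;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_read_timeout 3600s;
    }
}
```

Clients that send no Origin header, which includes most non-browser clients, also receive 403 with this map.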
