NGINX: redirect only external traffic from HTTP to HTTPS?

by Seth   Last Updated August 14, 2019 01:00 AM

I am currently trying to redirect HTTP to HTTPS on my NGINX web server, however only for external connections. Internal connections such as a localhost should be able to access it via HTTP without being redirected. This is for the livenessProbe and readinessProbe for the Kubernetes (GKE) cluster this Docker container is running in. (And could be handy for development possibly.)

When I redirect ALL HTTP traffic to HTTPS, I believe the reason for the 400's is that I have ssl_verify_client on, and so HTTPS connections must come through the domain name which Cloudflare will catch and verify.

Is there a means to conditionally redirect just the external connections without affecting local network?

The following is how my nginx.conf currently looks like before any attempts to redirect to HTTPS:

worker_processes auto;

events {
    worker_connections 1024;
}

http {
    # Prevents XSS (Cross-Site-Scripting) and Clickjacking
    # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
    add_header Content-Security-Policy "default-src 'self' https://*.elypia.com https://*.fontawesome.com https://*.googleapis.com https://youtube.com https://discordapp.co https://gitab.co https://reddit.co https://twitch.t https://twitter.com; base-uri 'self'; manifest-src 'self'; script-src 'self' 'unsafe-inline' https://*.fontawesome.com; style-src 'self' 'unsafe-inline' https://*.googleapis.com; img-src 'self' https://*.elypia.com; connect-src 'self' https://*.elypia.com https://*.fontawesome.com https://haveibeenpwned.com; font-src https://*.gstatic.com; object-src 'none'; media-src 'self'; child-src https://discordapp.com; form-action 'self' https://*.elypia.com; frame-ancestors 'self'; upgrade-insecure-requests;" always;

    server {
        listen 80 default_server;
        listen [::]:80 ipv6only=on default_server;

        listen 443 ssl http2 default_server;
        listen [::]:443 ssl http2 ipv6only=on default_server;

        # Enables HTTPS
        ssl_certificate /etc/nginx/certs/cert.pem;
        ssl_certificate_key /etc/nginx/certs/key.pem;

        # Prevents connections to IP directly as you must connect through
        # Cloudflare in order to accept connections.
        ssl_verify_client on;
        ssl_client_certificate /etc/nginx/certs/ca.pem;

        # Due to the POODLE vulnerability in SSLv3, it is advised to not use SSLv3 in your SSL-enabled sites.
        # See: https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/#using-sslv3-with-https
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

        root /usr/share/nginx/html;
        index index.html;
        include /etc/nginx/mime.types;

        gzip on;
        gzip_min_length 1000;
        gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript;

        access_log off;

        location / {
            # Redirect to index.html instead of producing a 404 as we assume it's for
            # Angular, if it really us a 404, the web application will manage it.
            try_files $uri $uri/ /index.html;
        }
    }
}



Related Questions


Updated April 15, 2019 21:00 PM

Updated February 19, 2019 07:00 AM

Updated May 17, 2018 07:00 AM

Updated March 26, 2019 13:00 PM