[BlueOnyx:26971] Re: Bug report on 5211R

Michael Stauber mstauber at blueonyx.it
Fri May 10 18:47:30 -05 2024


Hi Taco,

> I however don’t understand why you are unable to use nginx to proxy an https site.
> That is quite standard functionality afaik.
> Why configure apache as SSL proxy if you have nginx?
> I am fairly sure you can just enable (if it is not even enabled by default) proxying to an https site.

On a "factory default" BlueOnyx we have Apache running and Nginx 
stopped. The Vsites are only configured in Apache for HTTP *and* HTTPS.

Therefore Apache exclusively binds to ports 80/TCP and 443/TCP on all IPs.

When you enable "Nginx as SSL-Proxy", then Apache is reconfigured to 
*only* do HTTP. So it drops all bindings to port 443/TCP. Nginx is 
then configured to bind to port 443/TCP on all IPs only, and gets 
configs to proxy all HTTPS requests to port 80/TCP and serve them via 
HTTP/2 over HTTPS to the client.

We at the most only use Nginx as a proxy and it doesn't serve real 
Vsites directly.

The thing is that Apache sure has some quirks. If you use PHP as DSO, 
then Apache won't let you do HTTP/2. And of course proxy via HTTPS is 
also extra complicated and not really practical.

Historically all BlueOnyx versions up to (and including) 5210R allowed 
to use the following implementations of PHP on a per Vsite basis:

- PHP Disabled
- DSO
- DSO + mod_ruid2
- suPHP
- PHP-FPM

But like I said: As long as DSO is enabled, you can't do HTTP/2 and this 
sure is a drawback. HTTP/2 is sort of a must have these days.

Therefore on 5211R from day one on I dropped DSO support and 5211R only 
provides these PHP implementations on a per Vsite level:

- PHP Disabled
- suPHP
- PHP-FPM

This allows us to use HTTP/2 in Apache for both HTTP and HTTPS and we no 
longer need the Nginx SSL proxy to be able to do HTTP/2. But the feature 
is still present if someone wants to use it for whatever reason.

We *could* now theoretically switch entirely from Apache to Nginx. 
Because the main reason we couldn't before was that we kinda also wanted 
to retain DSO for as long as feasible and Nginx doesn't provide that. It 
can do suPHP and PHP-FPM, though.

However, there are some more things that Nginx can't (easily or at all) 
do. Stuff like .htaccess files, which many people use. And some other 
odd Apache modules which Nginx doesn't have out of the box.

The (optional) "Nginx as SSL-Proxy" feature being a proxy for 
HTTP-Apache sure is a crutch, but on 5210R it allows us to provide 
HTTP/2, DSO support and other Apache-only features seamlessly. Such as 
.htaccess and a few other odds and sods related to Apache modules.

However: *If* Nginx is enabled and doing SSL-Proxy? Then you can easily 
drop in some Nginx configs of your own to do whatever you want. As long 
as you only listen to port 443 and don't touch port 80, which Apache 
still has exclusive rights to. I also have some extra configs in my own 
Nginx servers here and there that serve special needs. Just drop your 
own configs into /etc/nginx/conf/ and make sure they have a *.conf 
ending and Nginx will include them whenever it is restarted.

-- 
With best regards

Michael Stauber

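As an added example (not from the post above or from the BlueOnyx project), here is what a minimal drop-in for /etc/nginx/conf/ could look like for the setup Michael describes: Nginx listens on port 443 only and proxies to Apache, which keeps port 80. The server name, the loopback address and the certificate paths are assumptions/placeholders.

```nginx
# Added example, not BlueOnyx project code. Save as e.g. /etc/nginx/conf/example.conf
# (*.conf ending) and restart Nginx. Only port 443 is used here; port 80 stays Apache's.
server {
    listen 443 ssl http2;            # on nginx >= 1.25.1 the "http2 on;" directive is preferred
    server_name www.example.com;     # placeholder Vsite name

    ssl_certificate     /path/to/vsite.crt;   # placeholder
    ssl_certificate_key /path/to/vsite.key;   # placeholder
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        # Apache still serves the Vsite over plain HTTP on port 80 (loopback assumed here)
        proxy_pass http://127.0.0.1:80;
        proxy_http_version 1.1;

        # Forward the original Host so Apache selects the right name-based Vsite
        proxy_set_header Host              $host;
        # Tell Apache who the real client is and that the client-facing leg was HTTPS
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Because Apache still binds port 80 on all IPs, anything on the Apache side that acts on X-Forwarded-For or X-Forwarded-Proto should only trust those headers when the request comes from the local Nginx proxy, not from arbitrary clients hitting port 80 directly.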