[BlueOnyx:26973] Re: Bug report on 5211R

Taco Scargo taco at blueonyx.nl
Fri May 10 19:16:59 -05 2024


Hi Michael,

Thanks for the extensive explanation. I will then see what is needed to have Apache proxy towards an https site.

Best regards,

Taco

> On 11 May 2024, at 01:47, Michael Stauber via Blueonyx <blueonyx at mail.blueonyx.it> wrote:
> 
> Hi Taco,
> 
>> I however don’t understand why you are unable to use nginx to proxy an https site.
>> That is quite standard functionality afaik.
>> Why configure apache as SSL proxy if you have nginx?
>> I am fairly sure you can just enable (if it is not even enabled by default) proxying to an https site.
> 
> On a "factory default" BlueOnyx we have Apache running and Nginx stopped. The Vsites are only configured in Apache for HTTP *and* HTTPS.
> 
> Therefore Apache exclusively binds to ports 80/TCP and 443/TCP on all IPs.
> 
> When you enable "Nginx as SSL-Proxy", then Apache is reconfigured to *only* do HTTP. So it drops all bindings to port 443/TCP. And Nginx is then configured to bind to port 443/TCP only, on all IPs, and gets configs to proxy all HTTPS requests to port 80/TCP and serve them via HTTP/2 over HTTPS to the client.
> 
> We at the most only use Nginx as a proxy and it doesn't serve real Vsites directly.
> 
> The thing is that Apache sure has some quirks. If you use PHP as DSO, then Apache won't let you do HTTP/2. And of course proxy via HTTPS is also extra complicated and not really practical.
> 
> Historically all BlueOnyx versions up to (and including) 5210R allowed the use of the following implementations of PHP on a per Vsite basis:
> 
> - PHP Disabled
> - DSO
> - DSO + mod_ruid2
> - suPHP
> - PHP-FPM
> 
> But like said: As long as DSO is enabled, you can't do HTTP/2 and this sure is a drawback. HTTP/2 is sort of a must have these days.
> 
> Therefore on 5211R from day one on I dropped DSO support and 5211R only provides these PHP implementations on a per Vsite level:
> 
> - PHP Disabled
> - suPHP
> - PHP-FPM
> 
> This allows us to use HTTP/2 in Apache for both HTTP and HTTPS and we no longer need the Nginx SSL proxy to be able to do HTTP/2. But the feature is still present if someone wants to use it for whatever reason.
> 
> We *could* now theoretically switch entirely from Apache to Nginx. Because the main reason we couldn't before was that we kinda also wanted to retain DSO for as long as feasible and Nginx doesn't provide that. It can do suPHP and PHP-FPM, though.
> 
> However, there are some more things that Nginx can't (easily or at all) do. Stuff like .htaccess files, which many people use. And some other odd Apache modules which Nginx doesn't have out of the box.
> 
> The (optional) "Nginx as SSL-Proxy" feature being a proxy for HTTP-Apache sure is a crutch, but on 5210R it allows us to provide HTTP/2, DSO support and other Apache-only features seamlessly. Such as .htaccess and a few other odds and sods related to Apache modules.
> 
> However: *If* Nginx is enabled and doing SSL-Proxy? Then you can easily drop in some Nginx configs of your own to do whatever you want. As long as you only listen to port 443 and don't touch port 80, which Apache still has exclusive rights to. I also have some extra configs in my own Nginx servers here and there that serve special needs. Just drop your own configs into /etc/nginx/conf/ and make sure they have a *.conf ending and Nginx will include them whenever it is restarted.
> 
> -- 
> With best regards
> 
> Michael Stauber
> _______________________________________________
> Blueonyx mailing list
> Blueonyx at mail.blueonyx.it
> http://mail.blueonyx.it/mailman/listinfo/blueonyx
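
A drop-in of the kind described in the quoted message, proxying to an HTTPS backend with upstream certificate verification switched on. This is an added example, not part of the original thread and not BlueOnyx's generated configuration; the host names, the file name, the certificate paths and the CA bundle location are placeholder assumptions.

```nginx
# /etc/nginx/conf/proxy-to-https-backend.conf  (file name is a placeholder;
# only the directory and the .conf ending come from the message above)
#
# Assumed placeholders: app.example.com (name served to clients),
# backend.example.net (HTTPS site being proxied to), certificate paths.

server {
    # Port 443 only. Port 80 stays with Apache and must not be touched here.
    listen 443 ssl;
    server_name app.example.com;

    # Certificate presented to clients (placeholder paths).
    ssl_certificate     /etc/nginx/ssl/app.example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/app.example.com.key;

    location / {
        # Upstream leg is HTTPS as well.
        proxy_pass https://backend.example.net;

        # Send SNI so a name-based backend selects the right certificate,
        # and state the name the certificate is checked against.
        proxy_ssl_server_name on;
        proxy_ssl_name        backend.example.net;

        # Nginx does not verify upstream certificates unless told to
        # (proxy_ssl_verify defaults to off). Without the three lines
        # below the upstream leg is encrypted but unauthenticated.
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        # Assumed CA bundle path for an EL-based system; adjust as needed.
        proxy_ssl_trusted_certificate /etc/pki/tls/certs/ca-bundle.crt;

        # Refuse legacy protocol versions on the upstream connection.
        proxy_ssl_protocols TLSv1.2 TLSv1.3;

        # Pass the backend's own host name and the original client details.
        proxy_set_header Host              backend.example.net;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Running `nginx -t` before restarting Nginx catches syntax errors and missing certificate files.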



