lukaszte — Posted September 29, 2021

Hi. How do I configure PrestaShop 1.7 on nginx behind HAProxy with SSL termination? I get one of two failures:

- with `http-request add-header X-Forwarded-Proto https if { ssl_fc }` enabled: a redirect loop http -> https -> http -> ...
- with that line disabled: mixed content (CSS and JS are loaded over http).

SSL is currently disabled in PrestaShop. It looks as if PrestaShop does not know it is being served over HTTPS. Is there a header I can set on HAProxy, where TLS is terminated, to tell PrestaShop that the request arrived over HTTPS?

Nginx configuration:

```nginx
server {
    listen 80;
    root /var/www/multistore;

    # Add index.php to the list if you are using PHP
    index index.html index.php index.htm index.nginx-debian.html;

    server_name mysite.tld;

    # Redirect 404 errors to prestashop
    error_page 404 /index.php?controller=404;

    # Gzip Settings, convert all types.
    gzip on;
    gzip_vary on;
    gzip_proxied any;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
    gzip_disable "MSIE [1-6]\.(?!.*SV1)";

    # Cloudflare / Max CDN fix
    location ~* \.(eot|otf|ttf|woff(?:2)?)$ {
        add_header Access-Control-Allow-Origin *;
    }

    # Force pdf files to be downloaded
    location ~* \.pdf$ {
        add_header Content-Disposition Attachment;
        add_header X-Content-Type-Options nosniff;
    }

    # Force files in upload directory to be downloaded
    location ~ ^/upload/ {
        add_header Content-Disposition Attachment;
        add_header X-Content-Type-Options nosniff;
    }

    # Do not save logs for these
    location = /favicon.ico {
        auth_basic off;
        allow all;
        log_not_found off;
        access_log off;
    }
    location = /robots.txt {
        auth_basic off;
        allow all;
        log_not_found off;
        access_log off;
    }

    # [REQUIRED EDIT] if you are using multiple languages
    # rewrite ^/fr$ /fr/ redirect;
    # rewrite ^/fr/(.*) /$1;

    # Images
    rewrite ^/([0-9])(-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+.jpg$ /img/p/$1/$1$2$3.jpg last;
    rewrite ^/([0-9])([0-9])(-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+.jpg$ /img/p/$1/$2/$1$2$3$4.jpg last;
    rewrite ^/([0-9])([0-9])([0-9])(-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+.jpg$ /img/p/$1/$2/$3/$1$2$3$4$5.jpg last;
    rewrite ^/([0-9])([0-9])([0-9])([0-9])(-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+.jpg$ /img/p/$1/$2/$3/$4/$1$2$3$4$5$6.jpg last;
    rewrite ^/([0-9])([0-9])([0-9])([0-9])([0-9])(-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+.jpg$ /img/p/$1/$2/$3/$4/$5/$1$2$3$4$5$6$7.jpg last;
    rewrite ^/([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])(-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+.jpg$ /img/p/$1/$2/$3/$4/$5/$6/$1$2$3$4$5$6$7$8.jpg last;
    rewrite ^/([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])(-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+.jpg$ /img/p/$1/$2/$3/$4/$5/$6/$7/$1$2$3$4$5$6$7$8$9.jpg last;
    rewrite ^/([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])(-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+.jpg$ /img/p/$1/$2/$3/$4/$5/$6/$7/$8/$1$2$3$4$5$6$7$8$9$10.jpg last;
    rewrite ^/c/([0-9]+)(-[.*_a-zA-Z0-9-]*)(-[0-9]+)?/.+.jpg$ /img/c/$1$2$3.jpg last;
    rewrite ^/c/([a-zA-Z_-]+)(-[0-9]+)?/.+.jpg$ /img/c/$1$2.jpg last;

    # AlphaImageLoader for IE and fancybox
    rewrite ^images_ie/?([^/]+)\.(jpe?g|png|gif)$ js/jquery/plugins/fancybox/images/$1.$2 last;

    # Web service API
    rewrite ^/api/?(.*)$ /webservice/dispatcher.php?url=$1 last;

    # Installation sandbox
    rewrite ^(/install(?:-dev)?/sandbox)/(.*) /$1/test.php last;

    # without this line nginx seo url not working.
    try_files $uri $uri/ /index.php?$args;

    #admin folder
    location /adminsdsdfdtyuj/ {
        if (!-e $request_filename) {
            rewrite ^/.*$ /adminsdsdfdtyuj/index.php last;
        }
    }

    # File security
    # .htaccess .DS_Store .htpasswd etc
    location ~ /\. {
        deny all;
    }
    # Source code directories
    location ~ ^/(app|bin|cache|classes|config|controllers|docs|localization|override|src|tests|tests-legacy|tools|translations|travis-scripts|vendor|var)/ {
        deny all;
    }
    # vendor in modules directory
    location ~ ^/modules/.*/vendor/ {
        deny all;
    }
    # Prevent exposing other sensitive files
    location ~ \.(yml|log|tpl|twig|sass)$ {
        deny all;
    }

    # Prevent injection of php files
    location /upload {
        location ~ \.php$ {
            deny all;
        }
    }
    location /img {
        location ~ \.php$ {
            deny all;
        }
    }

    # pass PHP scripts to FastCGI server
    #
    location / {
        try_files $uri $uri/ /index.php?$args;
        proxy_buffer_size 128k;
        proxy_buffers 4 256k;
        proxy_busy_buffers_size 256k;
    }

    set $fpm_socket "unix:/var/run/php/php7.3-fpm-frontend.sock";
    if ($uri ~* "^/adminsdsdfdtyuj/" ) {
        set $fpm_socket "unix:/var/run/php/php7.3-fpm-backend.sock";
    }

    location ~ \.php$ {
        include fastcgi.conf;
        fastcgi_pass $fpm_socket;
        fastcgi_keep_conn on;
        fastcgi_read_timeout 600s;
        fastcgi_send_timeout 600s;
        client_max_body_size 20M;
        fastcgi_max_temp_file_size 0;
        fastcgi_temp_file_write_size 512k;

        # Verify that the file exists, redirect to index if not
        try_files $fastcgi_script_name /index.php$uri&$args =404;
        fastcgi_index index.php;

        # Environment variables for PHP
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        include fastcgi_params;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

        # In case of long loading or 502 / 504 errors
        fastcgi_buffer_size 256k;
        fastcgi_buffers 256 16k;
        fastcgi_busy_buffers_size 256k;
    }

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    location ~ /\.ht {
        deny all;
    }

    location ~* ^.+\.(css|js|ogg|ogv|svg|svgz|eot|otf|woff|woff2|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
        access_log off;
        log_not_found off;
        expires max;
        add_header Pragma public;
        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
    }

    location ~* \.(pdf)$ {
        expires 30d;
    }
}
```

HAProxy configuration:

```haproxy
frontend http_front
    bind :80
    bind :443 ssl crt /etc/pki/tls/certs/
    mode http
    http-request add-header X-CLIENT-IP %[src]
    http-request add-header X-REAL-IP %[src]
    http-request add-header X-Forwarded-Host %[req.hdr(host)]
    http-request add-header X-Forwarded-Server %[req.hdr(host)]
    http-request redirect scheme https code 301 unless { ssl_fc }
    default_backend http_back

backend http_back
    balance roundrobin
    option httpclose
    redirect scheme https if !{ ssl_fc }
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header Strict-Transport-Security \
        max-age=31536000;\
        includeSubDomains;\
        preload
    server backend1 192.168.0.1:80 check
    server backend2 192.168.0.2:80 check
```

Reviewer note on the backend section: `http-request set-header Strict-Transport-Security ...` puts the HSTS header on the request that HAProxy forwards to nginx, where it does nothing — browsers only honour HSTS on a response. It belongs in the frontend as `http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" if { ssl_fc }` (and `preload` is a long-term commitment; leave it out unless you intend to submit the domain to the preload list). The `redirect scheme https if !{ ssl_fc }` in the backend repeats the frontend redirect and can be dropped.
lukaszte — Posted September 30, 2021 (Author)

Solved. The fix is to add this header in the HAProxy frontend section:

```haproxy
http-request add-header SSL on if { ssl_fc }
```

The frontend section now looks like this:

```haproxy
frontend http_front
    bind :80
    bind :443 ssl crt /etc/pki/tls/certs/
    mode http
    http-request add-header X-CLIENT-IP %[src]
    http-request add-header X-REAL-IP %[src]
    http-request add-header X-Forwarded-Host %[req.hdr(host)]
    http-request add-header X-Forwarded-Server %[req.hdr(host)]
    http-request redirect scheme https code 301 unless { ssl_fc }
    http-request add-header SSL on if { ssl_fc }
    default_backend http_back
```

Reviewer note: this works because the application now trusts a plain request header (`SSL`, and likewise `X-Forwarded-Proto`, `X-REAL-IP` and `X-CLIENT-IP`) as a statement about the connection, so two conditions must hold for it to be safe. First, HAProxy must be the only party able to set those headers: `add-header` appends HAProxy's value to whatever the client already sent, so a client can still deliver its own `X-REAL-IP` or `SSL` value to the backend; use `http-request set-header`, which overwrites, for every header the application trusts (`http-request set-header X-REAL-IP %[src]`, `http-request set-header SSL on if { ssl_fc }`, and so on). Second, the nginx backends listen on plain port 80 (192.168.0.1:80 and 192.168.0.2:80) and will believe the same headers from anyone who can reach them, so restrict that port to the HAProxy host. Once the header is passed, enable SSL in the PrestaShop back office: with SSL disabled the shop is likely to keep redirecting secure requests to http, which is the probable source of the original loop. If you would rather not rely on a custom header, the nginx-side equivalent is to derive PHP's `HTTPS` variable from the proxy header — `map $http_x_forwarded_proto $fastcgi_https { default ""; https on; }` at http level and `fastcgi_param HTTPS $fastcgi_https;` in the PHP location — which is the standard signal PHP applications check (verify against `Tools::usingSecureMode()` in your PrestaShop version).