
I'm trying to chain proxies. The first one is for SSL, the next one is for dispatching to the servers.

The first one (secure-gateway-nginx) just unwraps SSL and passes to the gateway-nginx:

server {
    listen 443 ssl;
    server_name secure-gateway-nginx;
    ssl_certificate /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;
    location / {
        proxy_pass http://gateway-nginx.default.svc.cluster.local/;
    }
}

The second one (gateway-nginx) dispatches to the central-broker-mqtt and the app servers:

server {
    listen 80;
    server_name gateway-nginx;
    location /mqtt {
        proxy_pass            http://central-broker-mqtt.default.svc.cluster.local/;
        proxy_http_version    1.1;
        proxy_set_header      Upgrade $http_upgrade;
        proxy_set_header      Connection "upgrade";
        proxy_connect_timeout 1;
    }
    location /app {
        proxy_pass            http://app.default.svc.cluster.local/;
    }
}

The problem is that the websockets for mqtt don't work. The proxy_set_header Upgrade $http_upgrade; line is meaningless since $http_upgrade turns out empty for example.

The direct dispatch from the SSL termination to mqtt works fine:

server {
    listen 443 ssl;
    server_name secure-gateway-nginx;
    ssl_certificate /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;
    location /mqtt {
        proxy_pass            http://central-broker-mqtt.default.svc.cluster.local/;
        proxy_http_version    1.1;
        proxy_set_header      Upgrade $http_upgrade;
        proxy_set_header      Connection "upgrade";
        proxy_connect_timeout 1;
    }
    location / {
        proxy_pass http://gateway-nginx.default.svc.cluster.local/;
    }
}

But I'd like to keep the nginx that does SSL just for SSL. How can I do that?

EDIT:

This appears to work:

server {
    listen 443 ssl;
    server_name secure-gateway-nginx;
    ssl_certificate /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;
    location / {
        proxy_pass http://gateway-nginx.default.svc.cluster.local/;
        proxy_http_version    1.1;
        proxy_set_header      Upgrade $http_upgrade;
        proxy_set_header      Connection "upgrade";
        proxy_connect_timeout 1;
    }
}

Will it have any side effects?

Velkan
  • 1
    If you've answered your question please add it as an answer. Why are you using two Nginx instances when one would likely be all that's really needed? – Tim Apr 19 '17 at 19:10
  • 1
    People don't usually read answered questions and I need feedback on it because there is no certainty. Why two? When reconfiguring the inner one, you can't mess up the SSL configuration and world-facing endpoints. – Velkan Apr 20 '17 at 06:09
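
An added example, not part of the original question or the poster's configuration: the `map` pattern from the nginx WebSocket proxying documentation, applied at both hops so that `Connection: upgrade` goes upstream only when the client actually sent an `Upgrade` header. Host names and paths are the ones from the question; the two parts belong to the two separate nginx instances, and the variable name `$connection_upgrade` is the conventional one, chosen here.

```nginx
# ---- Instance 1: secure-gateway-nginx (TLS termination only) ----
# map must sit in the http {} context, outside any server {} block.
map $http_upgrade $connection_upgrade {
    default upgrade;   # client sent an Upgrade header: request the upgrade upstream
    ''      close;     # ordinary request: do not claim an upgrade
}

server {
    listen 443 ssl;
    server_name secure-gateway-nginx;
    ssl_certificate     /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;

    location / {
        proxy_pass         http://gateway-nginx.default.svc.cluster.local/;
        proxy_http_version 1.1;
        # Upgrade and Connection are hop-by-hop headers: nginx does not pass
        # them to the proxied server unless they are set explicitly, which is
        # why $http_upgrade was empty on the second instance.
        proxy_set_header   Upgrade    $http_upgrade;
        proxy_set_header   Connection $connection_upgrade;
    }
}

# ---- Instance 2: gateway-nginx (dispatching) ----
# Same map, defined again in this instance's http {} context.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 80;
    server_name gateway-nginx;

    location /mqtt {
        proxy_pass            http://central-broker-mqtt.default.svc.cluster.local/;
        proxy_http_version    1.1;
        proxy_set_header      Upgrade    $http_upgrade;
        proxy_set_header      Connection $connection_upgrade;
        proxy_connect_timeout 1;
    }
    location /app {
        proxy_pass            http://app.default.svc.cluster.local/;
    }
}
```

With a hard-coded `Connection "upgrade"` in `location /`, every request forwarded by the first instance carries that header, including plain `/app` requests that never asked for an upgrade; the map limits it to requests that did.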

0 Answers