I am currently trying to redirect HTTP to HTTPS on my NGINX web server, however only for external connections. Internal connections such as a localhost should be able to access it via HTTP without being redirected. This is for the livenessProbe and readinessProbe for the Kubernetes (GKE) cluster this Docker container is running in. (And could be handy for development possibly.)

When I redirect ALL HTTP traffic to HTTPS, I believe the reason for the 400's is that I have ssl_verify_client on, and so HTTPS connections must come through the domain name which Cloudflare will catch and verify.

Is there a means to conditionally redirect just the external connections without affecting local network?

The following is how my nginx.conf currently looks before any attempts to redirect to HTTPS:

worker_processes auto;

events {
    worker_connections 1024;
}

http {
    # Prevents XSS (Cross-Site-Scripting) and Clickjacking
    # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
    add_header Content-Security-Policy "default-src 'self' https://*.elypia.com https://*.fontawesome.com https://*.googleapis.com https://youtube.com https://discordapp.co https://gitab.co https://reddit.co https://twitch.t https://twitter.com; base-uri 'self'; manifest-src 'self'; script-src 'self' 'unsafe-inline' https://*.fontawesome.com; style-src 'self' 'unsafe-inline' https://*.googleapis.com; img-src 'self' https://*.elypia.com; connect-src 'self' https://*.elypia.com https://*.fontawesome.com https://haveibeenpwned.com; font-src https://*.gstatic.com; object-src 'none'; media-src 'self'; child-src https://discordapp.com; form-action 'self' https://*.elypia.com; frame-ancestors 'self'; upgrade-insecure-requests;" always;

    server {
        listen 80 default_server;
        listen [::]:80 ipv6only=on default_server;

        listen 443 ssl http2 default_server;
        listen [::]:443 ssl http2 ipv6only=on default_server;

        # Enables HTTPS
        ssl_certificate /etc/nginx/certs/cert.pem;
        ssl_certificate_key /etc/nginx/certs/key.pem;

        # Prevents connections to IP directly as you must connect through
        # Cloudflare in order to accept connections.
        ssl_verify_client on;
        ssl_client_certificate /etc/nginx/certs/ca.pem;

        # Due to the POODLE vulnerability in SSLv3, it is advised to not use SSLv3 in your SSL-enabled sites.
        # See: https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/#using-sslv3-with-https
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

        root /usr/share/nginx/html;
        index index.html;
        include /etc/nginx/mime.types;

        gzip on;
        gzip_min_length 1000;
        gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript;

        access_log off;

        location / {
            # Redirect to index.html instead of producing a 404, as we assume it's for
            # Angular; if it really is a 404, the web application will handle it.
            try_files $uri $uri/ /index.html;
        }
    }
}

Seth Falco
  • Do internal connections use the localhost IP (127.0.0.1, ::1)? – Alexey Ten Aug 14 '19 at 04:56
  • As far as I know by default it varies, but I can override Kubernetes probes to use the host I specify. I can in theory specify it should use 127.0.0.1 as the host. https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes – Seth Falco Aug 14 '19 at 05:30

2 Answers

Regarding your question, I've found this interesting StackOverflow question asking about a very similar setup to this one. In the accepted answer there are the config.conf and the YAML files used for that setup.

I would suggest something like this:

server {
    listen 80 default_server;
    listen [::]:80 ipv6only=on default_server;

    # redirect to https (the redirect directive itself is filled in here;
    # the original only carried this comment)
    return 301 https://$host$request_uri;
}

server {
    listen 127.0.0.1:80; # For kubernetes: an exact address:port beats the wildcard 0.0.0.0:80
                         # (add "listen [::1]:80;" as well if the probes use the IPv6 loopback)
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 ipv6only=on default_server;

    # ...
}

So connections to port 80 on any IP except 127.0.0.1 would be processed by the default server, and connections to 127.0.0.1:80 would be processed by the main server.

Alexey Ten
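An added example, not from either poster, showing the probe side that pairs with the config above: an exec probe runs inside the container, so its request to 127.0.0.1:80 reaches the pod's own loopback and lands on the non-redirecting server block. (An httpGet probe with `host: 127.0.0.1` would not do this: that address is dialled by the kubelet on the node, so it means the node's loopback, not the pod's.) The container name, image reference and the presence of `wget` in the image are assumptions.

```yaml
# Added example (not from the original page). Assumes: container "web",
# an image that ships wget (e.g. an alpine-based nginx image), and that
# the site answers GET / on the loopback server block with 200.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
spec:
  replicas: 1
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      containers:
        - name: web
          image: REGISTRY/web:TAG   # placeholder, not a real reference
          ports:
            - containerPort: 80
            - containerPort: 443
          # Runs inside the container, so 127.0.0.1 is the pod's loopback and
          # the request hits "listen 127.0.0.1:80", not the redirect server.
          # wget exits non-zero on a 3xx/4xx/5xx (it does not follow the
          # redirect to HTTPS), so an accidental redirect shows up as a failure.
          livenessProbe:
            exec:
              command: ["wget", "-q", "-O", "/dev/null", "http://127.0.0.1/"]
            initialDelaySeconds: 5
            periodSeconds: 10
          readinessProbe:
            exec:
              command: ["wget", "-q", "-O", "/dev/null", "http://127.0.0.1/"]
            periodSeconds: 5
```

Because the probes never leave the pod, the external redirect, the Cloudflare origin-pull verification (`ssl_verify_client on`) and the TLS listener stay untouched by them.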