Jump to content

prestashop 1.7 on nginx behind HAproxy with SSL termination


Recommended Posts

Hi.
How to configure prestashop 1.7 on nginx behind HAproxy with SSL termination?
I have redirects loop http->https->http->... - when enabled http-request add-header X-Forwarded-Proto https if { ssl_fc }
or I have mixed content (CSS and JS on http) - when disabled http-request add-header X-Forwarded-Proto https if { ssl_fc }
At this moment prestashop have disabled SSL.
It looks like Presta doesn't know that it work via https, is there any header I can set on HAProxy when is terminating https to inform Prestashop that HTTPS is used?

Nginx configuration:  

server {

    listen 80;
    root /var/www/multistore;


    # Add index.php to the list if you are using PHP
    index index.html index.php index.htm index.nginx-debian.html;

    server_name mysite.tld;



    # Redirect 404 errors to prestashop
    error_page 404 /index.php?controller=404;

    # Gzip Settings, convert all types.
    gzip on;
    gzip_vary on;
    gzip_proxied any;

    gzip_types
        application/atom+xml
        application/javascript
        application/json
        application/ld+json
        application/manifest+json
        application/rss+xml
        application/vnd.geo+json
        application/vnd.ms-fontobject
        application/x-font-ttf
        application/x-web-app-manifest+json
        application/xhtml+xml
        application/xml
        font/opentype
        image/bmp
        image/svg+xml
        image/x-icon
        text/cache-manifest
        text/css
        text/plain
        text/vcard
        text/vnd.rim.location.xloc
        text/vtt
        text/x-component
        text/x-cross-domain-policy;

    gzip_disable "MSIE [1-6]\.(?!.*SV1)";

    # Cloudflare / Max CDN fix
    location ~* \.(eot|otf|ttf|woff(?:2)?)$ {
        add_header Access-Control-Allow-Origin *;
    }

    # Force pdf files to be downloaded
    location ~* \.pdf$ {
        add_header Content-Disposition Attachment;
        add_header X-Content-Type-Options nosniff;
    }

    # Force files in upload directory to be downloaded
    location ~ ^/upload/ {
        add_header Content-Disposition Attachment;
        add_header X-Content-Type-Options nosniff;
    }

    # Do not save logs for these
    location = /favicon.ico {
        auth_basic off;
        allow all;
        log_not_found off;
        access_log off;
    }

    location = /robots.txt {
        auth_basic off;
        allow all;
        log_not_found off;
        access_log off;
    }

    # [REQUIRED EDIT] if you are using multiple languages
    # rewrite ^/fr$ /fr/ redirect;
    # rewrite ^/fr/(.*) /$1;

    # Images
    rewrite ^/([0-9])(-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+.jpg$ /img/p/$1/$1$2$3.jpg last;
    rewrite ^/([0-9])([0-9])(-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+.jpg$ /img/p/$1/$2/$1$2$3$4.jpg last;
    rewrite ^/([0-9])([0-9])([0-9])(-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+.jpg$ /img/p/$1/$2/$3/$1$2$3$4$5.jpg last;
    rewrite ^/([0-9])([0-9])([0-9])([0-9])(-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+.jpg$ /img/p/$1/$2/$3/$4/$1$2$3$4$5$6.jpg last;
    rewrite ^/([0-9])([0-9])([0-9])([0-9])([0-9])(-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+.jpg$ /img/p/$1/$2/$3/$4/$5/$1$2$3$4$5$6$7.jpg last;
    rewrite ^/([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])(-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+.jpg$ /img/p/$1/$2/$3/$4/$5/$6/$1$2$3$4$5$6$7$8.jpg last;
    rewrite ^/([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])(-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+.jpg$ /img/p/$1/$2/$3/$4/$5/$6/$7/$1$2$3$4$5$6$7$8$9.jpg last;
    rewrite ^/([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])(-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+.jpg$ /img/p/$1/$2/$3/$4/$5/$6/$7/$8/$1$2$3$4$5$6$7$8$9$10.jpg last;
    rewrite ^/c/([0-9]+)(-[.*_a-zA-Z0-9-]*)(-[0-9]+)?/.+.jpg$ /img/c/$1$2$3.jpg last;
    rewrite ^/c/([a-zA-Z_-]+)(-[0-9]+)?/.+.jpg$ /img/c/$1$2.jpg last;

    # AlphaImageLoader for IE and fancybox
    rewrite ^images_ie/?([^/]+)\.(jpe?g|png|gif)$ js/jquery/plugins/fancybox/images/$1.$2 last;

    # Web service API
    rewrite ^/api/?(.*)$ /webservice/dispatcher.php?url=$1 last;

    # Installation sandbox
    rewrite ^(/install(?:-dev)?/sandbox)/(.*) /$1/test.php last;
    
    # without this line nginx seo url not working.
    try_files $uri $uri/ /index.php?$args;
     
    #admin folder
    location /adminsdsdfdtyuj/ {
        if (!-e $request_filename) {
            rewrite ^/.*$ /adminsdsdfdtyuj/index.php last;
        }
    }


    # File security
    # .htaccess .DS_Store .htpasswd etc
    location ~ /\. {
        deny all;
    }
    # Source code directories
    location ~ ^/(app|bin|cache|classes|config|controllers|docs|localization|override|src|tests|tests-legacy|tools|translations|travis-scripts|vendor|var)/ {
        deny all;
    }
    # vendor in modules directory
    location ~ ^/modules/.*/vendor/ {
        deny all;
    }
    # Prevent exposing other sensitive files
    location ~ \.(yml|log|tpl|twig|sass)$ {
        deny all;
    }

    # Prevent injection of php files
    location /upload {
        location ~ \.php$ {
            deny all;
        }
    }
    location /img {
        location ~ \.php$ {
            deny all;
        }
    }

    # pass PHP scripts to FastCGI server
    #
   location / {
    try_files $uri $uri/ /index.php?$args;
    proxy_buffer_size 128k;
    proxy_buffers 4 256k;
    proxy_busy_buffers_size 256k;

} 
set $fpm_socket "unix:/var/run/php/php7.3-fpm-frontend.sock";


    if ($uri ~* "^/adminsdsdfdtyuj/" ) {
        set $fpm_socket "unix:/var/run/php/php7.3-fpm-backend.sock";
    }

    location ~ \.php$ {

        include fastcgi.conf;
        fastcgi_pass $fpm_socket;

        fastcgi_keep_conn on;
        fastcgi_read_timeout 600s;
        fastcgi_send_timeout 600s;
        client_max_body_size 20M;
        fastcgi_max_temp_file_size 0;
        fastcgi_temp_file_write_size 512k;

        # Verify that the file exists, redirect to index if not
        try_files $fastcgi_script_name /index.php$uri&$args =404;

        fastcgi_index index.php;

        # Environment variables for PHP
        fastcgi_split_path_info ^(.+\.php)(/.+)$;

        include fastcgi_params;

        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;


        # In case of long loading or 502 / 504 errors
         fastcgi_buffer_size 256k;
         fastcgi_buffers 256 16k;
         fastcgi_busy_buffers_size 256k;
    }
    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    location ~ /\.ht {
        deny all;
    }
 location ~* ^.+\.(css|js|ogg|ogv|svg|svgz|eot|otf|woff|woff2|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
                access_log off;
                log_not_found off;
                expires max;
                add_header Pragma public;
                add_header Cache-Control "public, must-revalidate, proxy-revalidate";
        }

        location ~* \.(pdf)$ {
                expires 30d;
        }
}

HAProxy configuration:

frontend http_front
   bind :80
   bind :443 ssl crt /etc/pki/tls/certs/  
   mode http
   http-request add-header X-CLIENT-IP %[src]
   http-request add-header X-REAL-IP %[src]
   http-request add-header X-Forwarded-Host %[req.hdr(host)]
   http-request add-header X-Forwarded-Server %[req.hdr(host)]
   http-request redirect scheme https code 301 unless { ssl_fc }
   default_backend http_back

backend http_back
   balance roundrobin
   option httpclose
   redirect scheme https if !{ ssl_fc }
   http-request set-header X-Forwarded-Port %[dst_port]
   http-request add-header X-Forwarded-Proto https if { ssl_fc }
   http-request set-header Strict-Transport-Security \ max-age=31536000;\ includeSubDomains;\ preload
   server backend1 192.168.0.1:80 check
   server backend2 192.168.0.2:80 check

 

INFRA.png

Link to comment
Share on other sites

And solved, the solution is to add this header in frontend section on haproxy:

http-request add-header SSL on if { ssl_fc }

So now section is looking like:

frontend http_front
   bind :80
   bind :443 ssl crt /etc/pki/tls/certs/  
   mode http
   http-request add-header X-CLIENT-IP %[src]
   http-request add-header X-REAL-IP %[src]
   http-request add-header X-Forwarded-Host %[req.hdr(host)]
   http-request add-header X-Forwarded-Server %[req.hdr(host)]
   http-request redirect scheme https code 301 unless { ssl_fc }
   http-request add-header SSL on if { ssl_fc }
   default_backend http_back

 

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...