Terminate TLS on NGINX then proxy to http://127.0.0.1:8080?

Hi,
I am running HestiaCP v1.6.0
on an Ubuntu 20.04 dedicated server.

It runs several wordpress websites.

It seems that HestiaCP is running Nginx as a reverse proxy in front of
the Apache webserver.

Since both nginx and Apache are on the same host and the host is secure, it’s a waste of resources to encrypt and decrypt using HTTPS between nginx and Apache. Can I just have nginx terminate the TLS and reverse proxy it to http://127.0.0.1:8080 using just plain HTTP?

That way I don’t need the certificates for the apache.

So - I could create custom templates:

First the port 80 one on nginx - just forcing HTTPS

server {
    listen      %ip%:%proxy_port%;
    server_name %domain_idn% %alias_idn%;

    include %home%/%user%/conf/web/%domain%/nginx.forcessl.conf*;

    # THE LINE ABOVE uses a 301 redirect to https, so everything below is ignored

    location / {
        # Apache only binds 127.0.0.1:8080 in the template below, so proxy there, not to %ip%
        proxy_pass      http://127.0.0.1:8080;
        location ~* ^.+\.(%proxy_extensions%)$ {
            root           %docroot%;
            access_log     /var/log/%web_system%/domains/%domain%.log combined;
            access_log     /var/log/%web_system%/domains/%domain%.bytes bytes;
            expires        max;
            try_files      $uri @fallback;
        }
    }

    location /error/ {
        alias   %home%/%user%/web/%domain%/document_errors/;
    }

    location @fallback {
        proxy_pass      http://127.0.0.1:8080;
    }

    location ~ /\.(?!well-known\/|file) {
       deny all;
       return 404;
    }

    include %home%/%user%/conf/web/%domain%/nginx.conf_*;
}

Now for port 443 on nginx - a custom template using SSL certificates

server {
    listen      %ip%:%proxy_ssl_port% ssl http2;
    server_name %domain_idn% %alias_idn%;
    ssl_certificate      /etc/letsencrypt/live/%domain%/cert.pem;
    ssl_certificate_key  /etc/letsencrypt/live/%domain%/privkey.pem;
    ssl_stapling on;
    ssl_stapling_verify on;
    error_log  /var/log/%web_system%/domains/%domain%.error.log error;

    include %home%/%user%/conf/web/%domain%/nginx.hsts.conf*;

    # Apache now receives plain HTTP, so tell it (and WordPress) that the client
    # connection was TLS; otherwise generated URLs and redirects fall back to http://
    proxy_set_header X-Forwarded-Proto https;

    location / {
        proxy_pass      http://127.0.0.1:8080;
        location ~* ^.+\.(%proxy_extensions%)$ {
            root           %sdocroot%;
            access_log     /var/log/%web_system%/domains/%domain%.log combined;
            access_log     /var/log/%web_system%/domains/%domain%.bytes bytes;
            expires        max;
            try_files      $uri @fallback;
        }
    }

    location /error/ {
        alias   %home%/%user%/web/%domain%/document_errors/;
    }

    location @fallback {
        # the fallback must use the same plain-HTTP backend; https://%ip%:%web_ssl_port%
        # would still require Apache to keep a TLS listener and certificates
        proxy_pass      http://127.0.0.1:8080;
    }

    location ~ /\.(?!well-known\/|file) {
       deny all;
       return 404;
    }

    proxy_hide_header Upgrade;

    include %home%/%user%/conf/web/%domain%/nginx.ssl.conf_*;
}

And a custom template for apache2

<VirtualHost 127.0.0.1:8080>

    ServerName %domain_idn%
    %alias_string%
    ServerAdmin %email%
    DocumentRoot %docroot%
    ScriptAlias /cgi-bin/ %home%/%user%/web/%domain%/cgi-bin/
    Alias /vstats/ %home%/%user%/web/%domain%/stats/
    Alias /error/ %home%/%user%/web/%domain%/document_errors/
    #SuexecUserGroup %user% %group%
    CustomLog /var/log/%web_system%/domains/%domain%.bytes bytes
    CustomLog /var/log/%web_system%/domains/%domain%.log combined
    ErrorLog /var/log/%web_system%/domains/%domain%.error.log

    # Not included here: apache2.forcessl.conf would see the decrypted request as plain
    # HTTP and redirect it to https again, which nginx already did on port 80 (loop).
    #IncludeOptional %home%/%user%/conf/web/%domain%/apache2.forcessl.conf*

    <Directory %home%/%user%/web/%domain%/stats>
        AllowOverride All
    </Directory>
    <Directory %sdocroot%>
        AllowOverride All
        Options +Includes -Indexes +ExecCGI
    </Directory>

    <FilesMatch \.php$>
        SetHandler "proxy:%backend_lsnr%|fcgi://localhost"
    </FilesMatch>
    SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0

    IncludeOptional %home%/%user%/conf/web/%domain%/%web_system%.conf_*
    IncludeOptional /etc/apache2/conf.d/*.inc
</VirtualHost>

Does this seem practical?
It would mean less work/time encrypting/decrypting between servers
on the same host.

Thanks
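An added example, not from the thread and not HestiaCP code: a small Python linter over template snippets of the kind posted above. It checks the three points that change once nginx terminates TLS and hands plain HTTP to Apache on loopback: every proxy_pass (the @fallback one included) must go to the plain-HTTP loopback backend, the TLS server block must forward the original scheme and client address, and the Apache VirtualHost must bind loopback only. The snippets inside it are constructed, trimmed copies of the poster's templates; the 127.0.0.1:8080 backend and the X-Forwarded-* header names are assumptions taken from the question, not something HestiaCP sets for you.

```python
"""Lint nginx/Apache template snippets for a TLS-terminating proxy setup.

Added example, not part of the thread or of HestiaCP. With TLS terminated at
nginx and plain HTTP to Apache, the checks are: (1) no proxy_pass still uses
https:// or a non-loopback host, (2) the TLS block forwards X-Forwarded-Proto
and the client address so WordPress does not build http:// URLs or loop on its
https redirect, (3) the Apache VirtualHost serving unencrypted traffic binds
loopback only.
"""
import re

PROXY_PASS = re.compile(r"^\s*proxy_pass\s+(\S+?);", re.M)
SET_HEADER = re.compile(r"^\s*proxy_set_header\s+(\S+)\s+(.+?);", re.M)
VHOST = re.compile(r"<VirtualHost\s+([^>]+)>")
BACKEND = re.compile(r"(https?)://(\[[^\]]+\]|[^/:]+)(?::\d+)?")
LOOPBACK = {"127.0.0.1", "localhost", "[::1]"}


def backend_host(target):
    """Split a proxy_pass target into (scheme, host); IPv6 hosts keep their []."""
    m = BACKEND.match(target)
    return (m.group(1), m.group(2)) if m else (None, target)


def vhost_host(addr):
    """Address part of a VirtualHost entry: 127.0.0.1:8080 -> 127.0.0.1, [::1]:8080 -> [::1]."""
    if addr.startswith("["):
        return addr[: addr.index("]") + 1]
    return addr.rsplit(":", 1)[0]


def lint_nginx(template, tls=False):
    """Return findings for one nginx server block given as template text."""
    findings = []
    for target in PROXY_PASS.findall(template):
        scheme, host = backend_host(target)
        if scheme == "https":
            findings.append(f"proxy_pass {target}: still uses TLS to the backend")
        if host not in LOOPBACK:
            findings.append(f"proxy_pass {target}: backend is not loopback")
    if tls:
        headers = dict(SET_HEADER.findall(template))
        if headers.get("X-Forwarded-Proto") != "https":
            findings.append("TLS block does not set X-Forwarded-Proto https")
        if not ({"X-Real-IP", "X-Forwarded-For"} & set(headers)):
            findings.append("TLS block does not forward the client address")
    return findings


def lint_apache(template):
    """Flag VirtualHost addresses that expose the plain-HTTP vhost off-host."""
    findings = []
    for addrs in VHOST.findall(template):
        for addr in addrs.split():
            if vhost_host(addr) not in LOOPBACK:
                findings.append(f"VirtualHost {addr}: plain-HTTP vhost is not loopback-only")
    return findings


# Constructed snippets: the poster's 443 block reduced to the directives the
# linter reads (its @fallback still goes over TLS to %ip%), then a corrected one.
POSTED_TLS = """
server {
    listen %ip%:%proxy_ssl_port% ssl http2;
    location / {
        proxy_pass http://127.0.0.1:8080;
    }
    location @fallback {
        proxy_pass https://%ip%:%web_ssl_port%;
    }
}
"""

FIXED_TLS = """
server {
    listen %ip%:%proxy_ssl_port% ssl http2;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
    location / {
        proxy_pass http://127.0.0.1:8080;
    }
    location @fallback {
        proxy_pass http://127.0.0.1:8080;
    }
}
"""

APACHE_LOOPBACK = "<VirtualHost 127.0.0.1:8080>\n    ServerName %domain_idn%\n</VirtualHost>\n"
APACHE_PUBLIC = "<VirtualHost %ip%:%web_port%>\n    ServerName %domain_idn%\n</VirtualHost>\n"


if __name__ == "__main__":
    for name, findings in (
        ("posted 443 template", lint_nginx(POSTED_TLS, tls=True)),
        ("fixed 443 template", lint_nginx(FIXED_TLS, tls=True)),
        ("apache vhost (loopback)", lint_apache(APACHE_LOOPBACK)),
        ("apache vhost (public ip)", lint_apache(APACHE_PUBLIC)),
    ):
        print(f"{name}: {'OK' if not findings else ''}")
        for f in findings:
            print("  -", f)
```

Run it as-is to see the posted block flagged on its https fallback and missing headers, and the corrected block pass; point `lint_nginx`/`lint_apache` at your rendered `/home/<user>/conf/web/<domain>/` files to check a live setup. The linter reads directives textually, so it only knows about headers set inside the block you hand it; if your global nginx.conf already sets X-Forwarded-* headers, include that text too or expect the header findings.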

As already written: if you hunt for performance, I suggest using nginx + fpm (without apache2). Still, you can use adjusted templates like you want to have :slight_smile:

I’m not sure, but I think I may need Apache to run the WordPress websites.

Maybe nginx + fpm would do the same job?

Is that what the “Backend Template PHP-FPM” is about?

You’ll have a preset custom template for WordPress, just try it out.

Sorry for being slow,
but where is that setup?

I am looking at the advanced tab …

This only counts for nginx only setups.

Felix made the point …

So, since WordPress uses .htaccess I don’t think I can go the “only nginx” route.

So back to my question and the suggested templates …

I’m sorry, but that is wrong. The template for WordPress on nginx-only stacks basically contains the .htaccess content - all the needed rules and configs. I can just repeat myself: install nginx only or migrate the system to it and you’ll see.

Is there any tutorial on how to migrate to nginx only?

Run the following script: migrate_ngnix_apache_nginx-php-fpm.sh (in the hestiacp/hestiacp repository on GitHub, main branch)

Thanks for that,

Not a very long script!

I will have to check first that it won’t stop various programs from operating.
It is possible some of them make use of apache2.