Force HTTPS when using AWS ELB and nginx

You only have to set up the SSL certificate on the Amazon ELB, not on every EC2 instance behind it. Normally the instances receive only HTTP traffic from the ELB, which serves both the HTTP and HTTPS endpoints. The problem is that forcing HTTPS results in a redirect loop when nginx listens only on port 80: requests that reached the ELB over HTTPS arrive at nginx on the same port as plain HTTP requests and are redirected again. A solution is to have the ELB forward HTTPS requests to another port, such as 1443.

Amazon ELB

Listener configuration:

HTTP 80 >> HTTP 80
HTTPS 443 >> HTTP 1443

The health check target should be HTTP:1443 instead of HTTP:80 or HTTPS:443, since port 80 now answers every request with a redirect.

nginx

In /etc/nginx/sites-available/your_website.conf:

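# Requests from the ELB's HTTP 80 listener: redirect everything to HTTPS
server {
    listen 80;
    server_name yahoo.streetvoice.com;
    rewrite ^ https://$host$request_uri? permanent;
}

# Requests the ELB received over HTTPS arrive here as plain HTTP on 1443,
# so allow this port only from the ELB (for example via the security group)
server {
    listen 1443;
    server_name yahoo.streetvoice.com;

    ...
}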
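
The redirect loop and the split-port fix described above, modelled as an added Python example (not part of the original notes). The listener and port values come from this page; the function names and the rule that a health check passes only on a 200 response are assumptions of the model.

```python
# Added illustration, not from the original notes: a model of the ELB listener
# table and the nginx server blocks, following redirects as a browser would.
# Ports mirror the page; all names here are hypothetical.

# ELB listeners: (client scheme, client port) -> backend HTTP port
ELB_SINGLE_PORT = {("http", 80): 80, ("https", 443): 80}
ELB_SPLIT_PORT = {("http", 80): 80, ("https", 443): 1443}

# nginx server blocks: listen port -> "redirect" (rewrite to https) or "serve"
NGINX_SINGLE_PORT = {80: "redirect"}
NGINX_SPLIT_PORT = {80: "redirect", 1443: "serve"}

DEFAULT_PORT = {"http": 80, "https": 443}


def follow(scheme, elb, nginx, max_hops=10):
    """Return (outcome, hops); outcome is 'served', 'loop' or 'unreachable'."""
    seen, hops = set(), []
    while len(hops) < max_hops:
        key = (scheme, DEFAULT_PORT[scheme])
        backend_port = elb.get(key)
        action = nginx.get(backend_port)
        hops.append((scheme, backend_port, action))
        if action is None:
            return "unreachable", hops  # no listener or no server block
        if action == "serve":
            return "served", hops
        if key in seen:
            return "loop", hops  # same request was already redirected once
        seen.add(key)
        scheme = "https"  # nginx answered with a 301 to https://...
    return "loop", hops


def health_check_ok(port, nginx):
    """Assumption: the ELB health check passes only on a 200, so a 301 fails."""
    return nginx.get(port) == "serve"


if __name__ == "__main__":
    for name, elb, nginx in [("single port", ELB_SINGLE_PORT, NGINX_SINGLE_PORT),
                             ("split port", ELB_SPLIT_PORT, NGINX_SPLIT_PORT)]:
        outcome, hops = follow("http", elb, nginx)
        print(f"{name}: {outcome} after {len(hops)} request(s): {hops}")
    print("health check on 80:", health_check_ok(80, NGINX_SPLIT_PORT))
    print("health check on 1443:", health_check_ok(1443, NGINX_SPLIT_PORT))
```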

ref:
http://serverfault.com/questions/619971/redirect-all-http-requests-behind-amazon-elb-to-https-without-using-if
http://scottwb.com/blog/2013/10/28/always-on-https-with-nginx-behind-an-elb/

nginx as load balancer

WSGI using uWSGI and nginx on Ubuntu
https://library.linode.com/web-servers/nginx/python-uwsgi/ubuntu-12.04-precise-pangolin

HTTP load balancing module (HTTP Upstream)
http://www.howtocn.org/nginx:nginx%E6%A8%A1%E5%9D%97%E5%8F%82%E8%80%83%E6%89%8B%E5%86%8C%E4%B8%AD%E6%96%87%E7%89%88:standardhttpmodules:httpupstream

nginx load balancing strategies
http://wenku.baidu.com/view/175894c708a1284ac850438a.html

Recommended nginx modules: session stickiness
http://www.php-oa.com/2012/03/15/nginx-sticky-upstream-check.html

Cookie-based load balancing with nginx sticky
http://www.ttlsa.com/nginx/nginx-modules-nginx-sticky-module/

ref:
http://blog.csdn.net/ydt619/article/details/5954632
http://www.wubin.org.cn/?action=show&id=78

svcn-web1 acts as the nginx load balancer itself

upstream django_cluster {
    # Pick one balancing method: ip_hash or least_conn
    ip_hash;
    # least_conn;
    server 100.100.100.70:8000 weight=3; # svtw-web1
    server 100.100.100.71:8000 weight=4; # svtw-web2
    server 100.100.100.72:8000 weight=4; # svtw-web3
    ...
}

server {
    listen  80;
    server_name  streetvoice.cn;
    charset  utf-8;
    client_max_body_size  75M;

    location /asset  {
        alias /data/storage/asset;
        access_log off;
    }

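    location / {
        # Take the client IP from X-Forwarded-For, but only when the request
        # comes from this range; any host inside it can set the client IP that
        # nginx sees, so narrow it to the load balancer's subnets where possible
        real_ip_header      X-Forwarded-For;
        set_real_ip_from    10.0.0.0/8;
        # proxy_* directives apply only to proxy_pass; they have no effect on uwsgi_pass
        proxy_set_header    Host $http_host;
        proxy_redirect      off;
        # uwsgi counterpart of proxy_read_timeout
        uwsgi_read_timeout  120;
        include             /etc/nginx/uwsgi_params;
        uwsgi_pass          django_cluster;
    }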
}

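weight defaults to 1
max_fails defaults to 1
fail_timeout defaults to 10s

The default settings are basically enough.

This means that if a machine produces max_fails errors,
it is marked as unavailable for the duration of fail_timeout.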

ref:
http://nginx.org/en/docs/http/ngx_http_upstream_module.html#server

Compile nginx with sticky-module on Ubuntu 12.04

# First remove the nginx that was installed with apt-get
$ sudo apt-get autoremove nginx

Start compiling

$ sudo su root

$ cd /usr/src/
$ apt-get source nginx

$ cd nginx-1.6.0/debian/modules
$ wget https://bitbucket.org/nginx-goodies/nginx-sticky-module-ng/get/1.2.5.tar.gz
$ tar zxvf 1.2.5.tar.gz
$ mv nginx-goodies-nginx-sticky-module-ng-bd312d586752/ nginx-goodies-nginx-sticky-module-ng/

$ vim /usr/src/nginx-1.6.0/debian/rules
# Under full_configure_flags, add:
# --add-module=$(MODULESDIR)/ngx_http_substitutions_filter_module \
# --add-module=$(MODULESDIR)/nginx-goodies-nginx-sticky-module-ng

$ cd /usr/src/nginx-1.6.0/
$ aptitude build-dep nginx
$ aptitude install liblua5.1-0-dev init-system-helpers
$ dpkg-buildpackage -b

$ cd /usr/src
$ dpkg -i nginx-common_1.6.0-1+precise0_all.deb
$ dpkg -i nginx-full_1.6.0-1+precise0_amd64.deb

# Verify the build
$ nginx -V

ref:
http://gravitronic.com/compiling-the-nginx-sticky-session-module-in-ubuntu/