nginx reverse proxy to mongodb rest interface
I'm trying to set up a reverse proxy with HTTP auth that proxies MongoDB's REST interface. So far, I've got this:
server {
listen 80;
server_name tld.example.com;
charset utf-8;
access_log /home/jill/logs/nginx.access.log main;
# Redirect all HTTP traffic to HTTPS URL
rewrite ^(.*) https://tld.example.com$1 permanent;
}
server {
listen 443;
server_name tld.example.com;
ssl on;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 SSLv3;
ssl_ciphers HIGH:!ADH:!MD5:@STRENGTH;
ssl_session_cache shared:TLSSL:16m;
ssl_session_timeout 10m;
ssl_certificate /path/to/cert/tld.example.com.bundle.crt;
ssl_certificate_key /path/to/cert/tld.example.com.key;
gzip on;
gzip_vary on;
gzip_comp_level 6;
keepalive_timeout 300;
keepalive_requests 500;
location / {
proxy_pass https://127.0.0.1:28017;
proxy_redirect off;
proxy_max_temp_file_size 0;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffer_size 4k;
proxy_buffers 4 32k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 64k;
add_header Cache-Control no-cache;
}
auth_basic "Restricted area";
auth_basic_user_file /path/to/password/file;
}
This doesn't work (obviously), and results in a gateway timeout. I can otherwise access the REST interface locally from within the server with curl localhost:28017
and similar.
What am I doing wrong?
Solution 1:
Given the fact that curl localhost:28017
works, I assume the REST interface speaks HTTP and not HTTPS.
Change the following line
proxy_pass https://127.0.0.1:28017;
With this one
proxy_pass http://127.0.0.1:28017;
Solution 2:
To offer an alternative solution from the MongoDB side of things (if you wanted to use HTTPS end to end), you can enable SSL in MongoDB:
http://docs.mongodb.org/manual/administration/ssl/
You can also see my previous answer here regarding using SSL with MongoDB for some more details:
https://serverfault.com/a/376598/108132
Enabling SSL also enables it on the REST interface. Just to be sure I tested it using an SSL enabled build on the default ports:
curl -I -k https://127.0.0.1:28017
HTTP/1.0 200 OK
Content-Type: text/html;charset=utf-8
Connection: close
Content-Length: 21343
The -k is necessary because I am using a self-signed cert for my testing.