In this example configuration, if the first server fails (proxy_connect_timeout) one time (max_fails), the second server will be used for 60s (fail_timeout).
The SSL certificate needs to be configured on the reverse proxy server AND on the proxied servers. You can use the same certificate and configuration on all servers.
To test the configuration, you can edit your hosts file so that the correct domain name resolves to the reverse proxy.
Use the following tool to generate a recommended SSL configuration: https://mozilla.github.io/server-side-tls/ssl-config-generator/
# Main (process-level) settings for the reverse proxy.
# Worker processes run as the unprivileged www-data account.
user www-data;
# "auto" lets nginx choose the number of worker processes itself.
worker_processes auto;
# File in which the master process writes its PID.
pid /run/nginx.pid;
events {
# Upper bound on simultaneous connections per worker process; this counts
# the connections to the proxied servers as well as those from clients.
worker_connections 768;
# Left disabled: with multi_accept off a worker accepts one new connection at a time.
# multi_accept on;
}
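# HTTPS reverse proxy in front of a primary/backup pair of HTTPS backends.
# Client TLS terminates here and a new TLS connection is opened to the backend.
http {
    # Failover pool: a single failed attempt (max_fails=1) marks the first
    # server unavailable for 60s (fail_timeout). The "backup" server only
    # receives requests while the first one is unavailable.
    upstream backend {
        server x.x.x.x:443 fail_timeout=60s max_fails=1;
        server x.x.x.x:443 backup;
    }

    server {
        listen 443 ssl;
        # NOTE(review): this is the only server block shown for port 443, so it
        # also acts as the default server and will proxy requests whose Host
        # header matches neither name below.
        server_name lifehistory.ca www.lifehistory.ca;

        # The private key lives under a login user's home directory. Restrict
        # it to root (for example owner root, mode 0600) or move it to a
        # root-owned directory; nginx started as root reads it before the
        # workers switch to the "user" account.
        ssl_certificate /home/ubuntu/cert.pem;
        ssl_certificate_key /home/ubuntu/privkey.pem;
        # No ssl_protocols / ssl_ciphers are set here, so the defaults of the
        # installed nginx build apply. Add explicit values from a TLS
        # configuration generator.

        location / {
            proxy_pass https://backend;

            # Forward the original client address and host name to the backend.
            # $proxy_add_x_forwarded_for appends to whatever X-Forwarded-For
            # value the client sent, so the backend should trust only the last
            # entry (added by this proxy) or use X-Real-IP.
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

            # Short timeouts so an unresponsive backend is detected quickly and
            # counted as a failure for the failover logic above.
            proxy_connect_timeout 5s;
            proxy_send_timeout 5s;
            proxy_read_timeout 5s;

            # Name sent via SNI and checked against the backend certificate.
            # Needed because proxy_pass refers to the upstream group "backend",
            # which is not a name the certificate covers.
            proxy_ssl_name "lifehistory.ca";
            proxy_ssl_server_name on;

            # Authenticate the backend. nginx does not verify upstream
            # certificates by default, so without these directives the
            # proxy-to-backend hop is encrypted but open to interception by
            # anyone able to answer on the backend address.
            proxy_ssl_verify on;
            proxy_ssl_verify_depth 2;
            # Debian/Ubuntu system CA bundle; point this at your own CA file if
            # the backend certificate is not issued by a public CA.
            proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
        }
    }
}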