How to force ssl with Google Cloud Load Balancer and nginx as a web server

Question

We have 4 servers with php aplication and nginx behind Google Cloud HTTP(S) Load balancer. And I made servers to listen for both http and https connections. The issue is - I cannot force to use ssl. Here is nginx configuration:

server {
            listen 80;

            server_name domain.com;

            root /var/www/dev/public_html;
            index index.php index.html index.htm;

            port_in_redirect off;

            location / {
                    return 301 https://$server_name$request_uri;
            }

    }
    server {
        listen 443;

        ssl on;
        ssl_certificate /etc/nginx/ssl/ssl.crt;
        ssl_certificate_key /etc/nginx/ssl/ssl.key;
        ssl_prefer_server_ciphers on;

        root /var/www/production/public_html;
        index index.php index.html index.htm;

        server_name domain.com;

        location ~ /help {
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
            proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
            proxy_redirect off;
            proxy_next_upstream error;
        }

        location / {
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_pass unix:/run/php/php7.0-fpm.sock;
            fastcgi_index index.php;
            fastcgi_param   SCRIPT_FILENAME  $document_root/index.php;
            include fastcgi_params;
            proxy_buffering off;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header Referer "";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_http_version 1.1;
        }
}

There are several more locations there, all with the similar configuration. And this config works without LB, on a single server. And doesn't work with LB. Please advise.

Thank you!

Answer 1

Use this config at web server:

        if ($http_x_forwarded_proto = "http") { return 301 https://$server_name$request_uri; }

Answer 2

There may be many things to check. Maybe - to look at SSL certificates for the HTTPS Load balancer - the documentation states that it "Requires at least one signed SSL certificate for the load balancer" - see Setting Up HTTP(S) Load Balancing and SSL Certificates