Solved

Reverse proxy https Server error 502

Posted on 2013-11-05
4,258 Views
Last Modified: 2013-11-05
Hi,
I am testing the reverse proxy on Windows 2008 R2 IIS 7.5.
When using HTTP everything works fine.
When adding HTTPS between the client and the reverse proxy, everything works fine.
But when I add HTTPS between the reverse proxy and the internal server, I get:

Server error
"502 - Web server received an invalid response while acting as a gateway or proxy server"

I have installed 2 different certificates at the proxy and at the server, but I presume they work, since I have no problems opening this https page from the reverse proxy...
(And I do not get certificate errors or warnings of any kind...)

I guess I missed something at the IIS configuration...
I have written a simple URL rewrite rule which only points to
https://server_name/site_name/hello.html
(which works when I change it to http.)
I also tried it with/without "Enable SSL Offloading".
(I did not define a server farm; don't know if it's necessary.)

What could be the problem? Can I somehow debug the error and see what went wrong?
Question by:mashuf1976
3 Comments
 
LVL 15

Expert Comment

by:Giovanni Heward
ID: 39623961
Is the certificate issued reflecting the public FQDN as the CN? (i.e. host.example.com)
Is your cert self-signed, or issued by a trusted CA?
Have you configured DNS to resolve to the public FQDN, on *both* the public and private side?
This would require your internal DNS server(s) to have a zone for example.com, as opposed to using example.local -- after these prerequisites are met, you should be using the public FQDN (host.example.com) on either side.

On the internal server to reverse proxy scenario, try modifying the %windir%\system32\drivers\etc\hosts file, on the internal server, to resolve the public FQDN to the private IP of the reverse proxy server, then connect using the public FQDN (i.e. host.example.com) rather than the local host name (i.e. host.domain.local)
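A way to see what the reverse proxy actually experiences when it opens the HTTPS connection to the internal server, covering the three questions above (the name in the certificate, self-signed versus trusted issuer, and name resolution). This is an added PowerShell example, not code from the thread; run it on the reverse proxy with `$BackendHost` set to the name the rewrite rule uses. The host name and port are placeholders.

```powershell
# Added example, not from the thread. Run on the reverse proxy.
# $BackendHost is a placeholder: use the exact host name from the rewrite rule.
param(
    [string]$BackendHost = "host.domain.com",
    [int]$Port = 443
)

# 1. Name resolution as seen from this box (checks the split-horizon DNS / hosts-file point above)
try {
    $addrs = [System.Net.Dns]::GetHostAddresses($BackendHost) | ForEach-Object { $_.IPAddressToString }
    Write-Host ("{0} resolves to: {1}" -f $BackendHost, ($addrs -join ", "))
} catch {
    Write-Host ("DNS lookup failed for {0}: {1}" -f $BackendHost, $_.Exception.Message)
    return
}

# 2. TLS handshake using that same name, recording why validation fails instead of aborting.
#    The callback returns $true so the handshake completes and the certificate can be inspected.
$script:policyErrors = $null
$callback = [System.Net.Security.RemoteCertificateValidationCallback] {
    param($sender, $cert, $chain, $errors)
    $script:policyErrors = $errors
    return $true
}

$client = New-Object System.Net.Sockets.TcpClient -ArgumentList $BackendHost, $Port
$ssl = New-Object System.Net.Security.SslStream -ArgumentList $client.GetStream(), $false, $callback
try {
    $ssl.AuthenticateAsClient($BackendHost)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
    Write-Host ("Subject       : {0}" -f $cert.Subject)
    Write-Host ("Issuer        : {0}" -f $cert.Issuer)
    $san = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq "Subject Alternative Name" }
    if ($san) { Write-Host ("SAN           : {0}" -f $san.Format($false)) }
    Write-Host ("Policy errors : {0}" -f $script:policyErrors)
} finally {
    $ssl.Close()
    $client.Close()
}
```

Read the last line as the diagnosis: `RemoteCertificateNameMismatch` means the name in the rewrite rule is not the certificate's CN or in its SAN; `RemoteCertificateChainErrors` means this machine does not trust the issuer, which is the normal state for a self-signed certificate until it has been imported into the proxy's Trusted Root Certification Authorities store; `None` means the handshake itself is clean and the 502 has another cause. Opening the page in a browser on the proxy, as the question does, does not prove this, because the browser may have accepted an exception that the proxy's own validation never sees.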
 

Author Comment

by:mashuf1976
ID: 39624041
Thanks for your reply, this is a self-signed certificate.
The problem is that the reverse proxy is at the DMZ (which is exposed to the internet),
and therefore it could not be part of the domain (in order to protect the company and the AD server) -- which probably means it cannot have the same FQDN...

Is there a way to bypass this problem?
 
LVL 15

Accepted Solution

by: Giovanni Heward (earned 2000 total points)
ID: 39624689
Is your DMZ (ideally) configured to use a private network address in conjunction with a PAT entry to translate to the public side? Public:443/TCP <-> DMZ:443/TCP? If so, this is how you'd configure it for use on the private side as well: Private:443/TCP <-> DMZ:443/TCP. After the translation and access rules are in place, you'd create a public FQDN zone on the private AD/DNS server, which resolves (i.e. host.domain.com) to the production private IP address (which is then translated to the DMZ zone).

So on the private side, host.domain.com would resolve to 10.100.100.100 and on the public side, host.domain.com would resolve to 189.170.68.100.  Whereas the actual reverse proxy address is 192.168.1.100.  In this way the certificate can be issued to host.domain.com and work on both sides.  Make sense?  I think your issue is more relating to name resolution (and perhaps your server trusting the self-signed certificate) than anything else.

The other approach is the static hosts entry on the internal server communicating with the reverse proxy to reflect the public FQDN, once the translations and access rules are in place.

That being said, the quickest resolution may be to reissue your self-signed certificate to include both the private and public FQDNs (i.e. host, host.domain.local, host.domain.com). I'll post more on this momentarily.
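The last paragraph above suggests reissuing the self-signed certificate so that every name the internal server is reached by is on it. An added PowerShell example of that, not code from the thread: it uses the PKI module cmdlets, which ship with Windows Server 2012 and later (the Windows 2008 R2 box in the question does not have them; there the same certificate is produced with certreq or makecert, with the same list of names). The host names are the placeholders used in the answer, and the output path is an assumption.

```powershell
# Added example, not from the thread. Requires the PKI module (Windows Server 2012 or later).
# Run on the internal server. Host names are the placeholders from the answer above.
$names = @("host", "host.domain.local", "host.domain.com")

# Self-signed certificate whose Subject Alternative Name lists every name in $names;
# the first entry becomes the subject CN. Stored in the machine's Personal store so IIS can bind it.
$cert = New-SelfSignedCertificate -DnsName $names -CertStoreLocation "Cert:\LocalMachine\My"
Write-Host ("New certificate thumbprint: {0}" -f $cert.Thumbprint)

# Show the names the certificate actually carries, so the rewrite rule can be checked against them.
$san = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq "Subject Alternative Name" }
Write-Host ("SAN: {0}" -f $san.Format($false))

# Export the public part (no private key) so the reverse proxy can be made to trust it.
$cerPath = Join-Path $env:TEMP "internal-server.cer"   # assumed path
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
Write-Host ("Exported public certificate to {0}" -f $cerPath)

# On the reverse proxy, after copying the .cer file over, trust it machine-wide:
#   Import-Certificate -FilePath <copied .cer> -CertStoreLocation Cert:\LocalMachine\Root
```

Two follow-up steps, both on existing tooling: the new thumbprint must replace the old one in the site's HTTPS binding on the internal server (IIS Manager, Site Bindings), and the rewrite rule on the proxy must use one of the names listed in the SAN, since the proxy validates the name it connects to against the certificate. Only the .cer (public part) leaves the internal server; the private key stays in its machine store.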
