Reverse proxy https Server error 502

Posted on 2013-11-05
Last Modified: 2013-11-05
Hi,
I am testing the reverse proxy on Windows 2008 R2, IIS 7.5.
When using http everything works fine.
When adding https between the client and the reverse proxy, everything works fine.
But when I add https between the reverse proxy and the internal server, I get:

Server error
"502 - Web server received an invalid response while acting as a gateway or proxy server"

I have installed 2 different certificates at the proxy and at the server, but I presume they work, since I have no problems opening this https page from the reverse proxy...
(And I do not get certificate errors or warnings of any kind...)

I guess I missed something in the IIS configuration...
I have written a simple URL rewrite rule which only points to
https://server_name/site_name/hello.html
(which works when I change it to http.)
I also tried it with/without "Enable SSL Offloading".
(I did not define a server farm, don't know if it's necessary.)

What could be the problem? Can I somehow debug the error and see what went wrong?
Question by:mashuf1976

Expert Comment

by:Giovanni Heward
ID: 39623961
Is the certificate issued reflecting the public FQDN as the CN? (i.e. host.example.com)
Is your cert self-signed, or issued by a trusted CA?
Have you configured DNS to resolve the public FQDN on *both* the public and private side?
This would require your internal DNS server(s) to have a zone for example.com, as opposed to using example.local -- after these prerequisites are met, you should be using the public FQDN (host.example.com) on either side.

In the internal server to reverse proxy scenario, try modifying the %windir%\system32\drivers\etc\hosts file on the internal server to resolve the public FQDN to the private IP of the reverse proxy server, then connect using the public FQDN (i.e. host.example.com) rather than the local host name (i.e. host.domain.local).

Author Comment

by:mashuf1976
ID: 39624041
Thanks for your reply; this is a self-signed certificate.
The problem is that the reverse proxy is in the DMZ (which is exposed to the internet),
and therefore it cannot be part of the domain (in order to protect the company and the AD server) -- which probably means it cannot have the same FQDN...

Is there a way to bypass this problem?

Accepted Solution

by: Giovanni Heward (earned 2000 total points)
ID: 39624689
Is your DMZ (ideally) configured to use a private network address in conjunction with a PAT entry to translate to the public side? Public:443/TCP <-> DMZ:443/TCP? If so, this is how you'd configure it for use on the private side as well: Private:443/TCP <-> DMZ:443/TCP. After the translation and access rules are in place, you'd create a public FQDN zone on the private AD/DNS server, which resolves (i.e. host.domain.com) to the production private IP address (which is then translated to the DMZ zone).

So on the private side, host.domain.com would resolve to 10.100.100.100, and on the public side, host.domain.com would resolve to 189.170.68.100, whereas the actual reverse proxy address is 192.168.1.100. In this way the certificate can be issued to host.domain.com and work on both sides. Make sense? I think your issue is more related to name resolution (and perhaps your server trusting the self-signed certificate) than anything else.

The other approach is a static hosts entry on the internal server communicating with the reverse proxy, reflecting the public FQDN, once the translations and access rules are in place.

That being said, the quickest resolution may be to reissue your self-signed certificate to include both the private and public FQDNs (i.e. host, host.domain.local, host.domain.com). I'll post more on this momentarily.
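Added example, not part of the thread: a small Python diagnostic for the "how can I debug the 502" question, built around the point the accepted answer makes. A reverse proxy validates the backend's certificate the way a browser would (trusted issuer plus a name match against the Host/SNI it uses), and a failed handshake surfaces to the client as the gateway error. The script connects to the backend with full validation and classifies the failure as a hostname mismatch or an untrusted (e.g. self-signed) issuer, and it also checks offline which names a certificate's SAN list would satisfy, so you can see whether a reissued certificate covering host, host.domain.local and host.domain.com would pass. The hostnames, IPs and port are placeholders; the matching rule is the standard dNSName rule (exact match, or a left-most wildcard standing for exactly one label).

```python
import socket
import ssl
from dataclasses import dataclass
from typing import Dict, List, Optional


def san_matches(hostname: str, san_names: List[str]) -> bool:
    """Return True if hostname is covered by one of the certificate's dNSName
    entries: case-insensitive exact match, or a wildcard in the left-most label
    that stands for exactly one label (so *.domain.com covers host.domain.com
    but neither a.b.domain.com nor domain.com)."""
    host = hostname.lower().rstrip(".")
    for name in san_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]                 # ".domain.com"
            if host.endswith(suffix):
                left = host[: -len(suffix)]   # the part the wildcard must cover
                if left and "." not in left:
                    return True
    return False


def coverage_report(cert_sans: List[str], names_in_use: List[str]) -> Dict[str, bool]:
    """For each name a client might present in SNI/Host (short name, private FQDN,
    public FQDN), say whether the certificate would satisfy a validating client."""
    return {name: san_matches(name, cert_sans) for name in names_in_use}


@dataclass
class ProbeResult:
    handshake_ok: bool
    reason: str      # "ok", "hostname_mismatch", "untrusted_issuer" or "other"
    detail: str


def probe_backend(host: str, port: int = 443, server_name: Optional[str] = None,
                  timeout: float = 5.0) -> ProbeResult:
    """Open a TLS connection to the backend with full validation (system trust
    store plus hostname check), i.e. the same checks a proxy applies before it
    forwards the backend's response, and report why the handshake fails."""
    server_name = server_name or host
    ctx = ssl.create_default_context()   # verify chain and hostname by default
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
                cert = tls.getpeercert()
                sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
                return ProbeResult(True, "ok", f"validated for {server_name}; SANs={sans}")
    except ssl.SSLCertVerificationError as exc:
        # OpenSSL's message tells the two failure modes apart
        msg = str(exc)
        if "Hostname mismatch" in msg:
            return ProbeResult(False, "hostname_mismatch", msg)
        if "self signed" in msg or "self-signed" in msg or "local issuer" in msg:
            return ProbeResult(False, "untrusted_issuer", msg)
        return ProbeResult(False, "other", msg)
    except (ssl.SSLError, OSError) as exc:
        return ProbeResult(False, "other", str(exc))


if __name__ == "__main__":
    # Placeholder names taken from the thread (assumed, not real hosts): a backend
    # certificate issued only to the private FQDN, probed with the public name the
    # rewrite rule would use.
    print(coverage_report(["host.domain.local"], ["host", "host.domain.local", "host.domain.com"]))
    print(probe_backend("host.domain.local", server_name="host.domain.com"))
```

Run it from the proxy host with the backend's real address and, as server_name, the exact hostname that appears in the URL rewrite rule; a "hostname_mismatch" result points at the DNS/SAN fix above, while "untrusted_issuer" means the proxy's machine trust store does not contain the backend's self-signed certificate.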