Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Reverse proxy https Server error 502

Posted on 2013-11-05
3
Medium Priority
?
4,346 Views
Last Modified: 2013-11-05
Hi,
I am testing the reverse proxy on windows 2008 r2 IIS 7.5
When using http everything works fine.
when adding https between the client and the reverse proxy, everything works fine.
but when I add https between the reverse proxy and the internal server,I get:

Server error
"502 - Web server received and invalid response while acting as a gateway or proxy server"

I have installed 2 different certificates at the proxy and at the server but I presume they work, Since I have no problems opening this https page from the reverse proxy...
(And I do not get certificate errors or warnings of any kind...)

I guess i missed something at the iis configuration...
I have written a simple URL rewrite rule which only points to
https://server_name/site_name/hello.html
(which works when I change it to http.)
I also tried it with\without "Enable SSL Offloading"
(I did not define a server-farm, dont know if its necessary)

What could be the problem? can I somehow debug the error and see what went wrong?
0
Comment
Question by:mashuf1976
  • 2
3 Comments
 
LVL 15

Expert Comment

by:Giovanni Heward
ID: 39623961
Is the certificate issued reflecting the public FQDN as the CN? (i.e. host.example.com)
Is your cert self-signed, or issued by a trusted CA?
Have you configured DNS to resolve to the public FQDN, on *both* the public and private side?  
This would require your internal DNS server(s) to have a zone for example.com, as opposed to using example.local -- After these prerequisites are met, you should be using the public FQDN (host.example.com) on either side.  

On the internal server to reverse proxy scenario, try modifying the %windir%\system32\drivers\etc\hosts file, on the internal server, to resolve the public FQDN to the private IP of the reverse proxy server, then connect using the public FQDN (i.e. host.example.com) rather than the local host name (i.e. host.domain.local)
0
 

Author Comment

by:mashuf1976
ID: 39624041
Thanks for your reply, this is a self-signed certificate.
The problem is that the reverse proxy is at the DMZ (which is exposed to the internet),
and therefor it could not be part of the domain  (in order to protect the company, and the AD server) -- which probably means it cannot have the same FQDN...

Is there a way to bypass this problem?
0
 
LVL 15

Accepted Solution

by:
Giovanni Heward earned 2000 total points
ID: 39624689
Is your DMZ (ideally) configured to use a private network address in conjunction with a PAT entry to translate to the public side?  Public:443/TCP <-> DMZ:443/TCP?  If so, this is how you'd configure it for use on the private side as well: Private:443/TCP <-> DMZ:443/TCP.  After the translation and access rules are in place, you'd create a public FQDN zone on the private AD/DNS server, which resolves (i.e. host.domain.com ) to the production private IP address (which is then translated to the DMZ zone.)

So on the private side, host.domain.com would resolve to 10.100.100.100 and on the public side, host.domain.com would resolve to 189.170.68.100.  Whereas the actual reverse proxy address is 192.168.1.100.  In this way the certificate can be issued to host.domain.com and work on both sides.  Make sense?  I think your issue is more relating to name resolution (and perhaps your server trusting the self-signed certificate) than anything else.

The other approach is the static hosts entry on the internal server communicating with the reverse proxy to reflect the public FQDN, once the translations and access rules are in place.

That being said, the quickest resolution may be to reissue your self-signed certificate to include both the private and public FQDN's ( i.e. host, host.domain.local, host.domain.com ).  I'll post more on this momentarily.
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This is the first one of a series of articles I’ll be writing to address technical issues that are always referred to as network problems. The network boundaries have changed, therefore having an understanding of how each piece in the network  puzzl…
I'm a big fan of Windows' offline folder caching and have used it on my laptops for over a decade.  One thing I don't like about it, however, is how difficult Microsoft has made it for the cache to be moved out of the Windows folder.  Here's how to …
Video by: ITPro.TV
In this episode Don builds upon the troubleshooting techniques by demonstrating how to properly monitor a vSphere deployment to detect problems before they occur. He begins the show using tools found within the vSphere suite as ends the show demonst…
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…

916 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question