Solved

Reverse proxy https Server error 502

Posted on 2013-11-05
3
3,778 Views
Last Modified: 2013-11-05
Hi,
I am testing the reverse proxy on windows 2008 r2 IIS 7.5
When using http everything works fine.
when adding https between the client and the reverse proxy, everything works fine.
but when I add https between the reverse proxy and the internal server,I get:

Server error
"502 - Web server received and invalid response while acting as a gateway or proxy server"

I have installed 2 different certificates at the proxy and at the server but I presume they work, Since I have no problems opening this https page from the reverse proxy...
(And I do not get certificate errors or warnings of any kind...)

I guess i missed something at the iis configuration...
I have written a simple URL rewrite rule which only points to
https://server_name/site_name/hello.html
(which works when I change it to http.)
I also tried it with\without "Enable SSL Offloading"
(I did not define a server-farm, dont know if its necessary)

What could be the problem? can I somehow debug the error and see what went wrong?
0
Comment
Question by:mashuf1976
  • 2
3 Comments
 
LVL 14

Expert Comment

by:Giovanni Heward
ID: 39623961
Is the certificate issued reflecting the public FQDN as the CN? (i.e. host.example.com)
Is your cert self-signed, or issued by a trusted CA?
Have you configured DNS to resolve to the public FQDN, on *both* the public and private side?  
This would require your internal DNS server(s) to have a zone for example.com, as opposed to using example.local -- After these prerequisites are met, you should be using the public FQDN (host.example.com) on either side.  

On the internal server to reverse proxy scenario, try modifying the %windir%\system32\drivers\etc\hosts file, on the internal server, to resolve the public FQDN to the private IP of the reverse proxy server, then connect using the public FQDN (i.e. host.example.com) rather than the local host name (i.e. host.domain.local)
0
 

Author Comment

by:mashuf1976
ID: 39624041
Thanks for your reply, this is a self-signed certificate.
The problem is that the reverse proxy is at the DMZ (which is exposed to the internet),
and therefor it could not be part of the domain  (in order to protect the company, and the AD server) -- which probably means it cannot have the same FQDN...

Is there a way to bypass this problem?
0
 
LVL 14

Accepted Solution

by:
Giovanni Heward earned 500 total points
ID: 39624689
Is your DMZ (ideally) configured to use a private network address in conjunction with a PAT entry to translate to the public side?  Public:443/TCP <-> DMZ:443/TCP?  If so, this is how you'd configure it for use on the private side as well: Private:443/TCP <-> DMZ:443/TCP.  After the translation and access rules are in place, you'd create a public FQDN zone on the private AD/DNS server, which resolves (i.e. host.domain.com ) to the production private IP address (which is then translated to the DMZ zone.)

So on the private side, host.domain.com would resolve to 10.100.100.100 and on the public side, host.domain.com would resolve to 189.170.68.100.  Whereas the actual reverse proxy address is 192.168.1.100.  In this way the certificate can be issued to host.domain.com and work on both sides.  Make sense?  I think your issue is more relating to name resolution (and perhaps your server trusting the self-signed certificate) than anything else.

The other approach is the static hosts entry on the internal server communicating with the reverse proxy to reflect the public FQDN, once the translations and access rules are in place.

That being said, the quickest resolution may be to reissue your self-signed certificate to include both the private and public FQDN's ( i.e. host, host.domain.local, host.domain.com ).  I'll post more on this momentarily.
0

Featured Post

VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Preface There are many applications where some computing systems need have their system clocks running synchronized within a small margin and eventually need to be in sync with the global time. There are different solutions for this, i.e. the W3…
This article is in response to a question (http://www.experts-exchange.com/Networking/Network_Management/Network_Analysis/Q_28230497.html) here at Experts Exchange. The Original Poster (OP) requires a utility that will accept a list of IP addresses …
This Micro Tutorial demonstrates using Microsoft Excel pivot tables, how to reverse engineer competitors' marketing strategies through backlinks.
Learn how to create flexible layouts using relative units in CSS.  New relative units added in CSS3 include vw(viewports width), vh(viewports height), vmin(minimum of viewports height and width), and vmax (maximum of viewports height and width).

920 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now