Solved

nginx reverse proxy ssl IIS

Posted on 2014-10-28
12
1,192 Views
Last Modified: 2014-11-02
system 1
Centos 7
nginx
IP 192.168.1.101

System 2
SBS2011
192.168.1.2

System 3
Centos Web server

I have created a nginx machine to sit in front of two web servers (IIS and centos). Currently I have http sites sitting on both machines, and I have configured reverse proxy for the HTTP without issue.

What I am failing at is getting the nginx to reverse proxy to system 2 for the https for remote web workspace. (I could just direct port 443 at the router to the system 2 machine, as System 3 does not have any https sites, but it may in the future, so would like to get this working).

I have exported the SSL cert from System2 by following http://www.iborgelt.com/windows-home-server-behind-nginx-reverse-proxy/

Then have created a file in system 1 by:- nano /etc/nginx/conf.d/remote-Mydomain-proxySSL.conf
the file contains
	server {
	  listen 443;
	  server_name remote.mydomain.com.au;
	  ssl on;
	  ssl_certificate /etc/nginx/mydomain.pem;
	  ssl_certificate_key /etc/nginx/mydomain.key;
	  ssl_session_timeout 5m;
	  ssl_protocols SSLv3 TLSv1;
	  ssl_ciphers HIGH:!ADH:!MD5;
	  ssl_prefer_server_ciphers on;
	  location / {
		proxy_pass https://192.168.1.2:443;
		proxy_set_header host remote.mydomain.com.au;
	  }
	}
however at the browser I get
Unable to make a secure connection to the server. This may be a problem with the server, or it may be requiring a client authentication certificate that you don't have.
Error code: ERR_SSL_PROTOCOL_ERROR


I suspect that the SSL cert at system 1 is not loading correctly but when I restart nginx it does not seem to have an issue:-
[root@Nginx nginx]# service nginx restart
Redirecting to /bin/systemctl restart  nginx.service
[root@Nginx nginx]#


Any help would be appreciated.
Cheers
Andrew
Question by:Andrew Davis
12 Comments
 
LVL 58

Expert Comment

by:Gary
ID: 40409834
For a start remove SSLv3 - did you miss the big security alert?

Confused by what you mean when I restart nginx it does not seem to have an issue - either there is a problem or there isn't - care to explain more?
0
 
LVL 18

Author Comment

by:Andrew Davis
ID: 40409849
Confused by what you mean when I restart nginx it does not seem to have an issue - either there is a problem or there isn't - care to explain more?

What I mean is that when I started with HTTP proxy settings, if I made an error in the config file, when I tried to restart Nginx it would not start and tell me that it was unable to start. With the settings as they are, it starts without issue. Does not report an error.

I will try your suggestion above.

did you miss the big security alert?
Most probably, as I am by no means a Linux guru, and I now have exactly 2 days' experience with nginx.
I was originally going to use IIS ARR but decided that I wanted something that didn't require me configuring another Windows VM and figure as this is a set and forget, it is ideal for Linux/nginx :)

will let you know about the above in a few minutes.

Cheers.
0
 
LVL 58

Expert Comment

by:Gary
ID: 40409853
0
 
LVL 18

Author Comment

by:Andrew Davis
ID: 40409857
okay I changed
ssl_protocols SSLv3 TLSv1;
to
ssl_protocols TLSv1;

service nginx restart

No change to issue.

Also note that in the browser (Chrome) at the error page I am not seeing any SSL cert information.

Cheers
Andrew
0
 
LVL 18

Author Comment

by:Andrew Davis
ID: 40409859
Thanks re the SSLv3 alert.
0
 
LVL 58

Expert Comment

by:Gary
ID: 40409861
Are you sure you copied the correct cert and key to the nginx server?
The error suggests it's an invalid cert

Maybe the .pem is not correctly formatted...if you open it does it look correct, maybe some formatting issues between Windows and Linux
0
 
LVL 18

Author Comment

by:Andrew Davis
ID: 40409872
I think you are probably correct. I got the keys from the pfx file, using OpenSSL as per http://www.iborgelt.com/windows-home-server-behind-nginx-reverse-proxy/

but if I look at the files this is the content:-

mydomain.pem
Bag Attributes
    localKeyID: 01 00 00 00 
subject=/serialNumber=s/FilrOFyFEdN0KJbaq92Rkf9nCP5un1/OU=GT63064709/OU=See www.rapidssl.com/resources/cps (c)14/OU=Domain Control Validated - RapidSSL(R)/CN=remote.mydomain.com.au
issuer=/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
-----BEGIN CERTIFICATE-----
MIIFMDCCBBigAwIBAgIDEuYgMA0GCSqGSIb3DQEBBQUAMDwxCzAJBgNVBAYTAlVT
.
I have cut out the cert code for the purposes of pasting to this forum
.
csAJa2IxYfaGBjBYXx5QNdT5ENXDBgazDw7MPquaPPLg1aFz
-----END CERTIFICATE-----
Bag Attributes
    friendlyName: GeoTrust Global CA
subject=/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
issuer=/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
-----BEGIN CERTIFICATE-----
MIIDVDCCAjygAwIBAgIDAjRWMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT
.
I have cut out the cert code for the purposes of pasting to this forum
.
5fEWCRE11azbJHFwLJhWC9kXtNHjUStedejV0NxPNO3CBWaAocvmMw==
-----END CERTIFICATE-----
Bag Attributes: <Empty Attributes>
subject=/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
issuer=/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
-----BEGIN CERTIFICATE-----
MIID1TCCAr2gAwIBAgIDAjbRMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT
.
I have cut out the cert code for the purposes of pasting to this forum
.
LEL2TxyJeN4mTvVvk0wVaydWTQBUbHq3tw==
-----END CERTIFICATE-----

and
mydomain.key
Bag Attributes
    Microsoft Local Key set: <No Values>
    localKeyID: 01 00 00 00 
    friendlyName: lr-2a298745-cf96-47c2-a98a-4047857eba2b
    Microsoft CSP Name: Microsoft Enhanced Cryptographic Provider v1.0
Key Attributes
    X509v3 Key Usage: 10 
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC5kfarVJxxA5h0
.
I have cut out the cert code for the purposes of pasting to this forum
.
CQg4lcOyN5Xbnq/8RStSaZp221/HsEa+nxx1ACcyO9RlcHUtIt+sPiQEwOrrnJqC
uJmS81tOGOWh+uculcv80Yc=
-----END PRIVATE KEY-----

I suspect that everything above the
-----BEGIN
should be removed, but I will wait for your experienced input.

Cheers
0
 
LVL 58

Expert Comment

by:Gary
ID: 40409879
mydomain.pem is not valid and neither is your key file

This is what a .pem and key file should look like
http://ospkibook.sourceforge.net/docs/OSPKI-2.4.7/OSPKI-html/sample-ca-cert.htm
0
 
LVL 58

Assisted Solution

by:Gary
Gary earned 500 total points
ID: 40409883
All this bit
Bag Attributes

Is invalid in the file
0
 
LVL 18

Author Comment

by:Andrew Davis
ID: 40409890
That's what I thought, but I never looked in the file that OpenSSL created.

So now I have modified the mydomain.pem file to
-----BEGIN CERTIFICATE-----
MIIFMDCCBBigAwIBAgIDEuYgMA0GCSqGSIb3DQEBBQUAMDwxCzAJBgNVBAYTAlVT
.
Lines removed for forum post
.
TAF7QBIm7s2L0euZl4XxWHmxfjTPqlYqJhFMDzRRV50z1b6j5rtF9aGfabruv0Us
csAJa2IxYfaGBjBYXx5QNdT5ENXDBgazDw7MPquaPPLg1aFz
-----END CERTIFICATE-----

and mydomain.key to
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC5kfarVJxxA5h0
.
Lines removed for forum post
.
CQg4lcOyN5Xbnq/8RStSaZp221/HsEa+nxx1ACcyO9RlcHUtIt+sPiQEwOrrnJqC
uJmS81tOGOWh+uculcv80Yc=
-----END PRIVATE KEY-----

restarted nginx
Still the same issue...

Wondering, in CentOS/nginx/OpenSSL, is there a way that I can create self-signed files for testing?

cheers
0
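The two things this thread turns on, a self-signed pair to test with on a CentOS box and PEM files with nothing in front of the BEGIN line, can both be done with the openssl CLI alone. The script below is an added example, not from the thread, nginx or the linked guide; the hostname, file names and export password are placeholders, and it assumes only that `openssl` is on the PATH.

```shell
#!/bin/sh
# Added example: build a throwaway self-signed cert, pack it the way a Windows
# export looks (.pfx / PKCS#12), extract nginx-ready PEM files with the openssl
# "Bag Attributes" stripped, and prove the cert and key belong together.
set -eu

WORK=${WORK:-$(mktemp -d)}
HOST=remote.example.test   # placeholder, not the thread's real hostname
PFXPASS=export             # placeholder export password for the test .pfx

# 1. Self-signed test material (answers "can I create self-signed files for testing?").
make_selfsigned() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$HOST" \
    -keyout "$WORK/test.key" -out "$WORK/test.crt" 2>/dev/null
}

# 2. Pack as PKCS#12, the same shape as a .pfx exported from IIS / SBS.
make_pfx() {
  openssl pkcs12 -export -inkey "$WORK/test.key" -in "$WORK/test.crt" \
    -passout "pass:$PFXPASS" -out "$WORK/test.pfx"
}

# 3. Extract, then re-encode through x509 / pkey so only the BEGIN..END block is written.
#    This is what removes the "Bag Attributes" header that pkcs12 prints in front of it.
extract_clean_pem() {
  openssl pkcs12 -in "$WORK/test.pfx" -passin "pass:$PFXPASS" -clcerts -nokeys 2>/dev/null \
    | openssl x509 -out "$WORK/mydomain.pem"
  openssl pkcs12 -in "$WORK/test.pfx" -passin "pass:$PFXPASS" -nocerts -nodes 2>/dev/null \
    | openssl pkey -out "$WORK/mydomain.key"
}

# 4. No "Bag Attributes" may remain and the first line must be the BEGIN marker.
pem_is_clean() {
  ! grep -q 'Bag Attributes' "$WORK/mydomain.pem" "$WORK/mydomain.key" &&
  head -n1 "$WORK/mydomain.pem" | grep -q '^-----BEGIN CERTIFICATE-----$'
}

# 5. The check nginx does not surface at restart time: do cert and key share one public key?
pair_matches() {
  c=$(openssl x509 -in "$WORK/mydomain.pem" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$WORK/mydomain.key" -pubout 2>/dev/null | openssl sha256)
  [ "$c" = "$k" ]
}

main() {
  make_selfsigned && make_pfx && extract_clean_pem
  pem_is_clean && pair_matches && echo "cert/key pair OK in $WORK"
}
main "$@"
```

Once the pair passes, copy the two files into /etc/nginx, run `nginx -t` before restarting, and confirm from another host with `openssl s_client -connect <nginx-ip>:443 -servername <hostname>`, which shows the certificate nginx actually serves (the browser error page in this thread showed none).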
 
LVL 18

Accepted Solution

by:
Andrew Davis earned 0 total points
ID: 40410031
Just a quick update: I got it to work with
# HTTPS server
	#
	server {
		listen       443 ssl;
		server_name  remote.mydomain.com.au;   # name only; server_name does not take a port

		ssl_certificate      /etc/nginx/mydomain.pem;
		ssl_certificate_key  /etc/nginx/mydomain.key;

		# the nginx default at the time still allowed SSLv3; list TLS only
		ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

		ssl_session_cache shared:SSL:1m;
		ssl_session_timeout  5m;

		ssl_ciphers  HIGH:!aNULL:!MD5;
		ssl_prefer_server_ciphers   on;

		location / {
			proxy_pass https://192.168.1.2/;
		}
	}

however now rpc/https does not work. This is how our exchange client talks to the exchange server.
On trying to connect it asks for username and password, and loops at that.

I am looking into it at the moment, but if you have any ideas that would be great.

Cheers
Andrew
0
 
LVL 18

Author Closing Comment

by:Andrew Davis
ID: 40417988
Thanks for your help and time Gary.

I have split the award between both of us, as you did get me to look at my certs. In the end (after I corrected my cert layout) it turned out that my certs were fine, and once I used the SSL example that comes with nginx it worked fine. Although it now appears that it won't support RPC/HTTP so may have to think about moving to something like HAProxy, but that's for another day :)

Cheers
Andrew
0
