  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1797

nginx reverse proxy ssl IIS

system 1
Centos 7
nginx
IP 192.168.1.101

System 2
SBS2011
192.168.1.2

System 3
Centos Web server

I have created a nginx machine to sit in front of two web servers (IIS and centos). Currently I have http sites sitting on both machines, and I have configured reverse proxy for the HTTP without issue.

What I am failing at is getting the nginx to reverse proxy to system 2 for the https for remote web workspace. (I could just direct port 443 at the router to the system 2 machine, as System 3 does not have any https sites, but it may in the future, so would like to get this working).

I have exported the SSL cert from System2 by following http://www.iborgelt.com/windows-home-server-behind-nginx-reverse-proxy/

Then I created a file on system 1 with: nano /etc/nginx/conf.d/remote-Mydomain-proxySSL.conf
The file contains:
	server {
	  listen 443;
	  server_name remote.mydomain.com.au;
	  ssl on;
	  ssl_certificate /etc/nginx/mydomain.pem;
	  ssl_certificate_key /etc/nginx/mydomain.key;
	  ssl_session_timeout 5m;
	  ssl_protocols SSLv3 TLSv1;
	  ssl_ciphers HIGH:!ADH:!MD5;
	  ssl_prefer_server_ciphers on;
	  location / {
		proxy_pass https://192.168.1.2:443;
		proxy_set_header host remote.mydomain.com.au;
	  }
	}


however at the browser I get
Unable to make a secure connection to the server. This may be a problem with the server, or it may be requiring a client authentication certificate that you don't have.
Error code: ERR_SSL_PROTOCOL_ERROR


I suspect that the SSL cert at system 1 is not loading correctly but when I restart nginx it does not seem to have an issue:-
[root@Nginx nginx]# service nginx restart
Redirecting to /bin/systemctl restart  nginx.service
[root@Nginx nginx]#


Any help would be appreciated.
Cheers
Andrew
Asked by: Andrew Davis

2 Solutions
 
Gary commented:
For a start remove SSLv3 - did you miss the big security alert?

Confused by what you mean when I restart nginx it does not seem to have an issue - either there is a problem or there isn't - care to explain more?
0
 
Andrew Davis (Author) commented:
Confused by what you mean when I restart nginx it does not seem to have an issue - either there is a problem or there isn't - care to explain more?

What I mean is that when I started with HTTP proxy settings, if I made an error in the config file, when I tried to restart nginx it would not start and would tell me that it was unable to start. With the settings as they are, it starts without issue and does not report an error.

I will try your suggestion above.

did you miss the big security alert?
Most probably, as I am by no means a Linux guru, and I now have exactly 2 days' experience with nginx.
I was originally going to use IIS ARR but decided that I wanted something that didn't require me configuring another Windows VM, and figured, as this is set and forget, it is ideal for Linux/nginx :)

will let you know about the above in a few minutes.

Cheers.
0
 
 
Andrew Davis (Author) commented:
okay I changed
ssl_protocols SSLv3 TLSv1;
to
ssl_protocols TLSv1;


service nginx restart

No change to issue.

Also note that in the browser (Chrome), at the error page, I am not seeing any SSL cert information.

Cheers
Andrew
0
 
Andrew Davis (Author) commented:
Thanks re the SSLv3 alert.
0
 
Gary commented:
Are you sure you copied the correct cert and key to the nginx server?
The error suggests it's an invalid cert.

Maybe the .pem is not correctly formatted...if you open it does it look correct, maybe some formatting issues between Windows and Linux
0
 
Andrew Davis (Author) commented:
I think you are probably correct. I got the keys from the pfx file, using OpenSSL as per http://www.iborgelt.com/windows-home-server-behind-nginx-reverse-proxy/

but if I look at the files, this is the content:

mydomain.pem
Bag Attributes
    localKeyID: 01 00 00 00 
subject=/serialNumber=s/FilrOFyFEdN0KJbaq92Rkf9nCP5un1/OU=GT63064709/OU=See www.rapidssl.com/resources/cps (c)14/OU=Domain Control Validated - RapidSSL(R)/CN=remote.mydomain.com.au
issuer=/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
-----BEGIN CERTIFICATE-----
MIIFMDCCBBigAwIBAgIDEuYgMA0GCSqGSIb3DQEBBQUAMDwxCzAJBgNVBAYTAlVT
.
I have cut out the cert code for the purposes of pasting to this forum
.
csAJa2IxYfaGBjBYXx5QNdT5ENXDBgazDw7MPquaPPLg1aFz
-----END CERTIFICATE-----
Bag Attributes
    friendlyName: GeoTrust Global CA
subject=/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
issuer=/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
-----BEGIN CERTIFICATE-----
MIIDVDCCAjygAwIBAgIDAjRWMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT
.
I have cut out the cert code for the purposes of pasting to this forum
.
5fEWCRE11azbJHFwLJhWC9kXtNHjUStedejV0NxPNO3CBWaAocvmMw==
-----END CERTIFICATE-----
Bag Attributes: <Empty Attributes>
subject=/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
issuer=/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
-----BEGIN CERTIFICATE-----
MIID1TCCAr2gAwIBAgIDAjbRMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT
.
I have cut out the cert code for the purposes of pasting to this forum
.
LEL2TxyJeN4mTvVvk0wVaydWTQBUbHq3tw==
-----END CERTIFICATE-----


and
mydomain.key
Bag Attributes
    Microsoft Local Key set: <No Values>
    localKeyID: 01 00 00 00 
    friendlyName: lr-2a298745-cf96-47c2-a98a-4047857eba2b
    Microsoft CSP Name: Microsoft Enhanced Cryptographic Provider v1.0
Key Attributes
    X509v3 Key Usage: 10 
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC5kfarVJxxA5h0
.
I have cut out the cert code for the purposes of pasting to this forum
.
CQg4lcOyN5Xbnq/8RStSaZp221/HsEa+nxx1ACcyO9RlcHUtIt+sPiQEwOrrnJqC
uJmS81tOGOWh+uculcv80Yc=
-----END PRIVATE KEY-----


I suspect that everything above the
-----BEGIN
should be removed, but i will wait for your experienced input.

Cheers
0
 
Gary commented:
mydomain.pem is not valid and neither is your key file

This is what a .pem and key file should look like
http://ospkibook.sourceforge.net/docs/OSPKI-2.4.7/OSPKI-html/sample-ca-cert.htm
0
 
Gary commented:
All this bit
Bag Attributes

Is invalid in the file
0
 
Andrew Davis (Author) commented:
That's what I thought, but I never looked in the file that OpenSSL created.

So now I have modified the mydomain.pem file to
-----BEGIN CERTIFICATE-----
MIIFMDCCBBigAwIBAgIDEuYgMA0GCSqGSIb3DQEBBQUAMDwxCzAJBgNVBAYTAlVT
.
Lines removed for forum post
.
TAF7QBIm7s2L0euZl4XxWHmxfjTPqlYqJhFMDzRRV50z1b6j5rtF9aGfabruv0Us
csAJa2IxYfaGBjBYXx5QNdT5ENXDBgazDw7MPquaPPLg1aFz
-----END CERTIFICATE-----


and mydomain.key to
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC5kfarVJxxA5h0
.
Lines removed for forum post
.
CQg4lcOyN5Xbnq/8RStSaZp221/HsEa+nxx1ACcyO9RlcHUtIt+sPiQEwOrrnJqC
uJmS81tOGOWh+uculcv80Yc=
-----END PRIVATE KEY-----


restarted nginx
Still the same issue...

Wondering, in CentOS/nginx/OpenSSL, is there a way that I can create self-signed files for testing?

cheers
0
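An added example, not code from the thread: a bash script that does the two things discussed just above. It generates a self-signed certificate and key for testing (the question at the end of the post), round-trips them through a PFX the way the Windows export does, shows that openssl pkcs12 prints "Bag Attributes" and subject= lines outside the PEM armour (the text Gary flagged two comments up), strips them by re-serialising through openssl x509 and openssl pkey, and checks that the certificate and private key actually belong together. Note that OpenSSL's PEM reader, which nginx uses, skips anything before a -----BEGIN line, so the bag-attribute text on its own is harmless; that matches the thread's later conclusion that the certificates were fine. Assumes openssl on PATH; the CN remote.example.test, the PFX password and the scratch directory are demo values, not the poster's.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): make a self-signed test certificate,
# round-trip it through a PFX the way the Windows export does, strip the
# "Bag Attributes" text that openssl pkcs12 prints, and check key/cert match.
# Assumes openssl on PATH; the CN, password and directory are demo values.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PFX_PASS="demo-only"        # throwaway password for the constructed PFX
CN="remote.example.test"    # placeholder hostname, not the poster's domain

# Self-signed certificate and key for testing, as asked at the end of the post above.
make_selfsigned() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$CN" \
    -keyout "$WORK/test.key" -out "$WORK/test.crt" 2>/dev/null
}

# Bundle them into a PFX so the extraction below mirrors the thread's steps.
make_pfx() {
  openssl pkcs12 -export -inkey "$WORK/test.key" -in "$WORK/test.crt" \
    -out "$WORK/test.pfx" -passout "pass:$PFX_PASS"
}

# Raw extraction: this is what produces the Bag Attributes / subject= lines.
extract_raw() {
  openssl pkcs12 -in "$WORK/test.pfx" -passin "pass:$PFX_PASS" -clcerts -nokeys \
    -out "$WORK/raw.crt" 2>/dev/null
  openssl pkcs12 -in "$WORK/test.pfx" -passin "pass:$PFX_PASS" -nocerts -nodes \
    -out "$WORK/raw.key" 2>/dev/null
}

# Clean extraction: re-serialising through openssl x509 / openssl pkey keeps
# only the PEM object, so nothing is left outside the BEGIN/END armour.
extract_clean() {
  openssl x509 -in "$WORK/raw.crt" -out "$WORK/mydomain.pem"
  openssl pkey -in "$WORK/raw.key" -out "$WORK/mydomain.key"
  chmod 600 "$WORK/mydomain.key"     # nginx reads it as root; nobody else needs it
}

# 0 when every non-blank line of the file sits inside a BEGIN/END block.
pem_is_clean() {
  [ "$(awk '/^-----BEGIN/{inside=1} !inside && NF{bad++} /^-----END/{inside=0} END{print bad+0}' "$1")" -eq 0 ]
}

# 0 when the certificate's public key equals the one derived from the private key.
cert_matches_key() {
  local c k
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout -outform DER | openssl sha256)
  [ "$c" = "$k" ]
}

run_demo() {
  make_selfsigned; make_pfx; extract_raw; extract_clean
  pem_is_clean "$WORK/raw.crt" || echo "raw.crt carries text outside the PEM armour (as in the thread)"
  pem_is_clean "$WORK/mydomain.pem" && echo "mydomain.pem is bare PEM"
  pem_is_clean "$WORK/mydomain.key" && echo "mydomain.key is bare PEM"
  cert_matches_key "$WORK/mydomain.pem" "$WORK/mydomain.key" && echo "certificate and key match"
  openssl x509 -in "$WORK/mydomain.pem" -noout -subject -enddate
}

run_demo
```

For a real Windows export, point the two openssl pkcs12 commands at the .pfx from the server; on an OpenSSL 3 system an older PFX may need the -legacy flag to read. Keep the intermediates printed by -clcerts' sibling option -cacerts as well: nginx expects ssl_certificate to hold the leaf followed by the intermediate(s), not the leaf alone.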
 
Andrew Davis (Author) commented:
Just a quick update: I got it to work with
# HTTPS server
	#
	server {
		listen       443 ssl;
		server_name  remote.mydomain.com.au:443;

		ssl_certificate      /etc/nginx/mydomain.pem;
		ssl_certificate_key  /etc/nginx/mydomain.key;

		ssl_session_cache shared:SSL:1m;
		ssl_session_timeout  5m;

		ssl_ciphers  HIGH:!aNULL:!MD5;
		ssl_prefer_server_ciphers   on;

		location / {
			proxy_pass https://192.168.1.2/;
		}
	}


However, now RPC/HTTPS does not work. This is how our Exchange client talks to the Exchange server.
On trying to connect, it asks for username and password, and loops at that.

I am looking into it at the moment, but if you have any ideas that would be great.

Cheers
Andrew
0
 
Andrew Davis (Author) commented:
Thanks for your help and time Gary.

I have split the award between both of us, as you did get me to look at my certs. In the end (after I corrected my cert layout) it turned out that my certs were fine, and once I used the SSL example that comes with nginx it worked fine. Although it now appears that it won't support RPC/HTTP, so I may have to think about moving to something like HAProxy, but that's for another day :)

Cheers
Andrew
0
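An added example, not from the thread: a bash script that writes the poster's first server block (the "before") next to a hardened version into a scratch directory, then runs a small audit over each that flags the settings this thread tripped over: SSLv3 or TLS 1.0 in ssl_protocols, the deprecated "ssl on" paired with a plain "listen 443", and an https proxy_pass whose backend certificate is never verified. The hardened block also drops the ":443" suffix from server_name (nginx matches server_name against the host name only, so "remote.mydomain.com.au:443" never matches and only worked because it was the sole server on that port), forwards the real Host header, and pins the backend verification to the RapidSSL certificate shown earlier in the thread. The file names mydomain-fullchain.pem (leaf followed by the two intermediates from the PFX output) and mydomain-chain.pem (intermediates only) are assumed names for files cut from that output.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): the first server block posted in this
# thread next to a hardened version, plus an audit that flags the settings
# that caused trouble here. Paths under /etc/nginx are assumed names.
set -eu

CFG_DIR="${CFG_DIR:-$(mktemp -d)}"

write_weak_config() {
  # The block from the original question, reproduced as the "before".
  cat > "$CFG_DIR/weak.conf" <<'EOF'
server {
  listen 443;
  server_name remote.mydomain.com.au;
  ssl on;
  ssl_certificate /etc/nginx/mydomain.pem;
  ssl_certificate_key /etc/nginx/mydomain.key;
  ssl_session_timeout 5m;
  ssl_protocols SSLv3 TLSv1;
  ssl_ciphers HIGH:!ADH:!MD5;
  ssl_prefer_server_ciphers on;
  location / {
    proxy_pass https://192.168.1.2:443;
    proxy_set_header host remote.mydomain.com.au;
  }
}
EOF
}

write_hardened_config() {
  # Same job, current nginx spelling, no legacy protocols, backend verified.
  cat > "$CFG_DIR/hardened.conf" <<'EOF'
server {
  # "ssl on" is the deprecated form; the ssl parameter on listen replaces it.
  listen 443 ssl;
  server_name remote.mydomain.com.au;

  # Leaf certificate first, then the intermediate(s) the PFX export printed
  # after it; the key file holds only the PRIVATE KEY block.
  ssl_certificate     /etc/nginx/mydomain-fullchain.pem;
  ssl_certificate_key /etc/nginx/mydomain.key;

  # SSLv3 and TLS 1.0/1.1 are out; TLSv1.3 is ignored by nginx if the
  # linked OpenSSL cannot do it.
  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
  ssl_prefer_server_ciphers off;
  ssl_session_cache shared:SSL:10m;
  ssl_session_timeout 1d;
  ssl_session_tickets off;

  location / {
    proxy_pass https://192.168.1.2;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;

    # Check the backend's certificate (the RapidSSL cert on the SBS box)
    # instead of trusting whatever answers on 192.168.1.2.
    proxy_ssl_server_name on;
    proxy_ssl_name remote.mydomain.com.au;
    proxy_ssl_verify on;
    proxy_ssl_trusted_certificate /etc/nginx/mydomain-chain.pem;
  }
}
EOF
}

# Prints one finding per line for the given config file; returns 1 if any.
audit_tls_server_block() {
  local f="$1" bad=0
  if grep -Eq '^[[:space:]]*ssl_protocols[^;]*SSLv3' "$f"; then
    echo "SSLv3 enabled"; bad=1; fi
  if grep -Eq '^[[:space:]]*ssl_protocols[^;]*TLSv1(\.1)?([[:space:]]|;)' "$f"; then
    echo "TLS 1.0/1.1 enabled"; bad=1; fi
  if grep -Eq '^[[:space:]]*ssl[[:space:]]+on;' "$f"; then
    echo "'ssl on' used; prefer the ssl parameter on listen"; bad=1; fi
  if grep -Eq '^[[:space:]]*listen[[:space:]]+443;' "$f"; then
    echo "listen 443 without the ssl parameter"; bad=1; fi
  if grep -Eq '^[[:space:]]*proxy_pass[[:space:]]+https://' "$f" \
     && ! grep -Eq '^[[:space:]]*proxy_ssl_verify[[:space:]]+on;' "$f"; then
    echo "backend TLS certificate not verified"; bad=1; fi
  return $bad
}

write_weak_config
write_hardened_config
echo "== weak.conf";     audit_tls_server_block "$CFG_DIR/weak.conf" || true
echo "== hardened.conf"; audit_tls_server_block "$CFG_DIR/hardened.conf" && echo "no findings"
```

Copy hardened.conf to /etc/nginx/conf.d/ and run nginx -t before restarting. The login loop with Outlook Anywhere reported above is not a TLS setting: RPC over HTTP authenticates with NTLM, which ties the authentication to the TCP connection, and open-source nginx does not keep one upstream connection pinned to the client that authenticated on it (NGINX Plus adds an ntlm directive in the upstream block for that). HAProxy in TCP mode, or nginx's stream module doing SNI passthrough, keeps the client connection end to end and sidesteps the problem.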
