Solved

nginx reverse proxy ssl IIS

Posted on 2014-10-28
12
1,270 Views
Last Modified: 2014-11-02
system 1
Centos 7
nginx
IP 192.168.1.101

System 2
SBS2011
192.168.1.2

System 3
Centos Web server

I have created an nginx machine to sit in front of two web servers (IIS and CentOS). Currently I have HTTP sites sitting on both machines, and I have configured the reverse proxy for HTTP without issue.

What I am failing at is getting nginx to reverse proxy to System 2 for HTTPS for Remote Web Workspace. (I could just direct port 443 at the router to the System 2 machine, as System 3 does not have any HTTPS sites, but it may in the future, so I would like to get this working.)

I have exported the SSL cert from System2 by following http://www.iborgelt.com/windows-home-server-behind-nginx-reverse-proxy/

Then have created a file in system 1 by:- nano /etc/nginx/conf.d/remote-Mydomain-proxySSL.conf
the file contains
	server {
	  listen 443;
	  server_name remote.mydomain.com.au;
	  ssl on;
	  ssl_certificate /etc/nginx/mydomain.pem;
	  ssl_certificate_key /etc/nginx/mydomain.key;
	  ssl_session_timeout 5m;
	  ssl_protocols SSLv3 TLSv1;
	  ssl_ciphers HIGH:!ADH:!MD5;
	  ssl_prefer_server_ciphers on;
	  location / {
		proxy_pass https://192.168.1.2:443;
		proxy_set_header host remote.mydomain.com.au;
	  }
	}

however at the browser I get
Unable to make a secure connection to the server. This may be a problem with the server, or it may be requiring a client authentication certificate that you don't have.
Error code: ERR_SSL_PROTOCOL_ERROR


I suspect that the SSL cert at system 1 is not loading correctly but when I restart nginx it does not seem to have an issue:-
[root@Nginx nginx]# service nginx restart
Redirecting to /bin/systemctl restart  nginx.service
[root@Nginx nginx]#


Any help would be appreciated.
Cheers
Andrew
0
Comment
Question by:Andrew Davis
12 Comments
 
LVL 58

Expert Comment

by:Gary
ID: 40409834
For a start remove SSLv3 - did you miss the big security alert?

Confused by what you mean when I restart nginx it does not seem to have an issue - either there is a problem or there isn't - care to explain more?
0
 
LVL 18

Author Comment

by:Andrew Davis
ID: 40409849
Confused by what you mean when I restart nginx it does not seem to have an issue - either there is a problem or there isn't - care to explain more?

What I mean is that when I started with the HTTP proxy settings, if I made an error in the config file, when I tried to restart nginx it would not start and would tell me that it was unable to start. With the settings as they are, it starts without issue and does not report an error.

I will try your suggestion above.

did you miss the big security alert?
Most probably, as I am by no means a Linux guru, and I now have exactly 2 days' experience with nginx.
I was originally going to use IIS ARR but decided that I wanted something that didn't require me configuring another Windows VM, and figured that as this is set and forget, it is ideal for Linux/nginx :)

Will let you know about the above in a few minutes.

Cheers.
0
 
LVL 58

Expert Comment

by:Gary
ID: 40409853
0
 
LVL 18

Author Comment

by:Andrew Davis
ID: 40409857
Okay, I changed
ssl_protocols SSLv3 TLSv1;
to
ssl_protocols TLSv1;

service nginx restart

No change to issue.

Also note that in the browser (Chrome), at the error page I am not seeing any SSL cert information.

Cheers
Andrew
0
 
LVL 18

Author Comment

by:Andrew Davis
ID: 40409859
Thanks re the SSLv3 alert.
0
 
LVL 58

Expert Comment

by:Gary
ID: 40409861
Are you sure you copied the correct cert and key to the nginx server?
The error suggests it's an invalid cert.

Maybe the .pem is not correctly formatted... if you open it, does it look correct? Maybe there are some formatting issues between Windows and Linux.
0
 
LVL 18

Author Comment

by:Andrew Davis
ID: 40409872
I think you are probably correct. I got the keys from the pfx file, using OpenSSL as per http://www.iborgelt.com/windows-home-server-behind-nginx-reverse-proxy/

but if I look at the files this is the content:-

mydomain.pem
Bag Attributes
    localKeyID: 01 00 00 00 
subject=/serialNumber=s/FilrOFyFEdN0KJbaq92Rkf9nCP5un1/OU=GT63064709/OU=See www.rapidssl.com/resources/cps (c)14/OU=Domain Control Validated - RapidSSL(R)/CN=remote.mydomain.com.au
issuer=/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
-----BEGIN CERTIFICATE-----
MIIFMDCCBBigAwIBAgIDEuYgMA0GCSqGSIb3DQEBBQUAMDwxCzAJBgNVBAYTAlVT
.
I have cut out the cert code for the purposes of pasting to this forum
.
csAJa2IxYfaGBjBYXx5QNdT5ENXDBgazDw7MPquaPPLg1aFz
-----END CERTIFICATE-----
Bag Attributes
    friendlyName: GeoTrust Global CA
subject=/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
issuer=/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
-----BEGIN CERTIFICATE-----
MIIDVDCCAjygAwIBAgIDAjRWMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT
.
I have cut out the cert code for the purposes of pasting to this forum
.
5fEWCRE11azbJHFwLJhWC9kXtNHjUStedejV0NxPNO3CBWaAocvmMw==
-----END CERTIFICATE-----
Bag Attributes: <Empty Attributes>
subject=/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
issuer=/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
-----BEGIN CERTIFICATE-----
MIID1TCCAr2gAwIBAgIDAjbRMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT
.
I have cut out the cert code for the purposes of pasting to this forum
.
LEL2TxyJeN4mTvVvk0wVaydWTQBUbHq3tw==
-----END CERTIFICATE-----

and
mydomain.key
Bag Attributes
    Microsoft Local Key set: <No Values>
    localKeyID: 01 00 00 00 
    friendlyName: lr-2a298745-cf96-47c2-a98a-4047857eba2b
    Microsoft CSP Name: Microsoft Enhanced Cryptographic Provider v1.0
Key Attributes
    X509v3 Key Usage: 10 
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC5kfarVJxxA5h0
.
I have cut out the cert code for the purposes of pasting to this forum
.
CQg4lcOyN5Xbnq/8RStSaZp221/HsEa+nxx1ACcyO9RlcHUtIt+sPiQEwOrrnJqC
uJmS81tOGOWh+uculcv80Yc=
-----END PRIVATE KEY-----

I suspect that everything above the
-----BEGIN
should be removed, but I will wait for your experienced input.

Cheers
0
 
LVL 58

Expert Comment

by:Gary
ID: 40409879
mydomain.pem is not valid, and neither is your key file.

This is what a .pem and key file should look like:
http://ospkibook.sourceforge.net/docs/OSPKI-2.4.7/OSPKI-html/sample-ca-cert.htm
0
 
LVL 58

Assisted Solution

by:Gary
Gary earned 500 total points
ID: 40409883
All this bit
Bag Attributes

is invalid in the file.
0
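A clean-up and check script for the "Bag Attributes" problem Gary points out above and the file listing in Andrew's previous comment; this is an added example, not code from the thread. The awk filters need only a POSIX shell; check_cert_key_match needs OpenSSL, and its file paths are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Cleans PEM files exported with
# `openssl pkcs12` the way mydomain.pem / mydomain.key were: everything
# outside the -----BEGIN/-----END envelopes ("Bag Attributes", subject=,
# issuer=, "Key Attributes") has to go before nginx will load the file.
# Keep only the lines from each -----BEGIN ...----- through -----END ...-----.
#   strip_pem_preamble < raw.pem > clean.pem
strip_pem_preamble() {
    awk '/^-----BEGIN /{keep=1} keep{print} /^-----END /{keep=0}'
}
# Exit 0 if every non-blank line sits inside an envelope (nginx-loadable).
pem_is_clean() {
    awk '/^-----BEGIN /{inblk=1}
         !inblk && NF {bad=1}
         /^-----END /{inblk=0}
         END{exit bad}'
}
# Number of PEM objects on stdin (a cert-plus-chain file should show >1).
count_pem_blocks() {
    grep -c '^-----BEGIN '
}
# Needs OpenSSL. Confirms the cert and key belong together (nginx checks
# this at startup). Prints "match" or "mismatch"; paths are assumptions.
check_cert_key_match() {
    c=$(openssl x509 -noout -modulus -in "$1" | openssl md5)
    k=$(openssl rsa -noout -modulus -in "$2" | openssl md5)
    [ "$c" = "$k" ] && echo match || echo mismatch
}
# Constructed sample in the layout openssl pkcs12 emits; the base64 bodies
# are placeholders, not real certificates.
sample_raw_pem() {
    cat <<'EOF'
Bag Attributes
    localKeyID: 01 00 00 00
subject=/CN=remote.example.test
issuer=/CN=Example CA
-----BEGIN CERTIFICATE-----
QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=
-----END CERTIFICATE-----
Bag Attributes: <Empty Attributes>
subject=/CN=Example CA
issuer=/CN=Example CA
-----BEGIN CERTIFICATE-----
WlhYV1ZVVFNSUVBPTk1MS0pJSEdGRURDQkE=
-----END CERTIFICATE-----
EOF
}
```

Run `strip_pem_preamble` over both the cert bundle and the key file, then `pem_is_clean` on each before pointing ssl_certificate / ssl_certificate_key at them.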
 
LVL 18

Author Comment

by:Andrew Davis
ID: 40409890
That's what I thought, but I never looked in the file that OpenSSL created.

So now I have modified the mydomain.pem file to
-----BEGIN CERTIFICATE-----
MIIFMDCCBBigAwIBAgIDEuYgMA0GCSqGSIb3DQEBBQUAMDwxCzAJBgNVBAYTAlVT
.
Lines removed for forum post
.
TAF7QBIm7s2L0euZl4XxWHmxfjTPqlYqJhFMDzRRV50z1b6j5rtF9aGfabruv0Us
csAJa2IxYfaGBjBYXx5QNdT5ENXDBgazDw7MPquaPPLg1aFz
-----END CERTIFICATE-----

and mydomain.key to
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC5kfarVJxxA5h0
.
Lines removed for forum post
.
CQg4lcOyN5Xbnq/8RStSaZp221/HsEa+nxx1ACcyO9RlcHUtIt+sPiQEwOrrnJqC
uJmS81tOGOWh+uculcv80Yc=
-----END PRIVATE KEY-----

Restarted nginx.
Still the same issue...

Wondering, in CentOS/nginx/OpenSSL, is there a way that I can create self-signed files for testing?

Cheers
0
 
LVL 18

Accepted Solution

by:Andrew Davis
Andrew Davis earned 0 total points
ID: 40410031
Just a quick update: I got it to work with
# HTTPS server
	#
	server {
		listen       443 ssl;
		server_name  remote.mydomain.com.au:443;

		ssl_certificate      /etc/nginx/mydomain.pem;
		ssl_certificate_key  /etc/nginx/mydomain.key;

		ssl_session_cache shared:SSL:1m;
		ssl_session_timeout  5m;

		ssl_ciphers  HIGH:!aNULL:!MD5;
		ssl_prefer_server_ciphers   on;

		location / {
			proxy_pass https://192.168.1.2/;
		}
	}

However, now RPC/HTTPS does not work. This is how our Exchange client talks to the Exchange server.
On trying to connect it asks for username and password, and loops at that.

I am looking into it at the moment, but if you have any ideas that would be great.

Cheers
Andrew
0
 
LVL 18

Author Closing Comment

by:Andrew Davis
ID: 40417988
Thanks for your help and time Gary.

I have split the award between both of us, as you did get me to look at my certs. In the end (after I corrected my cert layout) it turned out that my certs were fine, and once I used the SSL example that comes with nginx it worked fine. Although it now appears that it won't support RPC/HTTP, so I may have to think about moving to something like HAProxy, but that's for another day :)

Cheers
Andrew
0
