nginx reverse proxy ssl IIS

system 1
Centos 7
nginx
IP 192.168.1.101

System 2
SBS2011
192.168.1.2

System 3
Centos Web server

I have created an nginx machine to sit in front of two web servers (IIS and CentOS). Currently I have HTTP sites sitting on both machines, and I have configured reverse proxy for the HTTP without issue.

What I am failing at is getting the nginx to reverse proxy to system 2 for the https for remote web workspace. (I could just direct port 443 at the router to the system 2 machine, as System 3 does not have any https sites, but it may in the future, so would like to get this working).

I have exported the SSL cert from System2 by following http://www.iborgelt.com/windows-home-server-behind-nginx-reverse-proxy/

Then I created a file on system 1 with: nano /etc/nginx/conf.d/remote-Mydomain-proxySSL.conf
The file contains:
	server {
	  listen 443;
	  server_name remote.mydomain.com.au;
	  ssl on;
	  ssl_certificate /etc/nginx/mydomain.pem;
	  ssl_certificate_key /etc/nginx/mydomain.key;
	  ssl_session_timeout 5m;
	  ssl_protocols SSLv3 TLSv1;
	  ssl_ciphers HIGH:!ADH:!MD5;
	  ssl_prefer_server_ciphers on;
	  location / {
		proxy_pass https://192.168.1.2:443;
		proxy_set_header host remote.mydomain.com.au;
	  }
	}



However, at the browser I get:
Unable to make a secure connection to the server. This may be a problem with the server, or it may be requiring a client authentication certificate that you don't have.
Error code: ERR_SSL_PROTOCOL_ERROR


I suspect that the SSL cert at system 1 is not loading correctly, but when I restart nginx it does not seem to have an issue:
[root@Nginx nginx]# service nginx restart
Redirecting to /bin/systemctl restart  nginx.service
[root@Nginx nginx]#


Any help would be appreciated.
Cheers
Andrew
Andrew Davis (Manager) asked:
Gary commented:
For a start remove SSLv3 - did you miss the big security alert?

Confused by what you mean when I restart nginx it does not seem to have an issue - either there is a problem or there isn't - care to explain more?
Andrew Davis (Manager, author) commented:
Confused by what you mean when I restart nginx it does not seem to have an issue - either there is a problem or there isn't - care to explain more?

What I mean is that when I started with HTTP proxy settings, if I made an error in the config file, when I tried to restart nginx it would not start and would tell me that it was unable to start. With the settings as they are, it starts without issue. It does not report an error.

I will try your suggestion above.

did you miss the big security alert?
Most probably, as I am by no means a Linux guru, and I now have exactly 2 days' experience with nginx.
I was originally going to use IIS ARR but decided that I wanted something that didn't require me configuring another Windows VM, and figured as this is set and forget, it is ideal for Linux/nginx :)

Will let you know about the above in a few minutes.

Cheers.

Andrew Davis (Manager, author) commented:
Okay, I changed
ssl_protocols SSLv3 TLSv1;
to
ssl_protocols TLSv1;



service nginx restart

No change to issue.

Also note that in the browser (Chrome) at the error page I am not seeing any SSL cert information.

Cheers
Andrew
Andrew Davis (Manager, author) commented:
Thanks re the SSLv3 alert.
Gary commented:
Are you sure you copied the correct cert and key to the nginx server?
The error suggests it's an invalid cert.

Maybe the .pem is not correctly formatted... if you open it, does it look correct? Maybe there are some formatting issues between Windows and Linux.
Andrew Davis (Manager, author) commented:
I think you are probably correct. I got the keys from the pfx file, using OpenSSL as per http://www.iborgelt.com/windows-home-server-behind-nginx-reverse-proxy/

But if I look at the files, this is the content:

mydomain.pem
Bag Attributes
    localKeyID: 01 00 00 00 
subject=/serialNumber=s/FilrOFyFEdN0KJbaq92Rkf9nCP5un1/OU=GT63064709/OU=See www.rapidssl.com/resources/cps (c)14/OU=Domain Control Validated - RapidSSL(R)/CN=remote.mydomain.com.au
issuer=/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
-----BEGIN CERTIFICATE-----
MIIFMDCCBBigAwIBAgIDEuYgMA0GCSqGSIb3DQEBBQUAMDwxCzAJBgNVBAYTAlVT
.
I have cut out the cert code for the purposes of pasting to this forum
.
csAJa2IxYfaGBjBYXx5QNdT5ENXDBgazDw7MPquaPPLg1aFz
-----END CERTIFICATE-----
Bag Attributes
    friendlyName: GeoTrust Global CA
subject=/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
issuer=/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
-----BEGIN CERTIFICATE-----
MIIDVDCCAjygAwIBAgIDAjRWMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT
.
I have cut out the cert code for the purposes of pasting to this forum
.
5fEWCRE11azbJHFwLJhWC9kXtNHjUStedejV0NxPNO3CBWaAocvmMw==
-----END CERTIFICATE-----
Bag Attributes: <Empty Attributes>
subject=/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
issuer=/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
-----BEGIN CERTIFICATE-----
MIID1TCCAr2gAwIBAgIDAjbRMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT
.
I have cut out the cert code for the purposes of pasting to this forum
.
LEL2TxyJeN4mTvVvk0wVaydWTQBUbHq3tw==
-----END CERTIFICATE-----



and
mydomain.key
Bag Attributes
    Microsoft Local Key set: <No Values>
    localKeyID: 01 00 00 00 
    friendlyName: lr-2a298745-cf96-47c2-a98a-4047857eba2b
    Microsoft CSP Name: Microsoft Enhanced Cryptographic Provider v1.0
Key Attributes
    X509v3 Key Usage: 10 
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC5kfarVJxxA5h0
.
I have cut out the cert code for the purposes of pasting to this forum
.
CQg4lcOyN5Xbnq/8RStSaZp221/HsEa+nxx1ACcyO9RlcHUtIt+sPiQEwOrrnJqC
uJmS81tOGOWh+uculcv80Yc=
-----END PRIVATE KEY-----



I suspect that everything above the
-----BEGIN
should be removed, but I will wait for your experienced input.

Cheers
Gary commented:
mydomain.pem is not valid and neither is your key file.

This is what a .pem and key file should look like
http://ospkibook.sourceforge.net/docs/OSPKI-2.4.7/OSPKI-html/sample-ca-cert.htm
Gary commented:
All this bit:
Bag Attributes

is invalid in the file.
Andrew Davis (Manager, author) commented:
That's what I thought, but I never looked in the file that OpenSSL created.

So now I have modified the mydomain.pem file to
-----BEGIN CERTIFICATE-----
MIIFMDCCBBigAwIBAgIDEuYgMA0GCSqGSIb3DQEBBQUAMDwxCzAJBgNVBAYTAlVT
.
Lines removed for forum post
.
TAF7QBIm7s2L0euZl4XxWHmxfjTPqlYqJhFMDzRRV50z1b6j5rtF9aGfabruv0Us
csAJa2IxYfaGBjBYXx5QNdT5ENXDBgazDw7MPquaPPLg1aFz
-----END CERTIFICATE-----



and mydomain.key to
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC5kfarVJxxA5h0
.
Lines removed for forum post
.
CQg4lcOyN5Xbnq/8RStSaZp221/HsEa+nxx1ACcyO9RlcHUtIt+sPiQEwOrrnJqC
uJmS81tOGOWh+uculcv80Yc=
-----END PRIVATE KEY-----



Restarted nginx.
Still the same issue...

Wondering, in CentOS/nginx/OpenSSL, is there a way that I can create self-signed files for testing?

Cheers
Andrew Davis (Manager, author) commented:
Just a quick update: I got it to work with
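Two things come up in the thread just above: Gary's point that the "Bag Attributes" preamble from the PKCS#12 export does not belong in the files nginx reads, and Andrew's question about making self-signed certificates for testing. The script below is an added example, not code from the thread or from nginx/OpenSSL documentation: it strips the preamble so only the PEM blocks remain, generates a throwaway self-signed pair with the openssl CLI, and checks that a certificate and private key actually belong together before nginx is pointed at them. File names, the hostname test.example.invalid and the temporary directory are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example, not from the thread: tidy a PEM export produced by
# `openssl pkcs12 -in export.pfx ...`, create a self-signed pair for testing,
# and confirm that a certificate and key belong together before pointing
# nginx at them. File names, the CN and the work directory are placeholders.
set -e

# Keep only the lines from "-----BEGIN ..." to "-----END ..." inclusive.
# Everything else ("Bag Attributes", "subject=", "Key Attributes", ...) is
# the PKCS#12 preamble that `openssl pkcs12` prints around each object.
keep_pem_blocks() {
    awk '/^-----BEGIN /{p=1} p{print} /^-----END /{p=0}' "$1"
}

# Number of PEM objects in a file (a server .pem with its chain has several).
count_pem_blocks() {
    awk '/^-----BEGIN /{n++} END{print n+0}' "$1"
}

# Self-signed test pair: $1 = hostname, $2 = output prefix -> $2.key, $2.pem.
# -addext needs OpenSSL 1.1.1 or newer; browsers expect a SAN, not just a CN.
make_test_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -sha256 \
        -subj "/CN=$1" -addext "subjectAltName=DNS:$1" \
        -keyout "$2.key" -out "$2.pem" 2>/dev/null
}

# True when the public key inside the certificate ($1) equals the public key
# derived from the private key ($2). A mismatched pair is a classic cause of
# a listener that starts cleanly but cannot complete a TLS handshake.
pair_matches() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Walk-through on constructed files in a temp dir (run: sh this.sh --demo).
demo() {
    d=$(mktemp -d)
    make_test_pair test.example.invalid "$d/raw"
    # Reproduce the messy export: a Bag Attributes preamble around the cert.
    {
        echo "Bag Attributes"
        echo "    localKeyID: 01 00 00 00"
        echo "subject=/CN=test.example.invalid"
        cat "$d/raw.pem"
    } > "$d/export.pem"
    keep_pem_blocks "$d/export.pem" > "$d/clean.pem"
    echo "blocks in clean.pem: $(count_pem_blocks "$d/clean.pem")"
    pair_matches "$d/clean.pem" "$d/raw.key" && echo "cert and key match"
    # Dry-run the nginx config before restarting; this also reports a
    # certificate or key file that nginx cannot load.
    command -v nginx >/dev/null 2>&1 && nginx -t
    rm -rf "$d"
}

[ "${1-}" = "--demo" ] && demo || true
```

Run it with `sh pemcheck.sh --demo` on the nginx host. For a real export, apply `keep_pem_blocks` to both the certificate and the key file, then `pair_matches` on the results; `nginx -t` is the quick way to learn whether nginx accepts the files without bouncing the service, which is what the "restart shows no error" observation earlier in the thread was trying to establish.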
# HTTPS server
	#
	server {
		listen       443 ssl;
		server_name  remote.mydomain.com.au:443;

		ssl_certificate      /etc/nginx/mydomain.pem;
		ssl_certificate_key  /etc/nginx/mydomain.key;

		ssl_session_cache shared:SSL:1m;
		ssl_session_timeout  5m;

		ssl_ciphers  HIGH:!aNULL:!MD5;
		ssl_prefer_server_ciphers   on;

		location / {
			proxy_pass https://192.168.1.2/;
		}
	}



However, now RPC/HTTPS does not work. This is how our Exchange client talks to the Exchange server.
On trying to connect it asks for username and password, and loops at that.

I am looking into it at the moment, but if you have any ideas that would be great.

Cheers
Andrew
Andrew Davis (Manager, author) commented:
Thanks for your help and time Gary.

I have split the award between both of us, as you did get me to look at my certs. In the end (after I corrected my cert layout) it turned out that my certs were fine, and once I used the SSL example that comes with nginx it worked fine. Although it now appears that it won't support RPC/HTTP, so I may have to think about moving to something like HAProxy, but that's for another day :)

Cheers
Andrew