nginx reverse proxy ssl IIS

Posted on 2014-10-28
Last Modified: 2014-11-02
System 1
CentOS 7
nginx
IP 192.168.1.101

System 2
SBS2011
192.168.1.2

System 3
CentOS web server

I have created an nginx machine to sit in front of two web servers (IIS and CentOS). Currently I have HTTP sites sitting on both machines, and I have configured the reverse proxy for HTTP without issue.

What I am failing at is getting nginx to reverse proxy to System 2 for the HTTPS for Remote Web Workspace. (I could just direct port 443 at the router to the System 2 machine, as System 3 does not have any HTTPS sites, but it may in the future, so I would like to get this working.)

I have exported the SSL cert from System 2 by following http://www.iborgelt.com/windows-home-server-behind-nginx-reverse-proxy/

Then I created a file on System 1 with: nano /etc/nginx/conf.d/remote-Mydomain-proxySSL.conf
The file contains:
	server {
	  listen 443;
	  server_name remote.mydomain.com.au;
	  ssl on;
	  ssl_certificate /etc/nginx/mydomain.pem;
	  ssl_certificate_key /etc/nginx/mydomain.key;
	  ssl_session_timeout 5m;
	  ssl_protocols SSLv3 TLSv1;
	  ssl_ciphers HIGH:!ADH:!MD5;
	  ssl_prefer_server_ciphers on;
	  location / {
		proxy_pass https://192.168.1.2:443;
		proxy_set_header host remote.mydomain.com.au;
	  }
	}



However, at the browser I get:
Unable to make a secure connection to the server. This may be a problem with the server, or it may be requiring a client authentication certificate that you don't have.
Error code: ERR_SSL_PROTOCOL_ERROR


I suspect that the SSL cert on System 1 is not loading correctly, but when I restart nginx it does not seem to have an issue:
[root@Nginx nginx]# service nginx restart
Redirecting to /bin/systemctl restart  nginx.service
[root@Nginx nginx]#


Any help would be appreciated.
Cheers
Andrew
Question by: Andrew Davis
 
Expert Comment by: Gary
For a start remove SSLv3 - did you miss the big security alert?

Confused by what you mean when I restart nginx it does not seem to have an issue - either there is a problem or there isn't - care to explain more?

Author Comment by: Andrew Davis
Confused by what you mean when I restart nginx it does not seem to have an issue - either there is a problem or there isn't - care to explain more?

What I mean is that when I started with the HTTP proxy settings, if I made an error in the config file, when I tried to restart nginx it would not start and would tell me that it was unable to start. With the settings as they are, it starts without issue and does not report an error.

I will try your suggestion above.

did you miss the big security alert?
Most probably, as I am by no means a Linux guru, and I now have exactly 2 days' experience with nginx.
I was originally going to use IIS ARR but decided that I wanted something that didn't require me configuring another Windows VM, and figured as this is set-and-forget, it is ideal for Linux/nginx :)

Will let you know about the above in a few minutes.

Cheers.

Author Comment by: Andrew Davis
Okay, I changed
ssl_protocols SSLv3 TLSv1;
to
ssl_protocols TLSv1;



service nginx restart

No change to issue.

Also note that in the browser (Chrome), at the error page I am not seeing any SSL cert information.

Cheers
Andrew

Author Comment by: Andrew Davis
Thanks re the SSLv3 alert.

Expert Comment by: Gary
Are you sure you copied the correct cert and key to the nginx server?
The error suggests it's an invalid cert.

Maybe the .pem is not correctly formatted... if you open it, does it look correct? Maybe there are some formatting issues between Windows and Linux.

Author Comment by: Andrew Davis
I think you are probably correct. I got the keys from the pfx file, using OpenSSL as per http://www.iborgelt.com/windows-home-server-behind-nginx-reverse-proxy/

But if I look at the files, this is the content:

mydomain.pem
Bag Attributes
    localKeyID: 01 00 00 00 
subject=/serialNumber=s/FilrOFyFEdN0KJbaq92Rkf9nCP5un1/OU=GT63064709/OU=See www.rapidssl.com/resources/cps (c)14/OU=Domain Control Validated - RapidSSL(R)/CN=remote.mydomain.com.au
issuer=/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
-----BEGIN CERTIFICATE-----
MIIFMDCCBBigAwIBAgIDEuYgMA0GCSqGSIb3DQEBBQUAMDwxCzAJBgNVBAYTAlVT
.
I have cut out the cert code for the purposes of pasting to this forum
.
csAJa2IxYfaGBjBYXx5QNdT5ENXDBgazDw7MPquaPPLg1aFz
-----END CERTIFICATE-----
Bag Attributes
    friendlyName: GeoTrust Global CA
subject=/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
issuer=/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
-----BEGIN CERTIFICATE-----
MIIDVDCCAjygAwIBAgIDAjRWMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT
.
I have cut out the cert code for the purposes of pasting to this forum
.
5fEWCRE11azbJHFwLJhWC9kXtNHjUStedejV0NxPNO3CBWaAocvmMw==
-----END CERTIFICATE-----
Bag Attributes: <Empty Attributes>
subject=/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
issuer=/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
-----BEGIN CERTIFICATE-----
MIID1TCCAr2gAwIBAgIDAjbRMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT
.
I have cut out the cert code for the purposes of pasting to this forum
.
LEL2TxyJeN4mTvVvk0wVaydWTQBUbHq3tw==
-----END CERTIFICATE-----



and
mydomain.key
Bag Attributes
    Microsoft Local Key set: <No Values>
    localKeyID: 01 00 00 00 
    friendlyName: lr-2a298745-cf96-47c2-a98a-4047857eba2b
    Microsoft CSP Name: Microsoft Enhanced Cryptographic Provider v1.0
Key Attributes
    X509v3 Key Usage: 10 
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC5kfarVJxxA5h0
.
I have cut out the cert code for the purposes of pasting to this forum
.
CQg4lcOyN5Xbnq/8RStSaZp221/HsEa+nxx1ACcyO9RlcHUtIt+sPiQEwOrrnJqC
uJmS81tOGOWh+uculcv80Yc=
-----END PRIVATE KEY-----



I suspect that everything above the
-----BEGIN
line should be removed, but I will wait for your experienced input.

Cheers

Expert Comment by: Gary
mydomain.pem is not valid, and neither is your key file.

This is what a .pem and key file should look like:
http://ospkibook.sourceforge.net/docs/OSPKI-2.4.7/OSPKI-html/sample-ca-cert.htm

Assisted Solution by: Gary (Gary earned 500 total points)
All this bit
Bag Attributes

is invalid in the file.

Author Comment by: Andrew Davis
That's what I thought, but I never looked in the file that OpenSSL created.

So now I have modified the mydomain.pem file to:
-----BEGIN CERTIFICATE-----
MIIFMDCCBBigAwIBAgIDEuYgMA0GCSqGSIb3DQEBBQUAMDwxCzAJBgNVBAYTAlVT
.
Lines removed for forum post
.
TAF7QBIm7s2L0euZl4XxWHmxfjTPqlYqJhFMDzRRV50z1b6j5rtF9aGfabruv0Us
csAJa2IxYfaGBjBYXx5QNdT5ENXDBgazDw7MPquaPPLg1aFz
-----END CERTIFICATE-----



and mydomain.key to:
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC5kfarVJxxA5h0
.
Lines removed for forum post
.
CQg4lcOyN5Xbnq/8RStSaZp221/HsEa+nxx1ACcyO9RlcHUtIt+sPiQEwOrrnJqC
uJmS81tOGOWh+uculcv80Yc=
-----END PRIVATE KEY-----



Restarted nginx.
Still the same issue...

Wondering, in CentOS/nginx/OpenSSL, is there a way that I can create self-signed files for testing?

Cheers
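An added example, not code from the thread or from the blog post Andrew followed, covering two points raised above: it makes a self-signed certificate and key for testing, round-trips them through a PFX the way an SBS export would, shows the "Bag Attributes" preamble that `openssl pkcs12` writes into its output, re-emits clean PEM with `openssl x509` and `openssl pkey`, and then does the check that actually catches a wrong export, comparing the public-key fingerprint in the certificate with the one derived from the private key. Everything is generated in a temporary directory; the CN is the host name from the thread, and the export password and file names are placeholders. One caveat worth knowing: OpenSSL's PEM reader, and therefore nginx, skips any text before the first `-----BEGIN` line, so the preamble on its own does not make a file unloadable, which fits the closing comment that the certs turned out to be fine once the config was changed. The cleaned files are still the right thing to install, and the key match is the test to run before touching nginx.

```shell
#!/bin/sh
# Added example (not from the thread): self-signed test cert -> PFX -> raw
# `openssl pkcs12` output with "Bag Attributes" -> clean PEM, plus a key/cert
# match check. File names, CN and the export password are placeholders.
set -e

WORKDIR=$(mktemp -d)
PFX_PASS=changeit              # assumed export password (SBS prompts for one)
CN=remote.mydomain.com.au      # host name from the thread; any name works for a test

# 1. Self-signed certificate and key for testing (no CA involved).
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$CN" \
        -keyout "$WORKDIR/test.key" -out "$WORKDIR/test.crt" 2>/dev/null
}

# 2. Pack them into a PKCS#12 file, which is what a Windows/SBS export produces.
make_pfx() {
    openssl pkcs12 -export -inkey "$WORKDIR/test.key" -in "$WORKDIR/test.crt" \
        -passout "pass:$PFX_PASS" -out "$WORKDIR/test.pfx"
}

# 3. Raw extraction as in the blog recipe. These files carry the
#    "Bag Attributes" / subject= / issuer= preamble seen in the thread.
extract_raw() {
    openssl pkcs12 -in "$WORKDIR/test.pfx" -passin "pass:$PFX_PASS" \
        -nokeys -clcerts -out "$WORKDIR/raw-cert.pem"
    openssl pkcs12 -in "$WORKDIR/test.pfx" -passin "pass:$PFX_PASS" \
        -nocerts -nodes -out "$WORKDIR/raw-key.pem"
}

# 4. Re-emit only the PEM blocks. OpenSSL's PEM reader skips everything before
#    the first -----BEGIN line, so this is how the preamble is dropped.
normalise() {
    openssl x509 -in "$WORKDIR/raw-cert.pem" -out "$WORKDIR/mydomain.pem"
    openssl pkey -in "$WORKDIR/raw-key.pem" -out "$WORKDIR/mydomain.key"
    chmod 600 "$WORKDIR/mydomain.key"   # private key: owner-readable only
}

# Number of "Bag Attributes" lines in a file (0 when clean).
count_bag_lines() {
    grep -c '^Bag Attributes' "$1" || true
}

# 5. The check that catches a wrong export: SHA-256 of the SubjectPublicKeyInfo
#    taken from the certificate must equal the one derived from the private key.
pubkey_fp_from_cert() {
    openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256
}
pubkey_fp_from_key() {
    openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256
}
key_matches_cert() {
    [ "$(pubkey_fp_from_cert "$1")" = "$(pubkey_fp_from_key "$2")" ]
}

# Negative control: an unrelated key must be rejected by the check above.
make_other_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORKDIR/other.key" 2>/dev/null
}

run_demo() {
    make_selfsigned; make_pfx; extract_raw; normalise; make_other_key
    echo "Bag Attributes lines, raw cert:     $(count_bag_lines "$WORKDIR/raw-cert.pem")"
    echo "Bag Attributes lines, cleaned cert: $(count_bag_lines "$WORKDIR/mydomain.pem")"
    if key_matches_cert "$WORKDIR/mydomain.pem" "$WORKDIR/mydomain.key"; then
        echo "mydomain.key matches mydomain.pem"
    fi
    if ! key_matches_cert "$WORKDIR/mydomain.pem" "$WORKDIR/other.key"; then
        echo "other.key rejected, as it should be"
    fi
    echo "cleaned files are in $WORKDIR"
}
run_demo
```

Run it with sh on the nginx host. For the real certificate, point the `extract_raw` commands at the exported .pfx, copy the cleaned mydomain.pem and mydomain.key into /etc/nginx, and run `nginx -t` before restarting: nginx loads the certificate and key at config-test time, so a file it cannot parse or a key that does not match fails there with a readable error. From a client, `openssl s_client -connect 192.168.1.101:443 -servername remote.mydomain.com.au` shows which certificate the proxy is actually serving. If the RapidSSL CA intermediate should be sent as well, append its PEM block after the leaf certificate in mydomain.pem (leaf first, then the intermediate; the GeoTrust Global CA root is not needed in the file).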
 
Accepted Solution by: Andrew Davis
Just a quick update: I got it to work with
# HTTPS server
	#
	server {
		listen       443 ssl;
		# server_name must be a bare host name: nginx strips the port from the
		# Host header before matching, so "remote.mydomain.com.au:443" never matches
		# and the block only worked because it was the sole server on port 443.
		server_name  remote.mydomain.com.au;

		ssl_certificate      /etc/nginx/mydomain.pem;
		ssl_certificate_key  /etc/nginx/mydomain.key;

		ssl_session_cache shared:SSL:1m;
		ssl_session_timeout  5m;

		# Per Gary's earlier point: do not leave SSLv3 in the allowed protocols.
		ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
		ssl_ciphers  HIGH:!aNULL:!MD5;
		ssl_prefer_server_ciphers   on;

		location / {
			proxy_pass https://192.168.1.2/;
		}
	}



However, now RPC/HTTPS does not work. This is how our Exchange client talks to the Exchange server.
On trying to connect it asks for username and password, and loops at that.

I am looking into it at the moment, but if you have any ideas that would be great.

Cheers
Andrew

Author Closing Comment by: Andrew Davis
Thanks for your help and time Gary.

I have split the award between both of us, as you did get me to look at my certs. In the end (after I corrected my cert layout) it turned out that my certs were fine, and once I used the SSL example that comes with nginx it worked fine. Although it now appears that it won't support RPC/HTTP, so I may have to think about moving to something like HAProxy, but that's for another day :)

Cheers
Andrew