<div>
CSRF failure means you are most probably losing a cookie. 
You will get a cookie during initial connection, if that cookie gets lost then the session will be disconnected. 
The CSRF check is to prevent session hijacking. 
(It might also happen when your source IP changes or some other checks fail, of if there are multiple servers that don;t share a database with issued cookies.). 
Before logon you just get a new cookie to show afterwards, once logged on the cookie must be there.
</div>

<div>
Thanks for the info about the cookie. That makes sense because I am seeing the same behavior on other servers after login. Do you know what I need to do to get that cookie to pass through the proxy? Login works fine locally so I know the servers are functioning fine. 
 
Thanks again for the help. 
 
Stuart
</div>

<div>
Both servers need to have the same session info to check the cookie. So the App needs to support that part. 
HTTP is stateless in and of itself. So every request is on it's own. When a server receives the packet (including cookies) the web app can stitch all request together. To prevent session hijacking CSRF cookies can be used, in that case ALL backends need to be able to validate all requests. 
 
Maybe you should look at haproxy as reverse proxy, that proxy can ensure that if you start with server 1, that you session continues to go to server 1... and doesn't swap per &nbsp;request.
</div>

<div>
@noci, So I feel I have messed with this long enough with nginx although I am sure its totally possible my time is probably better sent in HAProxy 
 
I have installed HAProxy on an Ubuntu server VM and I'm attempting to configure it. 
 
It seems that most information I find about configuration of HAProxy seems to be with load balancing. And I'm a totally newb so that doesn't really make it easy for me. 
 
I have 4 servers that need to be accessed via port 443 we'll call them servers1-4 
 
Here is my attempt at a working configuration. The top portion is from the default config file from HAProxy 

<pre><code class="code-10 nolinks" id="code-20-42770129-1">global
 log /dev/log local0
 log /dev/log local1 notice
 chroot /var/lib/haproxy
 stats socket /run/haproxy/admin.sock mode 660 level admin
 stats timeout 30s
 user haproxy
 group haproxy
 daemon

 # Default SSL material locations
 ca-base /etc/ssl/certs
 crt-base /etc/ssl/private

 # Default ciphers to use on SSL-enabled listening sockets.
 # For more information, see ciphers(1SSL). This list is from:
 # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
 ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES25$
 ssl-default-bind-options no-sslv3

defaults
 log global
 mode http
 option httplog
 option dontlognull
 timeout connect 5000
 timeout client 50000
 timeout server 50000
 errorfile 400 /etc/haproxy/errors/400.http
 errorfile 403 /etc/haproxy/errors/403.http
 errorfile 408 /etc/haproxy/errors/408.http
 errorfile 500 /etc/haproxy/errors/500.http
 errorfile 502 /etc/haproxy/errors/502.http
 errorfile 503 /etc/haproxy/errors/503.http
 errorfile 504 /etc/haproxy/errors/504.http

frontend localhost
 mode http
 use_backend server1 if { hdr(host) -i subdomain1.domain.com }
 use_backend server2 if { hdr(host) -i subdomain2.domain.com }
 use_backend server3 if { hdr(host) -i subdomain3.domain.com}
 use_backend server4 if { hdr(host) -i subdomain4.domain.com }

backend server1
 server server1 192.168.1.100

backend server2
 server server2 192.168.1.101

backend server3
 server server3 192.168.1.102

backend server4
 server server4 192.168.1.103
</code></pre>
 
If you could help me I would be very grateful. 
 
Thanks, 
Stuart
</div>

<div>
This should be workable... 
 
after you add the TLS / SSL stuff: &nbsp; 
 
In options: 

<pre><code class="code-1 nolinks" id="code-20-42770473-1"> ssl-default-bind-options ssl-min-ver TLSv1.0 ssl-max-ver TLSv1.3 no-tls-tickets
 ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS:!kRSA:!3DES
 ssl-default-server-options no-sslv3 no-tls-tickets ssl-min-ver TLSv1.0 ssl-max-ver TLSv1.3
 ssl-default-server-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS:!eNULL:!DES:!3DES
 tune.ssl.default-dh-param 2048
</code></pre>
 
(You may need to upgrade the minimal TLS version to 1.2 in the near future.) 
 
The frontend needs to listen to port 443... 
 

<pre><code class="code-1 nolinks" id="code-20-42770473-2">frontend myfront
 bind :443 ssl crt /etc/haproxy/crt/ alpn h2,http/1.1
 #bind :::443 v4v6 ssl crt /etc/haproxy/crt/ alpn h2,http/1.1 if IPv6 is involved....
 log global
 mode http
 option forwardfor
</code></pre>
 
All certificates needed can be put into a directory named /etc/haproxy/crt/ and maybe remove the &quot;alpn&quot; as that requires some more work to get fingerprints from the certificates. 
Then there is the question how to access the actual servers.... 
if those use http your method is fine 
if the use https then you may need: 
 

<pre><code class="code-1 nolinks" id="code-20-42770473-3">server server1 192.168.1.100:443 ssl verify none
</code></pre>
The &quot;&nbsp;verify none &quot;&nbsp;can be skipped if there is a valid, verifyable certificate on the backend.
</div>

<div>
You could add this entry to redirect all http calls to https using somthing like: 

<pre><code class="code-1 nolinks" id="code-20-42770490-1">listen http-to-https
 bind *:80 v4v6
 mode http
 redirect scheme https code 301 #if !{ ssl_fc }
</code></pre>
 
remove the v4v6 if no IPv6 is used.
</div>

<div>
Thanks so much for all the hlep just to clearify can I put the above config in any place in haproxy.cfg or does it need to go in specific sections? 
 
It seems that 2 of the above sections are listed clearly but the other two aren't. I'll just repost and see what you think. 
 
And are there any dependancies I need to install? I dont seem to be able to start haproxy via systemctl start haproxy. 
 

<pre><code class="code-10 nolinks" id="code-20-42770690-1">global
 log /dev/log local0
 log /dev/log local1 notice
 chroot /var/lib/haproxy
 stats socket /run/haproxy/admin.sock mode 660 level admin
 stats timeout 30s
 user haproxy
 group haproxy
 daemon

 # Default SSL material locations
 ca-base /etc/ssl/certs
 crt-base /etc/ssl/private

 # Default ciphers to use on SSL-enabled listening sockets.
 # For more information, see ciphers(1SSL). This list is from:
 # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
 ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES12$
 ssl-default-bind-options no-sslv3
 ssl-default-bind-options ssl-min-ver TLSv1.0 ssl-max-ver TLSv1.3 no-tls-tickets
 ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1$
 ssl-default-server-options no-sslv3 no-tls-tickets ssl-min-ver TLSv1.0 ssl-max$
 ssl-default-server-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES$
 tune.ssl.default-dh-param 2048

defaults
 log global
 mode http
 option httplog
 option dontlognull
 timeout connect 5000
 timeout client 50000
 timeout server 50000
 errorfile 400 /etc/haproxy/errors/400.http
 errorfile 403 /etc/haproxy/errors/403.http
 errorfile 408 /etc/haproxy/errors/408.http
 errorfile 500 /etc/haproxy/errors/500.http
 errorfile 502 /etc/haproxy/errors/502.http
 errorfile 503 /etc/haproxy/errors/503.http
 errorfile 504 /etc/haproxy/errors/504.http

frontend myfront
 bind :443 ssl crt /etc/haproxy/crt/ alpn h2,http/1.1
 #bind :::443 v4v6 ssl crt /etc/haproxy/crt/ alpn h2,http/1.1 if IPv6 is invo$
 log global
 mode http
 option forwardfor

frontend localhost
 mode http
 use_backend server1 if { hdr(host) -i subdomain1.domain.com }
 use_backend server14 if { hdr(host) -i subdomain2.domain.com }
 use_backend server3 if { hdr(host) -i subdomain3.domain.com}
 use_backend server4 if { hdr(host) -i subdomain4.domain.com }

backend server1
 server server1 192.168.1.100:443

backend server2
 server server2 192.168.1.101:443

backend server3
 server server3 192.168.1.102:443

backend server4
 server server4 192.168.1.103:443
</code></pre>
</div>

<div>
In specific I get this. 

<pre><code class="code-1 nolinks" id="code-20-42770694-1">Job for haproxy.service failed because the control process exited with error code.
See &quot;systemctl status haproxy.service&quot; and &quot;journalctl -xe&quot; for details.
</code></pre>
 

<pre><code class="code-10 nolinks" id="code-20-42770694-2">@haproxy:/etc/haproxy$ systemctl status haproxy.service
● haproxy.service - HAProxy Load Balancer
 Loaded: loaded (/lib/systemd/system/haproxy.service; enabled; vendor preset: enab
 Active: failed (Result: exit-code) since Tue 2019-01-08 18:47:44 UTC; 52s ago
 Docs: man:haproxy(1)
 file:/usr/share/doc/haproxy/configuration.txt.gz
 Process: 9007 ExecStartPre=/usr/sbin/haproxy -f $CONFIG -c -q $EXTRAOPTS (code=exi
 Main PID: 7117 (code=exited, status=143)

Jan 08 18:47:44 haproxy systemd[1]: haproxy.service: Control process exited, code=ex
Jan 08 18:47:44 haproxy systemd[1]: haproxy.service: Failed with result 'exit-code'.
Jan 08 18:47:44 haproxy systemd[1]: Failed to start HAProxy Load Balancer.
Jan 08 18:47:44 haproxy systemd[1]: haproxy.service: Service hold-off time over, sch
Jan 08 18:47:44 haproxy systemd[1]: haproxy.service: Scheduled restart job, restart
Jan 08 18:47:44 haproxy systemd[1]: Stopped HAProxy Load Balancer.
Jan 08 18:47:44 haproxy systemd[1]: haproxy.service: Start request repeated too quic
Jan 08 18:47:44 haproxy systemd[1]: haproxy.service: Failed with result 'exit-code'.
Jan 08 18:47:44 haproxy systemd[1]: Failed to start HAProxy Load Balancer.
</code></pre>
 

<pre><code class="code-10 nolinks" id="code-20-42770694-3">-- Subject: Unit haproxy.service has finished shutting down
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- Unit haproxy.service has finished shutting down.
Jan 08 18:50:03 haproxy systemd[1]: Starting HAProxy Load Balancer...
-- Subject: Unit haproxy.service has begun start-up
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- Unit haproxy.service has begun starting up.
Jan 08 18:50:03 haproxy haproxy[9130]: [ALERT] 007/185003 (9130) : parsing [/etc/hap
Jan 08 18:50:03 haproxy haproxy[9130]: [ALERT] 007/185003 (9130) : parsing [/etc/hap
Jan 08 18:50:03 haproxy haproxy[9130]: [ALERT] 007/185003 (9130) : Error(s) found in
Jan 08 18:50:03 haproxy haproxy[9130]: [ALERT] 007/185003 (9130) : Fatal errors foun
Jan 08 18:50:03 haproxy systemd[1]: haproxy.service: Control process exited, code=ex
Jan 08 18:50:03 haproxy systemd[1]: haproxy.service: Failed with result 'exit-code'.
Jan 08 18:50:03 haproxy systemd[1]: Failed to start HAProxy Load Balancer.
-- Subject: Unit haproxy.service has failed
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- Unit haproxy.service has failed.
--
-- The result is RESULT.
Jan 08 18:50:04 haproxy systemd[1]: haproxy.service: Service hold-off time over, sch
Jan 08 18:50:04 haproxy systemd[1]: haproxy.service: Scheduled restart job, restart
-- Subject: Automatic restarting of a unit has been scheduled
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- Automatic restarting of the unit haproxy.service has been scheduled, as the resul
-- the configured Restart= setting for the unit.
Jan 08 18:50:04 haproxy systemd[1]: Stopped HAProxy Load Balancer.
-- Subject: Unit haproxy.service has finished shutting down
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- Unit haproxy.service has finished shutting down.
Jan 08 18:50:04 haproxy systemd[1]: haproxy.service: Start request repeated too quic
Jan 08 18:50:04 haproxy systemd[1]: haproxy.service: Failed with result 'exit-code'.
Jan 08 18:50:04 haproxy systemd[1]: Failed to start HAProxy Load Balancer.
-- Subject: Unit haproxy.service has failed
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- Unit haproxy.service has failed.
--
-- The result is RESULT.
</code></pre>
</div>

<div>
to connect to an https port (443) the server line should contain ssl 
 
The line for server2 (use_backend)... &nbsp;server14... 
 
Try to avoid using names for multiple purposes, use meaning full names. 
 
frontend fe_ssl &nbsp; &nbsp; &nbsp; &nbsp;# the SSL frontend. 
&nbsp;backend be_domain1 &nbsp; &nbsp; &nbsp;# because you disect on domains... 
&nbsp;server &nbsp;se_server1 ... &nbsp; &nbsp; # clear this is a server.
</div>

<div>
Yeah 14 was a typo. I have been renaming everything for privacy reasons. So in the end I will have everything named to make sense. 
 
Do you mean &quot;ssl verify none&quot;
</div>

<div>
just ssl, the verify none will prevent verifying the ssl certificates on a server (allowing to use selfsigned certificates).
</div>

<div>
<pre><code class="code-10 nolinks" id="code-20-42770760-1">frontend myfront
 bind :443 ssl crt /etc/haproxy/crt/ alpn h2,http/1.1
 #bind :::443 v4v6 ssl crt /etc/haproxy/crt/ alpn h2,http/1.1 if IPv6 is invo$
 log global
 mode http
 option forwardfor

frontend localhost
 mode http
 use_backend lpr1 if { hdr(host) -i lpr1.domain.com }
 use_backend lpr14 if { hdr(host) -i lpr14.domain.com }
 use_backend avigilon if { hdr(host) -i avigilon.domain.com }
 use_backend hassio if { hdr(host) -i hass.domain.com }

backend lpr1
 server lpr1 192.168.1.83:443 ssl

backend lpr14
 server lpr14 192.168.1.114:443 ssl

backend avigilon
 server avigilon 192.168.1.197:443 ssl

backend hassio
 server hassio 192.168.20.8:443 ssl
</code></pre>
 
Is this correct because haproxy still wont start.
</div>

<div>
try to use be_lpr1 &nbsp;for all backend references and se_lpr1 for the server line.... 
So to make the above look better... (also in logging below will show better is a backend lpr1 is in volved or a server lpr1.) 

<pre><code class="code-10 nolinks" id="code-20-42770774-1">frontend myfront
 bind :443 ssl crt /etc/haproxy/crt/ h2,http/1.1
 #bind :::443 v4v6 ssl crt /etc/haproxy/crt/ h2,http/1.1 ## if IPv6 is involved, without IPv4 you can drop this line.
 log global
 mode http
 option forwardfor
 use_backend be_lpr1 if { hdr(host) -i lpr1.domain.com }
 use_backend be_lpr14 if { hdr(host) -i lpr14.domain.com }
 use_backend be_avigilon if { hdr(host) -i avigilon.domain.com }
 use_backend be_hassio if { hdr(host) -i hass.domain.com }

backend be_lpr1
 server se_lpr1 192.168.1.83:443 ssl

backend be_lpr14
 server se_lpr14 192.168.1.114:443 ssl

backend be_avigilon
 server se_avigilon 192.168.1.197:443 ssl

backend be_hassio
 server se_hassio 192.168.20.8:443 ssl
</code></pre>
 
The alpn is optional and requires more setup outside of haproxy. (so drop it for now). 
please provide the error messages if anything fails those do help explaining what is happening (or rather why it isn;t happening).
</div>

<div>
Oh ok I understand now that makes sense. 
 

<pre><code class="code-10 nolinks" id="code-20-42770786-1">frontend localhost
 mode http
 use_backend be_lpr1 if { hdr(host) -i lpr1.domain.com }
 use_backend be_lpr14 if { hdr(host) -i lpr14.domain.com }
 use_backend be_avigilon if { hdr(host) -i avigilon.domain.com }
 use_backend be_hassio if { hdr(host) -i hass.domain.com }

backend be_lpr1
 server se_lpr1 192.168.1.83:443 ssl

backend be_lpr14
 server se_lpr14 192.168.1.114:443 ssl

backend be_avigilon
 server se_avigilon 192.168.1.197:443 ssl

backend be_hassio
 server se_hassio 192.168.20.8:443 ssl
</code></pre>
 
I know that may be exactly what you put above but just want to verify its right.
</div>

<div>
I'm still unable to start it though.
</div>

<div>
<pre><code class="code-10 nolinks" id="code-20-42770796-1">beatified@haproxy:/etc/haproxy$ systemctl start haproxy
==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ===
Authentication is required to start 'haproxy.service'.
Authenticating as: Stuart (beatified)
Password:
==== AUTHENTICATION COMPLETE ===
Job for haproxy.service failed because the control process exited with error code.
See &quot;systemctl status haproxy.service&quot; and &quot;journalctl -xe&quot; for details.
beatified@haproxy:/etc/haproxy$ systemctl status haproxy.service
● haproxy.service - HAProxy Load Balancer
 Loaded: loaded (/lib/systemd/system/haproxy.service; enabled; vendor preset: enab
 Active: failed (Result: exit-code) since Tue 2019-01-08 20:23:51 UTC; 2min 41s ag
 Docs: man:haproxy(1)
 file:/usr/share/doc/haproxy/configuration.txt.gz
 Process: 1728 ExecStartPre=/usr/sbin/haproxy -f $CONFIG -c -q $EXTRAOPTS (code=exi

Jan 08 20:23:50 haproxy systemd[1]: haproxy.service: Control process exited, code=ex
Jan 08 20:23:50 haproxy systemd[1]: haproxy.service: Failed with result 'exit-code'.
Jan 08 20:23:50 haproxy systemd[1]: Failed to start HAProxy Load Balancer.
Jan 08 20:23:51 haproxy systemd[1]: haproxy.service: Service hold-off time over, sch
Jan 08 20:23:51 haproxy systemd[1]: haproxy.service: Scheduled restart job, restart
Jan 08 20:23:51 haproxy systemd[1]: Stopped HAProxy Load Balancer.
Jan 08 20:23:51 haproxy systemd[1]: haproxy.service: Start request repeated too quic
Jan 08 20:23:51 haproxy systemd[1]: haproxy.service: Failed with result 'exit-code'.
Jan 08 20:23:51 haproxy systemd[1]: Failed to start HAProxy Load Balancer.
</code></pre>
</div>

<div>
Oh wait did I put it in the wrong section? I put it in &quot;frontend localhost&quot; you seem to have it in &quot;frontend myfront&quot;.
</div>

<div>
You need a bind at least in a front end... 
(localhost may not be the best name choice, myfront neither.... 
better is fe_firewall1 or likewise...) &nbsp;(In consolidated logging localhost doesn't add value). 
 
haproxy messages seem to be missing. i only see systemd messages. The earlier log had haproxy messages &nbsp; haproxy[xxx]
</div>

<div>
hm..., maybe remove the &quot;h2,&quot; &nbsp;part from the config as well, not sure if your haproxy already supports it. 
(h2 = http/2 support (the official version of the SPDY protocol). &nbsp; Before 1.9.x it isn't actually supported on the backends yet).
</div>

<div>
<div class="content wysiwyg-content">
I am getting an error on running nginx as a reverse proxy to access multiple servers with ssl. 
 
The initial ssl forward seems to happen properly but once I'm logged in the issue occurs. 
 
The error only seems to show up after I have logged in. See screen shots to see what I mean. 
 
This same behavior seems to happen on other servers as well. 
 
I want to run nginx not other reverse proxies so please advice on the current config not other solutions. 
<a href="https://filedb.experts-exchange.com/incoming/2018/12_w52/1408244/lpr-error.jpg" target="_blank" class="file-inline" title="lpr-error.jpg (76 KB)"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512"><path d="M67.508 468.467c-58.005-58.013-58.016-151.92 0-209.943l225.011-225.04c44.643-44.645 117.279-44.645 161.92 0 44.743 44.749 44.753 117.186 0 161.944l-189.465 189.49c-31.41 31.413-82.518 31.412-113.926.001-31.479-31.482-31.49-82.453 0-113.944L311.51 110.491c4.687-4.687 12.286-4.687 16.972 0l16.967 16.971c4.685 4.686 4.685 12.283 0 16.969L184.983 304.917c-12.724 12.724-12.73 33.328 0 46.058 12.696 12.697 33.356 12.699 46.054-.001l189.465-189.489c25.987-25.989 25.994-68.06.001-94.056-25.931-25.934-68.119-25.932-94.049 0l-225.01 225.039c-39.249 39.252-39.258 102.795-.001 142.057 39.285 39.29 102.885 39.287 142.162-.028A739446.174 739446.174 0 0 1 439.497 238.49c4.686-4.687 12.282-4.684 16.969.004l16.967 16.971c4.685 4.686 4.689 12.279.004 16.965a755654.128 755654.128 0 0 0-195.881 195.996c-58.034 58.092-152.004 58.093-210.048.041z"/></svg>lpr-error.jpg</a> 
<a href="https://filedb.experts-exchange.com/incoming/2018/12_w52/1408245/lpr-login.jpg" target="_blank" class="file-inline" title="lpr-login.jpg (84 KB)"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512"><path d="M67.508 468.467c-58.005-58.013-58.016-151.92 0-209.943l225.011-225.04c44.643-44.645 117.279-44.645 161.92 0 44.743 44.749 44.753 117.186 0 161.944l-189.465 189.49c-31.41 31.413-82.518 31.412-113.926.001-31.479-31.482-31.49-82.453 0-113.944L311.51 110.491c4.687-4.687 12.286-4.687 16.972 0l16.967 16.971c4.685 4.686 4.685 12.283 0 16.969L184.983 304.917c-12.724 12.724-12.73 33.328 0 46.058 12.696 12.697 33.356 12.699 46.054-.001l189.465-189.489c25.987-25.989 25.994-68.06.001-94.056-25.931-25.934-68.119-25.932-94.049 0l-225.01 225.039c-39.249 39.252-39.258 102.795-.001 142.057 39.285 39.29 102.885 39.287 142.162-.028A739446.174 739446.174 0 0 1 439.497 238.49c4.686-4.687 12.282-4.684 16.969.004l16.967 16.971c4.685 4.686 4.689 12.279.004 16.965a755654.128 755654.128 0 0 0-195.881 195.996c-58.034 58.092-152.004 58.093-210.048.041z"/></svg>lpr-login.jpg</a>
</div>
</div>

lpr-login.jpg

lpr-error.jpg

I am getting an error on running nginx as a reverse proxy to access multiple servers with ssl.

The initial ssl forward seems to happen properly but once I'm logged in the issue occurs.

The error only seems to show up after I have logged in. See screen shots to see what I mean.

This same behavior seems to happen on other servers as well. 

I want to run nginx not other reverse proxies so please advice on the current config not other solutions.

nginx reverse proxy error

HTTPS is a protocol for secure communication over a computer network which is widely used on the Internet. HTTPS consists of communication over Hypertext Transfer Protocol (HTTP) within a connection encrypted by Transport Layer Security (TLS) or its predecessor, Secure Sockets Layer (SSL). The main motivation for HTTPS is authentication of the visited website and to protect the privacy and integrity of the exchanged data. HTTPS is widely used for protecting page authenticity on all types of websites, securing accounts and keeping user communications, identity and web browsing private.