Old 07-15-2013, 02:24 PM   #1
mosiac
Nginx as SSL Reverse Proxy


So I have an nginx.conf file that has multiple server blocks in it and they all are working except this one, and this one is half working so I assume I'm just missing one thing. Basically what happens is you can go to the server name that is set and the proxy pass works for that first site, but that site is also a login page that after authentication forwards the user to another page, and what I'd like to make sure happens is that after authentication the SSL and server name still work, as opposed to what's happening now, which is it breaks down completely.


Code:
server {
    chunkin on;

    error_page 411 = @my_411_error;
    location @my_411_error {
        chunkin_resume;
    }

    listen 8897 ssl;
    server_name myhttpaddress.com;

    ### SSL log files ###
    access_log /var/log/nginx/ssl-access.log;
    error_log /var/log/nginx/ssl-error.log;

    ### SSL cert files ###
    ssl_certificate /etc/nginx/ssl/mycert.crt;
    ssl_certificate_key /etc/nginx/ssl/mycert.key;
    ### Add SSL specific settings here ###
    keepalive_timeout 60;

    ### Limiting Ciphers ################
    # Uncomment as per your setup
    # ssl_ciphers HIGH:!ADH;
    # ssl_prefer_server_ciphers on;
    # ssl_protocols SSLv3;
    #####################################
    # We want full access to SSL via backend ###

    location /brim/ {
        more_clear_input_headers 'Transfer-Encoding';
        proxy_pass http://myserver.com:8897/brim/;
        ### force timeouts if one of backend is died ##
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

        ### Set headers ####
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        ### Most PHP, Python, Rails, Java App can use this header ###
        proxy_set_header X-Forwarded_Proto https;

        ### By default we don't want to redirect it ####
        proxy_redirect off;
    }
}
 
Old 07-15-2013, 04:46 PM   #2
smallpond
"breaks down completely" is not an error message. Have you checked the access log? error log? The response? What do you actually get?

SSL negotiation should switch you from unencrypted to encrypted communication to the same IP. The nginx reverse proxy must remain inline between the client and unencrypted server for this to work.
 
Old 07-15-2013, 08:29 PM   #3
mosiac
I'll double check the access and error logs in the morning, but I didn't really think to look because the SSL passthrough is working. The end user gets the SSL warning (it's self-signed certs) and they get to their login page, but after they log in, forwarding seems to stop. The proxy pass address seems to go away and it reverts back to trying to do pages as the server name.

Let me double check again in the morning for sure to see if there is anything definitive in the logs to post.

EDIT LOG ADDED:
Code:
1.1.1.1 - - [15/Jul/2013:11:20:54 -0500] "GET /brim/ HTTP/1.1" 401 1468 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
1.1.1.1 - r2b_admin [15/Jul/2013:11:21:26 -0500] "GET /brim/ HTTP/1.1" 200 4612 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
1.1.1.1 - r2b_admin [15/Jul/2013:11:21:26 -0500] "GET /brim/static/css/mobile.css HTTP/1.1" 200 1432 "https://brimtest.servername:8897/brim/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
1.1.1.1 - r2b_admin [15/Jul/2013:11:21:26 -0500] "GET /brim/static/css/components.css HTTP/1.1" 200 2536 "https://brimtest.servername:8897/brim/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
1.1.1.1 - r2b_admin [15/Jul/2013:11:21:26 -0500] "GET /brim/static/images/favicon.ico HTTP/1.1" 200 1150 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
1.1.1.1 - r2b_admin [15/Jul/2013:11:21:26 -0500] "GET /brim/static/css/boilerplate.css HTTP/1.1" 200 10357 "https://brimtest.servername:8897/brim/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
1.1.1.1 - r2b_admin [15/Jul/2013:11:21:26 -0500] "GET /brim/static/css/backbone.pagingcontrols.css HTTP/1.1" 200 3853 "https://brimtest.servername:8897/brim/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
1.1.1.1 - r2b_admin [15/Jul/2013:11:21:26 -0500] "GET /brim/static/css/config.css HTTP/1.1" 200 18254 "https://brimtest.servername:8897/brim/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
1.1.1.1 - r2b_admin [15/Jul/2013:11:21:26 -0500] "GET /brim/static/js/application.js HTTP/1.1" 200 183 "https://brimtest.servername:8897/brim/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
1.1.1.1 - r2b_admin [15/Jul/2013:11:21:26 -0500] "GET /brim/static/images/e-logo-lg.png HTTP/1.1" 200 3861 "https://brimtest.servername:8897/brim/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
1.1.1.1 - r2b_admin [15/Jul/2013:11:21:26 -0500] "GET /brim/static/images/logo-ellucian.png HTTP/1.1" 200 1608 "https://brimtest.servername:8897/brim/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
1.1.1.1 - r2b_admin [15/Jul/2013:11:21:27 -0500] "GET /brim/static/images/bg-dark-grey-bar.png HTTP/1.1" 200 1036 "https://brimtest.servername:8897/brim/static/css/config.css" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
1.1.1.1 - r2b_admin [15/Jul/2013:11:21:27 -0500] "GET /brim/static/images/bg-header.png HTTP/1.1" 200 2998 "https://brimtest.servername:8897/brim/static/css/config.css" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
1.1.1.1 - r2b_admin [15/Jul/2013:11:21:27 -0500] "GET /brim/static/images/icon-configurations.png HTTP/1.1" 200 1259 "https://brimtest.servername:8897/brim/static/css/config.css" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
1.1.1.1 - r2b_admin [15/Jul/2013:11:21:27 -0500] "GET /brim/static/images/dark-bg-texture.png HTTP/1.1" 200 45871 "https://brimtest.servername:8897/brim/static/css/config.css" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
1.1.1.1 - r2b_admin [15/Jul/2013:11:21:27 -0500] "GET /brim/configuration/show HTTP/1.1" 200 6390 "https://brimtest.servername:8897/brim/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
1.1.1.1 - - [15/Jul/2013:11:21:31 -0500] "-" 400 0 "-" "-"
1.1.1.1 - r2b_admin [15/Jul/2013:11:21:37 -0500] "GET /brim/configuration/show/BRIM_USER HTTP/1.1" 200 6390 "https://brimtest.servername:8897/brim/configuration/show" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
1.1.1.1 - r2b_admin [15/Jul/2013:11:21:40 -0500] "GET /brim/loaderError/index HTTP/1.1" 302 5 "https://brimtest.servername:8897/brim/configuration/show/BRIM_USER" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
1.1.1.1 - r2b_admin [15/Jul/2013:11:22:12 -0500] "GET /brim/matchOrPushMsg/index HTTP/1.1" 302 5 "https://brimtest.servername:8897/brim/configuration/show/BRIM_USER" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
1.1.1.1 - r2b_admin [15/Jul/2013:11:22:25 -0500] "GET /brim/configuration/show/BRIM_USER HTTP/1.1" 200 6396 "https://brimtest.servername:8897/brim/configuration/show/BRIM_USER" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
1.1.1.1 - r2b_admin [15/Jul/2013:11:22:27 -0500] "GET /brim/configuration/show/BRIM_USER HTTP/1.1" 200 6390 "https://brimtest.servername:8897/brim/configuration/show/BRIM_USER" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
1.1.1.1 - r2b_admin [15/Jul/2013:11:22:36 -0500] "GET /brim/eventError/index HTTP/1.1" 302 5 "https://brimtest.servername:8897/brim/configuration/show/BRIM_USER" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
1.1.1.1 - r2b_admin [15/Jul/2013:11:23:11 -0500] "GET /brim/configuration/show/BRIM_USER HTTP/1.1" 200 6396 "https://brimtest.servername:8897/brim/configuration/show/BRIM_USER" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
1.1.1.1 - - [15/Jul/2013:11:23:25 -0500] "GET /bannerevents/ HTTP/1.1" 302 315 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
1.1.1.1 - r2b_admin [15/Jul/2013:11:25:22 -0500] "GET /brim/ HTTP/1.1" 200 4612 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
1.1.1.1 - r2b_admin [15/Jul/2013:11:25:22 -0500] "GET /brim/configuration/show HTTP/1.1" 200 6390 "https://brimtest.servername:8897/brim/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
1.1.1.1 - r2b_admin [15/Jul/2013:11:25:31 -0500] "GET /brim/eventError/index HTTP/1.1" 302 5 "https://brimtest.servername:8897/brim/configuration/show" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
1.1.1.1 - r2b_admin [15/Jul/2013:11:26:59 -0500] "GET /brim/eventError/index HTTP/1.1" 302 5 "https://brimtest.servername:8897/brim/configuration/show" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
Didn't know if people were OK with a pastebin, and I've edited out private data for security purposes.

Last edited by mosiac; 07-16-2013 at 07:11 AM.
 
Old 07-16-2013, 08:43 AM   #4
smallpond
Code:
1.1.1.1 - r2b_admin [15/Jul/2013:11:25:31 -0500] "GET /brim/eventError/index HTTP/1.1" 302 5 "https://brimtest.servername:8897/brim/configuration/show" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
Pretty sure that 302 status tells the client not to go through the proxy, go to the redirect address and get it yourself.
 
Old 07-16-2013, 08:46 AM   #5
mosiac
Is there something in the configuration I need to change to fix that?
 
Old 07-18-2013, 01:24 PM   #6
mosiac
So I think I need to modify my request a little bit now.

Can I have something like this?

Code:
server {
    chunkin on;

    error_page 411 = @my_411_error;
    location @my_411_error {
        chunkin_resume;
    }

    listen 443 ssl;
    server_name myhttpaddress.com;

    ### SSL log files ###
    access_log /var/log/nginx/ssl-access.log;
    error_log /var/log/nginx/ssl-error.log;

    ### SSL cert files ###
    ssl_certificate /etc/nginx/ssl/mycert.crt;
    ssl_certificate_key /etc/nginx/ssl/mycert.key;
    ### Add SSL specific settings here ###
    keepalive_timeout 60;

    ### Limiting Ciphers ################
    # Uncomment as per your setup
    # ssl_ciphers HIGH:!ADH;
    # ssl_prefer_server_ciphers on;
    # ssl_protocols SSLv3;
    #####################################
    # We want full access to SSL via backend ###

    location /brim/ {
        more_clear_input_headers 'Transfer-Encoding';
        proxy_pass http://myserver.com:8897/brim/;
        ### force timeouts if one of backend is died ##
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

        ### Set headers ####
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        ### Most PHP, Python, Rails, Java App can use this header ###
        proxy_set_header X-Forwarded_Proto https;

        ### By default we don't want to redirect it ####
        proxy_redirect off;
    }
}
Where the proxy pass traffic uses 443 but the hosted site on another server is on port 8897?
 
Old 07-18-2013, 03:54 PM   #7
mosiac
Just wanted to say again this is solved but I have another issue and I'll post about it in a different thread.

Here's what fixed it, I needed to add the following to my config file:
Code:
                ### Set headers ####
                proxy_set_header Host $http_host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_store off;
                #proxy_redirect off;
                proxy_buffering off;
                ###  cache  ###
                proxy_cache data-cache;
                proxy_cache_valid 200 302 60m;

                ### Most PHP, Python, Rails, Java App can use this header ###
                proxy_set_header X-Forwarded_Proto https;

                ### By default we don't want to redirect it ####
                proxy_redirect http://servername.edu:8897 https://servername.edu:8897;
and for the caching you need to add the following lines in your http{} container

Code:
proxy_cache_path /etc/nginx/cache levels=1:2 keys_zone=data-cache:8m
                 max_size=1000m inactive=600m;
proxy_temp_path /etc/nginx/cache/tmp;
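
Added example (not part of the original thread): a small Python model of how a plain-string `proxy_redirect` rule rewrites the backend's `Location` header, run over constructed redirect targets, to show why the 302s left the TLS proxy with `proxy_redirect off` and which redirects the final rule still does not cover. The sample paths and helper names are assumptions; only plain prefix rules are modelled, not the `default` or regex forms.

```python
from urllib.parse import urlsplit

# Origin and rule taken from the final config posted in the thread.
PUBLIC_ORIGIN = "https://servername.edu:8897"
THREAD_RULE = [("http://servername.edu:8897", "https://servername.edu:8897")]

# Constructed backend Location headers (paths are illustrative only).
SAMPLE_LOCATIONS = [
    "http://servername.edu:8897/brim/eventError/list",  # backend echoes Host, plain http
    "/brim/configuration/show",                         # relative redirect
    "http://myserver.com:8897/brim/login",              # backend's own name from proxy_pass
]


def apply_proxy_redirect(location, rules):
    """Model plain-string proxy_redirect: the first rule whose 'redirect'
    text is a prefix of the Location value has that prefix replaced.
    rules=None models 'proxy_redirect off' (header passed through as is)."""
    if rules is None:
        return location
    for redirect, replacement in rules:
        if location.startswith(redirect):
            return replacement + location[len(redirect):]
    return location


def escapes_proxy(location, public_origin=PUBLIC_ORIGIN):
    """True when an absolute Location points at any origin other than the
    TLS origin clients use, so the browser would leave the proxy."""
    parts = urlsplit(location)
    if not parts.scheme and not parts.netloc:
        return False  # relative: resolved against the current https origin
    return f"{parts.scheme}://{parts.netloc}" != public_origin


def audit(locations, rules):
    """Return (rewritten Location, escapes?) for each backend redirect."""
    rewritten = [apply_proxy_redirect(loc, rules) for loc in locations]
    return [(loc, escapes_proxy(loc)) for loc in rewritten]


if __name__ == "__main__":
    for label, rules in (("proxy_redirect off", None), ("thread's rule", THREAD_RULE)):
        print(label)
        for loc, bad in audit(SAMPLE_LOCATIONS, rules):
            print("  ", "ESCAPES" if bad else "ok     ", loc)
```

The third sample stays flagged under the thread's rule: a redirect that names the backend host from `proxy_pass` needs its own `proxy_redirect` line, since each rule matches one prefix.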
 
  

