Welcome! Log In Create A New Profile

Advanced

Reverse TLS proxy

October 08, 2014 06:22AM
Hi all,
I very new to NGINX, but thought that it might be the best tool to achieve a reverse proxy ( in the DMZ ) for an internal HTTPS server.


Unfortunately it isn't working and I get 502 Bad Gateway message if I check in the error Log I see :

2014/10/07 17:38:27 [crit] 2606#0: *1 connect() to 172.16.36.155:9999 failed (13: Permission denied) while connecting to upstream, client: 10.51.44.100, server: ping0a.cisco.net, request: "https://172.16.36.155:9999/pingfederate/app/", host: "ping0a.cisco.net:9999"


with a tcpdump in the HTTPS server that it is in the internal LAN I don't see any traffic arriving ....

I have a split dns schema in my test, and the FQDN name in the internal HTTPS server is the same as the on e in the DMZ ( ping0a.cisco,.net ).

This is my configuration :
[root@ping0a nginx]# more nginx.conf

user nginx;
worker_processes 1;

error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;


events {
worker_connections 1024;
}


http {
include /etc/nginx/mime.types;
default_type application/octet-stream;

log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';

access_log /var/log/nginx/access.log main;

sendfile on;
#tcp_nopush on;

keepalive_timeout 65;

#gzip on;

upstream backend {
server 172.16.36.155:9999;
}

include /etc/nginx/conf.d/*.conf;
}


[root@ping0a conf.d]# more ping0a_ssl.conf
# HTTPS server
#
server {
listen 9999 default ssl;
index index.php index.html index.htm;

server_name ping0a.cisco.net;

ssl on;
ssl_certificate /etc/pki/tls/certs/IdP.pem;
ssl_certificate_key /etc/pki/tls/private/IdP.key;

ssl_session_timeout 5m;

ssl_protocols SSLv3 TLSv1;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+EXP;
ssl_prefer_server_ciphers on;

location / {
proxy_store off;
proxy_pass https://backend;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $host;
proxy_ssl_verify off;
}
}

from the hosts in the DMZ where NGINX is installed I can reach the inetrnal HTTPS server

[root@ping0a conf.d]# wget --no-check-certificate https://172.16.36.155:9999/pingfederate/app
--2014-10-08 11:20:25-- https://172.16.36.155:9999/pingfederate/app
Connecting to 172.16.36.155:9999... connected.
WARNING: certificate common name ‘ping0a.cisco.net’ doesn't match requested host name ‘172.16.36.155’.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘app’

[ <=> ] 5,576 --.-K/s in 0s

2014-10-08 11:20:25 (45.8 MB/s) - ‘app’ saved [5576]


What is wrong in my configuration ?

Thank you,
Paulo
Subject Author Posted

Reverse TLS proxy

paucorre October 08, 2014 06:22AM

Re: Reverse TLS proxy

pharasyte October 08, 2014 05:21PM

Re: Reverse TLS proxy

paucorre October 09, 2014 11:40AM

Re: Reverse TLS proxy

unclepieman October 08, 2014 09:24PM

Re: Reverse TLS proxy

paucorre October 09, 2014 11:41AM

Re: Reverse TLS proxy

paucorre October 09, 2014 11:41AM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 90
Record Number of Users: 8 on December 15, 2016
Record Number of Guests: 386 on August 02, 2016
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready