Welcome! Log In Create A New Profile

RD Gateway thru Reverse Proxy

Forum List Message List New Topic Print View

jriker1

December 10, 2019 04:11PM

Registered: 4 years ago
Posts: 9

I have multiple servers internal that need to use port 443 due to requirements of the applications and vendors. One is a Windows 2016 Essentials server the other a custom web app on Linux that requires a communication to the cloud on 443. I have setup a reverse proxy and it's excellent. Only issue I'm having is with Essentials server I login to the web console and when I click to launch a RD Gateway session it comes up and I can authenticate but when it's going to launch the actual session it fails.

Error I get is:

2019/12/10 14:27:48 [error] 27899#27899: *291 upstream prematurely closed connection while reading response header from upstream, client: <IP I'm at>, server: <essentials URL>, request: "RDG_OUT_DATA /remoteDesktopGateway/ HTTP/1.1", uupstream: "https:/<internal_ip>:443/remoteDesktopGateway/", host: "<essentials_URL>"

Below is my custom config settings:

######--------------BEGIN of the script server {
listen 80;
server_name <essentials_URL>;
# redirect http to https
return 301 https://$server_name$request_uri;
client_max_body_size 0;
proxy_http_version 1.1;
proxy_buffering off;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;

location / {
proxy_pass http://<essentials_internal_ip>;
}
}

server {
listen 80;
server_name <smartwebsite_url>;
# redirect http to https
return 301 https://$server_name$request_uri;
client_max_body_size 0;
proxy_http_version 1.1;
proxy_buffering off;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;

location / {
proxy_pass http://<smartwebsite_internal_ip>;
}
}

server {
listen 443 ssl;
listen [::]:443 ssl;
server_name <essentials_URL>;
ssl_certificate /config/user-data/ssl_chain_essentials.pem;
ssl_certificate_key /config/user-data/ssl_chain_key_essentials.pem;
access_log /var/log/nginx/<essentials-URL>.access.log;
error_log /var/log/nginx/<essentials-URL>.error.log;
ssl_session_timeout 1d;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
#dh param
ssl_dhparam /config/user-data/dhparam.pem;
# Enable HTTP Strict-Transport-Security
# If you have a subdomain of your site,
# be careful to use the 'includeSubdomains' options
add_header Strict-Transport-Security "max-age=63072000;
includeSubdomains; preload";
# XSS Protection for Nginx web server
add_header X-Frame-Options DENY;
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options nosniff;
ssl_session_cache shared:SSL:10m;
add_header X-Robots-Tag none;
client_max_body_size 0;
proxy_http_version 1.1;
proxy_buffering off;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
location / {
proxy_pass https://<essentials_internal_ip>;
}
}

server {
listen 443 ssl;
server_name <smartwebsite_url>;
ssl_certificate /config/user-data/ssl_chain_smartweb.pem;
ssl_certificate_key /config/user-data/ssl_chain_key_smartweb.pem;
access_log /var/log/nginx/<smartwebsite-URL>.access.log;
error_log /var/log/nginx/<smartwebsite-URL>.error.log;
ssl_session_timeout 1d;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
#dh param
ssl_dhparam /config/user-data/dhparam.pem;
# Enable HTTP Strict-Transport-Security
# If you have a subdomain of your site,
# be carefull to use the 'includeSubdomains' options
add_header Strict-Transport-Security "max-age=63072000;
includeSubdomains; preload";
# XSS Protection for Nginx web server
add_header X-Frame-Options DENY;
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options nosniff;
add_header X-Robots-Tag none;
client_max_body_size 0;
proxy_http_version 1.1;
proxy_buffering off;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
location / {
proxy_pass https://<smartwebsite_internal_ip>:8123;
}
}
#######-----------------end of script----------------------------

Thoughts?

Thanks.

JR

Reply Quote

RSS