Re: RD Gateway thru Reverse Proxy

Moshe Katz
December 10, 2019 04:20PM
RD Gateway isn't a real HTTP(S) connection, so you need to use a `stream`
block.

This has been discussed on this email list several years ago:
https://forum.nginx.org/read.php?11,266872

Moshe

On Tue, Dec 10, 2019, 4:11 PM jriker1 <nginx-forum@forum.nginx.org> wrote:

> I have multiple servers internal that need to use port 443 due to
> requirements of the applications and vendors. One is a Windows 2016
> Essentials server the other a custom web app on Linux that requires a
> communication to the cloud on 443. I have setup a reverse proxy and it's
> excellent. Only issue I'm having is with Essentials server I login to the
> web console and when I click to launch a RD Gateway session it comes up and
> I can authenticate but when it's going to launch the actual session it
> fails.
>
> Error I get is:
>
> 2019/12/10 14:27:48 [error] 27899#27899: *291 upstream prematurely closed
> connection while reading response header from upstream, client: <IP I'm
> at>,
> server: <essentials URL>, request: "RDG_OUT_DATA /remoteDesktopGateway/
> HTTP/1.1", uupstream: "https:/<internal_ip>:443/remoteDesktopGateway/",
> host: "<essentials_URL>"
>
> Below is my custom config settings:
>
> ######--------------BEGIN of the script
>
> server {
> listen 80;
> server_name <essentials_URL>;
> # redirect http to https
> return 301 https://$server_name$request_uri;
> client_max_body_size 0;
> proxy_http_version 1.1;
> proxy_buffering off;
> proxy_set_header Upgrade $http_upgrade;
> proxy_set_header Connection "Upgrade";
> proxy_set_header Host $host;
> proxy_set_header X-Real-IP $remote_addr;
> proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>
> location / {
> proxy_pass http://<essentials_internal_ip>;
> }
> }
>
> server {
> listen 80;
> server_name <smartwebsite_url>;
> # redirect http to https
> return 301 https://$server_name$request_uri;
> client_max_body_size 0;
> proxy_http_version 1.1;
> proxy_buffering off;
> proxy_set_header Upgrade $http_upgrade;
> proxy_set_header Connection "Upgrade";
> proxy_set_header Host $host;
> proxy_set_header X-Real-IP $remote_addr;
> proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>
> location / {
> proxy_pass http://<smartwebsite_internal_ip>;
> }
> }
>
> server {
> listen 443 ssl;
> listen [::]:443 ssl;
> server_name <essentials_URL>;
> ssl_certificate /config/user-data/ssl_chain_essentials.pem;
> ssl_certificate_key /config/user-data/ssl_chain_key_essentials.pem;
> access_log /var/log/nginx/<essentials-URL>.access.log;
> error_log /var/log/nginx/<essentials-URL>.error.log;
> ssl_session_timeout 1d;
> ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
> ssl_ciphers
>
> "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
>
> ssl_prefer_server_ciphers on;
> ssl_session_cache shared:SSL:10m;
> #dh param
> ssl_dhparam /config/user-data/dhparam.pem;
> # Enable HTTP Strict-Transport-Security
> # If you have a subdomain of your site,
> # be careful to use the 'includeSubdomains' options
> add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
> # XSS Protection for Nginx web server
> add_header X-Frame-Options DENY;
> add_header X-XSS-Protection "1; mode=block";
> add_header X-Content-Type-Options nosniff;
> ssl_session_cache shared:SSL:10m;
> add_header X-Robots-Tag none;
> client_max_body_size 0;
> proxy_http_version 1.1;
> proxy_buffering off;
> proxy_set_header Upgrade $http_upgrade;
> proxy_set_header Connection "Upgrade";
> proxy_set_header Host $host;
> proxy_set_header X-Real-IP $remote_addr;
> proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
> location / {
> proxy_pass https://<essentials_internal_ip>;
> }
> }
>
> server {
> listen 443 ssl;
> server_name <smartwebsite_url>;
> ssl_certificate /config/user-data/ssl_chain_smartweb.pem;
> ssl_certificate_key /config/user-data/ssl_chain_key_smartweb.pem;
> access_log /var/log/nginx/<smartwebsite-URL>.access.log;
> error_log /var/log/nginx/<smartwebsite-URL>.error.log;
> ssl_session_timeout 1d;
> ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
> ssl_ciphers
>
> "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
> ssl_prefer_server_ciphers on;
> ssl_session_cache shared:SSL:10m;
> #dh param
> ssl_dhparam /config/user-data/dhparam.pem;
> # Enable HTTP Strict-Transport-Security
> # If you have a subdomain of your site,
> # be careful to use the 'includeSubdomains' options
> add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
> # XSS Protection for Nginx web server
> add_header X-Frame-Options DENY;
> add_header X-XSS-Protection "1; mode=block";
> add_header X-Content-Type-Options nosniff;
> add_header X-Robots-Tag none;
> client_max_body_size 0;
> proxy_http_version 1.1;
> proxy_buffering off;
> proxy_set_header Upgrade $http_upgrade;
> proxy_set_header Connection "Upgrade";
> proxy_set_header Host $host;
> proxy_set_header X-Real-IP $remote_addr;
> proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
> location / {
> proxy_pass https://<smartwebsite_internal_ip>:8123;
> }
> }
> #######-----------------end of script----------------------------
>
>
> Thoughts?
>
> Thanks.
>
> JR
>
> Posted at Nginx Forum:
> https://forum.nginx.org/read.php?2,286440,286440#msg-286440
>
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
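
One way to apply the `stream` suggestion from the reply above to the two-hosts-on-443 setup in the quoted message; this is an added example, not configuration from the thread or from either poster. It assumes nginx is built with the stream and `ssl_preread` modules, and that the existing `listen 443 ssl;` servers in `http {}` are moved to `127.0.0.1:8443`; the names `$tls_backend` and `sni`, the port 8443 and the log path are hypothetical, and the angle-bracket placeholders are the original poster's.

```nginx
# Added example. Top-level context: a sibling of http {}, not inside it.
stream {
    # One line per TCP session: which SNI name was asked for and where it went.
    log_format sni '$remote_addr [$time_local] sni="$ssl_preread_server_name" '
                   'upstream=$upstream_addr status=$status '
                   'in=$bytes_received out=$bytes_sent';
    access_log /var/log/nginx/stream-443.access.log sni;

    # Choose the backend from the SNI name in the TLS ClientHello.
    # TLS is NOT terminated here, so the chosen backend presents its own
    # certificate and nginx never sees the RDG_OUT_DATA request at all.
    map $ssl_preread_server_name $tls_backend {
        # RD Gateway host: raw TCP passthrough to the Essentials server.
        <essentials_URL>   <essentials_internal_ip>:443;
        # Everything else (including clients that send no SNI) goes to the
        # ordinary TLS-terminating servers in http {}, which must now use
        # "listen 127.0.0.1:8443 ssl;" instead of "listen 443 ssl;".
        default            127.0.0.1:8443;
    }

    server {
        listen 443;
        listen [::]:443;

        ssl_preread on;               # read the ClientHello without decrypting
        proxy_pass $tls_backend;
        proxy_connect_timeout 5s;
    }
}
```

With passthrough, the HSTS and other `add_header` lines and the per-host HTTP access log no longer apply to `<essentials_URL>`, so TLS protocol and cipher policy for that name has to be set on the Essentials server itself. The `http {}` servers behind `127.0.0.1:8443` will see 127.0.0.1 as the client address unless the PROXY protocol is enabled on both sides of that local hop only.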