Hi Team,
I have current URL as https://xxx.xxx.xxx:8081/neutrino-sso-web/ which is directly natted on firewall on pot 8081
However I now would like to put this URL behind nginx reverse proxy. Since the above URL is given to lot many customers it would not be possible to change the URL. we are planning to change it graudally.
However mean time I installed the nginx and trying to relay the same setup; so that from internet if some accessed https://xx.xxxx.xxx:8081/neutrino-sso-web/ it would proxy_pass to orignial server
My stanza is as below; however this is not working and I am getting
##########
This site can’t provide a secure connection
xxx.xxxx..xxx sent an invalid response.
ERR_SSL_PROTOCOL_ERROR
##############
server {
listen 443;
listen 8081 ssl;
server_name xx.xxxx.xxxx;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_certificate /etc/nginx/certs/xx.xx/216560a7cbdc5937.crt;
ssl_certificate_key /etc/nginx/certs/xx.xx/xxxx.key;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA
-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:
ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256
-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3
-SHA:!DSS';
ssl_dhparam /etc/nginx/certs/dhparam.pem;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
ssl_session_timeout 1d;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
keepalive_timeout 70;
if ( $request_method !~ ^(GET|POST|HEAD)$ ) {
return 403;
break;
}
access_log /var/log/nginx/xxx.xxxx/access.log;
error_log /var/log/nginx/xxx.xxx/error.log;
{
location / {
client_max_body_size 700m;
client_body_buffer_size 128k;
proxy_send_timeout 90;
proxy_http_version 1.1;
proxy_read_timeout 90;
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
proxy_temp_file_write_size 256k;
proxy_connect_timeout 30s;
proxy_pass https://xxx.xxx.xxx:8081/neutrino-sso-web/login;
proxy_ssl_server_name on;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Referrer-Policy "no-referrer-when-downgrade";
add_header X-Frame-Options "SAMEORIGIN" always;
}
}
Am I doing anything wroing?
TIA
Blason R