Reverse TLS proxy

addis_a · October 8, 2014, 12:23pm

Hi all,
I very new to NGINX, but thought that it might be the best tool to
achieve a
reverse proxy ( in the DMZ ) for an internal HTTPS server.

Unfortunately it isn’t working and I get 502 Bad Gateway message if I
check
in the error Log I see :

2014/10/07 17:38:27 [crit] 2606#0: *1 connect() to 172.16.36.155:9999
failed
(13: Permission denied) while connecting to upstream, client:
10.51.44.100,
server: ping0a.cisco.net, request:
“https://172.16.36.155:9999/pingfederate/app/”, host:
“ping0a.cisco.net:9999”

with a tcpdump in the HTTPS server that it is in the internal LAN I
don’t
see any traffic arriving …

I have a split dns schema in my test, and the FQDN name in the internal
HTTPS server is the same as the on e in the DMZ ( ping0a.cisco,.net ).

This is my configuration :
[[email protected] nginx]# more nginx.conf

user nginx;
worker_processes 1;

error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
worker_connections 1024;
}

http {
include /etc/nginx/mime.types;
default_type application/octet-stream;

log_format  main  '$remote_addr - $remote_user [$time_local]

“$request”
’
'$status $body_bytes_sent “$http_referer” ’
‘"$http_user_agent" “$http_x_forwarded_for”’;

access_log  /var/log/nginx/access.log  main;

sendfile        on;
#tcp_nopush     on;

keepalive_timeout  65;

#gzip  on;

upstream backend {
server 172.16.36.155:9999;
}

include /etc/nginx/conf.d/*.conf;

}

[[email protected] conf.d]# more ping0a_ssl.conf

HTTPS server

server {
listen 9999 default ssl;
index index.php index.html index.htm;

server_name ping0a.cisco.net;

ssl                 on;
ssl_certificate      /etc/pki/tls/certs/IdP.pem;
ssl_certificate_key  /etc/pki/tls/private/IdP.key;

ssl_session_timeout  5m;

ssl_protocols  SSLv3 TLSv1;
ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+EXP;
ssl_prefer_server_ciphers   on;

location / {
    proxy_store off;
    proxy_pass https://backend;
    proxy_set_header X-Real-IP  $remote_addr;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header Host $host;
    proxy_ssl_verify off;
}

}

from the hosts in the DMZ where NGINX is installed I can reach the
inetrnal
HTTPS server

[[email protected] conf.d]# wget --no-check-certificate
https://172.16.36.155:9999/pingfederate/app
–2014-10-08 11:20:25-- https://172.16.36.155:9999/pingfederate/app
Connecting to 172.16.36.155:9999… connected.
WARNING: certificate common name ‘ping0a.cisco.net’ doesn’t match
requested host name ‘172.16.36.155’.
HTTP request sent, awaiting response… 200 OK
Length: unspecified [text/html]
Saving to: ‘app’

[ <=>                                   ] 5,576       --.-K/s   in

0s

2014-10-08 11:20:25 (45.8 MB/s) - ‘app’ saved [5576]

What is wrong in my configuration ?

Thank you,
Paulo

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,253833,253833#msg-253833

paucorre · October 8, 2014, 11:21pm

Hello,

Which distro are you using?

The first thing that comes to mind with this type of issue is that
Selinux
is enabled and blocking nginx from making connections to the upstream.
You
can test if this is the case by turning Selinux off and seeing if that
resolves the issue.

This of course only applies to distros that enable Selinux by default
(RHEL
and crew for sure). I’m not sure if AppArmor can cause the same issues
on
Debian, but it might be worth looking into if that’s what you’re using.

– Justin

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,253833,253850#msg-253850