Reverse TLS proxy

Hi all,
I am very new to NGINX, but thought that it might be the best tool to
achieve a reverse proxy (in the DMZ) for an internal HTTPS server.

Unfortunately it isn't working and I get a 502 Bad Gateway message. In
the error log I see:

2014/10/07 17:38:27 [crit] 2606#0: *1 connect() to (13: Permission denied) while connecting to upstream, client:, server:, request:”, host:

With a tcpdump on the HTTPS server, which is in the internal LAN, I don't
see any traffic arriving …

I have a split DNS scheme in my test, and the FQDN of the internal
HTTPS server is the same as the one in the DMZ (,.net).

This is my configuration:
[root@ping0a nginx]# more nginx.conf

user nginx;
worker_processes 1;

error_log /var/log/nginx/error.log warn;
pid /var/run/;          # the pid file name is missing from the post as quoted

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;

    # Pool that ping0a_ssl.conf targets with "proxy_pass https://backend".
    # The server line is missing from the post as quoted; INTERNAL_HTTPS_HOST is a placeholder.
    upstream backend {
        server INTERNAL_HTTPS_HOST:443;
    }

    include /etc/nginx/conf.d/*.conf;
}

[root@ping0a conf.d]# more ping0a_ssl.conf

# HTTPS server

server {
    listen 9999 default ssl;
    index index.php index.html index.htm;

    ssl                  on;
    ssl_certificate      /etc/pki/tls/certs/IdP.pem;
    ssl_certificate_key  /etc/pki/tls/private/IdP.key;

    ssl_session_timeout  5m;

    ssl_protocols  SSLv3 TLSv1;      # SSLv3 is obsolete; TLSv1.2 should be offered instead
    ssl_prefer_server_ciphers   on;

    location / {
        proxy_store off;
        proxy_pass https://backend;                 # "backend" is the upstream block in nginx.conf
        proxy_set_header X-Real-IP  $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $host;
        proxy_ssl_verify off;                       # the backend certificate is not verified
    }
}

From the hosts in the DMZ where NGINX is installed I can reach the
HTTPS server:

[root@ping0a conf.d]# wget --no-check-certificate
--2014-10-08 11:20:25--
Connecting to… connected.
WARNING: certificate common name ‘’ doesn’t match
requested host name ‘’.
HTTP request sent, awaiting response… 200 OK
Length: unspecified [text/html]
Saving to: ‘app’

[ <=>                                   ] 5,576       --.-K/s   in 


2014-10-08 11:20:25 (45.8 MB/s) - ‘app’ saved [5576]

What is wrong in my configuration?

Thank you,

Posted at Nginx Forum:


Which distro are you using?

The first thing that comes to mind with this type of issue is that SELinux
is enabled and blocking nginx from making connections to the upstream. You
can test if this is the case by turning SELinux off and seeing if that
resolves the issue.

This of course only applies to distros that enable SELinux by default
( and crew for sure). I'm not sure if AppArmor can cause the same issues
on Debian, but it might be worth looking into if that's what you're using.

– Justin

Posted at Nginx Forum:
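As an added illustration of Justin's point (not code from the thread): a small POSIX shell check that finds the SELinux AVC denial behind the "connect() ... (13: Permission denied)" line, run here over constructed audit.log records. It goes one step beyond the thread by naming the targeted SELinux boolean for the fix instead of turning SELinux off; the boolean is httpd_can_network_connect, on the assumption that nginx runs in the httpd_t domain under the stock RHEL/CentOS targeted policy.

```shell
#!/bin/sh
# Constructed sample of /var/log/audit/audit.log records (not from the thread):
# one AVC denial of nginx's outbound connect() and one unrelated denial.
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1412696307.123:45): avc:  denied  { name_connect } for  pid=2606 comm="nginx" dest=443 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1412696310.456:46): avc:  denied  { read } for  pid=2610 comm="sshd" name="x" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file'

# Read audit records on stdin and print the destination port of every AVC
# record in which SELinux denied the nginx process an outbound TCP connect,
# the denial that surfaces as "(13: Permission denied)" and a 502 in nginx's
# error log. Exit status 0 if at least one such record was found, else 1.
nginx_connect_denials() {
    awk '/^type=AVC/ && /denied +[{] name_connect [}]/ && /comm="nginx"/ && /tclass=tcp_socket/ {
             for (i = 1; i <= NF; i++)
                 if ($i ~ /^dest=/) { sub(/^dest=/, "", $i); print $i; found = 1 }
         }
         END { exit found ? 0 : 1 }'
}

# Print the targeted remediation for the ports found above: the boolean that
# lets the httpd_t domain (nginx, assumed) open outbound connections, instead
# of disabling SELinux entirely. With no ports, point at the other usual causes.
remediation_for() {
    if [ -n "$1" ]; then
        echo "setsebool -P httpd_can_network_connect on"
    else
        echo "no SELinux connect denials for nginx; check firewall, routing and the upstream itself"
    fi
}

ports=$(printf '%s\n' "$SAMPLE_AUDIT_LOG" | nginx_connect_denials)
echo "nginx connects denied by SELinux, destination ports: ${ports:-none}"
remediation_for "$ports"
```

On a live host, feed the function with `ausearch -m avc -ts recent` output or the audit log itself instead of the constructed sample.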

ip.forwarding on?

Correct Justin… beginner's mistake … I disabled firewalld but
forgot SELinux …

I installed it on CentOS 7.0.

Do you know how to troubleshoot it when sometimes the proxy doesn't go
through … and other times it works?


Posted at Nginx Forum:

Single nic deployed, the solution of Justin worked.

Thank you,

Posted at Nginx Forum:
