Hi Team,
I have a current URL, https://xxx.xxx.xxx:8081/neutrino-sso-web/, which is
directly NATed on the firewall on port 8081.
However, I would now like to put this URL behind an nginx reverse proxy. Since
the above URL has been given to many customers, it is not possible to
change it; we are planning to change it gradually.
In the meantime I installed nginx and am trying to relay the same setup,
so that if someone from the internet accessed
https://xx.xxxx.xxx:8081/neutrino-sso-web/ it would proxy_pass to the original
server.
My stanza is as below; however this is not working and I am getting
##########
This site can’t provide a secure connection
xxx.xxxx..xxx sent an invalid response.
ERR_SSL_PROTOCOL_ERROR
##############
server {
    listen 443 ssl;      # "ssl" is needed on every TLS listener; without it nginx speaks plain HTTP on 443
    listen 8081 ssl;
    server_name xx.xxxx.xxxx;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_certificate /etc/nginx/certs/xx.xx/216560a7cbdc5937.crt;
    ssl_certificate_key /etc/nginx/certs/xx.xx/xxxx.key;
    # This list applies to TLS 1.2 only (TLS 1.3 suites are not selected via ssl_ciphers).
    # It still permits 3DES (DES-CBC3) and static-RSA suites without forward secrecy.
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    ssl_dhparam /etc/nginx/certs/dhparam.pem;
    # add_header directives inside a location replace all add_header directives inherited
    # from the server level, so for "location /" only the headers set there are sent.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    ssl_session_timeout 1d;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    keepalive_timeout 70;

    if ( $request_method !~ ^(GET|POST|HEAD)$ ) {
        return 403;
    }

    access_log /var/log/nginx/xxx.xxxx/access.log;
    error_log /var/log/nginx/xxx.xxx/error.log;

    location / {
        client_max_body_size 700m;
        client_body_buffer_size 128k;
        proxy_send_timeout 90;
        proxy_http_version 1.1;
        proxy_read_timeout 90;
        proxy_buffer_size 128k;
        proxy_buffers 4 256k;
        proxy_busy_buffers_size 256k;
        proxy_temp_file_write_size 256k;
        proxy_connect_timeout 30s;
        # No URI part on proxy_pass: the request URI (/neutrino-sso-web/...) is forwarded to the
        # upstream unchanged. A proxy_pass with a URI part (e.g. .../neutrino-sso-web/login) would
        # replace the "/" matched by this location, producing /neutrino-sso-web/loginneutrino-sso-web/.
        proxy_pass https://xxx.xxx.xxx:8081;
        proxy_ssl_server_name on;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header Referrer-Policy "no-referrer-when-downgrade";
        add_header X-Frame-Options "SAMEORIGIN" always;
    }
}
Am I doing anything wrong?
TIA
Blason R
Posted at Nginx Forum: https://forum.nginx.org/read.php?2,295782,295782#msg-295782
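An added illustration, not part of the original post: with `location /` and a proxy_pass that carries a URI part such as `/neutrino-sso-web/login`, nginx replaces the portion of the request URI that matched the location with that URI, so a request for `/neutrino-sso-web/` is forwarded as `/neutrino-sso-web/loginneutrino-sso-web/`. The POSIX shell function below emulates that replacement rule for prefix locations (function names are mine; host names are placeholders; query strings and regex locations are not modelled) so the effect of each proxy_pass form can be checked before reloading nginx.

```sh
#!/bin/sh
# Added example: emulate how nginx derives the upstream URI from a prefix
# location and the URI part of proxy_pass. This is not the posted config.
#
# proxied_uri LOCATION PROXY_PASS_URI REQUEST_URI
#   LOCATION        prefix of the matching `location` block, e.g. "/"
#   PROXY_PASS_URI  URI part of proxy_pass after scheme://host:port, or ""
#                   when proxy_pass names only scheme://host:port
#   REQUEST_URI     normalized request path (no query string modelled)
proxied_uri() {
  loc=$1
  target=$2
  req=$3

  case "$req" in
    "$loc"*) ;;                              # request falls under this location
    *) printf 'no match\n'; return 1 ;;
  esac

  if [ -z "$target" ]; then
    # proxy_pass https://host:8081;  -> request URI forwarded unchanged
    printf '%s\n' "$req"
  else
    # proxy_pass https://host:8081/some/uri;  -> matched prefix is replaced
    printf '%s%s\n' "$target" "${req#"$loc"}"
  fi
}

# Mapping performed by "location /" + "proxy_pass https://host:8081/neutrino-sso-web/login;"
posted_config() {
  proxied_uri / /neutrino-sso-web/login "$1"
}

# Two forms that relay the public URL unchanged:
# 1) "location /" + "proxy_pass https://host:8081;" (no URI part)
passthrough_config() {
  proxied_uri / "" "$1"
}
# 2) "location /neutrino-sso-web/" + "proxy_pass https://host:8081/neutrino-sso-web/;"
mirrored_config() {
  proxied_uri /neutrino-sso-web/ /neutrino-sso-web/ "$1"
}

# Demonstration on the path from the thread:
posted_config /neutrino-sso-web/          # /neutrino-sso-web/loginneutrino-sso-web/
passthrough_config /neutrino-sso-web/     # /neutrino-sso-web/
mirrored_config /neutrino-sso-web/login   # /neutrino-sso-web/login
```

The first line of output shows why a `/login` suffix on proxy_pass breaks every path under the public prefix; either of the other two forms keeps the upstream path identical to the one customers already use.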
Hi,
thanks for the report.
On Wed, Nov 16, 2022 at 01:04:45PM -0500, blason wrote:
[...]
> My stanza is as below; however this is not working and I am getting
>
> ##########
> This site can’t provide a secure connection
> xxx.xxxx..xxx sent an invalid response.
> ERR_SSL_PROTOCOL_ERROR
> ##############
Is there anything interesting in the error.log file?
Have you tried to enable the debugging log [1]?
Have you tried to test the configuration with command line tools,
such as curl?
References
1. http://nginx.org/en/docs/debugging_log.html
--
Sergey A. Osokin
On Thu, Nov 17, 2022 at 12:58:31PM -0500, blason wrote:
Hi there,
> Nothing interesting as such however below is the curl output from nginx
> server
How sure are you that this response came from your nginx server?
> curl -I https://xxx.xxxx.xxx:8081/neutrino-sso-web
The nginx config you showed included some add_header directives.
The matching http response headers are not in what you show here.
> HTTP/1.1 302 Found
> Date: Thu, 17 Nov 2022 17:57:10 GMT
> Server: JBoss-EAP/7
> Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Is there any chance that you are actually talking to a different web
server entirely?
Do your nginx server logs show this request being handled?
(Or have I misunderstood something about this post?)
Cheers,
f
--
Francis Daly francis at daoine.org
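An added example, not part of the thread, that applies the check Francis describes to a captured `curl -I` response: the posted `location /` adds headers the upstream never sends (X-XSS-Protection, Referrer-Policy), and nginx by default does not pass the upstream's `Server` header through a proxy, so a reply carrying `Server: JBoss-EAP/7` and none of those headers did not come through nginx. The two header captures are constructed here (the first is trimmed from the one quoted in the thread, the second is what the posted config would add); the function names are mine.

```sh
#!/bin/sh
# Added example: decide from a `curl -I` capture whether a response was
# produced by the nginx reverse proxy or reached the client straight from
# the upstream, using the headers the posted nginx location adds.

# Constructed sample 1: trimmed from the capture quoted in the thread; only
# upstream (JBoss/Undertow) headers are present.
DIRECT_CAPTURE='HTTP/1.1 302 Found
Server: JBoss-EAP/7
X-Powered-By: Undertow/1
X-Frame-Options: DENY
Location: https://xxxx.xxxx.xxxx:8081/neutrino-sso-web/login
X-Content-Type-Options: nosniff'

# Constructed sample 2: the same request after passing through the posted
# "location /" block. nginx replaces the upstream Server header with its own,
# appends its add_header values, and still passes through upstream headers
# such as X-Frame-Options: DENY, so that header appears twice.
PROXIED_CAPTURE='HTTP/1.1 302 Found
Server: nginx
X-Frame-Options: DENY
Location: https://xxxx.xxxx.xxxx:8081/neutrino-sso-web/login
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Referrer-Policy: no-referrer-when-downgrade
X-Frame-Options: SAMEORIGIN'

# header_values NAME CAPTURE: print every value of header NAME, one per line.
# Header names are matched case-insensitively and CRLF endings are tolerated.
header_values() {
  printf '%s\n' "$2" | tr -d '\r' | grep -i "^$1:" | cut -d: -f2- \
    | sed 's/^[[:space:]]*//;s/[[:space:]]*$//'
}

# Headers added by the posted nginx location that the upstream does not send.
# X-Content-Type-Options is deliberately excluded: both sides emit it, so it
# cannot distinguish the two paths.
NGINX_MARKERS='X-XSS-Protection Referrer-Policy'

# via_nginx CAPTURE: succeed if every nginx-only marker is present, else fail
# and report what is missing together with the Server header seen.
via_nginx() {
  missing=''
  for name in $NGINX_MARKERS; do
    if [ -z "$(header_values "$name" "$1")" ]; then
      missing="$missing $name"
    fi
  done
  server=$(header_values Server "$1" | head -n 1)
  if [ -n "$missing" ]; then
    printf 'NOT via nginx (Server: %s); missing:%s\n' "$server" "$missing"
    return 1
  fi
  printf 'via nginx (Server: %s)\n' "$server"
}

via_nginx "$DIRECT_CAPTURE"   # NOT via nginx (Server: JBoss-EAP/7); missing: X-XSS-Protection Referrer-Policy
via_nginx "$PROXIED_CAPTURE"  # via nginx (Server: nginx)
```

In practice the capture comes from `curl -sI https://host:8081/neutrino-sso-web/`; if the check reports "NOT via nginx", the firewall NAT is still delivering port 8081 to the application server, which is also consistent with nothing appearing in nginx's access or error logs.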
Hi,
On Thu, Nov 17, 2022 at 12:58:31PM -0500, blason wrote:
> Nothing interesting as such however below is the curl output from nginx
> server
>
> curl -I https://xxx.xxxx.xxx:8081/neutrino-sso-web
> HTTP/1.1 302 Found
> Date: Thu, 17 Nov 2022 17:57:10 GMT
> Server: JBoss-EAP/7
> Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
> X-Powered-By: Undertow/1
> X-Powered-By: JSP/2.3
> X-Frame-Options: DENY
> Location: https://xxxx.xxxx.xxxx:8081/neutrino-sso-web/login
> Strict-Transport-Security: max-age=15768000 ; includeSubDomains
> X-Content-Type-Options: nosniff
> Content-Type: text/html; charset=UTF-8
> Set-Cookie:
> JSESSIONID="nhsQqmnRHPaYQMdNjhkMIQ7HL6vo-fWCrPTfC8Zd.master:aeon";
> Version=1; Path=/neutrino-sso-web; Secure;
> HttpOnly;HttpOnly;Secure;SameSite=strict
> Access-Control-Allow-Origin: *
So, the request and response both look good, 302 is the valid
response code from the upstream I believe, and that redirects
to a login page. No issue.
--
Sergey A. Osokin