NGINX Reverse proxy with HTTPS

Follow up of a previous question of mine.

What I want to do?

I want to have my reverse proxy [NGINX] to redirect incoming webtraffic (HTTP and HTTPS) to the correct server based on the sub-domain.

The traffic towards the reverseproxy (RP) from the internet should be with HTTPS while inside my network I don't mind http traffic.

What is my current situation?

I got my webservices running, as of now only 2, iRedMail and Kanboard. Both can be reached via http without a problem. I was able to share my wildcard certificate from my RP with my other servers (I learned later, this isn't necessary).

However, when I try to reach my Servers domain-name via https over Firefox I get PR_END_OF_FILE_ERROR and via Chrome ERR:CONNECTION_CLOSED. In this case it doesn't matter if I try to reach the webserver on the RP itself or the other 2.

Meaning I understood the NGINX with http proxy but failed when it came to certificates and https proxy.

For my configurations please check out the following pastebins, I don't want this post to be to long. All pasts will be available for 6 Months, and I will edit this post to add my failed configuration, if there is any.

And finally the output of logs I thought about:

 (Reverse-Proxy)> sudo nano /var/log/nginx/error.log
2020/02/21 07:07:46 [error] 9213#9213: *1 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: XXX.XXX.XXX.XXX, server: 0.0.0.0:443
2020/02/21 07:08:27 [error] 9213#9213: *2 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: XXX.XXX.XXX.XXX, server: 0.0.0.0:443
2020/02/21 07:11:46 [error] 9320#9320: *1 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: XXX.XXX.XXX.XXX, server: 0.0.0.0:443
2020/02/21 07:12:03 [error] 9320#9320: *2 open() "/usr/share/nginx/html/favicon.ico" failed (2: No such file or directory), client: XXX.XXX.XXX.XXX, server: request: "GET /favic$
2020/02/21 07:12:07 [error] 9320#9320: *3 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: XXX.XXX.XXX.XXX, server: 0.0.0.0:443
2020/02/21 07:23:12 [error] 9320#9320: *4 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: XXX.XXX.XXX.XXX, server: 0.0.0.0:443
2020/02/21 07:23:12 [error] 9320#9320: *5 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: XXX.XXX.XXX.XXX, server: 0.0.0.0:443
2020/02/21 07:23:17 [error] 9320#9320: *6 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: XXX.XXX.XXX.XXX, server: 0.0.0.0:443
2020/02/21 07:23:47 [error] 9320#9320: *7 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: XXX.XXX.XXX.XXX, server: 0.0.0.0:443
2020/02/21 07:24:47 [error] 9320#9320: *8 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: XXX.XXX.XXX.XXX, server: 0.0.0.0:443
2020/02/21 07:29:47 [error] 9320#9320: *10 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: XXX.XXX.XXX.XXX, server: 0.0.0.0:443
2020/02/21 07:39:48 [error] 9320#9320: *11 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: XXX.XXX.XXX.XXX, server: 0.0.0.0:443
2020/02/21 07:53:21 [error] 9320#9320: *12 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: XXX.XXX.XXX.XXX, server: 0.0.0.0:443

I tried this from 7 am to 9 am, but the log stopped with errors around 8 am. I also checked the logs of the Kanboard server, but nothing was reported, neither for access nor error.

What I have checked so far:

  1. If I change the portforward for https directly to my mailserver I can access it without a problem
  2. I checked my RP-config for path errors regarding the certificate

Stacks I went through so far:

NGINX RP for multiple Server,Redirect via Subdomain,NGINX SSL in Home Network

Please tell me if you need anymore information.
PS: All IPs and Domains have been altered by me.
PPS: The pastebins have also been used for my certificate question.

EDITS:

  • Pastebin - Reverseproxy has been tweaked regarding the SSL config. (look for the ## in the pastebin). New error message ERR_TOO_MANY_REDIRECTS for access on subdomains. Domain itselfs works partly.
  • Pastebin - Reverseproxy has been tweaked again, to a solution I found. Each change has been commented with ## again
6

2 Answers

Thanks to Richard Smith and Seth giving me things to look at and pointing out flaws, I was able to get my servers running properly.

In the end I had a faulty Reverse-Proxy Configuration - at some settings I must have been blind, but here is what I changed.

Within >sudo nano /etc/nginx/sites-available/apache (apache is the name of my config file, yes I know misleading).

I changed quite a lot actually:

server {
listen 80;
listen 443 ssl; ## Listen on 443 ssl ssl_certificate /etc/letsencrypt/live/ ## use this cert ssl_certificate_key /etc/letsencrypt/live/ ## and this key
server_name example.com; ## react to this name-header
return 301 ## and redirect everything to on https
}

Before I forgot to use the paths for the cert and the key and did use a proxy-pass instead of a redirect.

I also added a new Block on my Config, that will simply listen to all traffic on 80 for and redirect it to https, so basically the same as above with another server-name.

The block of that listens to 443 (https) got changed in the location aswell.

location / { ## in any scenario
root /var/www/html/; ## give this directory
}

I moved the path down and added the root directive. Because if I understood this tutorial correctly, having it at the location / would mean it will only listen to URI requests targeting that directory.

And the final change has been the proxy_pass for the Kanboard and the iRedMail server.
Before:

location / { proxy_pass ... }

After:

location / { proxy_pass ... }

I have to admit, I'm not quite sure why I have to pass the traffic with https, but this simply means I didn't understand the Proxy and/or Reverse-proxy completly.

(I expected sending the pass with https would give me the warning regarding mutliple certificates again and also thought that with the "pass" the communication would go on in my Network, meaning http traffic would be sufficent).

PS: @Seth, the following message is the reason I used example.com

Body cannot contain "My-Fake-Domain".
Please use example.com (or .org or .net) for fake URLs. More Info

The whole config, with commented changes will be available at my pastebin for the next 6 months.

And again, if you need anymore information, if I made a mistake (again) or have a flaw in my changes, please tell me.

The error is often not related to the browser. In our case it was also not a configuration thing of nginx, but a wrong setting of the firewall. So logically, when I say that often has nothing to do with the browser, server-side and not client-side. Accordingly, it was not a proxy or VPN.

1

Your Answer

Sign up or log in

Sign up using Google Sign up using Facebook Sign up using Email and Password

Post as a guest

By clicking “Post Your Answer”, you agree to our terms of service, privacy policy and cookie policy

You Might Also Like