
Nginx reverse proxy on windows help please

JCBiggs

Hey guys. So I have the address sub.domain.com:port working and I'm getting a valid SSL cert.

Now I'm trying to make sub.domain.com go to that address with the port.

I have nginx running but I can't seem to get the syntax right to make proxy_pass work.

Could anyone give me some help?

PS. Could I forward both HTTP and HTTPS requests? (Forcing security for non-default HTTPS users)


# Plain HTTP: send everything to HTTPS.
server {
        listen 80;
        server_name test.youtube.com;
        return 301 https://$host$request_uri;
}

# HTTPS: terminate TLS here and proxy to the backend on <PORT>.
server {
        listen 443 ssl http2;
        server_name test.youtube.com;

        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

        location / {
                proxy_pass http://127.0.0.1:<PORT>;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Host $server_name;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header X-Forwarded-Ssl on;
                proxy_redirect off;
                proxy_buffering off;
        }
}

These are snippets of my config. I assume it's the same on Windows.

Obviously the SSL stuff is missing, so that would need to be added.


2 hours ago, Denned said:

# Plain HTTP: send everything to HTTPS.
server {
        listen 80;
        server_name test.youtube.com;
        return 301 https://$host$request_uri;
}

# HTTPS: terminate TLS here and proxy to the backend on <PORT>.
server {
        listen 443 ssl http2;
        server_name test.youtube.com;

        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

        location / {
                proxy_pass http://127.0.0.1:<PORT>;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Host $server_name;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header X-Forwarded-Ssl on;
                proxy_redirect off;
                proxy_buffering off;
        }
}

These are snippets of my config. I assume it's the same on Windows.

Obviously the SSL stuff is missing, so that would need to be added.

So I'm definitely getting redirects from 80 to 443, but the page still won't load. Error: connection closed unexpectedly.

I'm not sure what to do at this point.

 


OK, so I think I understand what you mean now. From what I'm reading, nginx terminates the HTTPS connection and requires its own certificates to complete the connection.

I have a certificate on my server already, and the app requires an HTTPS connection. So how can I ensure the security of the nginx server? I'm under the assumption that the end user will still see the app server certificate in the address bar, but will there be another certificate added? Can this be a self-signed cert or does it need to be from a CA?

This whole part has me confused.


2 minutes ago, JCBiggs said:

OK, so I think I understand what you mean now. From what I'm reading, nginx terminates the HTTPS connection and requires its own certificates to complete the connection.

I have a certificate on my server already, and the app requires an HTTPS connection. So how can I ensure the security of the nginx server? I'm under the assumption that the end user will still see the app server certificate in the address bar, but will there be another certificate added? Can this be a self-signed cert or does it need to be from a CA?

This whole part has me confused.

In the config I posted, you need to change the <PORT> if I wasn't clear about that part :)

 

In regards to SSL, I use Let's Encrypt. So my SSL config would look similar to:

    ssl_certificate /etc/letsencrypt/live/my-domain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/my-domain/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;

But if you use Let's Encrypt, it should be added to the config automatically.

I have no clue if there are any differences on Windows, and I also don't know how that would work with other certificates.


10 minutes ago, Denned said:

In the config I posted, you need to change the <PORT> if I wasn't clear about that part :)

 

In regards to SSL, I use Let's Encrypt. So my SSL config would look similar to:

    ssl_certificate /etc/letsencrypt/live/my-domain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/my-domain/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;

But if you use Let's Encrypt, it should be added to the config automatically.

I have no clue if there are any differences on Windows, and I also don't know how that would work with other certificates.

Yes, I did change the port. I tried many, many different combinations of host names and ports and proxy_pass and proxy_redirect trying to get it to work.

I'm fine using Let's Encrypt, I just don't understand what it's doing here. If the client-to-server app traffic is encrypted, then why do I need nginx to re-encrypt? Why can't it just pass the traffic?


Can you paste your nginx config here? Also, is your certificate self-signed or did you acquire it through a certificate authority like letsencrypt?


On 2/24/2019 at 3:43 AM, hugot said:

Can you paste your nginx config here? Also, is your certificate self-signed or did you acquire it through a certificate authority like letsencrypt?

I ended up getting it working. I had to use the "stream" argument to completely pass through the SSL traffic to get end-to-end encryption. Works great. I knew there had to be a way to just pass traffic and not terminate it.
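What the "stream" pass-through looks like in practice, as an added example that is not JCBiggs's actual config: the stream module reads the server name from the TLS ClientHello and forwards the raw bytes to the app's own HTTPS port, so nginx holds no private key and the browser sees the app's certificate, not a second one. The hostname, the port 8443 and the variable name $tls_backend are placeholders.

```nginx
# Added example, not the poster's config. Replace sub.domain.com and
# 127.0.0.1:8443 with your own name and the app's HTTPS port.
# This block lives at the top level of nginx.conf, next to (not inside)
# the http { } block; the http block keeps the port-80 redirect but
# must not also listen on 443. Check that your build has the module
# with: nginx -V (look for --with-stream).

stream {
    # Pick the backend by SNI. ssl_preread only parses the ClientHello;
    # nothing is decrypted, so no certificate or key is configured here.
    map $ssl_preread_server_name $tls_backend {
        sub.domain.com  127.0.0.1:8443;
        # Any other name goes to a closed port, so the handshake fails
        # instead of being forwarded to the app under a foreign name.
        default         127.0.0.1:1;
    }

    server {
        listen 443;
        ssl_preread on;
        proxy_pass $tls_backend;
        proxy_connect_timeout 5s;
    }
}
```

Because nothing is decrypted, nginx cannot add X-Forwarded-For or HSTS here: the app sees 127.0.0.1 as the client unless both sides speak PROXY protocol, and any header-based routing has to happen in the app itself.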

 


I think we need a clearer understanding of what you're doing minus the ambiguity.

You don't need to reveal the domain, but just make it clearer what you're trying to achieve.

 

Is this a website or application? (Not every application uses SSL encryption even though they use certificates)

Are you trying to go from http(s)://sub.domain.com to https://sub.domain.com:PORTB or to http://sub.domain.com:PORTB or just simply to sub.domain.com:PORTB? The latter is a little more configuration.

 

I'm using haproxy so I can speak directly to the config you need but I certainly understand the process. I'm hosting 3-4 different websites that are https - for those I just pass the traffic through. I have 1 application that doesn't properly use SSL (horizon) and I have to decrypt to pull header/host information so I can properly route traffic. 


20 hours ago, Mikensan said:

I think we need a clearer understanding of what you're doing minus the ambiguity.

You don't need to reveal the domain, but just make it clearer what you're trying to achieve.

 

Is this a website or application? (Not every application uses SSL encryption even though they use certificates)

Are you trying to go from http(s)://sub.domain.com to https://sub.domain.com:PORTB or to http://sub.domain.com:PORTB or just simply to sub.domain.com:PORTB? The latter is a little more configuration.

 

I'm using haproxy so I can speak directly to the config you need but I certainly understand the process. I'm hosting 3-4 different websites that are https - for those I just pass the traffic through. I have 1 application that doesn't properly use SSL (horizon) and I have to decrypt to pull header/host information so I can properly route traffic. 

I posted directly above yours. I got it working.

 


3 hours ago, JCBiggs said:

I posted directly above yours. I got it working.

 

Awesome, glad you got it working.
