Configure NGINX to deny web socket connections except for certain paths


Configure NGINX to deny web socket connections except for certain paths

zakirenish
This will sound a little odd, but we have an NGINX reverse proxy acting as
an SSL termination point for a remote desktop web gateway from Microsoft.

Currently, the primary Web Client ingress point is protected by SSL Client
Certificates - you must have a valid SSL Client Certificate to get to the
web component.

However, RDWeb from Microsoft still has to establish WSS connections
(`wss://...`) to the RD Gateway component - a separate server.  The tricky
part about this is it uses *only* `wss`.  This works fine if the web
frontend is open to all, but we want to restrict it so that only one WSS
pathway can actually be used and no other WSS requests work.

When attempting to make this work, we've been trying various configurations
of location matching ultimately ending with the WSS connections all failing
except when passed through directly WITHOUT any restrictions (that is,
`location / { ... }` is globally permitted for the gateway component.)

Is there a way to configure NGINX so that it tests the requested wss path
*first* before it hands off to the backend, thereby determining if it's
permitted or rejected?

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,287519,287519#msg-287519

_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx

Re: Configure NGINX to deny web socket connections except for certain paths

zakirenish
teward Wrote:
-------------------------------------------------------
> This works fine if
> the web frontend is open to all, but we want to restrict it so that
> only one WSS pathway can actually be used and no other WSS requests
> work.

To clarify, there's a separate `server { }` block handling the gateway
separate from the RDWeb ingress point.  This is necessary for the wss links
to work.  Unfortunately, we need to control what wss / request paths are
used on there and currently don't have a way to do this that I'm aware of -
can we configure that nginx server block for the gateway component to do
what we need?

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,287519,287522#msg-287522

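As an added example (not code from either post above, nor from nginx or Microsoft documentation), here is a gateway `server { }` block of the kind the second post describes: it lets the WebSocket upgrade through on exactly one path and answers 403 to an Upgrade request on any other path, before anything is sent to the backend. The hostname, certificate paths, upstream address and the `/remoteDesktopGateway/` path are assumptions; substitute the values from the real deployment.

```nginx
# Fragment of the http { } context of nginx.conf (added example, not from the
# thread). Hostnames, certificate paths, the upstream and the permitted path
# are assumptions; replace them with the real deployment's values.

# Standard WebSocket helper: send "Connection: upgrade" upstream only when the
# client actually sent an Upgrade header.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# 1 when the request asks for a WebSocket upgrade, 0 otherwise.
map $http_upgrade $is_websocket {
    default          0;
    "~*^websocket$"  1;
}

upstream rdgateway {
    server 10.0.0.10:443;   # assumed RD Gateway host
}

server {
    listen 443 ssl;
    server_name gateway.example.com;                 # assumed

    ssl_certificate     /etc/nginx/tls/gateway.crt;  # assumed
    ssl_certificate_key /etc/nginx/tls/gateway.key;  # assumed

    # The one path on which wss:// is permitted (assumed name). nginx selects
    # the location from the request path before contacting the upstream, so
    # the "test the path first, then hand off" check happens right here.
    location ^~ /remoteDesktopGateway/ {
        proxy_pass https://rdgateway;
        proxy_http_version 1.1;                      # required for Upgrade
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host       $host;
        proxy_read_timeout 3600s;                    # long-lived RDP session
    }

    # Every other path: refuse Upgrade requests outright. Ordinary requests
    # are still proxied, but without the Upgrade/Connection headers, so the
    # backend cannot negotiate a WebSocket on them even if it tried.
    location / {
        if ($is_websocket) {
            return 403;
        }
        proxy_pass https://rdgateway;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
    }
}
```

Check it with `nginx -t`, then send an Upgrade request to a non-permitted path (for example `curl -ik -H 'Upgrade: websocket' -H 'Connection: Upgrade' https://gateway.example.com/anything`): nginx should answer 403 itself, and the backend access log should show nothing for that request. The same request against the permitted path should be handed to the backend, whose reply (101 or otherwise) then depends on the gateway. One caveat worth keeping in mind when restricting by location: a location that is meant to carry WebSocket traffic must itself set `proxy_http_version 1.1` plus the `Upgrade` and `Connection` headers, since nginx does not inherit them from another location; a restricted location without them will break every wss connection, which matches the "works only with an unrestricted `location /`" symptom described above.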