RD Gateway thru Reverse Proxy

classic Classic list List threaded Threaded
2 messages Options
xrd
Reply | Threaded
Open this post in threaded view
|

RD Gateway thru Reverse Proxy

xrd
I have multiple servers internal that need to use port 443 due to
requirements of the applications and vendors.  One is a Windows 2016
Essentials server the other a custom web app on Linux that requires a
communication to the cloud on 443.  I have setup a reverse proxy and it's
excellent.  Only issue I'm having is with Essentials server I login to the
web console and when I click to launch a RD Gateway session it comes up and
I can authenticate but when it's going to launch the actual session it
fails.

Error I get is:

2019/12/10 14:27:48 [error] 27899#27899: *291 upstream prematurely closed
connection while reading response header from upstream, client: <IP I'm at>,
server: <essentials URL>, request: "RDG_OUT_DATA /remoteDesktopGateway/
HTTP/1.1", uupstream: "https:/<internal_ip>:443/remoteDesktopGateway/",
host: "<essentials_URL>"

Below is my custom config settings:

######--------------BEGIN of the script                                    
                         server {
    listen 80;  
    server_name <essentials_URL>;  
    #       redirect http to https        
    return 301 https://$server_name$request_uri;
    client_max_body_size 0;
    proxy_http_version 1.1;
    proxy_buffering off;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
   
    location / {    
        proxy_pass http://<essentials_internal_ip>;
    }
}  

server {  
    listen 80;
    server_name <smartwebsite_url>;
    #       redirect http to https        
    return 301 https://$server_name$request_uri;   
    client_max_body_size 0;
    proxy_http_version 1.1;
    proxy_buffering off;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;

    location / {
        proxy_pass http://<smartwebsite_internal_ip>;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name <essentials_URL>;
    ssl_certificate /config/user-data/ssl_chain_essentials.pem;
    ssl_certificate_key /config/user-data/ssl_chain_key_essentials.pem;
    access_log /var/log/nginx/<essentials-URL>.access.log;
    error_log /var/log/nginx/<essentials-URL>.error.log;          
    ssl_session_timeout 1d;          
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;        
    ssl_ciphers
"EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
   
    ssl_prefer_server_ciphers on;        
    ssl_session_cache shared:SSL:10m;  
    #dh param        
    ssl_dhparam /config/user-data/dhparam.pem;  
    # Enable HTTP Strict-Transport-Security
    # If you have a subdomain of your site,
    # be careful to use the 'includeSubdomains' options        
    add_header Strict-Transport-Security "max-age=63072000;
    includeSubdomains; preload";  
    # XSS Protection for Nginx web server        
    add_header X-Frame-Options DENY;        
    add_header X-XSS-Protection "1; mode=block";        
    add_header X-Content-Type-Options nosniff;        
    ssl_session_cache shared:SSL:10m;        
    add_header X-Robots-Tag none;    
    client_max_body_size 0;  
    proxy_http_version 1.1;  
    proxy_buffering off;  
    proxy_set_header Upgrade $http_upgrade;  
    proxy_set_header Connection "Upgrade";  
    proxy_set_header Host $host;  
    proxy_set_header X-Real-IP $remote_addr;  
    proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;    
    location / {    
        proxy_pass https://<essentials_internal_ip>;  
    }
}  

server {
    listen 443 ssl;
    server_name <smartwebsite_url>;
    ssl_certificate /config/user-data/ssl_chain_smartweb.pem;
    ssl_certificate_key /config/user-data/ssl_chain_key_smartweb.pem;
    access_log /var/log/nginx/<smartwebsite-URL>.access.log;
    error_log /var/log/nginx/<smartwebsite-URL>.error.log;
    ssl_session_timeout 1d;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers
"EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    #dh param
    ssl_dhparam /config/user-data/dhparam.pem;
    # Enable HTTP Strict-Transport-Security
    # If you have a subdomain of your site,
    # be carefull to use the 'includeSubdomains' options
    add_header Strict-Transport-Security "max-age=63072000;
    includeSubdomains; preload";  
    # XSS Protection for Nginx web server
    add_header X-Frame-Options DENY;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options nosniff;    
    add_header X-Robots-Tag none;
    client_max_body_size 0;
    proxy_http_version 1.1;
    proxy_buffering off;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
    location / {
       proxy_pass https://<smartwebsite_internal_ip>:8123;
    }
}  
#######-----------------end of script----------------------------  


Thoughts?

Thanks.

JR

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,286440,286440#msg-286440

_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx
Reply | Threaded
Open this post in threaded view
|

Re: RD Gateway thru Reverse Proxy

Moshe Katz
RD Gateway isn't a real HTTP(S) connection, so you need to use a `stream` block.

This has been discussed on this email list several years ago: https://forum.nginx.org/read.php?11,266872

Moshe

On Tue, Dec 10, 2019, 4:11 PM jriker1 <[hidden email]> wrote:
I have multiple servers internal that need to use port 443 due to
requirements of the applications and vendors.  One is a Windows 2016
Essentials server the other a custom web app on Linux that requires a
communication to the cloud on 443.  I have setup a reverse proxy and it's
excellent.  Only issue I'm having is with Essentials server I login to the
web console and when I click to launch a RD Gateway session it comes up and
I can authenticate but when it's going to launch the actual session it
fails.

Error I get is:

2019/12/10 14:27:48 [error] 27899#27899: *291 upstream prematurely closed
connection while reading response header from upstream, client: <IP I'm at>,
server: <essentials URL>, request: "RDG_OUT_DATA /remoteDesktopGateway/
HTTP/1.1", uupstream: "https:/<internal_ip>:443/remoteDesktopGateway/",
host: "<essentials_URL>"

Below is my custom config settings:

######--------------BEGIN of the script                                     
                         server {
    listen 80;   
    server_name <essentials_URL>; 
    #       redirect http to https         
    return 301 https://$server_name$request_uri;
    client_max_body_size 0;
    proxy_http_version 1.1;
    proxy_buffering off;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;

    location / {     
        proxy_pass http://<essentials_internal_ip>;
    }
}   

server {   
    listen 80;
    server_name <smartwebsite_url>;
    #       redirect http to https         
    return 301 https://$server_name$request_uri;   
    client_max_body_size 0;
    proxy_http_version 1.1;
    proxy_buffering off;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;

    location / {
        proxy_pass http://<smartwebsite_internal_ip>;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name <essentials_URL>;
    ssl_certificate /config/user-data/ssl_chain_essentials.pem;
    ssl_certificate_key /config/user-data/ssl_chain_key_essentials.pem;
    access_log /var/log/nginx/<essentials-URL>.access.log;
    error_log /var/log/nginx/<essentials-URL>.error.log;         
    ssl_session_timeout 1d;         
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;         
    ssl_ciphers
"EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";

    ssl_prefer_server_ciphers on;         
    ssl_session_cache shared:SSL:10m; 
    #dh param         
    ssl_dhparam /config/user-data/dhparam.pem; 
    # Enable HTTP Strict-Transport-Security
    # If you have a subdomain of your site,
    # be careful to use the 'includeSubdomains' options         
    add_header Strict-Transport-Security "max-age=63072000;
    includeSubdomains; preload"; 
    # XSS Protection for Nginx web server         
    add_header X-Frame-Options DENY;         
    add_header X-XSS-Protection "1; mode=block";         
    add_header X-Content-Type-Options nosniff;         
    ssl_session_cache shared:SSL:10m;         
    add_header X-Robots-Tag none;   
    client_max_body_size 0;   
    proxy_http_version 1.1;   
    proxy_buffering off;   
    proxy_set_header Upgrade $http_upgrade;   
    proxy_set_header Connection "Upgrade";   
    proxy_set_header Host $host;   
    proxy_set_header X-Real-IP $remote_addr;   
    proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;   
    location / {     
        proxy_pass https://<essentials_internal_ip>;   
    }
}   

server {
    listen 443 ssl;
    server_name <smartwebsite_url>;
    ssl_certificate /config/user-data/ssl_chain_smartweb.pem;
    ssl_certificate_key /config/user-data/ssl_chain_key_smartweb.pem;
    access_log /var/log/nginx/<smartwebsite-URL>.access.log;
    error_log /var/log/nginx/<smartwebsite-URL>.error.log;
    ssl_session_timeout 1d;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers
"EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    #dh param
    ssl_dhparam /config/user-data/dhparam.pem;
    # Enable HTTP Strict-Transport-Security
    # If you have a subdomain of your site,
    # be carefull to use the 'includeSubdomains' options
    add_header Strict-Transport-Security "max-age=63072000;
    includeSubdomains; preload"; 
    # XSS Protection for Nginx web server
    add_header X-Frame-Options DENY;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options nosniff;   
    add_header X-Robots-Tag none;
    client_max_body_size 0;
    proxy_http_version 1.1;
    proxy_buffering off;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
    location / {
       proxy_pass https://<smartwebsite_internal_ip>:8123;
    }

#######-----------------end of script---------------------------- 


Thoughts?

Thanks.

JR

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,286440,286440#msg-286440

_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx

_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx