I have a problem with my NGINX configuration. I have two webservers running on Windows servers. Which one is called from outside with 443 and then should be forwarded to the server with 41001. The second server block should be called by the FQDN and nginx should forward this to FQDN.com/test. Internal and external.

On the first server block this takes forever to load and nothing seems to work. With the second server block I get a 404 back.

This is what my configurations and the error logs look like:

server {
    server_name test.example.com;
    return 301 http://test.example.com/test$request_uri;
    }


server {
        listen  443 ssl http2;
        listen  [::]:443 ssl http2;
 
        access_log /var/log/nginx/test_service_access.log;
        error_log /var/log/nginx/test_service_error.log;

        ssl_certificate /etc/nginx/ssl/test.com.pem;
        ssl_certificate_key /etc/nginx/ssl/test.key;
        ssl_session_timeout 1d;
        ssl_session_tickets off;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-G>
        ssl_prefer_server_ciphers off;

        location /test {
        proxy_pass https://10.10.10.10/test/;
        }

        client_max_body_size    0;
        proxy_connect_timeout   90s;
        proxy_send_timeout              90s;
        proxy_read_timeout              90s;
        send_timeout                    90;
    }

server {
        server_name test2.example.com;
        # Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
        return 301 https://test2.example.com$request_uri;
}

server {
        listen  443 ssl http2;
        listen  [::]:443 ssl http2;
        server_name test2.example.com;

        access_log /var/log/nginx/test2_service_access.log;
        error_log /var/log/nginx/test2_service_error.log;

        ssl_certificate /etc/nginx/ssl/test2.example.com.pem;
        ssl_certificate_key /etc/nginx/ssl/test2example.key;

#       ssl_session_cache shared:SSL:50m;
        ssl_session_timeout 1d;
        ssl_session_tickets off;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-G>
        ssl_prefer_server_ciphers off;

        add_header Strict-Transport-Security max-age=15768000;

        location / {

#       resolver 10.150.10.10 8.8.8.8;
        proxy_pass https://test2.example.com:41001/;
        proxy_redirect  https://test2.example.com:41001/ https://test2.example.com/;

        client_max_body_size    0;
        proxy_connect_timeout   90s;
        proxy_send_timeout              90s;
        proxy_read_timeout              90s;
        send_timeout                    90;
        }
    }
}

I looked at the error.logs and this is what came up.

2022/02/13 12:54:58 [error] 2620#2620: *15 open() "/usr/share/nginx/html/DocuWare/Platform/LoginRedirect" failed (2: No such file or directory), client: xxx.xxx.xxx.xxx, server: , request: "GET /DocuWare/Platform/LoginRedirect?returnUrl=%2fdocuware%2fPlatform%2fWebClient%2f HTTP/2.0", host: "test2.domain.com", referrer: "https://test.domain.com/docuware/Platform/WebClient/"

2022/02/13 12:35:17 [error] 2541#2541: *1 upstream timed out (110: Connection timed out) while connecting to upstream, client:

Regarding the first error, I don't understand exactly what is wrong.

As I understand it, I need to define an upstream for the server with port 41001, is that correct?

Am I missing something here?

UPDATE

I have reduced my configuration to the minimum so that I can test this. My configuration now looks like this:

######################################################################
   upstream abacus {
      server 10.120.50.11; 
   }
   
   server {
      listen 80;
      server_name abacus.example.com;
      return 301 https://abacus.example.com$request_uri;
   }
    
   server {
      listen 443 ssl;
      server_name abacus.example.com;
      ssl_certificate /etc/nginx/ssl/xxx.com.pem;
      ssl_certificate_key /etc/nginx/ssl/xxx.key;
      ssl_protocols TLSv1.2 TLSv1.3;

      access_log /var/log/nginx/abacus_service_access.log;
      error_log /var/log/nginx/abacus_service_error.log;

   location / {
      proxy_pass http://abacus;
   }
}

#######################################################################
   upstream docuware {
      server 10.120.50.10; 
   }
   
   server {
      listen 80;
      server_name docuware.example.com;
      return 301 https://docuware.example.com$request_uri;
   }
   
   server {
      listen 443 ssl;
      server_name docuware.example.com;
      ssl_certificate /etc/nginx/ssl/xxx.pem;
      ssl_certificate_key /etc/nginx/ssl/xxx.key;
      ssl_protocols TLSv1.2 TLSv1.3;

      access_log /var/log/nginx/docuware_service_access.log;
      error_log /var/log/nginx/docuware_service_error.log;
      
   location / {
      proxy_pass http://docuware/docuware;
   }
}
}

When I access the server "abacus.example.com", I get to the IIS homepage. So here I have to define that I come from outside with 443 (HTTPS) and I am redirected to port 23001.

If I access the server "docuware.example.com/docuware", I get a 404 - File or directory was not found. So here I have to define somehow that it can access the server with the subpath.

In the internal network this works without problems. I am redirected to "docuware.example.com/DocuWare/Platform/WebClient/ClientAccount/xxx".

Do you see here what I have to adjust? I've been beating my head against it for hours.

Tero Kilkanen
  • proxy_pass is imho wrongly set – djdomi Feb 13 '22 at 15:59
  • Please add example requests, which exact URL you are trying to request, and what is the expected result and actual result. – Tero Kilkanen Feb 13 '22 at 16:04
  • I edited my post for more information – Cyanmodex9 Feb 13 '22 at 17:43
  • @TeroKilkanen Added the updates for the requests – Cyanmodex9 Feb 13 '22 at 19:21
  • Are you using the exact same URL when accessing via internal network and external network? – Tero Kilkanen Feb 13 '22 at 20:24
  • @TeroKilkanen Yes I do. From inside I access with "https://docuware.domain.com/docuware" and "https://abacus.domain.com" and it works. So that's why I'm struggling with how I can make that work from external. For the abacus server would a proxypass with ":23001" and redirect work? And for the docuware with the subpath "/docuware" from external... I really have no clue how to solve that. – Cyanmodex9 Feb 13 '22 at 21:01

2 Answers


The first error says that nginx cannot find the specific file at the location which it has. One way to solve that is to give nginx a specific folder for files that are requested. That's how web servers work.

I am not sure if you can redirect user with nginx from non-SSL traffic to SSL traffic. Both request and response should be the same encrypted/non-encrypted no matter how many steps there are to access target server from user web browser.

Look into the nginx logs to see if nginx goes into a loop, where the request is going to the same server which is redirected.

pbies

One thing that is likely needed is setting proper Host header for the proxied headers:

For abacus:

location / {
    proxy_set_header Host abacus.example.com;
    proxy_pass http://abacus;
}

For docuware:

location /docuware {
    proxy_set_header Host docuware.example.com;
    proxy_pass http://docuware/docuware/;
}
Tero Kilkanen
  • Thanks a lot! This solved my problem with abacus. It's working now. Still got troubles with docuware. I get a 404 page not found but the URL changes to "/Platform/WebClient/". The error log says "/usr/share/nginx/html/Platform/WebClient/index.html" is not found. – Cyanmodex9 Feb 14 '22 at 12:45
  • What is the full URL that it changes to? – Tero Kilkanen Feb 14 '22 at 16:19
  • Hello Tero! Thanks a lot for your knowledge and help. I managed to get it to work. I set the header host and the proxy_pass with / at the end and set the read_timeout. Now everything works! The only last thing is to change the URL "docuware.domain.com" to "docuware.domain.com/docuware" automatically when accessing it via browser. I think I can solve that :) – Cyanmodex9 Feb 14 '22 at 16:31
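
An added example, not part of the original posts and not nginx code: a small Python model of nginx's documented `proxy_pass` path replacement for plain prefix locations, run against the `location`/`proxy_pass` pairs posted on this page. The function and dictionary names are hypothetical, and `ALIGNED_DOCUWARE` is a constructed variant that does not appear in the thread.

```python
from urllib.parse import urlsplit

# Constructed from the location/proxy_pass pairs posted on this page.
UPDATE_DOCUWARE = {"/": "http://docuware/docuware"}           # question, UPDATE
ANSWER_DOCUWARE = {"/docuware": "http://docuware/docuware/"}  # second answer
ABACUS = {"/": "http://abacus"}                               # no URI part
# Hypothetical variant (not from the page): slashes aligned on both sides.
ALIGNED_DOCUWARE = {"/docuware/": "http://docuware/docuware/"}


def upstream_path(locations, request_path):
    """Path nginx sends upstream, or None when no location matches.

    Models plain prefix locations only (no regex, "=" or "^~"); matching is
    case-sensitive, as on Linux. request_path excludes the query string.
    """
    matches = [loc for loc in locations if request_path.startswith(loc)]
    if not matches:
        return None  # nginx falls back to the server's root directory
    loc = max(matches, key=len)  # longest matching prefix wins
    uri = urlsplit(locations[loc]).path
    if uri == "":
        return request_path  # proxy_pass without URI: path passed unchanged
    # proxy_pass with URI: the matched location prefix is replaced by it
    return uri + request_path[len(loc):]


def report():
    """Evaluate request paths taken from the posts against each config."""
    cases = [
        ("update", UPDATE_DOCUWARE, "/docuware"),
        ("answer", ANSWER_DOCUWARE, "/docuware/Platform/WebClient/"),
        ("answer", ANSWER_DOCUWARE, "/Platform/WebClient/"),
        ("answer", ANSWER_DOCUWARE, "/DocuWare/Platform/LoginRedirect"),
        ("aligned", ALIGNED_DOCUWARE, "/docuware/Platform/WebClient/"),
        ("abacus", ABACUS, "/"),
    ]
    return [(name, path, upstream_path(cfg, path)) for name, cfg, path in cases]


if __name__ == "__main__":
    for name, path, result in report():
        print(f"{name:8} {path:36} -> {result}")
```

A `None` result means the request matched no `location`, which is consistent with the `open() "/usr/share/nginx/html/..." failed` entries quoted from the error log: nginx looked for the file under its local root instead of proxying.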