0

I have two servers behind an nginx reverse proxy. I am being forwarded correctly to the sites, but one of the sites has a login before it allows you into the site (similar to sharepoint), and the reverse proxy seems to be breaking the login.

I asked a previous question that has a very similar environment here

I am redirected to the login, but I can't log in. However, if I remove the reverse proxy from the equation, then I can log in just fine.

The name of the server with the login is server2.mydomain.com

/etc/nginx/sites-available/default

```
server {
    listen 80 default;
    server_name _;
    return 301 https://$host$request_uri;
}

server {

    listen 443 ssl default_server;
    server_name server1.mydomain.com;

    ssl_certificate /usr/local/nginx/conf/mydomain.com.crt;
    ssl_certificate_key /usr/local/nginx/conf/mydomain.com.key;
    ssl_session_cache shared:SSL:10m;

    ssl_session_timeout 5m;

    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass http://192.168.0.15:80;
        proxy_set_header Host $host;

        proxy_redirect http:// $scheme://;

    }
}

server {
    listen 443 ssl;
    server_name server2.mydomain.com;

    ssl_certificate /usr/local/nginx/conf/mydomain.com.crt;
    ssl_certificate_key /usr/local/nginx/conf/mydomain.com.key;
    ssl_session_cache shared:SSL:10m;

    ssl_session_timeout 5m;

    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass http://192.168.0.20:80;
        proxy_set_header Host $host;

        proxy_redirect http:// $scheme://;

    }
}
```

When I go to server1.mydomain.com which is basically a static website, everything seems to work. But, when I go to server2.mydomain.com I get the popup window login, but am unable to successfully log in to the service.

The expected behavior would be that I'm able to log in and use this site as if the reverse proxy isn't there.

Here is the access log from the reverse proxy when I try to log into server2.mydomain.com

/var/log/nginx/access.log

```
192.168.0.5 - - [26/Jan/2016:02:23:52 -0600] "GET /test HTTP/1.1" 401 341 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko"
192.168.0.5 - - [26/Jan/2016:02:23:52 -0600] "GET /test HTTP/1.1" 401 1293 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko"
```

The /test is the section of the site that the login is located, so I was trying to go to server2.mydomain.com/test.

Is there anything that would obviously stop me from logging in? Any other log files I could check? Thanks in advance


EDIT1

I've tried several things, and none of them work.

My original config file gets me to the login, but it always returns an access denied page.

This config file:

/etc/nginx/sites-available/default

```
server {
    listen 443 ssl;
    server_name server2.mydomain.com;

    ssl_certificate /usr/local/nginx/conf/mydomain.com.crt;
    ssl_certificate_key /usr/local/nginx/conf/mydomain.com.key;
    ssl_session_cache shared:SSL:10m;

    ssl_session_timeout 5m;

    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass http://192.168.0.20:80;
    }
}
```

with the proxy_set_header line, and proxy_redirect, just takes me to a straight 403 forbidden access page, but is redirecting.

If I add the proxy_set_header line back, I get to the login again, but any login still fails. I've also tried changing the proxy_set_header to proxy_set_header X-Forwarded-Proto $scheme, and that broke it completely again. Any ideas?

trueCamelType

2 Answers

1

Your proxy redirect looks suspect. Have a look at the documentation, and also at the nginx beginners guide.

Basically, try removing everything other than proxy_pass from your location. This is mostly a guess, but it's worth a shot.

Tim
  • I read through all of the documentation including [this](https://www.nginx.com/resources/admin-guide/reverse-proxy/) stuff specific to reverse proxy. None of my configurations worked. I'll post all the different things I tried in my question. – trueCamelType Feb 04 '16 at 21:00
  • 1
    401 status code means unauthorised. Have a read here https://www.digitalocean.com/community/tutorials/how-to-troubleshoot-common-http-error-codes. I would be looking at the logs of the application you're proxying. Can you access the application directly, without the reverse proxy? – Tim Feb 04 '16 at 21:57
  • I can access it if I use `server1.mydomain.com`, but if I try going there via the ip, I get a 404, I thought maybe the reverse proxy was sending me to the ip, then changing the header after that, but that wouldn't make sense with the 401s. Yeah, I think this is a config problem on the server (it's IIS....bummer). I'll look through that and update you. Thanks again for the help. – trueCamelType Feb 04 '16 at 21:59
  • Access by IP may not be possible if servers and software are configured by domain name. Depends what application it is. Nginx expects domain names in your request. I remove the default_server part and create a dummy default, but that's because I host many domains on my server. – Tim Feb 04 '16 at 22:11
  • Ok, I was mistaken, it isn't giving me a 401. It's still showing the 401 message from me hitting cancel after several failed tries. It was just cached. It looks like it's not passing through the credentials correctly. Something like this http://serverfault.com/questions/478024/nginx-reverse-proxy-passthrough-basic-authenication . Unfortunately, that fix doesn't work for me, but I've found some really complicated looking things to try, such as http://shairosenfeld.blogspot.com/2011/03/authorization-header-in-nginx-for.html . The second answer has ways to not statically have the credentials – trueCamelType Feb 04 '16 at 22:36
  • The access logs you posted have a 401 return code. If your post is out of date you should update or add to it. – Tim Feb 04 '16 at 23:55
  • Disregard that last comment. It is a 401, but it bounces to login again, and doesn't show the 401 in the browser. I think one of those links I posted holds the answer. Sorry for the confusion. – trueCamelType Feb 04 '16 at 23:58
  • I have posted another question that is more relevant to the current problem [here](http://serverfault.com/questions/754351/what-is-a-correct-ways-to-allow-login-to-an-iis-site-through-a-reverse-proxy). I will revisit this question, once I have confirmed that my problem is related to the other question. Thanks again for the help, and I'll definitely revisit this, and mark this as the answer for this question if it turns out to be correct after I fix my other problem. – trueCamelType Feb 05 '16 at 21:40
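
One way to check from the proxy side whether credentials reach the backend, as an added example that is not part of the original posts: a debug log format that records which authentication scheme the client sent and which challenge the upstream returned, without writing the credentials themselves to disk. The log file name, the `auth_debug` format name and the `$authz_scheme` / `$authz_name` variables are assumptions; the `map` and `log_format` directives must sit in the `http` context, which is where a `sites-available` file is normally included.

```nginx
# Added diagnostic example, not from the original thread.

# Keep only the scheme word of the Authorization header; the credential
# part after the first space is never logged.
map $http_authorization $authz_scheme {
    default                         "other";
    ""                              "none";
    "~*^(?<authz_name>[a-z]+) "     $authz_name;
}

# One line per request: what the client sent, what the backend answered,
# and whether consecutive requests shared a client connection.
log_format auth_debug '$remote_addr [$time_local] "$request" '
                      'status=$status '
                      'upstream=$upstream_addr upstream_status=$upstream_status '
                      'client_auth=$authz_scheme '
                      'challenge="$upstream_http_www_authenticate" '
                      'conn=$connection conn_reqs=$connection_requests';

server {
    listen 443 ssl;
    server_name server2.mydomain.com;

    # ssl_* directives unchanged from the question

    # Hypothetical log path; kept separate from the main access log.
    access_log /var/log/nginx/server2-auth.log auth_debug;

    location / {
        proxy_pass http://192.168.0.20:80;
        proxy_set_header Host $host;
    }
}
```

A 401 logged with `client_auth=none` is the normal first challenge; a 401 logged with `client_auth` set to the same scheme named in `challenge` means the browser did send credentials through the proxy and the backend still rejected them, which points the investigation at the backend's own logs.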
-1

I had a similar problem a while ago; I solved it by fixing folder access for the group that the process was started with.

What user is NGINX configured to use? And does that user have access to those SSL folder locations?

ref: How do I change the NGINX user?

JtD