ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    Looking for how-to on setting up a proxy

    Scheduled Pinned Locked Moved IT Discussion
    screenconnectlets encryptapache 2nginxproxy
    25 Posts 6 Posters 5.9k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • NashBrydgesN
      NashBrydges @JaredBusch
      last edited by

      @JaredBusch Awesome, thanks. I'll give this a try this weekend.

      1 Reply Last reply Reply Quote 0
      • NashBrydgesN
        NashBrydges
        last edited by

        So I finally got around to giving this a try and I'm getting a bad gateway error.

        I am running ScreenConnect on Ubuntu 16.04.2 and installed Nginx (sudo apt-get install nginx). Nginx is installed on the same host as ScreenConnect.

        I adapted your file details for ScreenConnect as follows (hope this is correct)...

        • created a file named redacted.ca.conf and saved it in /etc/nginx/conf.d/

        Content of the file is...

        server {
        	client_max_body_size 40M;
        	listen 443 ssl;
        	server_name www.redacted.ca redacted.ca;
        	ssl          on;
        	ssl_certificate /etc/letsencrypt/live/redacted.ca/cert.pem;
        	ssl_certificate_key /etc/letsencrypt/live/redacted.ca/privkey.pem;
        
        	location / {
        		proxy_set_header X-Real-IP $remote_addr;
        		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        		proxy_set_header Host $http_host;
        		proxy_set_header X-NginX-Proxy true;
        		proxy_pass https://127.0.0.1:8040;
        		proxy_redirect off;
        	}
        }
        

        I've confirmed that Nginx and ScreenConnect services are running after restarting both.

        When I try to access ScreenConnect, I get a secured HTTPS connection but a bad gateway error. The Nginx error log shows this...

        2017/04/17 19:50:30 [error] 13586#13586: *10 SSL_do_handshake() failed (SSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol) while SSL handshaking to upstream, client: xxx.xxx.xxx.xxx, server: www.redacted.ca, request: "GET /favicon.ico HTTP/1.1", upstream: "https://127.0.0.1:8040/favicon.ico", host: "redacted.ca", referrer: "https://redacted.ca/"

        Any hints on what I'm doing wrong?

        I could blow away the server altogether and rebuild using CentOS to follow the how-to exactly but I'd obviously prefer not having to recreate the proverbial wheel.

        1 Reply Last reply Reply Quote 0
        • NashBrydgesN
          NashBrydges
          last edited by

          I should add that ScreenConnect is fully accessible at www.redacted.ca:8040 so I'm pretty sure I screwed something up somewhere.

          1 Reply Last reply Reply Quote 0
          • scottalanmillerS
            scottalanmiller
            last edited by

            Did you reload Nginx after adding the configuration file?

            NashBrydgesN 1 Reply Last reply Reply Quote 0
            • NashBrydgesN
              NashBrydges @scottalanmiller
              last edited by

              @scottalanmiller Sure did. Restarted both Nginx and ScreenConnect services.

              1 Reply Last reply Reply Quote 0
              • scottalanmillerS
                scottalanmiller
                last edited by

                Here is a really simple nginx config that I have...

                  server {
                      listen 443 ssl http2;
                      server_name server.com www.server.com;
                
                      ssl on;
                      include ssl.conf;
                      ssl_certificate      /etc/letsencrypt/live/server.com/fullchain.pem;
                      ssl_certificate_key  /etc/letsencrypt/live/server.com/privkey.pem;
                
                      location / {
                        proxy_pass http://127.0.0.1/; }
                  }
                
                NashBrydgesN 1 Reply Last reply Reply Quote 0
                • NashBrydgesN
                  NashBrydges @scottalanmiller
                  last edited by

                  @scottalanmiller said in Looking for how-to on setting up a proxy:

                  server {
                  listen 443 ssl http2;
                  server_name server.com www.server.com;

                    ssl on;
                    include ssl.conf;
                    ssl_certificate      /etc/letsencrypt/live/server.com/fullchain.pem;
                    ssl_certificate_key  /etc/letsencrypt/live/server.com/privkey.pem;
                  
                    location / {
                      proxy_pass http://127.0.0.1/; }
                  

                  }

                  When I use this simplified file, and modify only for my domain, Nginx won't restart. It appears I'm in an even worse spot with this file than before unfortunately.

                  1 Reply Last reply Reply Quote 0
                  • scottalanmillerS
                    scottalanmiller
                    last edited by

                    What error does it give you when Nginx fails? Maybe your cert paths is bad.

                    1 Reply Last reply Reply Quote 0
                    • NashBrydgesN
                      NashBrydges
                      last edited by

                      Thanks Scott. The error was because of the include ssl.conf; reference. I removed this line and now it connects and HTTPS is enabled. All seems to work. I'll have to test some more but...awesome! Thanks for your help!

                      1 Reply Last reply Reply Quote 2
                      • NashBrydgesN
                        NashBrydges
                        last edited by

                        Only thing left to do now is to figure out how to redirect HTTP traffic to HTTPS and I'm done.

                        JaredBuschJ 1 Reply Last reply Reply Quote 0
                        • JaredBuschJ
                          JaredBusch @NashBrydges
                          last edited by

                          @NashBrydges said in Looking for how-to on setting up a proxy:

                          Only thing left to do now is to figure out how to redirect HTTP traffic to HTTPS and I'm done.

                          Your traffic is already SSL on port 443. There is nothing on http.

                          The connection from the proxy to ScreenConnect can be non SSL is it is all behind a firewall because nothing comes from the firewall to ScreenConnect.

                          Here is my Nginx ScreenConnect conf file.

                          [root@nginxproxy ~]# cat /etc/nginx/conf.d/support.bundystl.com.conf
                          server {
                              client_max_body_size 40M;
                              listen 443 ssl;
                              server_name support.bundystl.com;
                              server_tokens off;
                              ssl          on;
                              ssl_certificate /etc/letsencrypt/live/daerma.com/fullchain.pem;
                              ssl_certificate_key /etc/letsencrypt/live/daerma.com/privkey.pem;
                              ssl_stapling on;
                              ssl_stapling_verify on;
                              ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
                              ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
                              ssl_prefer_server_ciphers on;
                              ssl_session_cache shared:SSL:10m;
                              ssl_dhparam /etc/ssl/certs/dhparam.pem;
                              add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
                          
                              location / {
                                  proxy_set_header X-Real-IP $remote_addr;
                                  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                                  proxy_set_header Host $http_host;
                                  proxy_set_header X-NginX-Proxy true;
                                  proxy_pass http://10.254.0.36:8040;
                                  proxy_redirect off;
                          
                                  # Socket.IO Support
                                  proxy_http_version 1.1;
                                  proxy_set_header Upgrade $http_upgrade;
                                  proxy_set_header Connection "upgrade";
                          
                              }
                          }
                          
                          server {
                              client_max_body_size 40M;
                              listen 80;
                              server_name support.bundystl.com;
                              rewrite        ^ https://$server_name$request_uri? permanent;
                          }
                          

                          NOw you will need port 8041 forwarded through your router directly to the ScreenConnect server because that port is the pre encrypted relay port.

                          NashBrydgesN 1 Reply Last reply Reply Quote 0
                          • NashBrydgesN
                            NashBrydges @JaredBusch
                            last edited by

                            @JaredBusch said in Looking for how-to on setting up a proxy:

                            server {
                            client_max_body_size 40M;
                            listen 80;
                            server_name support.bundystl.com;
                            rewrite ^ https://$server_name$request_uri? permanent;
                            }

                            Yep, got all that done and it's working well. What I was referring to was redirecting traffic to HTTPS. Essentially this is the part of the file I was missing...

                            server {
                                client_max_body_size 40M;
                                listen 80;
                                server_name support.bundystl.com;
                                rewrite        ^ https://$server_name$request_uri? permanent;
                            }
                            
                            1 Reply Last reply Reply Quote 0
                            • 1
                            • 2
                            • 2 / 2
                            • First post
                              Last post