Looking for how-to on setting up a proxy



  • Hi All,

    I am one of the (un)lucky bunch to have used StartSSL certs to secure my ScreenConnect webserver. Now that Google no longer recognizes those, I have clients who are getting a message that this website is insecure. I'd like to use Let's Encrypt but ConnectWise hasn't bothered to get off their ass to allow this so I'd like to setup either Nginx or Apache to serve as a proxy so that I can leverage Let's Encrypt.

    I have no experience in this setup and much of the documentation I find online (my google-fu is failing me) seems to be woefully outdated, not to mention that not having done this before, I'm hoping to find something pretty detailed. Here's what I'd like to do...

    I have a new, fresh install of ScreenConnect setup on a Ubuntu server. I've tested it in its native config and everything works using the standard 8040 and 8041 ports.

    Can anyone point me to good documentation on how to setup Apache or Nginx as a reverse proxy? The aim here is that it will only serve to allow the use of Let's Encrypt for certs so the plan is that I only need to secure the web portal. If I understand this correctly, the certs will secure the proxy on port 443 and it will redirect traffic to the standard port 8040 internally.

    Btw I'm really hoping to find documentation that will describe the process in enough detail for a newbie. I like to figure these things out for myself a bit. It's one thing to have someone give you a step by step instruction manual but I also would like to understand what's happening so I can reproduce this later if needed.



  • This is also something i have never done but would like to.





  • I like this article: https://blog.roushtech.net/2014/02/19/pci-compliant-screenconnect-setup-nginx/

    note: It's from 2014, so the config options and recommendations may not be the same today. It also assumes that your NGINX Proxy and the ScreenConnect bits are on the same server.

    I like the article because it goes into a little detail on the why of some of the settings.



  • @dafyre said in Looking for how-to on setting up a proxy:

    I like this article: https://blog.roushtech.net/2014/02/19/pci-compliant-screenconnect-setup-nginx/

    note: It's from 2014, so the config options and recommendations may not be the same today. It also assumes that your NGINX Proxy and the ScreenConnect bits are on the same server.

    I like the article because it goes into a little detail on the why of some of the settings.

    The thing is he suggests you need 2 public IPs which is rediculous. The services are on different ports so that wouldn't be necessary. And you're right, it is very very old.



  • @NashBrydges said in Looking for how-to on setting up a proxy:

    @dafyre said in Looking for how-to on setting up a proxy:

    I like this article: https://blog.roushtech.net/2014/02/19/pci-compliant-screenconnect-setup-nginx/

    note: It's from 2014, so the config options and recommendations may not be the same today. It also assumes that your NGINX Proxy and the ScreenConnect bits are on the same server.

    I like the article because it goes into a little detail on the why of some of the settings.

    The thing is he suggests you need 2 public IPs which is rediculous. The services are on different ports so that wouldn't be necessary. And you're right, it is very very old.

    I'm not sure how I missed that, lol!

    I don't think you need a second IP address for this. I'd start by omitting that or setting it to the current public IP address... but I should also note that, sadly, I do not use ScreenConnect.


  • Service Provider

    I have a guide here on setting up an Nginx reverse proxy on CentOS 7


  • Service Provider


  • Service Provider

    And for let's encrypt just use certbot


  • Service Provider

    I should update that guy now that certbot is normal



  • @JaredBusch Thanks. That was written when i was taking a break from adulting(2015). Ill take alook this weekend.



  • @JaredBusch Thanks for this, I'll have a look. Seeing as it is from 2015, has anything changed with the process since then or would this still apply with the current version of Nginx?


  • Service Provider

    @NashBrydges said in Looking for how-to on setting up a proxy:

    @JaredBusch Thanks for this, I'll have a look. Seeing as it is from 2015, has anything changed with the process since then or would this still apply with the current version of Nginx?

    In the setup? Nope. Only the SSL with certbot



  • @JaredBusch Awesome, thanks. I'll give this a try this weekend.



  • So I finally got around to giving this a try and I'm getting a bad gateway error.

    I am running ScreenConnect on Ubuntu 16.04.2 and installed Nginx (sudo apt-get install nginx). Nginx is installed on the same host as ScreenConnect.

    I adapted your file details for ScreenConnect as follows (hope this is correct)...

    • created a file named redacted.ca.conf and saved it in /etc/nginx/conf.d/

    Content of the file is...

    server {
    	client_max_body_size 40M;
    	listen 443 ssl;
    	server_name www.redacted.ca redacted.ca;
    	ssl          on;
    	ssl_certificate /etc/letsencrypt/live/redacted.ca/cert.pem;
    	ssl_certificate_key /etc/letsencrypt/live/redacted.ca/privkey.pem;
    
    	location / {
    		proxy_set_header X-Real-IP $remote_addr;
    		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    		proxy_set_header Host $http_host;
    		proxy_set_header X-NginX-Proxy true;
    		proxy_pass https://127.0.0.1:8040;
    		proxy_redirect off;
    	}
    }
    

    I've confirmed that Nginx and ScreenConnect services are running after restarting both.

    When I try to access ScreenConnect, I get a secured HTTPS connection but a bad gateway error. The Nginx error log shows this...

    2017/04/17 19:50:30 [error] 13586#13586: *10 SSL_do_handshake() failed (SSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol) while SSL handshaking to upstream, client: xxx.xxx.xxx.xxx, server: www.redacted.ca, request: "GET /favicon.ico HTTP/1.1", upstream: "https://127.0.0.1:8040/favicon.ico", host: "redacted.ca", referrer: "https://redacted.ca/"

    Any hints on what I'm doing wrong?

    I could blow away the server altogether and rebuild using CentOS to follow the how-to exactly but I'd obviously prefer not having to recreate the proverbial wheel.



  • I should add that ScreenConnect is fully accessible at www.redacted.ca:8040 so I'm pretty sure I screwed something up somewhere.


  • Service Provider

    Did you reload Nginx after adding the configuration file?



  • @scottalanmiller Sure did. Restarted both Nginx and ScreenConnect services.


  • Service Provider

    Here is a really simple nginx config that I have...

      server {
          listen 443 ssl http2;
          server_name server.com www.server.com;
    
          ssl on;
          include ssl.conf;
          ssl_certificate      /etc/letsencrypt/live/server.com/fullchain.pem;
          ssl_certificate_key  /etc/letsencrypt/live/server.com/privkey.pem;
    
          location / {
            proxy_pass http://127.0.0.1/; }
      }
    


  • @scottalanmiller said in Looking for how-to on setting up a proxy:

    server {
    listen 443 ssl http2;
    server_name server.com www.server.com;

      ssl on;
      include ssl.conf;
      ssl_certificate      /etc/letsencrypt/live/server.com/fullchain.pem;
      ssl_certificate_key  /etc/letsencrypt/live/server.com/privkey.pem;
    
      location / {
        proxy_pass http://127.0.0.1/; }
    

    }

    When I use this simplified file, and modify only for my domain, Nginx won't restart. It appears I'm in an even worse spot with this file than before unfortunately.


  • Service Provider

    What error does it give you when Nginx fails? Maybe your cert paths is bad.



  • Thanks Scott. The error was because of the include ssl.conf; reference. I removed this line and now it connects and HTTPS is enabled. All seems to work. I'll have to test some more but...awesome! Thanks for your help!



  • Only thing left to do now is to figure out how to redirect HTTP traffic to HTTPS and I'm done.


  • Service Provider

    @NashBrydges said in Looking for how-to on setting up a proxy:

    Only thing left to do now is to figure out how to redirect HTTP traffic to HTTPS and I'm done.

    Your traffic is already SSL on port 443. There is nothing on http.

    The connection from the proxy to ScreenConnect can be non SSL is it is all behind a firewall because nothing comes from the firewall to ScreenConnect.

    Here is my Nginx ScreenConnect conf file.

    [[email protected] ~]# cat /etc/nginx/conf.d/support.bundystl.com.conf
    server {
        client_max_body_size 40M;
        listen 443 ssl;
        server_name support.bundystl.com;
        server_tokens off;
        ssl          on;
        ssl_certificate /etc/letsencrypt/live/daerma.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/daerma.com/privkey.pem;
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        ssl_dhparam /etc/ssl/certs/dhparam.pem;
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
    
        location / {
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
            proxy_set_header X-NginX-Proxy true;
            proxy_pass http://10.254.0.36:8040;
            proxy_redirect off;
    
            # Socket.IO Support
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
    
        }
    }
    
    server {
        client_max_body_size 40M;
        listen 80;
        server_name support.bundystl.com;
        rewrite        ^ https://$server_name$request_uri? permanent;
    }
    

    NOw you will need port 8041 forwarded through your router directly to the ScreenConnect server because that port is the pre encrypted relay port.



  • @JaredBusch said in Looking for how-to on setting up a proxy:

    server {
    client_max_body_size 40M;
    listen 80;
    server_name support.bundystl.com;
    rewrite ^ https://$server_name$request_uri? permanent;
    }

    Yep, got all that done and it's working well. What I was referring to was redirecting traffic to HTTPS. Essentially this is the part of the file I was missing...

    server {
        client_max_body_size 40M;
        listen 80;
        server_name support.bundystl.com;
        rewrite        ^ https://$server_name$request_uri? permanent;
    }
    


Looks like your connection to MangoLassi was lost, please wait while we try to reconnect.