    Looking for how-to on setting up a proxy

    IT Discussion
    screenconnect lets encrypt apache 2 nginx proxy
    • scottalanmiller

      What error does it give you when Nginx fails? Maybe your cert path is bad.

      • NashBrydges

        Thanks Scott. The error was because of the include ssl.conf; reference. I removed this line and now it connects and HTTPS is enabled. All seems to work. I'll have to test some more but...awesome! Thanks for your help!

        • NashBrydges

          Only thing left to do now is to figure out how to redirect HTTP traffic to HTTPS and I'm done.

          • JaredBusch @NashBrydges

            @NashBrydges said in Looking for how-to on setting up a proxy:

            Only thing left to do now is to figure out how to redirect HTTP traffic to HTTPS and I'm done.

            Your traffic is already SSL on port 443. There is nothing on http.

            The connection from the proxy to ScreenConnect can be non-SSL if it is all behind a firewall because nothing comes from the firewall to ScreenConnect.

            Here is my Nginx ScreenConnect conf file.

            [root@nginxproxy ~]# cat /etc/nginx/conf.d/support.bundystl.com.conf
            server {
                client_max_body_size 40M;
                listen 443 ssl;
                server_name support.bundystl.com;
                server_tokens off;
                ssl          on;
                ssl_certificate /etc/letsencrypt/live/daerma.com/fullchain.pem;
                ssl_certificate_key /etc/letsencrypt/live/daerma.com/privkey.pem;
                ssl_stapling on;
                ssl_stapling_verify on;
                ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
                ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
                ssl_prefer_server_ciphers on;
                ssl_session_cache shared:SSL:10m;
                ssl_dhparam /etc/ssl/certs/dhparam.pem;
                add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
            
                location / {
                    proxy_set_header X-Real-IP $remote_addr;
                    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                    proxy_set_header Host $http_host;
                    proxy_set_header X-NginX-Proxy true;
                    proxy_pass http://10.254.0.36:8040;
                    proxy_redirect off;
            
                    # Socket.IO Support
                    proxy_http_version 1.1;
                    proxy_set_header Upgrade $http_upgrade;
                    proxy_set_header Connection "upgrade";
            
                }
            }
            
            server {
                client_max_body_size 40M;
                listen 80;
                server_name support.bundystl.com;
                rewrite        ^ https://$server_name$request_uri? permanent;
            }
            

            Now you will need port 8041 forwarded through your router directly to the ScreenConnect server because that port is the pre-encrypted relay port.

            • NashBrydges @JaredBusch

              @JaredBusch said in Looking for how-to on setting up a proxy:

              server {
              client_max_body_size 40M;
              listen 80;
              server_name support.bundystl.com;
              rewrite ^ https://$server_name$request_uri? permanent;
              }

              Yep, got all that done and it's working well. What I was referring to was redirecting traffic to HTTPS. Essentially this is the part of the file I was missing...

              server {
                  client_max_body_size 40M;
                  listen 80;
                  server_name support.bundystl.com;
                  rewrite        ^ https://$server_name$request_uri? permanent;
              }
              
              1 Reply Last reply Reply Quote 0
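An added example, not part of the thread or of any poster's configuration: a small Python check that reads nginx `server` blocks like the ones posted above and reports a port-80 server that does not redirect to HTTPS, along with legacy `ssl_protocols` values, the deprecated `ssl on;` directive and a missing HSTS header on TLS servers. The sample config, its hostnames and addresses are constructed placeholders, and `server_blocks` and `audit` are hypothetical helper names.

```python
import re
# Constructed sample config; hostnames and addresses are placeholders, not from the thread.
SAMPLE = """
server {
    listen 443 ssl;
    server_name support.example.com;
    ssl on;
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    add_header Strict-Transport-Security "max-age=31536000";
    location / { proxy_pass http://192.0.2.10:8040; }
}
server {
    listen 80;
    server_name support.example.com;
    rewrite ^ https://$server_name$request_uri? permanent;
}
server {
    listen 80;
    server_name legacy.example.com;
    location / { proxy_pass http://192.0.2.10:8040; }
}
"""
# Yield the body of each server { ... } block by brace matching (assumes no braces in strings or comments).
def server_blocks(conf):
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += (conf[i] == "{") - (conf[i] == "}")
            i += 1
        yield conf[m.end():i - 1]
# Return (server_name, finding) tuples for every server block in the config text.
def audit(conf):
    out = []
    for body in server_blocks(conf):
        m = re.search(r"^\s*server_name\s+([^;\s]+)", body, re.M)
        name = m.group(1) if m else "(unnamed)"
        listens = re.findall(r"^\s*listen\s+([^;]+);", body, re.M)
        if any("ssl" in l.split() for l in listens):  # TLS listener
            protos = re.search(r"^\s*ssl_protocols\s+([^;]+);", body, re.M)
            weak = [p for p in (protos.group(1).split() if protos else []) if p in ("SSLv3", "TLSv1", "TLSv1.1")]
            if weak:
                out.append((name, "legacy protocols enabled: " + " ".join(weak)))
            if re.search(r"^\s*ssl\s+on\s*;", body, re.M):  # superseded by "listen ... ssl"
                out.append((name, "deprecated 'ssl on;' directive"))
            if "Strict-Transport-Security" not in body:
                out.append((name, "no HSTS header"))
        elif not re.search(r"^\s*(?:return\s+30[1278]|rewrite\s+\S+)\s+https://", body, re.M):
            out.append((name, "port 80 server does not redirect to HTTPS"))
    return out
```

Calling `audit(open(path).read())` on a file from `/etc/nginx/conf.d/` returns an empty list when every plain-HTTP server redirects and no TLS server trips a check.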