Looking for how-to on setting up a proxy
-
Hi All,
I am one of the (un)lucky bunch to have used StartSSL certs to secure my ScreenConnect webserver. Now that Google no longer recognizes those, I have clients who are getting a message that this website is insecure. I'd like to use Let's Encrypt but ConnectWise hasn't bothered to get off their ass to allow this so I'd like to setup either Nginx or Apache to serve as a proxy so that I can leverage Let's Encrypt.
I have no experience in this setup and much of the documentation I find online (my google-fu is failing me) seems to be woefully outdated, not to mention that not having done this before, I'm hoping to find something pretty detailed. Here's what I'd like to do...
I have a new, fresh install of ScreenConnect setup on a Ubuntu server. I've tested it in its native config and everything works using the standard 8040 and 8041 ports.
Can anyone point me to good documentation on how to setup Apache or Nginx as a reverse proxy? The aim here is that it will only serve to allow the use of Let's Encrypt for certs so the plan is that I only need to secure the web portal. If I understand this correctly, the certs will secure the proxy on port 443 and it will redirect traffic to the standard port 8040 internally.
Btw I'm really hoping to find documentation that will describe the process in enough detail for a newbie. I like to figure these things out for myself a bit. It's one thing to have someone give you a step by step instruction manual but I also would like to understand what's happening so I can reproduce this later if needed.
-
This is also something i have never done but would like to.
-
https://www.nginx.com/resources/admin-guide/nginx-tcp-ssl-upstreams/
This might be useful.
-
I like this article: https://blog.roushtech.net/2014/02/19/pci-compliant-screenconnect-setup-nginx/
note: It's from 2014, so the config options and recommendations may not be the same today. It also assumes that your NGINX Proxy and the ScreenConnect bits are on the same server.
I like the article because it goes into a little detail on the why of some of the settings.
-
@dafyre said in Looking for how-to on setting up a proxy:
I like this article: https://blog.roushtech.net/2014/02/19/pci-compliant-screenconnect-setup-nginx/
note: It's from 2014, so the config options and recommendations may not be the same today. It also assumes that your NGINX Proxy and the ScreenConnect bits are on the same server.
I like the article because it goes into a little detail on the why of some of the settings.
The thing is he suggests you need 2 public IPs which is rediculous. The services are on different ports so that wouldn't be necessary. And you're right, it is very very old.
-
@NashBrydges said in Looking for how-to on setting up a proxy:
@dafyre said in Looking for how-to on setting up a proxy:
I like this article: https://blog.roushtech.net/2014/02/19/pci-compliant-screenconnect-setup-nginx/
note: It's from 2014, so the config options and recommendations may not be the same today. It also assumes that your NGINX Proxy and the ScreenConnect bits are on the same server.
I like the article because it goes into a little detail on the why of some of the settings.
The thing is he suggests you need 2 public IPs which is rediculous. The services are on different ports so that wouldn't be necessary. And you're right, it is very very old.
I'm not sure how I missed that, lol!
I don't think you need a second IP address for this. I'd start by omitting that or setting it to the current public IP address... but I should also note that, sadly, I do not use ScreenConnect.
-
I have a guide here on setting up an Nginx reverse proxy on CentOS 7
-
-
And for let's encrypt just use certbot
-
I should update that guy now that certbot is normal
-
@JaredBusch Thanks. That was written when i was taking a break from adulting(2015). Ill take alook this weekend.
-
@JaredBusch Thanks for this, I'll have a look. Seeing as it is from 2015, has anything changed with the process since then or would this still apply with the current version of Nginx?
-
@NashBrydges said in Looking for how-to on setting up a proxy:
@JaredBusch Thanks for this, I'll have a look. Seeing as it is from 2015, has anything changed with the process since then or would this still apply with the current version of Nginx?
In the setup? Nope. Only the SSL with certbot
-
@JaredBusch Awesome, thanks. I'll give this a try this weekend.
-
So I finally got around to giving this a try and I'm getting a bad gateway error.
I am running ScreenConnect on Ubuntu 16.04.2 and installed Nginx (sudo apt-get install nginx). Nginx is installed on the same host as ScreenConnect.
I adapted your file details for ScreenConnect as follows (hope this is correct)...
- created a file named redacted.ca.conf and saved it in
/etc/nginx/conf.d/
Content of the file is...
server { client_max_body_size 40M; listen 443 ssl; server_name www.redacted.ca redacted.ca; ssl on; ssl_certificate /etc/letsencrypt/live/redacted.ca/cert.pem; ssl_certificate_key /etc/letsencrypt/live/redacted.ca/privkey.pem; location / { proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $http_host; proxy_set_header X-NginX-Proxy true; proxy_pass https://127.0.0.1:8040; proxy_redirect off; } }
I've confirmed that Nginx and ScreenConnect services are running after restarting both.
When I try to access ScreenConnect, I get a secured HTTPS connection but a bad gateway error. The Nginx error log shows this...
2017/04/17 19:50:30 [error] 13586#13586: *10 SSL_do_handshake() failed (SSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol) while SSL handshaking to upstream, client: xxx.xxx.xxx.xxx, server: www.redacted.ca, request: "GET /favicon.ico HTTP/1.1", upstream: "https://127.0.0.1:8040/favicon.ico", host: "redacted.ca", referrer: "https://redacted.ca/"
Any hints on what I'm doing wrong?
I could blow away the server altogether and rebuild using CentOS to follow the how-to exactly but I'd obviously prefer not having to recreate the proverbial wheel.
- created a file named redacted.ca.conf and saved it in
-
I should add that ScreenConnect is fully accessible at www.redacted.ca:8040 so I'm pretty sure I screwed something up somewhere.
-
Did you reload Nginx after adding the configuration file?
-
@scottalanmiller Sure did. Restarted both Nginx and ScreenConnect services.
-
Here is a really simple nginx config that I have...
server { listen 443 ssl http2; server_name server.com www.server.com; ssl on; include ssl.conf; ssl_certificate /etc/letsencrypt/live/server.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/server.com/privkey.pem; location / { proxy_pass http://127.0.0.1/; } }
-
@scottalanmiller said in Looking for how-to on setting up a proxy:
server {
listen 443 ssl http2;
server_name server.com www.server.com;ssl on; include ssl.conf; ssl_certificate /etc/letsencrypt/live/server.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/server.com/privkey.pem; location / { proxy_pass http://127.0.0.1/; }
}
When I use this simplified file, and modify only for my domain, Nginx won't restart. It appears I'm in an even worse spot with this file than before unfortunately.