Looking for how-to on setting up a proxy
-
This is also something I have never done but would like to.
-
https://www.nginx.com/resources/admin-guide/nginx-tcp-ssl-upstreams/
This might be useful.
-
I like this article: https://blog.roushtech.net/2014/02/19/pci-compliant-screenconnect-setup-nginx/
note: It's from 2014, so the config options and recommendations may not be the same today. It also assumes that your NGINX Proxy and the ScreenConnect bits are on the same server.
I like the article because it goes into a little detail on the why of some of the settings.
-
@dafyre said in Looking for how-to on setting up a proxy:
I like this article: https://blog.roushtech.net/2014/02/19/pci-compliant-screenconnect-setup-nginx/
note: It's from 2014, so the config options and recommendations may not be the same today. It also assumes that your NGINX Proxy and the ScreenConnect bits are on the same server.
I like the article because it goes into a little detail on the why of some of the settings.
The thing is he suggests you need 2 public IPs which is ridiculous. The services are on different ports so that wouldn't be necessary. And you're right, it is very very old.
-
@NashBrydges said in Looking for how-to on setting up a proxy:
@dafyre said in Looking for how-to on setting up a proxy:
I like this article: https://blog.roushtech.net/2014/02/19/pci-compliant-screenconnect-setup-nginx/
note: It's from 2014, so the config options and recommendations may not be the same today. It also assumes that your NGINX Proxy and the ScreenConnect bits are on the same server.
I like the article because it goes into a little detail on the why of some of the settings.
The thing is he suggests you need 2 public IPs which is ridiculous. The services are on different ports so that wouldn't be necessary. And you're right, it is very very old.
I'm not sure how I missed that, lol!
I don't think you need a second IP address for this. I'd start by omitting that or setting it to the current public IP address... but I should also note that, sadly, I do not use ScreenConnect.
-
I have a guide here on setting up an Nginx reverse proxy on CentOS 7
-
And for Let's Encrypt just use certbot
-
I should update that guy now that certbot is normal
-
@JaredBusch Thanks. That was written when I was taking a break from adulting (2015). I'll take a look this weekend.
-
@JaredBusch Thanks for this, I'll have a look. Seeing as it is from 2015, has anything changed with the process since then or would this still apply with the current version of Nginx?
-
@NashBrydges said in Looking for how-to on setting up a proxy:
@JaredBusch Thanks for this, I'll have a look. Seeing as it is from 2015, has anything changed with the process since then or would this still apply with the current version of Nginx?
In the setup? Nope. Only the SSL with certbot
-
@JaredBusch Awesome, thanks. I'll give this a try this weekend.
-
So I finally got around to giving this a try and I'm getting a bad gateway error.
I am running ScreenConnect on Ubuntu 16.04.2 and installed Nginx (sudo apt-get install nginx). Nginx is installed on the same host as ScreenConnect.
I adapted your file details for ScreenConnect as follows (hope this is correct)...
- created a file named redacted.ca.conf and saved it in /etc/nginx/conf.d/
Content of the file is...

    server {
        client_max_body_size 40M;
        listen 443 ssl;
        server_name www.redacted.ca redacted.ca;
        ssl on;
        ssl_certificate /etc/letsencrypt/live/redacted.ca/cert.pem;
        ssl_certificate_key /etc/letsencrypt/live/redacted.ca/privkey.pem;
        location / {
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
            proxy_set_header X-NginX-Proxy true;
            proxy_pass https://127.0.0.1:8040;
            proxy_redirect off;
        }
    }

I've confirmed that Nginx and ScreenConnect services are running after restarting both.
When I try to access ScreenConnect, I get a secured HTTPS connection but a bad gateway error. The Nginx error log shows this...
2017/04/17 19:50:30 [error] 13586#13586: *10 SSL_do_handshake() failed (SSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol) while SSL handshaking to upstream, client: xxx.xxx.xxx.xxx, server: www.redacted.ca, request: "GET /favicon.ico HTTP/1.1", upstream: "https://127.0.0.1:8040/favicon.ico", host: "redacted.ca", referrer: "https://redacted.ca/"
Any hints on what I'm doing wrong?
I could blow away the server altogether and rebuild using CentOS to follow the how-to exactly but I'd obviously prefer not having to recreate the proverbial wheel.
-
I should add that ScreenConnect is fully accessible at www.redacted.ca:8040 so I'm pretty sure I screwed something up somewhere.
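
Added example, not part of the thread: a small parser for the nginx error-log line quoted above that separates this kind of failure (nginx opened a TLS handshake to the upstream named in proxy_pass and the reply was not TLS) from other upstream errors. The function names, the second log line and the hint text are constructed for illustration; that the upstream on port 8040 serves plain HTTP is an inference from the log, not something the thread confirms.

```python
import re

# Error-log line as posted in the thread (addresses already redacted there).
SAMPLE = ('2017/04/17 19:50:30 [error] 13586#13586: *10 SSL_do_handshake() failed '
          '(SSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol) '
          'while SSL handshaking to upstream, client: xxx.xxx.xxx.xxx, '
          'server: www.redacted.ca, request: "GET /favicon.ico HTTP/1.1", '
          'upstream: "https://127.0.0.1:8040/favicon.ico", host: "redacted.ca", '
          'referrer: "https://redacted.ca/"')
# Constructed line: a different upstream failure that must not be misclassified.
OTHER = ('2017/04/17 19:51:02 [error] 13586#13586: *12 connect() failed '
         '(111: Connection refused) while connecting to upstream, '
         'client: 192.0.2.10, server: www.redacted.ca, request: "GET / HTTP/1.1", '
         'upstream: "http://127.0.0.1:8040/", host: "redacted.ca"')

HEAD = re.compile(r'^\S+ \S+ \[(\w+)\] \d+#\d+: (?:\*\d+ )?(.*)$')
FIELD = re.compile(r', (client|server|request|upstream|host|referrer): ("[^"]*"|[^,]*)')
# OpenSSL reasons meaning the peer's first bytes were not a TLS record.
NOT_TLS = ('unknown protocol', 'wrong version number')


def parse(line):
    """Split an nginx error-log line into level, message and its key: value fields."""
    m = HEAD.match(line)
    if not m:
        return None
    level, rest = m.groups()
    first = FIELD.search(rest)
    rec = {k: v.strip('"') for k, v in FIELD.findall(rest)}
    rec.update(level=level, message=rest[:first.start()] if first else rest)
    return rec


def diagnose(line):
    """Return (kind, upstream, hint), or None if the line has no upstream field."""
    rec = parse(line)
    if not rec or 'upstream' not in rec:
        return None
    msg, up = rec['message'], rec['upstream']
    if ('SSL handshaking to upstream' in msg and up.startswith('https://')
            and any(reason in msg for reason in NOT_TLS)):
        hostport = up[len('https://'):].split('/', 1)[0]
        return ('scheme-mismatch', hostport,
                f'{hostport} did not answer with TLS; if it serves plain HTTP, '
                f'use proxy_pass http://{hostport};')
    return ('other', up, msg)


if __name__ == '__main__':
    for sample in (SAMPLE, OTHER):
        print(diagnose(sample))
```
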
-
Did you reload Nginx after adding the configuration file?
-
@scottalanmiller Sure did. Restarted both Nginx and ScreenConnect services.
-
Here is a really simple nginx config that I have...

    server {
        listen 443 ssl http2;
        server_name server.com www.server.com;
        ssl on;
        include ssl.conf;
        ssl_certificate /etc/letsencrypt/live/server.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/server.com/privkey.pem;
        location / {
            proxy_pass http://127.0.0.1/;
        }
    }

-
@scottalanmiller said in Looking for how-to on setting up a proxy:

    server {
        listen 443 ssl http2;
        server_name server.com www.server.com;
        ssl on;
        include ssl.conf;
        ssl_certificate /etc/letsencrypt/live/server.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/server.com/privkey.pem;
        location / {
            proxy_pass http://127.0.0.1/;
        }
    }

When I use this simplified file, and modify only for my domain, Nginx won't restart. It appears I'm in an even worse spot with this file than before unfortunately.
-
What error does it give you when Nginx fails? Maybe your cert paths are bad.