Looking for how-to on setting up a proxy
-
@dafyre said in Looking for how-to on setting up a proxy:
I like this article: https://blog.roushtech.net/2014/02/19/pci-compliant-screenconnect-setup-nginx/
note: It's from 2014, so the config options and recommendations may not be the same today. It also assumes that your NGINX Proxy and the ScreenConnect bits are on the same server.
I like the article because it goes into a little detail on the why of some of the settings.
The thing is he suggests you need 2 public IPs which is rediculous. The services are on different ports so that wouldn't be necessary. And you're right, it is very very old.
-
@NashBrydges said in Looking for how-to on setting up a proxy:
@dafyre said in Looking for how-to on setting up a proxy:
I like this article: https://blog.roushtech.net/2014/02/19/pci-compliant-screenconnect-setup-nginx/
note: It's from 2014, so the config options and recommendations may not be the same today. It also assumes that your NGINX Proxy and the ScreenConnect bits are on the same server.
I like the article because it goes into a little detail on the why of some of the settings.
The thing is he suggests you need 2 public IPs which is rediculous. The services are on different ports so that wouldn't be necessary. And you're right, it is very very old.
I'm not sure how I missed that, lol!
I don't think you need a second IP address for this. I'd start by omitting that or setting it to the current public IP address... but I should also note that, sadly, I do not use ScreenConnect.
-
I have a guide here on setting up an Nginx reverse proxy on CentOS 7
-
-
And for let's encrypt just use certbot
-
I should update that guy now that certbot is normal
-
@JaredBusch Thanks. That was written when i was taking a break from adulting(2015). Ill take alook this weekend.
-
@JaredBusch Thanks for this, I'll have a look. Seeing as it is from 2015, has anything changed with the process since then or would this still apply with the current version of Nginx?
-
@NashBrydges said in Looking for how-to on setting up a proxy:
@JaredBusch Thanks for this, I'll have a look. Seeing as it is from 2015, has anything changed with the process since then or would this still apply with the current version of Nginx?
In the setup? Nope. Only the SSL with certbot
-
@JaredBusch Awesome, thanks. I'll give this a try this weekend.
-
So I finally got around to giving this a try and I'm getting a bad gateway error.
I am running ScreenConnect on Ubuntu 16.04.2 and installed Nginx (sudo apt-get install nginx). Nginx is installed on the same host as ScreenConnect.
I adapted your file details for ScreenConnect as follows (hope this is correct)...
- created a file named redacted.ca.conf and saved it in
/etc/nginx/conf.d/
Content of the file is...
server { client_max_body_size 40M; listen 443 ssl; server_name www.redacted.ca redacted.ca; ssl on; ssl_certificate /etc/letsencrypt/live/redacted.ca/cert.pem; ssl_certificate_key /etc/letsencrypt/live/redacted.ca/privkey.pem; location / { proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $http_host; proxy_set_header X-NginX-Proxy true; proxy_pass https://127.0.0.1:8040; proxy_redirect off; } }
I've confirmed that Nginx and ScreenConnect services are running after restarting both.
When I try to access ScreenConnect, I get a secured HTTPS connection but a bad gateway error. The Nginx error log shows this...
2017/04/17 19:50:30 [error] 13586#13586: *10 SSL_do_handshake() failed (SSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol) while SSL handshaking to upstream, client: xxx.xxx.xxx.xxx, server: www.redacted.ca, request: "GET /favicon.ico HTTP/1.1", upstream: "https://127.0.0.1:8040/favicon.ico", host: "redacted.ca", referrer: "https://redacted.ca/"
Any hints on what I'm doing wrong?
I could blow away the server altogether and rebuild using CentOS to follow the how-to exactly but I'd obviously prefer not having to recreate the proverbial wheel.
- created a file named redacted.ca.conf and saved it in
-
I should add that ScreenConnect is fully accessible at www.redacted.ca:8040 so I'm pretty sure I screwed something up somewhere.
-
Did you reload Nginx after adding the configuration file?
-
@scottalanmiller Sure did. Restarted both Nginx and ScreenConnect services.
-
Here is a really simple nginx config that I have...
server { listen 443 ssl http2; server_name server.com www.server.com; ssl on; include ssl.conf; ssl_certificate /etc/letsencrypt/live/server.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/server.com/privkey.pem; location / { proxy_pass http://127.0.0.1/; } }
-
@scottalanmiller said in Looking for how-to on setting up a proxy:
server {
listen 443 ssl http2;
server_name server.com www.server.com;ssl on; include ssl.conf; ssl_certificate /etc/letsencrypt/live/server.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/server.com/privkey.pem; location / { proxy_pass http://127.0.0.1/; }
}
When I use this simplified file, and modify only for my domain, Nginx won't restart. It appears I'm in an even worse spot with this file than before unfortunately.
-
What error does it give you when Nginx fails? Maybe your cert paths is bad.
-
Thanks Scott. The error was because of the
include ssl.conf;
reference. I removed this line and now it connects and HTTPS is enabled. All seems to work. I'll have to test some more but...awesome! Thanks for your help! -
Only thing left to do now is to figure out how to redirect HTTP traffic to HTTPS and I'm done.
-
@NashBrydges said in Looking for how-to on setting up a proxy:
Only thing left to do now is to figure out how to redirect HTTP traffic to HTTPS and I'm done.
Your traffic is already SSL on port 443. There is nothing on http.
The connection from the proxy to ScreenConnect can be non SSL is it is all behind a firewall because nothing comes from the firewall to ScreenConnect.
Here is my Nginx ScreenConnect conf file.
[root@nginxproxy ~]# cat /etc/nginx/conf.d/support.bundystl.com.conf server { client_max_body_size 40M; listen 443 ssl; server_name support.bundystl.com; server_tokens off; ssl on; ssl_certificate /etc/letsencrypt/live/daerma.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/daerma.com/privkey.pem; ssl_stapling on; ssl_stapling_verify on; ssl_protocols TLSv1.2 TLSv1.1 TLSv1; ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:10m; ssl_dhparam /etc/ssl/certs/dhparam.pem; add_header Strict-Transport-Security "max-age=31536000; includeSubdomains"; location / { proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $http_host; proxy_set_header X-NginX-Proxy true; proxy_pass http://10.254.0.36:8040; proxy_redirect off; # Socket.IO Support proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; } } server { client_max_body_size 40M; listen 80; server_name support.bundystl.com; rewrite ^ https://$server_name$request_uri? permanent; }
NOw you will need port 8041 forwarded through your router directly to the ScreenConnect server because that port is the pre encrypted relay port.