0

I have two servers behind an nginx reverse proxy. I am being forwarded correctly to the sites, but one of the sites has a login before it allows you into the site (similar to SharePoint), and the reverse proxy seems to be breaking the login.

I asked a previous question that has a very similar environment here

I am redirected to the login, but I can't log in. However, if I remove the reverse proxy from the equation, then I can log in just fine.

The name of the server with the login is server2.mydomain.com

/etc/nginx/sites-available/default

    server {
        listen 80 default;
        server_name _;
        return 301 https://$host$request_uri;
    }

    server {
        listen 443 ssl default_server;
        server_name server1.mydomain.com;

        ssl_certificate /usr/local/nginx/conf/mydomain.com.crt;
        ssl_certificate_key /usr/local/nginx/conf/mydomain.com.key;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 5m;
        ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
        ssl_prefer_server_ciphers on;

        location / {
            proxy_pass http://192.168.0.15:80;
            proxy_set_header Host $host;
            proxy_redirect http:// $scheme://;
        }
    }

    server {
        listen 443 ssl;
        server_name server2.mydomain.com;

        ssl_certificate /usr/local/nginx/conf/mydomain.com.crt;
        ssl_certificate_key /usr/local/nginx/conf/mydomain.com.key;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 5m;
        ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
        ssl_prefer_server_ciphers on;

        location / {
            proxy_pass http://192.168.0.20:80;
            proxy_set_header Host $host;
            proxy_redirect http:// $scheme://;
        }
    }

When I go to server1.mydomain.com which is basically a static website, everything seems to work. But, when I go to server2.mydomain.com I get the popup window login, but am unable to successfully log in to the service.

The expected behavior would be that I'm able to log in and use this site as if the reverse proxy isn't there.

Here is the access log from the reverse proxy when I try to log into server2.mydomain.com

/var/log/nginx/access.log

    192.168.0.5 - - [26/Jan/2016:02:23:52 -0600] "GET /test HTTP/1.1" 401 341 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko"
    192.168.0.5 - - [26/Jan/2016:02:23:52 -0600] "GET /test HTTP/1.1" 401 1293 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko"

/test is the section of the site where the login is located, so I was trying to go to server2.mydomain.com/test.

Is there anything that would obviously stop me from logging in? Any other log files I could check? Thanks in advance


EDIT1

I've tried several things, and none of them work.

My original config file gets me to the login, but it always returns an access denied page.

This config file:

/etc/nginx/sites-available/default

    server {
        listen 443 ssl;
        server_name server2.mydomain.com;

        ssl_certificate /usr/local/nginx/conf/mydomain.com.crt;
        ssl_certificate_key /usr/local/nginx/conf/mydomain.com.key;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 5m;
        ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
        ssl_prefer_server_ciphers on;

        location / {
            proxy_pass http://192.168.0.20:80;
        }
    }

with the proxy_set_header line, and proxy_redirect, just takes me to a straight 403 forbidden access page, but is redirecting.

If I add the proxy_set_header line back, I get to the login again, but any login still fails. I've also tried changing the proxy_set_header to proxy_set_header X-Forwarded-Proto $scheme, and that broke it completely again. Any ideas?
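An added example (not part of the original post): a small Python parser for the access-log lines quoted above that groups requests by client and path and reports whether a 401 challenge was ever followed by a successful response. The two 192.168.0.5 lines are from the question; the 192.168.0.9 lines and the verdict labels are constructed for illustration.

```python
import re
from collections import defaultdict

# nginx's default "combined" access-log format (fields up to body size).
LINE_RE = re.compile(
    r'(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"\S+ (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# First two lines: from the question. Last two: constructed, showing a
# challenge that is answered successfully.
SAMPLE_LOG = '''\
192.168.0.5 - - [26/Jan/2016:02:23:52 -0600] "GET /test HTTP/1.1" 401 341 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko"
192.168.0.5 - - [26/Jan/2016:02:23:52 -0600] "GET /test HTTP/1.1" 401 1293 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko"
192.168.0.9 - - [26/Jan/2016:02:24:10 -0600] "GET /test HTTP/1.1" 401 341 "-" "constructed"
192.168.0.9 - - [26/Jan/2016:02:24:11 -0600] "GET /test HTTP/1.1" 200 5120 "-" "constructed"
'''

def parse(log_text):
    """Yield (client, path, status, size) for each parsable line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["client"], m["path"], int(m["status"]), m["size"]

def auth_outcomes(log_text):
    """Classify the 401 pattern seen for each (client, path) pair."""
    seqs = defaultdict(list)
    for client, path, status, size in parse(log_text):
        seqs[(client, path)].append((status, size))
    report = {}
    for key, events in seqs.items():
        statuses = [s for s, _ in events]
        if 401 not in statuses:
            continue
        # Did any 2xx/3xx response follow the last 401 for this pair?
        last_401 = len(statuses) - 1 - statuses[::-1].index(401)
        succeeded = any(200 <= s < 400 for s in statuses[last_401 + 1:])
        report[key] = {
            "statuses": statuses,
            "sizes_401": [z for s, z in events if s == 401],  # differing sizes = different 401 bodies
            "verdict": "challenge answered" if succeeded else "never authenticated",
        }
    return report

if __name__ == "__main__":
    for (client, path), info in auth_outcomes(SAMPLE_LOG).items():
        print(client, path, info["statuses"], info["sizes_401"], info["verdict"])
```

Running the same function over the backend's own access log for the same time window shows whether the credentials ever reach it.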

2 Answers

1

Your proxy redirect looks suspect. Have a look at the documentation, and also at the nginx beginners guide.

Basically, try removing everything other than proxy_pass from your location. This is mostly a guess, but it's worth a shot.

8
  • I read through all of the documentation including this stuff specific to reverse proxy. None of my configurations worked. I'll post all the different things I tried in my question. Commented Feb 4, 2016 at 21:00
  • 1
    401 status code means unauthorised. Have a read here digitalocean.com/community/tutorials/…. I would be looking at the logs of the application you're proxying. Can you access the application directly, without the reverse proxy? Commented Feb 4, 2016 at 21:57
  • I can access it if I use server1.mydomain.com, but if I try going there via the IP, I get a 404. I thought maybe the reverse proxy was sending me to the IP, then changing the header after that, but that wouldn't make sense with the 401s. Yeah, I think this is a config problem on the server (it's IIS....bummer). I'll look through that and update you. Thanks again for the help. Commented Feb 4, 2016 at 21:59
  • Access by IP may not be possible if servers and software are configured by domain name. Depends what application it is. Nginx expects domain names in your request. I remove the default_server part and create a dummy default, but that's because I host many domains on my server. Commented Feb 4, 2016 at 22:11
  • Ok, I was mistaken, it isn't giving me a 401. It's still showing the 401 message from me hitting cancel after several failed tries. It was just cached. It looks like it's not passing through the credentials correctly. Something like this serverfault.com/questions/478024/… . Unfortunately, that fix doesn't work for me, but I've found some really complicated looking things to try, such as shairosenfeld.blogspot.com/2011/03/… . The second answer has ways to not statically have the credentials. Commented Feb 4, 2016 at 22:36
-1

I had a similar problem a while ago. I solved it by fixing folder access for the group that the process was started with.

What user is NGINX configured to use? And does that user have access to those SSL folder locations?

ref: How do I change the NGINX user?
