Добрый день, не можем настроить конфигурацию на следующих условиях:
слушаем 443 ssl
проксируем на 443 ssl.
Проксируемый сервер — это IIS 10, на котором https и при этом авторизация клиентов по личным сертификатам. NTLM на IIS выключен. Если верить нашей аналитике, мы устанавливаем соединение с проксируемым сервером по https, но запрос сертификата не происходит; подозреваем, что причина в том, что отключено повторное рукопожатие (renegotiation). Может быть, что-то не понимаем, как настроить?
vovka
June 7, 2023, 11:02am
Здравствуйте.
Покажите, пожалуйста, используемую конфигурацию angie (вывод команды sudo angie -T).
Если честно - пока используем Nginx 1.24 - рассматриваем вариант вашего продукта - т.к. он форк от него, вот и хотим понять - есть ли смысл переходить.
vovka
June 7, 2023, 11:35am
Тогда вам нужно использовать sudo nginx -T для получения конфига)
nginx -T
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
# Main context: worker identity, logging, pid file and the Wallarm WAF module.
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;
# Third-party module loaded at startup; the wallarm_* directives and $wallarm_*
# log variables used further down depend on it.
load_module /opt/wallarm/modules/stable-1240/ngx_http_wallarm_module.so;
# Per-worker connection limit (clients and upstream connections share it).
events {
worker_connections 1024;
}
# HTTP context: Wallarm status vhost, MIME table, two log formats, and the
# per-site configs from conf.d (default.conf holds the actual proxy vhost).
http {
include /etc/nginx/wallarm-status.conf;
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Standard combined-style format; defined but not referenced by access_log below.
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
# Combined format extended with $request_id, $upstream_status and the Wallarm
# per-request verdict variables; this is the format the access log uses.
log_format wallarm_combined '$remote_addr - $remote_user [$time_local] '
'"$request" $request_id $status $upstream_status $body_bytes_sent '
'"$http_referer" "$http_user_agent" '
'$wallarm_request_cpu_time $wallarm_request_mono_time $wallarm_serialized_size $wallarm_is_input_valid $wallarm_attack_type $wallarm_attack_type_list';
access_log /var/log/nginx/access.log wallarm_combined;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
#gzip on;
include /etc/nginx/conf.d/*.conf;
}
# configuration file /etc/nginx/wallarm-status.conf:
# wallarm-status, required for monitoring purposes.
# Default `wallarm-status` configuration.
# It is strongly advised not to alter any of the existing lines of the default
# wallarm-status configuration as it may corrupt the process of metric data
# upload to the Wallarm cloud.
# Wallarm metrics vhost. Bound to a loopback address and additionally fenced by
# allow/deny, so only local processes can reach the status endpoint.
server {
listen 127.0.0.8:80;
server_name localhost;
allow 127.0.0.0/8;
deny all;
# WAF inspection is disabled for this internal vhost.
wallarm_mode off;
# Wallarm-specific directive; presumably turns off the Wallarm IP ACL for this
# vhost — confirm against the module documentation.
disable_acl "on";
access_log off;
# Regex location: any URI ending in /wallarm-status.
location ~/wallarm-status$ {
wallarm_status on;
}
}
# configuration file /etc/nginx/mime.types:
# Stock nginx extension -> MIME type table (unmodified distribution file).
# Anything not listed falls back to default_type in the http context.
types {
text/html html htm shtml;
text/css css;
text/xml xml;
image/gif gif;
image/jpeg jpeg jpg;
application/javascript js;
application/atom+xml atom;
application/rss+xml rss;
text/mathml mml;
text/plain txt;
text/vnd.sun.j2me.app-descriptor jad;
text/vnd.wap.wml wml;
text/x-component htc;
image/avif avif;
image/png png;
image/svg+xml svg svgz;
image/tiff tif tiff;
image/vnd.wap.wbmp wbmp;
image/webp webp;
image/x-icon ico;
image/x-jng jng;
image/x-ms-bmp bmp;
font/woff woff;
font/woff2 woff2;
application/java-archive jar war ear;
application/json json;
application/mac-binhex40 hqx;
application/msword doc;
application/pdf pdf;
application/postscript ps eps ai;
application/rtf rtf;
application/vnd.apple.mpegurl m3u8;
application/vnd.google-earth.kml+xml kml;
application/vnd.google-earth.kmz kmz;
application/vnd.ms-excel xls;
application/vnd.ms-fontobject eot;
application/vnd.ms-powerpoint ppt;
application/vnd.oasis.opendocument.graphics odg;
application/vnd.oasis.opendocument.presentation odp;
application/vnd.oasis.opendocument.spreadsheet ods;
application/vnd.oasis.opendocument.text odt;
application/vnd.openxmlformats-officedocument.presentationml.presentation
pptx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
xlsx;
application/vnd.openxmlformats-officedocument.wordprocessingml.document
docx;
application/vnd.wap.wmlc wmlc;
application/wasm wasm;
application/x-7z-compressed 7z;
application/x-cocoa cco;
application/x-java-archive-diff jardiff;
application/x-java-jnlp-file jnlp;
application/x-makeself run;
application/x-perl pl pm;
application/x-pilot prc pdb;
application/x-rar-compressed rar;
application/x-redhat-package-manager rpm;
application/x-sea sea;
application/x-shockwave-flash swf;
application/x-stuffit sit;
application/x-tcl tcl tk;
application/x-x509-ca-cert der pem crt;
application/x-xpinstall xpi;
application/xhtml+xml xhtml;
application/xspf+xml xspf;
application/zip zip;
application/octet-stream bin exe dll;
application/octet-stream deb;
application/octet-stream dmg;
application/octet-stream iso img;
application/octet-stream msi msp msm;
audio/midi mid midi kar;
audio/mpeg mp3;
audio/ogg ogg;
audio/x-m4a m4a;
audio/x-realaudio ra;
video/3gpp 3gpp 3gp;
video/mp2t ts;
video/mp4 mp4;
video/mpeg mpeg mpg;
video/quicktime mov;
video/webm webm;
video/x-flv flv;
video/x-m4v m4v;
video/x-mng mng;
video/x-ms-asf asx asf;
video/x-ms-wmv wmv;
video/x-msvideo avi;
}
# configuration file /etc/nginx/conf.d/default.conf:
# Public vhost: terminates the browser's TLS on 443 and opens a separate TLS
# session to the IIS backend. Client-certificate authentication happens inside
# the browser<->nginx handshake; nginx holds no client private key, so it cannot
# present the browser's certificate to IIS on the upstream connection.
server {
server_name wmxsupport.ru;
location / {
proxy_pass https://corpportal.nvk.cloudworkshop.ru:443;
# Send SNI on the upstream handshake, using the name given by proxy_ssl_name.
proxy_ssl_server_name on;
# Upstream handshake limited to TLS 1.2.
proxy_ssl_protocols TLSv1.2;
proxy_ssl_name corpportal.nvk.cloudworkshop.ru;
# proxy_buffering off;
# proxy_ssl_session_reuse on;
# proxy_ssl_verify_depth 2;
# proxy_pass_request_headers off;
# proxy_ssl_verify on;
# A fresh TLS session for every upstream connection (no resumption).
proxy_ssl_session_reuse off;
# ssl_verify_client optional;
# proxy_ssl_verify off;
# NOTE(review): proxy_ssl_verify is left commented out (nginx defaults it to
# off), so the backend's server certificate is not validated; enabling it with
# proxy_ssl_trusted_certificate is the usual hardening for an https upstream.
# Host is rewritten to the backend name so IIS routes the request correctly.
proxy_set_header Host corpportal.nvk.cloudworkshop.ru:443;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
# proxy_set_header Upgrade-Insecure-Requests 1;
# proxy_set_header Referer https://corpportal.nvk.cloudworkshop.ru/;
# proxy_set_header Authorization "";
# The two commented headers below are the "verify at the proxy, pass identity in
# headers" pattern: nginx would need ssl_verify_client plus ssl_client_certificate,
# and IIS would have to be configured to trust these headers from the proxy.
# proxy_set_header VERIFIED $ssl_client_verify;
# proxy_set_header DN $ssl_client_s_dn;
}
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
# error_page 500 502 503 504 /50x.html;
# location = /50x.html {
# root /usr/share/nginx/html;
# }
# proxy the PHP scripts to Apache listening on 127.0.0.1:80
#
#location ~ \.php$ {
# proxy_pass http://127.0.0.1;
#}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
# root html;
# fastcgi_pass 127.0.0.1:9000;
# fastcgi_index index.php;
# fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
# include fastcgi_params;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
# Client-facing listener; certificate, key and TLS parameters are Certbot-managed.
listen 443 ssl http2; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/wmxsupport.ru/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/wmxsupport.ru/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
# Plain-HTTP vhost (Certbot-generated): redirects the site's own hostname to
# https and answers 404 to any other Host value.
server {
if ($host = wmxsupport.ru) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name wmxsupport.ru;
return 404; # managed by Certbot
}
# configuration file /etc/letsencrypt/options-ssl-nginx.conf:
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.
# Certbot-managed TLS parameters for the client-facing 443 listener.
ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
# No session tickets: resumption only through the server-side cache above.
ssl_session_tickets off;
# Client side is TLS 1.2 only, matching proxy_ssl_protocols on the upstream side.
ssl_protocols TLSv1.2;
# Client preference order is honoured; the list is ECDHE/DHE AEAD suites only.
ssl_prefer_server_ciphers off;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
Третий день перерываю гугл и яндекс — единственное, что нашёл: «authentication - Nginx Proxy pass certificate autentificate to MS IIS» на Stack Overflow.
Но как понимаете - править конфиг iis не могу (
vovka
June 7, 2023, 12:35pm
В данном случае вам может помочь stream proxy, но тогда вы не сможете использовать WAF. Плюс придётся всё равно делать настройки на IIS — например, для передачи IP клиента (включение PROXY protocol).
Про stream знаю (и, как вы понимаете, мы не сможем продать клиенту WAF). А как фичареквест к вашему продукту такое возможно? Или опция для расширенной версии?
vovka
June 7, 2023, 1:21pm
К сожалению, не существует решения, которое не предполагало бы изменение конфигурации IIS: аутентификация по клиентскому сертификату происходит внутри TLS-соединения, которое завершается на прокси, а закрытого ключа клиента у nginx нет, поэтому предъявить сертификат клиента IIS в своём собственном соединении он не может.
Понял, спасибо за потраченное время )