Reverse Proxy - API call errors with Sign in failed because the number of sessions has reached the licensed limit

[grrusaps]

We have Laserfiche (document management system) installed on a Windows
server with IIS.  
We have another system that makes calls to our Docusign subscription and
triggers a pull of the signed documents into the Laserfiche repository when
new docs are available with an authenticated API call.  Additionally users
can log into this site and access the user interactive document management
system through authentication within the application.

Currently this has traffic going to the web ports directly to IIS without
any issue.

We are looking to add in Nginx with ModSecurity for added protection of this
service.  The Nginx is setup with HTTPS and the backend IIS server also uses
HTTPS.

Working on just the reverse proxy portion at this point and we have the user
interactive site working fine where users can log in and do all normal
functions within the platform.

The issue we have is when we trigger a download of the Docusign documents. 
We can get 2 of the documents to load before we start getting the message
"Sign in failed because the number of sessions has reached the licensed
limit, or the user account has reached its session limit, or no named user
license has been allocated to the user account. [9030]" from the
LaserFiche.HandlerService.  

At this point it appears that the way we have Nginx setup, it is making each
document/call from Docusign as a separate connection to the backend
IIS/Laserfiche server, which we believe is why we are seeing the account
have too many sessions.  Going straight to the IIS server, this works
without error.

Looking for any pointers of what we are doing wrong or things we can try
correct our config and have this working.


sitename.conf

server {
        # SSL configuration
        #
        listen 443 ssl http2 default_server;
        listen [::]:443 ssl http2;
        ssl_certificate /etc/nginx/ssl/wildcard_domain_net.crt;
        ssl_certificate_key /etc/nginx/ssl/wildcard_domain_net.key;

        gzip off;

        server_name lf.domain.net;

        # Tell client which ciphers are available
        ssl_prefer_server_ciphers on;
        ssl_ecdh_curve secp521r1:secp384r1;
        ssl_ciphers
TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;

        # Set HSTS to 365 days
        add_header Strict-Transport-Security 'max-age=31536000;
includeSubDomains; preload' always;

        location / {
                proxy_pass https://backend_server_ip/;
                        proxy_set_header   Host             $host;
                        proxy_set_header   X-Real-IP        $remote_addr;
                        proxy_set_header   X-Forwarded-For 
$proxy_add_x_forwarded_for;
                        proxy_set_header   X-Forwarded-Proto $scheme;
                        proxy_set_header   X-Forwarded-User
$http_authorization;
                        proxy_set_header   Authorization
$http_authorization;
                        proxy_pass_header  Authorization;
        }
        location /mobile/ {
        # set mobile to forbidden to protect it
        return 403 ;
        #root /var/www/html ;
        }
}

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,292487,292487#msg-292487