Running ssl on custom port and its not working

blason nginx-forum at forum.nginx.org
Wed Nov 16 18:04:45 UTC 2022 

Hi Team,

I have current URL as https://xxx.xxx.xxx:8081/neutrino-sso-web/ which is
directly natted on firewall on pot 8081
However I now would like to put this URL behind nginx reverse proxy. Since
the above URL is given to lot many customers it would not be possible to
change the URL. we are planning to change it graudally.

However mean time I installed the nginx and trying to relay the same setup;
so that from internet if some accessed
https://xx.xxxx.xxx:8081/neutrino-sso-web/ it would proxy_pass to orignial
server

My stanza is as  below; however this is not working and I am getting 

##########
This site can’t provide a secure connection 
xxx.xxxx..xxx sent an invalid response.
ERR_SSL_PROTOCOL_ERROR
##############


server {
        listen 443;
        listen 8081 ssl;
        server_name  xx.xxxx.xxxx;
        ssl_protocols  TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        ssl_certificate  /etc/nginx/certs/xx.xx/216560a7cbdc5937.crt;
        ssl_certificate_key   /etc/nginx/certs/xx.xx/xxxx.key;
ssl_ciphers
'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA
-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:
ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256
-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3
-SHA:!DSS';
        ssl_dhparam /etc/nginx/certs/dhparam.pem;
        add_header Strict-Transport-Security "max-age=31536000;
includeSubDomains; preload" always;
        ssl_session_timeout 1d;
        ssl_session_tickets off;
        ssl_stapling on;
        ssl_stapling_verify on;
        keepalive_timeout 70;
        if ( $request_method !~ ^(GET|POST|HEAD)$ ) {
        return 403;
        break;
      }
        access_log /var/log/nginx/xxx.xxxx/access.log;
        error_log /var/log/nginx/xxx.xxx/error.log;
{
location / {
        client_max_body_size    700m;
        client_body_buffer_size 128k;
        proxy_send_timeout   90;
        proxy_http_version 1.1;
        proxy_read_timeout   90;
        proxy_buffer_size    128k;
        proxy_buffers     4 256k;
        proxy_busy_buffers_size 256k;
        proxy_temp_file_write_size 256k;
        proxy_connect_timeout 30s;
        proxy_pass https://xxx.xxx.xxx:8081/neutrino-sso-web/login;
        proxy_ssl_server_name on;
        proxy_redirect off;
        proxy_set_header   Host   $host;
        proxy_set_header   X-Real-IP  $remote_addr;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        add_header Strict-Transport-Security "max-age=31536000;
includeSubDomains" always;
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header Referrer-Policy "no-referrer-when-downgrade";
        add_header X-Frame-Options "SAMEORIGIN" always;
        }
}

Am I doing anything wroing?

TIA 
Blason R

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,295782,295782#msg-295782

More information about the nginx mailing list