<div dir="auto">RD Gateway isn't a real HTTP(S) connection, so you need to use a `stream` block.<div dir="auto"><br></div><div dir="auto">This was discussed on this email list several years ago: <a href="https://forum.nginx.org/read.php?11,266872">https://forum.nginx.org/read.php?11,266872</a></div><div dir="auto"><br></div><div dir="auto">Moshe</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Dec 10, 2019, 4:11 PM jriker1 <<a href="mailto:nginx-forum@forum.nginx.org">nginx-forum@forum.nginx.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I have multiple internal servers that need to use port 443 due to<br>
requirements of the applications and vendors.  One is a Windows 2016<br>
Essentials server the other a custom web app on Linux that requires a<br>
communication to the cloud on 443.  I have set up a reverse proxy and it's<br>
excellent.  The only issue I'm having is with the Essentials server: I log in to the<br>
web console and when I click to launch an RD Gateway session it comes up and<br>
I can authenticate, but when it's going to launch the actual session it<br>
fails.<br>
<br>
The error I get is:<br>
<br>
2019/12/10 14:27:48 [error] 27899#27899: *291 upstream prematurely closed<br>
connection while reading response header from upstream, client: <IP I'm at>,<br>
server: <essentials URL>, request: "RDG_OUT_DATA /remoteDesktopGateway/<br>
HTTP/1.1", upstream: "https://<internal_ip>:443/remoteDesktopGateway/",<br>
host: "<essentials_URL>"<br>
<br>
Below are my custom config settings:<br>
<br>
######--------------BEGIN of the script<br>
server {<br>
    listen 80;   <br>
    server_name <essentials_URL>;  <br>
    #       redirect http to https         <br>
    return 301 https://$server_name$request_uri;<br>
    client_max_body_size 0;<br>
    proxy_http_version 1.1;<br>
    proxy_buffering off;<br>
    proxy_set_header Upgrade $http_upgrade;<br>
    proxy_set_header Connection "Upgrade";<br>
    proxy_set_header Host $host;<br>
    proxy_set_header X-Real-IP $remote_addr;<br>
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;<br>
<br>
    location / {     <br>
        proxy_pass http://<essentials_internal_ip>;<br>
    } <br>
}   <br>
<br>
server {   <br>
    listen 80;<br>
    server_name <smartwebsite_url>;<br>
    #       redirect http to https         <br>
    return 301 https://$server_name$request_uri;    <br>
    client_max_body_size 0;<br>
    proxy_http_version 1.1;<br>
    proxy_buffering off;<br>
    proxy_set_header Upgrade $http_upgrade;<br>
    proxy_set_header Connection "Upgrade";<br>
    proxy_set_header Host $host;<br>
    proxy_set_header X-Real-IP $remote_addr;<br>
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;<br>
<br>
    location / {<br>
        proxy_pass http://<smartwebsite_internal_ip>;<br>
    } <br>
} <br>
<br>
server {<br>
    listen 443 ssl;<br>
    listen [::]:443 ssl;<br>
    server_name <essentials_URL>;<br>
    ssl_certificate /config/user-data/ssl_chain_essentials.pem;<br>
    ssl_certificate_key /config/user-data/ssl_chain_key_essentials.pem;<br>
    access_log /var/log/nginx/<essentials-URL>.access.log;<br>
    error_log /var/log/nginx/<essentials-URL>.error.log;          <br>
    ssl_session_timeout 1d;          <br>
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;         <br>
    ssl_ciphers<br>
"EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";<br>
<br>
    ssl_prefer_server_ciphers on;         <br>
    ssl_session_cache shared:SSL:10m;  <br>
    #dh param         <br>
    ssl_dhparam /config/user-data/dhparam.pem;  <br>
    # Enable HTTP Strict-Transport-Security <br>
    # If you have a subdomain of your site, <br>
    # be careful to use the 'includeSubdomains' options         <br>
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";<br>
    # XSS Protection for Nginx web server         <br>
    add_header X-Frame-Options DENY;         <br>
    add_header X-XSS-Protection "1; mode=block";         <br>
    add_header X-Content-Type-Options nosniff;         <br>
    ssl_session_cache shared:SSL:10m;         <br>
    add_header X-Robots-Tag none;    <br>
    client_max_body_size 0;   <br>
    proxy_http_version 1.1;   <br>
    proxy_buffering off;   <br>
    proxy_set_header Upgrade $http_upgrade;   <br>
    proxy_set_header Connection "Upgrade";   <br>
    proxy_set_header Host $host;   <br>
    proxy_set_header X-Real-IP $remote_addr;   <br>
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;<br>
    location / {     <br>
        proxy_pass https://<essentials_internal_ip>;   <br>
    } <br>
}   <br>
<br>
server {<br>
    listen 443 ssl;<br>
    server_name <smartwebsite_url>;<br>
    ssl_certificate /config/user-data/ssl_chain_smartweb.pem;<br>
    ssl_certificate_key /config/user-data/ssl_chain_key_smartweb.pem;<br>
    access_log /var/log/nginx/<smartwebsite-URL>.access.log;<br>
    error_log /var/log/nginx/<smartwebsite-URL>.error.log;<br>
    ssl_session_timeout 1d;<br>
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;<br>
    ssl_ciphers<br>
"EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";<br>
    ssl_prefer_server_ciphers on;<br>
    ssl_session_cache shared:SSL:10m;<br>
    #dh param<br>
    ssl_dhparam /config/user-data/dhparam.pem;<br>
    # Enable HTTP Strict-Transport-Security<br>
    # If you have a subdomain of your site,<br>
    # be careful to use the 'includeSubdomains' options<br>
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";<br>
    # XSS Protection for Nginx web server<br>
    add_header X-Frame-Options DENY;<br>
    add_header X-XSS-Protection "1; mode=block"; <br>
    add_header X-Content-Type-Options nosniff;    <br>
    add_header X-Robots-Tag none;<br>
    client_max_body_size 0;<br>
    proxy_http_version 1.1;<br>
    proxy_buffering off;<br>
    proxy_set_header Upgrade $http_upgrade;<br>
    proxy_set_header Connection "Upgrade";<br>
    proxy_set_header Host $host;<br>
    proxy_set_header X-Real-IP $remote_addr;<br>
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;<br>
    location / {<br>
       proxy_pass https://<smartwebsite_internal_ip>:8123;<br>
    }<br>
}  <br>
#######-----------------end of script----------------------------  <br>
<br>
<br>
Thoughts?<br>
<br>
Thanks.<br>
<br>
JR<br>
<br>
Posted at Nginx Forum: <a href="https://forum.nginx.org/read.php?2,286440,286440#msg-286440" rel="noreferrer noreferrer" target="_blank">https://forum.nginx.org/read.php?2,286440,286440#msg-286440</a><br>
</blockquote></div>
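<div dir="auto">One way to lay out the <code>stream</code> approach suggested in the reply above, as an added example that is not part of the original thread and is not either poster's configuration. It is an nginx.conf fragment that assumes nginx was built with the stream and ssl_preread modules; the hostnames, the 192.0.2.x addresses and the loopback port 8443 are placeholders.</div>

```nginx
# Added example. Hostnames, the 192.0.2.x addresses and loopback port 8443
# are placeholders, not values from the thread.

stream {
    # Pick the backend from the TLS SNI name; TLS is not terminated here.
    map $ssl_preread_server_name $backend_443 {
        essentials.example.test  192.0.2.10:443;   # RD Gateway: raw TLS passthrough
        default                  127.0.0.1:8443;   # other names: local http {} server
    }

    server {
        listen 443;
        listen [::]:443;
        ssl_preread on;            # read the ClientHello only
        proxy_pass $backend_443;
        proxy_connect_timeout 5s;
        proxy_timeout 1h;          # idle limit; RDP sessions are long-lived
    }
}

http {
    server {
        # Moved off public 443, which the stream listener now owns.
        listen 127.0.0.1:8443 ssl;
        server_name smartweb.example.test;
        ssl_certificate     /config/user-data/ssl_chain_smartweb.pem;
        ssl_certificate_key /config/user-data/ssl_chain_key_smartweb.pem;
        ssl_protocols TLSv1.2 TLSv1.3;   # drops TLSv1 and TLSv1.1 from the posted config

        location / {
            proxy_http_version 1.1;
            proxy_set_header Host $host;
            # $remote_addr is 127.0.0.1 here; the real client address is lost
            # unless PROXY protocol is enabled on both the stream and http side.
            proxy_pass https://192.0.2.20:8123;
        }
    }
}
```

<div dir="auto">Because the Essentials host is passed through undecrypted, its TLS versions, ciphers and certificate are whatever the Windows server presents, and the HSTS and X-Frame-Options headers nginx added for that name no longer apply.</div>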