Websocket is not working with Nginx Reverse Proxy
blason
nginx-forum at forum.nginx.org
Sun Sep 19 17:35:02 UTC 2021
Hi Team,
I am trying to add nginx reverse proxy behind Check Point Mobile access
portal which is a SSL VPN portal. Somehow this not working and when I
captured and analyzed the har file I observed that the portal is accepting
websocket calls. I tried implementing the same with nginx but I am still
unable to find the solution.
Here is what I am seeing with Har file and then I have given my config
################
General:
Request URL:
https://vpn.xxxx.com/7D8B79A2-8974-4D7B-A76A-F4F29624C06BMCNu92Dm4l-Zi00Q9XmCAEP2W0TG236BR4s3ROIfxiy7ICrrEllGkIikmth2jOjkklZMt4z1porwm5BgBNByrQ/websocket?url=https%3A%2F%2Fvpn.xxxx.com%2FPortal%2FMain&nocache=1632059231484HTTP
Version: HTTP/1.1Request method: GET
Headers:
Cache-Control no-cache
Connection Upgrade
Cookie selected_realm=ssl_vpn;
CPCVPN_SESSION_ID=e27df7fe2b0ce359198a5b703b9402d235668bb3;
CPCVPN_BASE_HOST=vpn.xxxx.com;
CPCVPN_OBSCURE_KEY=23f63321355ce5d11767b258178d9775
DNT 1
Host vpn.xxxx.com
Origin https://vpn.xxxx.com
Sec-WebSocket-Key ehTLIcXsKwaddkSug5rN9Q==
Sec-WebSocket-Version 13
Upgrade websocket
User-Agent Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like
Gecko
Query arguments:
url https://vpn.xxxx.com/Portal/Main
nocache 1632059231484
##############################
And here is my config
*************************
upstream websocket {
server vpn.xxxx.com:443;
}
server {
listen 443 ssl;
server_name vpn.xxxx.com;
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_certificate /etc/nginx/ssls/labcerts/wild.crt;
ssl_certificate_key /etc/nginx/ssls/labcerts/wild.key;
ssl_ciphers
'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_dhparam /etc/ssl/dhparams2048.pem;
add_header Strict-Transport-Security "max-age=31536000;
includeSubDomains; preload" always;
ssl_session_timeout 1d;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
access_log /var/log/nginx/sslvpn/access.log;
error_log /var/log/nginx/sslvpn/error.log;
error_page 404 403 /custom_404.html;
location = /custom_404.html {
root /usr/share/nginx/html;
internal;
}
location /SNX/ {
proxy_pass https://websocket;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header Host $host;
}
location / {
proxy_send_timeout 90;
proxy_http_version 1.1;
proxy_read_timeout 90;
proxy_connect_timeout 30s;
proxy_pass https://websocket;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_ssl_server_name on;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
********************************************
Posted at Nginx Forum: https://forum.nginx.org/read.php?2,292420,292420#msg-292420
More information about the nginx
mailing list