Websocket is not working with Nginx Reverse Proxy

Sergey A. Osokin osa at freebsd.org.ru
Sun Sep 19 23:12:10 UTC 2021


Hi,

On Sun, Sep 19, 2021 at 01:35:02PM -0400, blason wrote:
> Hi Team,
> 
> I am trying to add nginx reverse proxy behind Check Point Mobile access
> portal which is an SSL VPN portal. Somehow this is not working, and when I
> captured and analyzed the HAR file I observed that the portal is accepting
> websocket calls. I tried implementing the same with nginx but I am still
> unable to find the solution.
> 
> Here is what I am seeing in the HAR file, and then I have given my config
> 
> ################
> General:
> Request URL:
> https://vpn.xxxx.com/7D8B79A2-8974-4D7B-A76A-F4F29624C06BMCNu92Dm4l-Zi00Q9XmCAEP2W0TG236BR4s3ROIfxiy7ICrrEllGkIikmth2jOjkklZMt4z1porwm5BgBNByrQ/websocket?url=https%3A%2F%2Fvpn.xxxx.com%2FPortal%2FMain&nocache=1632059231484
> HTTP Version: HTTP/1.1
> Request method: GET
> Headers:
> Cache-Control no-cache
> Connection Upgrade
> Cookie selected_realm=ssl_vpn;
> CPCVPN_SESSION_ID=e27df7fe2b0ce359198a5b703b9402d235668bb3;
> CPCVPN_BASE_HOST=vpn.xxxx.com;
> CPCVPN_OBSCURE_KEY=23f63321355ce5d11767b258178d9775
> DNT 1
> Host vpn.xxxx.com
> Origin https://vpn.xxxx.com
> Sec-WebSocket-Key ehTLIcXsKwaddkSug5rN9Q==
> Sec-WebSocket-Version 13
> Upgrade websocket
> User-Agent Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
> Query arguments:
> url https://vpn.xxxx.com/Portal/Main
> nocache 1632059231484
> ##############################
> 
> And here is my config
> 
> *************************
>    upstream websocket {
>         server vpn.xxxx.com:443;
>     }
> server {
>         listen 443 ssl;
>         server_name  vpn.xxxx.com;
>         ssl_protocols  TLSv1.2;
>         ssl_prefer_server_ciphers on;
>         ssl_session_cache shared:SSL:10m;
>         ssl_certificate           /etc/nginx/ssls/labcerts/wild.crt;
>         ssl_certificate_key      /etc/nginx/ssls/labcerts/wild.key;
>         ssl_ciphers
> 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
>         ssl_dhparam /etc/ssl/dhparams2048.pem;
>         add_header Strict-Transport-Security "max-age=31536000;
> includeSubDomains; preload" always;
>         ssl_session_timeout 1d;
>         ssl_session_tickets off;
>         ssl_stapling on;
>         ssl_stapling_verify on;
>         resolver 8.8.8.8 8.8.4.4 valid=300s;
>         access_log /var/log/nginx/sslvpn/access.log;
>         error_log /var/log/nginx/sslvpn/error.log;
>         error_page 404 403 /custom_404.html;
>         location = /custom_404.html {
>         root /usr/share/nginx/html;
>         internal;
>         }
> location /SNX/ {
>         proxy_pass https://websocket;
>             proxy_http_version 1.1;
>             proxy_set_header Upgrade $http_upgrade;
>             proxy_set_header Connection $connection_upgrade;
>                 proxy_set_header Host $host;
> }
> location  / {
>         proxy_send_timeout   90;
>         proxy_http_version 1.1;
>         proxy_read_timeout   90;
>         proxy_connect_timeout 30s;
>         proxy_pass https://websocket;
>         proxy_set_header Upgrade $http_upgrade;
>         proxy_set_header Connection $connection_upgrade;
>         proxy_ssl_server_name on;
>         proxy_redirect off;
>         proxy_set_header   Host   $host;
>         proxy_set_header   X-Real-IP  $remote_addr;
>         proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
>         }
> }
> ********************************************

Could you try to slightly update your configuration to the
"more sophisticated example" as it's described on
http://nginx.org/en/docs/http/websocket.html

-- 
Sergey Osokin
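The "more sophisticated example" in the nginx WebSocket documentation adds a `map` block that derives `$connection_upgrade` from the client's `Upgrade` header. The posted config references `$connection_upgrade` in both `location` blocks but never defines it; unless a `map` exists elsewhere in the `http{}` context, `nginx -t` rejects the file with an unknown-variable error, and if one exists but is wrong, the `Connection` header sent upstream is not `upgrade` and the backend answers the handshake with a normal HTTP response instead of `101 Switching Protocols`. The following is an added example, not code from the thread or the nginx documentation verbatim: the `upstream websocket` name, `server_name`, certificate paths and proxy headers are taken from the posted config, the `map` is the documented pattern, and the longer timeouts and the single `location /` (the HAR shows the WebSocket URL under a per-session token path, not `/SNX/`) are assumptions.

```nginx
# Added example (not from the thread). The map must sit in the http{} context,
# outside server{}, so it is visible to every server/location that uses it.
map $http_upgrade $connection_upgrade {
    default upgrade;   # client sent "Upgrade: websocket" -> forward "Connection: upgrade"
    ''      close;     # ordinary HTTP request (no Upgrade header) -> "Connection: close"
}

upstream websocket {
    server vpn.xxxx.com:443;   # hostname from the posted config; see note below
}

server {
    listen 443 ssl;
    server_name vpn.xxxx.com;
    ssl_protocols TLSv1.2;
    ssl_certificate     /etc/nginx/ssls/labcerts/wild.crt;
    ssl_certificate_key /etc/nginx/ssls/labcerts/wild.key;
    # remaining ssl_*, HSTS, resolver and logging directives: unchanged from the post

    location / {
        proxy_pass https://websocket;
        proxy_ssl_server_name on;            # SNI for the TLS connection to the upstream

        # WebSocket upgrade is hop-by-hop: nginx must speak HTTP/1.1 to the
        # backend and re-send the Upgrade/Connection pair explicitly.
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;   # defined by the map above

        proxy_set_header Host            $host;
        proxy_set_header X-Real-IP       $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_redirect off;

        # Per the linked docs, an idle tunnel is closed once proxy_read_timeout
        # (default 60s) passes without data from the backend unless it sends ping
        # frames. The posted 90s keeps that behaviour; 1h is an assumed value for
        # long-lived portal sessions.
        proxy_connect_timeout 30s;
        proxy_read_timeout    3600s;
        proxy_send_timeout    3600s;
    }
}
```

Check with `nginx -t` before reloading; with the `map` in place the `unknown "connection_upgrade" variable` error disappears, and a browser HAR capture of the same `/…/websocket` request should then show a `101` status rather than `200` or `400`. One thing worth verifying on the nginx host itself: `upstream websocket` and `server_name` use the same hostname `vpn.xxxx.com`, so that name must resolve (in `/etc/hosts` or DNS as seen by nginx) to the Check Point appliance, not to the nginx listener, otherwise each request is proxied back to nginx.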