I am trying to access my switch through my Nginx reverse proxy. I can access the switch fine using the local IP over http, but when I try with the domain name through my reverse proxy over https, I can get the login page, but when I enter my credentials and click login the page times out (error 502). The issue seems to be with the logon.cgi page.

Would anyone know how to correctly configure a reverse proxy for this switch? (I have similar configuration working for my TP-Link router and many other services)

Here is my simple reverse proxy configuration:

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name switch.example.com;

    ssl_certificate ...
    ssl_certificate_key ...

    access_log            /var/log/nginx/switch.access.log;
    error_log            /var/log/nginx/switch.error.log;

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_buffering off;
        client_max_body_size 0;
        proxy_connect_timeout  3600s;
        proxy_read_timeout  3600s;
        proxy_send_timeout  3600s;
        send_timeout  3600s;

        proxy_set_header X-NginX-Proxy true;

        proxy_pass  http://192.168.1.2;
        proxy_redirect http://192.168.1.2 https://switch.example.com;
    }
}

I have tried to debug using the browser dev tools but I really don't understand what is wrong. Using hard DNS mapping from switch.example.com to 192.168.1.2 works, and here is what I see in the dev tools for the login script:

Request URL: http://switch.example.com/logon.cgi
Request Method: POST
Status Code: 200 OK
Remote Address: 192.168.1.2:80
Referrer Policy: strict-origin-when-cross-origin
Connection: close
Content-Type: text/html
Transfer-Encoding: chunked
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cache-Control: max-age=0
Connection: keep-alive
Content-Length: 53
Content-Type: application/x-www-form-urlencoded
Host: switch.example.com
Origin: http://switch.example.com
Referer: http://switch.example.com/
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.67 Safari/537.36 OPR/87.0.4390.45

But when I try to access the switch through my reverse proxy (setting a CNAME that points to my nginx server), here's what I see:

Request URL: https://switch.example.com/logon.cgi
Referrer Policy: strict-origin-when-cross-origin
:authority: switch.example.com
:method: POST
:path: /logon.cgi
:scheme: https
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cache-control: max-age=0
content-length: 53
content-type: application/x-www-form-urlencoded
origin: https://switch.example.com
referer: https://switch.example.com/
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="101", "Opera";v="87"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
sec-fetch-dest: document
sec-fetch-mode: navigate
sec-fetch-site: same-origin
sec-fetch-user: ?1
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.67 Safari/537.36 OPR/87.0.4390.45

Also, I have used Wireshark to capture the request when I successfully log in using the local IP address (http://192.168.1.2): Wireshark screenshot (Sorry for the link, not enough rep)

Looking at the Nginx error log, I see it is a timeout error:

The error from the Nginx reverse proxy is a timeout error:

2022/06/10 16:53:54 [error] 3630#3630: *29 upstream timed out (110: Unknown error) while reading response header from upstream, client: 192.168.1.123, server: switch.example.com, request: "POST /logon.cgi HTTP/2.0", upstream: "http://192.168.1.2:80/logon.cgi", host: "switch.example.com", referrer: "https://switch.example.com/"
Remz1337
  • There is no "generic reverse proxy configuration for a managed switch". Each of them could require its own unique quirks. My suggestion would be to enable developer tools in the browser and look at the "network" page to see what requests it sends when it works correctly and what is different with the reverse proxy. – Nikita Kipriyanov Jun 10 '22 at 07:51
  • Thanks for the suggestion @NikitaKipriyanov, I have updated my post with that information – Remz1337 Jun 10 '22 at 17:08
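
Added example, not part of the original post or comments: the comparison suggested in the comment above, applied to an abridged copy of the two request-header dumps from the question. It lower-cases header names and maps the HTTP/2 `:authority` pseudo-header to `host` so that only real differences remain; the function names are illustrative.

```python
# Abridged from the two dev-tools dumps in the question (request headers only).
DIRECT = """\
Accept-Encoding: gzip, deflate
Cache-Control: max-age=0
Connection: keep-alive
Content-Length: 53
Content-Type: application/x-www-form-urlencoded
Host: switch.example.com
Origin: http://switch.example.com
Referer: http://switch.example.com/
Upgrade-Insecure-Requests: 1
"""
PROXIED = """\
:authority: switch.example.com
:method: POST
:path: /logon.cgi
:scheme: https
accept-encoding: gzip, deflate, br
cache-control: max-age=0
content-length: 53
content-type: application/x-www-form-urlencoded
origin: https://switch.example.com
referer: https://switch.example.com/
sec-fetch-site: same-origin
upgrade-insecure-requests: 1
"""
REQUEST_LINE = {":method", ":path", ":scheme"}  # HTTP/2 request-line parts, not headers

def parse_headers(dump):
    """Return {lower-cased name: value}, folding :authority into host."""
    headers = {}
    for line in dump.splitlines():
        idx = line.find(":", 1)  # skip the leading ':' of a pseudo-header
        if idx < 0:
            continue
        name, value = line[:idx].strip().lower(), line[idx + 1:].strip()
        if name in REQUEST_LINE:
            continue
        headers["host" if name == ":authority" else name] = value
    return headers

def diff_headers(direct, proxied):
    a, b = parse_headers(direct), parse_headers(proxied)
    changed = {k: (a[k], b[k]) for k in sorted(a.keys() & b.keys()) if a[k] != b[k]}
    return {"only_direct": sorted(a.keys() - b.keys()),
            "only_proxied": sorted(b.keys() - a.keys()),
            "changed": changed}

if __name__ == "__main__":
    for kind, items in diff_headers(DIRECT, PROXIED).items():
        print(kind, items)
```

Both dumps are what the browser sent; nginx passes `Origin` and `Referer` through unchanged, while `Host`, `Connection` and the other `proxy_set_header` lines in the configuration determine the rest of what the switch receives.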
