8

I'm trying to set up Microsoft Remote Desktop Web Services on a Windows 2k12 server. This is fully functional; however, I would like (need to) put a reverse proxy (Nginx) in front of it.

I only have 1 external IP (fixed) and I am hosting multiple websites behind it, not all on the same VM. I managed to get Nginx working as a reverse proxy for both HTTP and HTTPS traffic, with vhosts. However, for the remote desktop services, the SSL offloading gives me issues when launching the application. So I would like to pass traffic through the Nginx server, without SSL offloading, and have the Windows server do all the SSL stuff. It seems that even without entering "ssl on;" Nginx puts a certificate from another vhost on the server section of the RD Web. I don't have something like a "default" block anywhere in my configuration.

Here is a little 'sketch' of what the setup looks like:

                                                           -- |server 1 HTTP|
|internet user| -- |Nginx Rev Proxy listening on port 443| -- |windows server|
                                                           -- |server 2 HTTP|

Below is the configuration file that I have (for the RD Web):

server {
        listen 443;
        server_name host.domain.com;

        access_log /var/log/nginx/host.domain.com.access.log;

        location / {
                proxy_set_header        Host $host;
                proxy_set_header        X-Real-IP $remote_addr;
                proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header        X-Forwarded-Proto $scheme;
                proxy_pass              https://172.29.0.249;
        }

}

I already tried to have the Windows server accept plain HTTP, but this once again gives issues with the remote desktop applications. I can get as far as logging in and there it stops. I already mentioned it before, but when I forward port 443 on my firewall towards the Windows server the remote desktop connections work without issues, so that doesn't seem to be the problem.

Any help here would be greatly appreciated. I'm new to Nginx and its configuration (always used Apache in the past).

Goez
  • 1,838
  • 1
  • 11
  • 15

4 Answers

14

Today, nginx supports SSL pass-through: https://serversforhackers.com/tcp-load-balancing-with-nginx-ssl-pass-thru

Tom
  • 386
  • 3
  • 7
5

Since version 1.11.5, nginx supports pass-through SSL proxying with SNI awareness: http://nginx.org/en/docs/stream/ngx_stream_ssl_preread_module.html

ValdikSS
  • 166
  • 2
  • 3
  • 1
    Hi and welcome to Server Fault. Please provide relevant quotes and a brief summary of the content you are referring to: links can become broken. – bgtvfr Sep 06 '19 at 09:43
2

nginx can't pass through SSL without terminating it. Use haproxy in front of nginx, which is capable of this (at least version 1.5), to proxy the RD Web traffic to your terminal server, and everything else to nginx.

Michael Hampton
  • 244,070
  • 43
  • 506
  • 972
1

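For nginx you need to use stream and not http. You can add this to your /etc/nginx/nginx.conf:

stream {

    # Pick the backend from the SNI name in the ClientHello; TLS is not terminated here.
    # Dots are escaped so they only match a literal "." in the server name.
    map $ssl_preread_server_name $targetBackend {
        ~^(?<domain>.+)\.example\.com$ 192.168.1.2:443;
        # A hostname target built from a variable is resolved at run time,
        # so it needs a "resolver" directive in the stream block.
        ~^(?<domain>.+)\.random\.com$ $domain.internal.local:443;
    }

    server {
        listen 443;

        proxy_pass $targetBackend;
        ssl_preread on;   # read the ClientHello without decrypting it
    }
}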
Matoran
  • 11
  • 1
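
The setup from the question wired up with the stream/`ssl_preread` approach from the answers, as an added example that is not code from any post above. It uses the question's `host.domain.com` and `172.29.0.249`; the loopback port `127.0.0.1:8443`, the upstream names `rdweb` and `local_https`, the variable `$tls_backend`, and the vhost name and certificate paths are assumptions or placeholders.

```nginx
# /etc/nginx/nginx.conf, top level (stream {} sits beside http {}, not inside it)

stream {
    # Route on the SNI name from the ClientHello. The name is client-supplied
    # and unauthenticated, so use an exact-match allowlist with a fixed
    # default instead of building the backend address from the name.
    map $ssl_preread_server_name $tls_backend {
        host.domain.com  rdweb;         # RD Web: passed through untouched
        default          local_https;   # everything else, incl. clients without SNI
    }

    upstream rdweb {
        server 172.29.0.249:443;        # Windows server does all the TLS itself
    }

    upstream local_https {
        server 127.0.0.1:8443;          # assumed port for the existing HTTPS vhosts
    }

    server {
        listen 443;                     # the only listener on the public :443
        ssl_preread on;                 # peek at the ClientHello, no decryption
        proxy_pass $tls_backend;        # resolves to one of the upstream groups
    }
}

http {
    # Existing HTTPS vhosts move from :443 to the loopback port so they no
    # longer compete with the stream listener for the same socket.
    server {
        listen 127.0.0.1:8443 ssl;
        server_name www.example.org;                    # placeholder vhost
        ssl_certificate     /path/to/fullchain.pem;     # placeholder path
        ssl_certificate_key /path/to/privkey.pem;       # placeholder path

        location / {
            proxy_set_header Host $host;
            proxy_pass http://192.0.2.10;               # placeholder backend
        }
    }
}
```

Behind the stream listener the local vhosts see `127.0.0.1` as the client address, so `$remote_addr` in their logs and in headers such as `X-Real-IP` no longer reflects the real client.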