“Bad Gateway” when connecting to old IIS servers over SSL through NGINX reverse proxy
I am trying to set up an NGINX server as a reverse proxy to make it possible to connect via TLS 1.2 to an old IIS server that is limited to TLS 1.0.
Connection on port 80 works fine. But I get 502 Bad Gateway when I try to connect over https. When I look at the NGINX error logs I see this line...

    *364 peer closed connection in SSL handshake while SSL handshaking to upstream

Below is the config I have for the reverse proxy. (Note, website url and public IP changed to preserve anonymity)

    # Plain HTTP listener, proxied to the IIS server over HTTP
    server {
        listen 80;
        listen [::]:80;
        server_name www.mywebsite.com;

        location / {
            proxy_set_header Host "www.mywebsite.com";
            proxy_pass http://192.168.201.235:80/;
        }
    }

    # HTTPS listener, proxied to the IIS server over HTTPS
    server {
        listen 443 ssl http2 default_server;
        listen [::]:443 ssl http2 default_server;
        server_name www.mywebsite.com;

        ssl_certificate "/etc/pki/nginx/mywebsite.crt";
        ssl_certificate_key "/etc/pki/nginx/private/mywebsite.key";
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 10m;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;

        location / {
            proxy_set_header Host "www.mywebsite.com";
            # nginx opens its own TLS connection to the upstream here
            proxy_pass https://192.168.201.235:443/;
        }
    }

Is there anything I can do to resolve the bad gateway issue while still connecting securely between the proxy and the target server?
I can connect to the IP address directly over HTTPS, and if I put in another SSL enabled website after proxy_pass it also works.
I have tried searching for an answer to this on Google but none of the hits are so far similar enough to my situation to be helpful.
nginx ssl windows-server-2003 reverse-proxy iis-6
edited 6 hours ago by Lex Li
asked 13 hours ago by MrVimes
It’s likely inability to SSL handshake between proxy and 2k3 box. You may have to try enabling different ciphersuites or SSL/TLS levels to find one that will work with older box, though I don’t know if it’s possible to configure internal/external connections differently to avoid compromising security on external connections. I’m pretty sure that Apache reverse proxy can do this but I’ve never used nginx.
– apocalysque
13 hours ago
Did you try to use proxy_ssl_protocols TLSv1; ? docs.nginx.com/nginx/admin-guide/security-controls/…
– Lex Li
10 hours ago
@LexLi that worked! Thank you. If you add it as a reply I will accept it.
– MrVimes
9 hours ago
@MikaelH You are absolutely right, I should migrate/upgrade/solve this properly, but my hands are a bit tied and at this stage I am merely seeing if it is at least possible to do this the cheap way.
– MrVimes
9 hours ago
1 Answer
The setting proxy_ssl_protocols seems to control the connection between nginx and the upstream server (Windows Server 2003 in your case),
https://docs.nginx.com/nginx/admin-guide/security-controls/securing-http-traffic-upstream/
Its default setting today might block TLS 1.0, so you need to set proxy_ssl_protocols TLSv1; to enable TLS 1.0.
answered 9 hours ago by Lex Li
Thank you again. This worked, and I am able to connect to the website externally over TLS 1.2.
– MrVimes
9 hours ago
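The split this thread arrives at, written out as an added example (not code from the thread or from the nginx documentation): ssl_protocols governs only the client-facing listener, while the proxy_ssl_* directives govern only the connection nginx opens to the IIS server. The ssl_protocols line, the three certificate-verification directives and the CA path /etc/pki/nginx/upstream-ca.crt are assumptions; hostname, IP and certificate paths are the question's anonymized values.

```nginx
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name www.mywebsite.com;

    ssl_certificate     "/etc/pki/nginx/mywebsite.crt";
    ssl_certificate_key "/etc/pki/nginx/private/mywebsite.key";
    ssl_session_cache   shared:SSL:1m;
    ssl_session_timeout 10m;

    # Client-facing leg. ssl_* directives apply to connections that clients
    # open to nginx, so external users stay on TLS 1.2 regardless of what
    # the upstream can negotiate. (Assumption: not in the original config.)
    ssl_protocols TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_set_header Host "www.mywebsite.com";
        proxy_pass https://192.168.201.235:443/;

        # Upstream leg. proxy_ssl_* directives apply to the connection nginx
        # opens to the IIS server. Set at location scope, the TLS 1.0
        # exception covers this one upstream instead of every proxied
        # location in the server or http block.
        proxy_ssl_protocols TLSv1;

        # nginx does not verify the upstream certificate unless told to
        # (proxy_ssl_verify defaults to off). The lines below pin the hop
        # to the expected server. Assumptions: the IIS certificate is
        # issued for www.mywebsite.com and its issuing CA is stored at the
        # hypothetical path below.
        proxy_ssl_verify              on;
        proxy_ssl_trusted_certificate /etc/pki/nginx/upstream-ca.crt;
        proxy_ssl_name                www.mywebsite.com;
    }
}
```

Run nginx -t before reloading; if the handshake still fails after the change, the error log line quoted in the question is the place to look.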