Hi,

On Sun, Sep 19, 2021 at 01:35:02PM -0400, blason wrote:
> Hi Team,
>
> I am trying to add an nginx reverse proxy behind the Check Point Mobile Access
> portal, which is an SSL VPN portal. Somehow this is not working, and when I
> captured and analyzed the HAR file I observed that the portal is accepting
> websocket calls. I tried implementing the same with nginx but I am still
> unable to find the solution.
>
> Here is what I am seeing in the HAR file, and then I have given my config.
>
> ################
> General:
> Request URL:
> https://vpn.xxxx.com/7D8B79A2-8974-4D7B-A76A-F4F29624C06BMCNu92Dm4l-Zi00Q9XmCAEP2W0TG236BR4s3ROIfxiy7ICrrEllGkIikmth2jOjkklZMt4z1porwm5BgBNByrQ/websocket?url=https%3A%2F%2Fvpn.xxxx.com%2FPortal%2FMain&nocache=1632059231484
> HTTP Version: HTTP/1.1
> Request method: GET
> Headers:
> Cache-Control no-cache
> Connection Upgrade
> Cookie selected_realm=ssl_vpn;
> CPCVPN_SESSION_ID=e27df7fe2b0ce359198a5b703b9402d235668bb3;
> CPCVPN_BASE_HOST=vpn.xxxx.com;
> CPCVPN_OBSCURE_KEY=23f63321355ce5d11767b258178d9775
> DNT 1
> Host vpn.xxxx.com
> Origin https://vpn.xxxx.com
> Sec-WebSocket-Key ehTLIcXsKwaddkSug5rN9Q==
> Sec-WebSocket-Version 13
> Upgrade websocket
> User-Agent Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
> Query arguments:
> url https://vpn.xxxx.com/Portal/Main
> nocache 1632059231484
> ##############################
>
> And here is my config
>
> *************************
> upstream websocket {
>     server vpn.xxxx.com:443;
> }
>
> server {
>     listen 443 ssl;
>     server_name vpn.xxxx.com;
>
>     ssl_protocols TLSv1.2;
>     ssl_prefer_server_ciphers on;
>     ssl_session_cache shared:SSL:10m;
>     ssl_certificate /etc/nginx/ssls/labcerts/wild.crt;
>     ssl_certificate_key /etc/nginx/ssls/labcerts/wild.key;
>     ssl_ciphers
> 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
>     ssl_dhparam /etc/ssl/dhparams2048.pem;
>     add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
>     ssl_session_timeout 1d;
>     ssl_session_tickets off;
>     ssl_stapling on;
>     ssl_stapling_verify on;
>     resolver 8.8.8.8 8.8.4.4 valid=300s;
>
>     access_log /var/log/nginx/sslvpn/access.log;
>     error_log /var/log/nginx/sslvpn/error.log;
>
>     error_page 404 403 /custom_404.html;
>     location = /custom_404.html {
>         root /usr/share/nginx/html;
>         internal;
>     }
>
>     location /SNX/ {
>         proxy_pass https://websocket;
>         proxy_http_version 1.1;
>         proxy_set_header Upgrade $http_upgrade;
>         proxy_set_header Connection $connection_upgrade;
>         proxy_set_header Host $host;
>     }
>
>     location / {
>         proxy_send_timeout 90;
>         proxy_http_version 1.1;
>         proxy_read_timeout 90;
>         proxy_connect_timeout 30s;
>         proxy_pass https://websocket;
>         proxy_set_header Upgrade $http_upgrade;
>         proxy_set_header Connection $connection_upgrade;
>         proxy_ssl_server_name on;
>         proxy_redirect off;
>         proxy_set_header Host $host;
>         proxy_set_header X-Real-IP $remote_addr;
>         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>     }
> }
> ********************************************
Could you try to slightly update your configuration to the "more sophisticated
example" as it's described on http://nginx.org/en/docs/http/websocket.html

-- 
Sergey Osokin
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
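The shape of the "more sophisticated example" from the nginx WebSocket documentation, applied to the configuration quoted above, as an added illustration that is not code from this thread or from nginx.org. It assumes the `upstream websocket` block from the original post is kept and that the TLS, certificate and logging directives stay where they are; the `map` must sit in the `http` context, outside any `server` block, so that `$connection_upgrade` is defined before the `location` blocks reference it.

```nginx
# Added example: derive the Connection header value from the client's
# Upgrade header. WebSocket handshakes get "Connection: upgrade";
# ordinary requests (empty $http_upgrade) get "Connection: close",
# so they are not forwarded with a dangling upgrade hint.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 443 ssl;
    server_name vpn.xxxx.com;   # hostname as in the original post

    # ssl_*, add_header, resolver, access_log and error_log directives
    # from the original post remain here unchanged.

    location / {
        proxy_pass https://websocket;        # upstream from the original post
        proxy_http_version 1.1;              # the hop-by-hop upgrade needs HTTP/1.1
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;
        proxy_ssl_server_name on;            # send SNI to the TLS upstream
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # nginx closes a proxied connection that is silent for
        # proxy_read_timeout (60s by default; 90 in the original post).
        # A quiet WebSocket session is dropped at that point, so raise it
        # to the idle time the portal session is expected to survive.
        proxy_read_timeout 3600s;
        proxy_send_timeout 3600s;
    }
}
```

Run `nginx -t` after the change: with the `map` absent from the `http` context, nginx rejects the configuration at load time because `$connection_upgrade` is an unknown variable, which is a quick way to confirm the map is actually in effect.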