Nginx reverse proxy settings for pwreset


Gexproof

Apr 2, 2024, 5:25:34 AMApr 2
to RCDevs Security
Hello. I have some trouble with the nginx reverse proxy configuration for the pwreset application.

When I'm using this config:
location / {
}
The page returns
Screenshot_3.png
If i use this variant
location /webapps/pwreset {
        proxy_pass https://10.13.177.100;
}
the page looks like this
Screenshot_4.png

And I suppose this is because all the CSS files are located in the upper directory.

About other settings:
In pwreset " Publish on Public URL (Proxy) " is turned on Yes.
In webadm.conf
reverse_proxies "10.13.177.53"

Please help. Thx!

And here is my full nginx config

# upstream pass.domain.com {
#         server 10.13.177.100:80;
# }

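server {
        listen 80;
        server_name pass.domain.com;
        access_log /var/log/nginx/pass-access.log;
        error_log /var/log/nginx/pass-error.log;
        # Redirect every plain-HTTP request to HTTPS. $server_name is used instead
        # of $host so the Location header always carries this vhost's own name and
        # cannot be steered by a client-supplied Host header when this is the
        # default server on :80.
        return 301 https://$server_name$request_uri;
}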

server {
        listen 443 ssl;
        server_name pass.domain.com;
        ssl_certificate /etc/nginx/cert/wildcard.domain.com.fullchain2024.pem;
        ssl_certificate_key /etc/nginx/cert/wildcard.domain.com.privkey2022.pem;
        # NOTE(review): TLSv1 and TLSv1.1 are deprecated; TLSv1.2 (plus TLSv1.3
        # where the nginx/OpenSSL build supports it) is the usual minimum today.
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        # RC4 is named in the list, but the trailing !RC4 removes it permanently,
        # so the effective cipher set contains no RC4 suites.
        ssl_ciphers "ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";

        access_log /var/log/nginx/pass-access.log;
        error_log /var/log/nginx/pass-error.log;

        # add_header X-Content-Type-Options nosniff;
        # Forwarding headers so the backend sees the real client address and
        # the public scheme/host (X-Forwarded-Proto is fixed to https because
        # only this TLS vhost proxies).
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;

        # client_max_body_size 128m; #64m;
        # client_body_buffer_size 256k; #128k;

        # proxy_connect_timeout 600;
        # proxy_send_timeout 360;
        # proxy_read_timeout 360;

        # proxy_buffer_size 16k;
        # proxy_buffers 4 256k;
        # proxy_busy_buffers_size 256k;
        # proxy_temp_file_write_size 256k;
        # proxy_ignore_client_abort Off;

        charset utf-8;

        # Only /webapps/pwreset is forwarded. The application's stylesheets live
        # one directory up under /webapps/ (as discussed in this thread), so those
        # requests never reach the backend — this is why the page renders without CSS.
        location /webapps/pwreset {
                # proxy_pass http://pass.domain.com/webapps/pwreset;
                # proxy_pass http://pass.domain.com;
                # nginx does not verify the upstream certificate by default
                # (proxy_ssl_verify off), so the backend's identity is not checked here.
                proxy_pass https://10.13.177.100;
                # proxy_pass https://10.13.177.100/webapps/pwreset;
        }
}

Yoann Traut (RCDevs)

Apr 2, 2024, 5:36:44 AMApr 2
to RCDevs Security
Hello, 

You're right: the CSS is not displayed because some CSS files are located in the upper directory.
You have to allow access to the /webapps/ folder from Nginx and control the application publication from the WebApps configuration (Publish on Public URL (Proxy)).

You can find here, the Apache configuration of our WAProxy (WebADM Publishing Proxy server):

[root@waproxy1 lib]# cat httpd.ini 


# Global section of the WAProxy httpd.ini as posted. The ${...} tokens are
# presumably substituted by the WAProxy start-up wrapper, which is not shown here.
ServerRoot ${ROOT}
PidFile ${ROOT}/temp/waproxy.pid
ServerLimit ${HTTPD_WORKERS}
ThreadsPerChild 64
Listen ${INTERFACE}:${PORT_STD} http
Listen ${INTERFACE}:${PORT_SSL} https
${LISTEN_IPV6_STD}
${LISTEN_IPV6_SSL}
${LISTEN_WEBSRVS4}
${LISTEN_WEBSRVS6}
LoadModule alias_module ${ROOT}/lib/modules/mod_alias.so
LoadModule authz_core_module ${ROOT}/lib/modules/mod_authz_core.so
LoadModule cache_module ${ROOT}/lib/modules/mod_cache.so
LoadModule cache_socache_module ${ROOT}/lib/modules/mod_cache_socache.so
LoadModule deflate_module ${ROOT}/lib/modules/mod_deflate.so
LoadModule dir_module ${ROOT}/lib/modules/mod_dir.so
LoadModule log_config_module ${ROOT}/lib/modules/mod_log_config.so
LoadModule mime_module ${ROOT}/lib/modules/mod_mime.so
LoadModule mime_magic_module ${ROOT}/lib/modules/mod_mime_magic.so
LoadModule rewrite_module ${ROOT}/lib/modules/mod_rewrite.so
LoadModule setenvif_module ${ROOT}/lib/modules/mod_setenvif.so
LoadModule ssl_module ${ROOT}/lib/modules/mod_ssl.so
LoadModule status_module ${ROOT}/lib/modules/mod_status.so
LoadModule headers_module ${ROOT}/lib/modules/mod_headers.so
LoadModule unixd_module ${ROOT}/lib/modules/mod_unixd.so
LoadModule proxy_module ${ROOT}/lib/modules/mod_proxy.so
LoadModule proxy_balancer_module ${ROOT}/lib/modules/mod_proxy_balancer.so
LoadModule proxy_http_module ${ROOT}/lib/modules/mod_proxy_http.so
LoadModule proxy_connect_module ${ROOT}/lib/modules/mod_proxy_connect.so
LoadModule socache_dbm_module ${ROOT}/lib/modules/mod_socache_dbm.so
LoadModule socache_shmcb_module ${ROOT}/lib/modules/mod_socache_shmcb.so
LoadModule slotmem_shm_module ${ROOT}/lib/modules/mod_slotmem_shm.so
LoadModule lbmethod_byrequests_module ${ROOT}/lib/modules/mod_lbmethod_byrequests.so
# mod_evasive provides the DOS* rate-limiting directives further down.
LoadModule evasive24_module ${ROOT}/lib/modules/mod_evasive24.so
# mod_reqtimeout provides RequestReadTimeout further down.
LoadModule reqtimeout_module ${ROOT}/lib/modules/mod_reqtimeout.so
User ${USER}
Group ${USER}
ServerName ${HOSTNAME}
UseCanonicalName Off
DocumentRoot ${ROOT}/lib/htdocs/
# Default-deny for the whole filesystem; everything that is served comes from
# the ProxyPass rules in the VirtualHosts below unless opened up elsewhere.
<Directory />
    Require all denied
    AllowOverride None
    Options FollowSymLinks
</Directory>
DirectoryIndex index.php
AccessFileName ${ROOT}/lib/.htaccess
TypesConfig ${ROOT}/lib/httpd.mimes
ExtendedStatus Off
HostnameLookups Off
EnableMMAP On
EnableSendfile On
AcceptFilter http none
AcceptFilter https none
ErrorLog ${ROOT}/logs/waproxy.log
ErrorLogFormat "[%{c}t] [%a] %M"
LogLevel warn
LogFormat "%a %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined
LogFormat "%a %t \"%r\" %>s %b" common
${CUSTOM_LOG}
# Minimise version disclosure and disable the TRACE method.
ServerTokens Prod
ServerSignature Off
TraceEnable Off
# mod_evasive thresholds: per-page and per-site request counts within the
# given intervals (seconds); offenders are blocked for DOSBlockingPeriod seconds.
DOSHashTableSize 2048
DOSPageCount 5
DOSSiteCount 100
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
DOSLogDir ${ROOT}/temp
# Bound the time a client may take to deliver request headers and body.
RequestReadTimeout header=10 body=20
CacheSocache shmcb:${ROOT}/temp/page_cache(512000)
CacheSocacheMaxSize 102400
CacheSocacheMaxTime 86400
CacheSocacheMinTime 600
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl
SSLSessionCache shmcb:${ROOT}/temp/ssl_cache(512000)
SSLSessionCacheTimeout  300
SSLUseStapling On
SSLStaplingCache shmcb:${ROOT}/temp/ssl_stapling(128000)
# Protocol and cipher policy are injected via the wrapper variables.
SSLProtocol ${SSL_PROTOCOL}
SSLHonorCipherOrder On
SSLCipherSuite ${SSL_CIPHERSUITE}
# TLS compression and session tickets are both disabled.
SSLCompression Off
SSLSessionTickets Off
SSLCertificateFile ${ROOT}/conf/waproxy.crt
SSLCertificateKeyFile ${ROOT}/conf/waproxy.key
SSLCACertificateFile ${ROOT}/conf/trusted.crt
# NOTE(review): a proxy CA bundle is configured here, but the VirtualHosts
# below set SSLProxyVerify None/Optional with peer CN/name checks off, so
# backend certificates are not actually validated against it.
SSLProxyCACertificateFile ${ROOT}/conf/ca.crt
# No client certificate by default; specific locations/vhosts set Optional.
SSLVerifyClient None
SSLVerifyDepth  10

# Plain-HTTP listener. Everything except the PKI endpoints (cacert, calist,
# ocsp, crl) is redirected to HTTPS; those four paths stay on HTTP and are
# proxied to the backend — presumably because OCSP/CRL clients fetch them
# over plain HTTP (confirm against the WebADM documentation).
<VirtualHost *:${PORT_STD}>
    DirectorySlash On
    RewriteEngine On
    SSLProxyEngine On
    # NOTE(review): the backend certificate is not verified or name-checked
    # for proxied requests from this vhost.
    SSLProxyVerify None
    SSLProxyCheckPeerCN Off
    SSLProxyCheckPeerName Off    
    SetOutputFilter DEFLATE
    # When the SSL port is the default 443 the redirect omits the port and
    # stops here ([L]); otherwise the second rule adds :${PORT_SSL}.
    RewriteCond ${PORT_SSL} ^443$
    RewriteRule !^/(cacert|calist|ocsp|crl)(/.*)?$ https://%{SERVER_NAME}%{REQUEST_URI} [L]
    RewriteRule !^/(cacert|calist|ocsp|crl)(/.*)?$ https://%{SERVER_NAME}:${PORT_SSL}%{REQUEST_URI}
    <Location /cacert/>
        ProxyPass balancer://backend_cluster/cacert/
        ProxyPassReverse balancer://backend_cluster/cacert/
    </Location>
    <Location /calist/>
        ProxyPass balancer://backend_cluster/calist/
        ProxyPassReverse balancer://backend_cluster/calist/
    </Location>
    <Location /ocsp/>
        ProxyPass balancer://backend_cluster/ocsp/
        ProxyPassReverse balancer://backend_cluster/ocsp/
    </Location>
    <Location /crl/>
        ProxyPass balancer://backend_cluster/crl/
        ProxyPassReverse balancer://backend_cluster/crl/
    </Location>
    # Backend pool: first WebADM node plus any extra members injected via
    # ${WEBAPPS_CLUSTER_EXT}.
    <Proxy balancer://backend_cluster>
        BalancerMember https://${SERVER_ADDR1}/ responsefieldsize=200000 connectiontimeout=5 timeout=60 retry=10
        ${WEBAPPS_CLUSTER_EXT}
    </Proxy>
</VirtualHost>


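# Main HTTPS listener. The site root is mapped onto /webapps/ on the WebADM
# backend, which is why assets located one level above an individual
# application (e.g. pwreset) are still reachable through the proxy.
<VirtualHost *:${PORT_SSL}>
    DirectorySlash On
    KeepAlive On
    SSLEngine On
    SSLProxyEngine On
    # NOTE(review): the backend certificate is neither verified nor name-checked
    # here, so the global SSLProxyCACertificateFile is unused by this vhost.
    # Acceptable only if proxy-to-backend traffic stays on a trusted network.
    SSLProxyVerify None
    SSLProxyCheckPeerCN Off
    SSLProxyCheckPeerName Off
    SSLCertificateFile ${WAPROXY_CRT}
    SSLCertificateKeyFile ${WAPROXY_KEY}
    # NOTE(review): response compression on a TLS listener is subject to the
    # usual BREACH considerations for pages that mix secrets with
    # attacker-influenced content — confirm this is acceptable for the webapps.
    SetOutputFilter DEFLATE
    # NOTE(review): caching covers the whole proxied tree; per-user responses
    # stay out of the shared cache only if the backend sends appropriate
    # Cache-Control headers — confirm on the WebADM side.
    CacheEnable socache /
    <Location />
        ProxyPass balancer://backend_cluster/webapps/
        ProxyPassReverse balancer://backend_cluster/webapps/
        ProxyAddHeaders on
    </Location>
    # The posted copy read <Location "/admin/> with an unbalanced quote;
    # the path argument needs no quoting.
    <Location /admin/>
        ProxyPass balancer://backend_cluster/admin/
        ProxyPassReverse balancer://backend_cluster/admin/
        ProxyAddHeaders on
    </Location>
    # Excluded from proxying: these paths are handled by this server, not the backend.
    ProxyPass /robots.txt !
    ProxyPass /favicon.png !
    ProxyPass /favicon.ico !
    ProxyPass /.well-known/acme-challenge/ !
    # Request (but do not require) a client certificate on the *_pki.php endpoints.
    <LocationMatch "^/\w+/.+_pki.php$">
        SSLVerifyClient Optional
    </LocationMatch>
    <Location /.well-known/openid-configuration/>
        ProxyPass balancer://backend_cluster/webapps/openid/.well-known/openid-configuration/
        ProxyPassReverse balancer://backend_cluster/webapps/openid/.well-known/openid-configuration/
    </Location>
    <Location /cacert/>
        ProxyPass balancer://backend_cluster/cacert/
        ProxyPassReverse balancer://backend_cluster/cacert/
    </Location>
    <Location /calist/>
        ProxyPass balancer://backend_cluster/calist/
        ProxyPassReverse balancer://backend_cluster/calist/
    </Location>
    <Location /ocsp/>
        ProxyPass balancer://backend_cluster/ocsp/
        ProxyPassReverse balancer://backend_cluster/ocsp/
    </Location>
    <Location /crl/>
        ProxyPass balancer://backend_cluster/crl/
        ProxyPassReverse balancer://backend_cluster/crl/
    </Location>
    <Location /ws/>
        ProxyPass balancer://backend_cluster/ws/
        ProxyPassReverse balancer://backend_cluster/ws/
    </Location>
    # Backend pool: first WebADM node plus any extra members injected via
    # ${WEBAPPS_CLUSTER_EXT}.
    <Proxy balancer://backend_cluster>
        BalancerMember https://${SERVER_ADDR1}/ responsefieldsize=200000 connectiontimeout=5 timeout=60 retry=10
        ${WEBAPPS_CLUSTER_EXT}
    </Proxy>
</VirtualHost>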


# Web-services (API) listener: the entire tree is proxied to the websrvs cluster.
<VirtualHost *:${PORT_SRV}>
    DirectorySlash Off
    KeepAlive Off
    SSLEngine On
    SSLProxyEngine On
    # NOTE(review): backend verification is only Optional and peer CN/name
    # checks are off — confirm this matches the trust model for the WebSrv hosts.
    SSLProxyVerify Optional
    SSLProxyCheckPeerCN Off
    SSLProxyCheckPeerName Off
    # Client certificates are requested but not required on this listener.
    SSLVerifyClient Optional
    <Location />
        ProxyPass balancer://websrvs_cluster/
        ProxyPassReverse balancer://websrvs_cluster/
        ProxyAddHeaders on
        # Any incoming WA-API-Version header is dropped before the request is
        # forwarded to the backend.
        RequestHeader unset WA-API-Version
        #RequestHeader unset X-Forwarded-for
    </Location>
    # Backend pool: first WebSrv node plus any extra members injected via
    # ${WEBSRVS_CLUSTER_EXT}.
    <Proxy balancer://websrvs_cluster>
        BalancerMember https://${WEBSRV_ADDR1}/ responsefieldsize=200000 connectiontimeout=5 timeout=60 retry=10
        ${WEBSRVS_CLUSTER_EXT}
    </Proxy>
</VirtualHost>




Regards

Gexproof

Apr 3, 2024, 3:48:40 AMApr 3
to RCDevs Security
Thanks for your response!
I've found how to make it work. Here is the configuration which works and, I hope, securely.

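server {
        listen 80;
        server_name pass.domain.com;
        access_log /var/log/nginx/pass-access.log;
        error_log /var/log/nginx/pass-error.log;
        # Redirect every plain-HTTP request to HTTPS. $server_name is used instead
        # of $host so the Location header always carries this vhost's own name and
        # cannot be steered by a client-supplied Host header when this is the
        # default server on :80.
        return 301 https://$server_name$request_uri;
}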

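server {
        listen 443 ssl;
        server_name pass.domain.com;
        ssl_certificate /etc/nginx/cert/wildcard.domain.com.fullchain2024.pem;
        ssl_certificate_key /etc/nginx/cert/wildcard.domain.com.privkey2022.pem;
        # TLSv1 and TLSv1.1 are deprecated and have been dropped from the original
        # list. TLSv1.3 is only negotiated when the nginx/OpenSSL build supports
        # it; remove the token if this nginx is older than 1.13.0.
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;
        # Cipher string kept as posted: the trailing !RC4 permanently removes RC4
        # even though it is named earlier in the list.
        ssl_ciphers "ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";

        access_log /var/log/nginx/pass-access.log;
        error_log /var/log/nginx/pass-error.log;

        add_header X-Content-Type-Options nosniff;
        # Forwarding headers so the backend sees the real client address and
        # the public scheme/host (X-Forwarded-Proto is fixed to https because
        # only this TLS vhost proxies).
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;

        # nginx does not verify the upstream certificate by default. To pin the
        # backend's identity, enable the two directives below once the CA that
        # issued 10.13.177.100's certificate is available on this host:
        # proxy_ssl_verify on;
        # proxy_ssl_trusted_certificate /etc/nginx/cert/BACKEND_CA_PLACEHOLDER.pem;

        charset utf-8;

        location /webapps/pwreset {
                proxy_pass https://10.13.177.100;
        }

        # Shared assets live one level up in /webapps/, so they are proxied too.
        # Compared with the posted pattern, the regex is anchored to the start of
        # the URI and the dot before the extension is escaped, so it no longer
        # matches e.g. /other/webapps/x-php.
        # NOTE(review): keeping "php" here means every PHP endpoint under
        # /webapps/ — not only pwreset — is reachable through this proxy. Confirm
        # pwreset really needs PHP files outside its own directory; if not, drop
        # php from the list, or rely on the WebApps "Publish on Public URL
        # (Proxy)" setting to limit which applications are published.
        location ~* ^/webapps/.*\.(css|svg|php|js|png|woff)$ {
                proxy_pass https://10.13.177.100;
        }
}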
вторник, 2 апреля 2024 г. в 12:36:44 UTC+3, Yoann Traut (RCDevs):

Yoann Traut (RCDevs)

Apr 3, 2024, 3:58:14 AMApr 3
to RCDevs Security
Happy to see that you made it work.
Thanks for sharing your config with the community. 

Regards