I can't use module in nginx reverse proxy with port 443 #6

Open
ChuongTran97 opened this issue Aug 25, 2021 · 9 comments

@ChuongTran97

Hi,
Can you help me configure ntlm for a website using port 443? It is the same configuration as a website using port 80, but it is not working. Please help me debug this issue. Thanks

@gabihodoroaga
Owner

Hi @ChuongTran97,

Please share the nginx configuration you used. Leave out all private and sensitive information.

@ChuongTran97
Author

ChuongTran97 commented Aug 25, 2021

upstream upstream_test {
    server 1.1.1.1:443 max_fails=3;
    ntlm;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name server.name.com;
    proxy_next_upstream http_404 http_502 http_504;
    ssl_certificate ssl/1.crt;
    ssl_certificate_key ssl/1.key;
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        proxy_pass https://upstream_test;
        proxy_redirect off;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        client_body_buffer_size 128k;
        proxy_buffer_size   128k;
        proxy_buffers   4 256k;
        proxy_busy_buffers_size   256k;
        proxy_connect_timeout 90;
        proxy_send_timeout 90;
        proxy_read_timeout 90;
        proxy_set_header Connection "";
        proxy_http_version 1.1;
    }
}

This is my config. Is something wrong?

@gabihodoroaga
Owner

proxy_set_header Connection "Upgrade";
...
proxy_set_header Connection "";

You must clear the Connection header.
I don't know how nginx behaves if you have the same setting twice.
Try to remove the first one and see if it works.
Also, the proxy_http_version 1.1; is there twice.

g.
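
A small checker for the two problems pointed out in the reply above (the Connection header set twice and not cleared, and proxy_http_version repeated), as an added example that is not code from this thread or from the module's repository. The function names, the sample config and the 192.0.2.10 address are constructed for illustration.

```python
import re

def directives(conf):
    """Yield (enclosing_blocks, name, args) for each simple directive in an nginx config."""
    conf = re.sub(r"#[^\n]*", "", conf)  # drop comments (assumes no '#' inside quoted values)
    path, words = [], []
    for tok in re.findall(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};]+', conf):
        if tok == "{":
            path.append(" ".join(words))      # e.g. "upstream upstream_test", "location /"
        elif tok == "}":
            path.pop()
        elif tok == ";" and words:
            yield tuple(path), words[0], words[1:]
        words = words + [tok] if tok not in "{};" else []

def check_ntlm_locations(conf):
    """Return findings for blocks whose proxy_pass targets an upstream containing 'ntlm;'."""
    items = list(directives(conf))
    ntlm = {p[-1].split()[1] for p, n, _ in items
            if n == "ntlm" and p and p[-1].startswith("upstream ")}
    by_block = {}
    for p, n, a in items:
        by_block.setdefault(p, []).append((n, a))
    findings = []
    for p, ds in by_block.items():
        target = next((a[0] for n, a in ds if n == "proxy_pass" and a), "")
        m = re.match(r"https?://([^/:]+)", target)
        if not m or m.group(1) not in ntlm:
            continue
        # Only directives written in this block are checked; inherited ones are not resolved.
        conn = [a[1] for n, a in ds
                if n == "proxy_set_header" and len(a) == 2 and a[0].lower() == "connection"]
        if len(conn) > 1:
            findings.append(f"{p[-1]}: Connection header set {len(conn)} times: {conn}")
        if not conn or any(v not in ('""', "''") for v in conn):
            findings.append(f"{p[-1]}: Connection header is not cleared")
        if sum(n == "proxy_http_version" for n, _ in ds) > 1:
            findings.append(f"{p[-1]}: proxy_http_version appears more than once")
    return findings

# Constructed sample: the directives quoted in the reply above; 192.0.2.10 is a placeholder.
SAMPLE = '''upstream upstream_test { server 192.0.2.10:443; ntlm; }
server { location / {
    proxy_pass https://upstream_test;
    proxy_http_version 1.1;
    proxy_set_header Connection "Upgrade";
    proxy_set_header Connection "";
    proxy_http_version 1.1;
} }'''
print("\n".join(check_ntlm_locations(SAMPLE)))
```
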

@ChuongTran97
Author

I have removed "proxy_set_header Connection "Upgrade";" before, but it still does not work. Do you have another idea for this?

@gabihodoroaga
Owner

gabihodoroaga commented Aug 25, 2021

Hi,

I tested your configuration locally and it is working fine.
You could try to enable debug logging and try to find the error in the error log.

Update the log level

    error_log  ./logs/error.log debug;

in your nginx.conf file.

@ChuongTran97
Author

Hi,
I tried the configuration but it still does not work. The website is always in "pending" status and doesn't respond with anything. I didn't see any access.log or error.log. Can you tell me how my configuration works on your local system? I have no idea now.

@gabihodoroaga
Owner

Hi,

You should see logs related to the ntlm module in logs.

It does not seem to be related to the module itself.

Try to debug the ssl connection issues from outside to your proxy and from proxy to backend.

openssl s_client -connect example.com:443 -tls1_3 -status -msg -debug

Try multiple protocols: tls1_1, tls1_2.

@gabihodoroaga
Owner

Hi @ChuongTran97,

If you still have issues you can write me an email and we can take it from there.

g.

@duylong

duylong commented Dec 20, 2021

Hi,

I have a similar problem. To solve the blocking problem I had to put a "keepalived" option on the upstream. However, I am facing the error below:

Secure Connection Failed
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.

Everything works without the ntlm option, I have no problem with certificates. Can you reproduce the problem?

Example nginx conf:

upstream http_backend {
    server 1.1.1.1:443;
    keepalive 16;
    ntlm;
}

server {
    ...
    location / {
        proxy_pass https://http_backend/;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        ...
    }
}
