need help reverse-proxy config

Posted by Thierry 
Thierry
need help reverse-proxy config
January 09, 2017 07:20PM
Dear,

I have a reverse-proxy in front of my two servers: web (apache2) and
email (nginx-iredmail).
The reverse proxy works perfectly with my web server running
Apache2, but I am not able to make it work for my email server.
The reverse-proxy and the email server are both running the same
version of Nginx (1.9).

I have tried many configs without any success.
My last one:

***********************************************************************

server {
    listen 446;
    server_name email.domain.ltd;

    location / {
        proxy_pass https://email_server_ip:446;

        proxy_ssl_certificate /etc/ssl/certs/cert.chained.crt;
        proxy_ssl_certificate_key /etc/ssl/private/private.key;
        proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        proxy_ssl_ciphers HIGH:!aNULL:!MD5;
        proxy_ssl_trusted_certificate /etc/ssl/certs/cert.chained.crt;

        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        proxy_ssl_session_reuse on;
        error_log /var/log/nginx/error-proxy.log;
        access_log /var/log/nginx/access-proxy.log;
    }
}

Can I please have some help ??
Thx


--
Cordialement,
Thierry e-mail : lenaigst@maelenn.org
PGP Key: 0xB7E3B9CD

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
itpp2012
Re: need help reverse-proxy config
January 09, 2017 07:50PM
stream {
    limit_conn_zone $binary_remote_addr zone=straddr:10m;

    upstream backendsmtp {
        server smtp1.local:25;
        server smtp2.local:25;
    }

    server {
        listen 2025 ssl;
        error_log /logging/stream_local_smtp.log debug;
        ssl_certificate /nginx/crts/sdom.cert;
        ssl_certificate_key /nginx/crts/sdom.key;
        include /nginx/conf/sslciphers.conf;
        ssl_session_timeout 60m;
        ssl_handshake_timeout 10s;
        proxy_connect_timeout 10s;
        proxy_timeout 300s;
        proxy_pass backendsmtp;
        limit_conn straddr 15;
        limit_conn_log_level error;
    }
}

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,271891,271892#msg-271892

Thierry
Re: need help reverse-proxy config
January 10, 2017 05:50AM
proxy nginx[20076]: nginx: [emerg] "stream" directive is not allowed here in
/etc/nginx/conf.d/reverse-proxy.conf:47

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,271891,271897#msg-271897

Anoop Alias
Re: need help reverse-proxy config
January 10, 2017 06:00AM
http://nginx.org/en/docs/stream/ngx_stream_core_module.html#stream

stream should be in the main context.

On Tue, Jan 10, 2017 at 10:17 AM, Thierry <nginx-forum@forum.nginx.org>
wrote:

> proxy nginx[20076]: nginx: [emerg] "stream" directive is not allowed here
> in
> /etc/nginx/conf.d/reverse-proxy.conf:47
>
> Posted at Nginx Forum: https://forum.nginx.org/read.
> php?2,271891,271897#msg-271897
>
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>



--
*Anoop P Alias*
Thierry
Re: need help reverse-proxy config
January 10, 2017 07:10AM
error_log /var/log/nginx/error.log info;

events {
    worker_connections 1024;
}

stream {
    upstream backend {
        hash xxx.xxx.xxx.xxx consistent;

        server email.domain.tld:448;
    }

    server {
        listen 448;
        proxy_connect_timeout 1s;
        proxy_timeout 3s;
        proxy_pass backend;
    }
}

I have difficulty understanding the "main context" idea .... With this
example, is my "stream" in the right context ?? Seems not.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,271891,271899#msg-271899

Anoop Alias
Re: need help reverse-proxy config
January 10, 2017 07:20AM
main context means it comes directly in nginx.conf

http context means it should be put inside http{ }
server context means it should be in server { }

likewise..

You can search the directive like http://nginx.org/r/xxxxx_xxxx

For eg: http://nginx.org/r/stream

check the context where that directive is applicable ..since stream says
main..if you put like

http{
stream
...
...
}

it will be invalid syntax .

On Tue, Jan 10, 2017 at 11:34 AM, Thierry <nginx-forum@forum.nginx.org>
wrote:

> error_log /var/log/nginx/error.log info;
>
> events {
> worker_connections 1024;
> }
>
> stream {
> upstream backend {
> hash xxx.xxx.xxx.xxx consistent;
>
> server email.domain.tld:448;
> }
>
>
> server {
> listen 448;
> proxy_connect_timeout 1s;
> proxy_timeout 3s;
> proxy_pass backend;
> }
> }
>
> I have difficulties to understand the "main context" idea .... With this
> exemple, is my "stream" in the right context ?? Seems not.
>
> Posted at Nginx Forum: https://forum.nginx.org/read.
> php?2,271891,271899#msg-271899
>
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>



--
*Anoop P Alias*
Thierry
Re: need help reverse-proxy config
January 10, 2017 08:00AM
Thx a lot ... I do understand better now.

In my nginx.conf I do have:

*****
stream {
    limit_conn_zone $binary_remote_addr zone=straddr:10m;

    upstream backendmail {
        server email.domain.tld:448;
    }
}

*****

In my server.conf I do have:

*****
server {
    listen 448 ssl;
    error_log /var/log/nginx/error-proxy_mail.log debug;
    ssl on;
    ssl_certificate /etc/ssl/certs/cert.org.chained.crt;
    ssl_certificate_key /etc/ssl/private/iRedMail.key;
    include /etc/nginx/sslciphers.conf;
    ssl_session_timeout 60m;
    ssl_handshake_timeout 10s;
    proxy_connect_timeout 10s;
    proxy_timeout 300s;
    proxy_pass backendmail;
    limit_conn straddr 15;
    limit_conn_log_level error;
}

******
When trying to run the server:

nginx: [emerg] "ssl_handshake_timeout" directive is not allowed

If removing this directive :

nginx: [emerg] "proxy_timeout" directive is not allowed here

etc ...

I did respect the context this time.

Thx

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,271891,271901#msg-271901
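
Added example (not part of any poster's message): "directive is not allowed here" for `ssl_handshake_timeout` and `proxy_timeout` is what nginx reports when a `server { }` block carrying stream-only directives is parsed outside `stream { }`. The layout below keeps the upstream and its server together inside one `stream { }` block in the main context of nginx.conf, reusing the names and paths from the thread; the `http { }` include line and `proxy_ssl on;` are assumptions, and `ssl on;` is left out because the stream SSL module is enabled per listener with `listen ... ssl`.

```nginx
# /etc/nginx/nginx.conf (added example; names and paths follow the thread)

error_log /var/log/nginx/error.log info;

events {
    worker_connections 1024;
}

# Main context: "stream" sits beside "events" and "http", never inside them.
stream {
    limit_conn_zone $binary_remote_addr zone=straddr:10m;

    upstream backendmail {
        server email.domain.tld:448;
    }

    # Parsed as a stream server because it is inside stream { }, so
    # ssl_handshake_timeout and proxy_timeout are accepted here.
    server {
        listen 448 ssl;
        error_log /var/log/nginx/error-proxy_mail.log debug;
        ssl_certificate       /etc/ssl/certs/cert.org.chained.crt;
        ssl_certificate_key   /etc/ssl/private/iRedMail.key;
        include               /etc/nginx/sslciphers.conf;
        ssl_session_timeout   60m;
        ssl_handshake_timeout 10s;
        proxy_connect_timeout 10s;
        proxy_timeout         300s;
        proxy_pass            backendmail;
        # Assumption: the backend on port 448 speaks TLS. Without this line
        # the proxy forwards the decrypted traffic to the backend in clear.
        proxy_ssl on;
        limit_conn straddr 15;
        limit_conn_log_level error;
    }
}

http {
    # Assumption: typical packaged layout. Files pulled in here are parsed
    # in http context, so a stream server placed in one of them is rejected.
    include /etc/nginx/conf.d/*.conf;
}
```

`nginx -t` checks the resulting configuration, including directive contexts, before a reload.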

Thierry
Re: need help reverse-proxy config
January 10, 2017 05:30PM
I am still debugging a bit:

2017/01/10 18:17:59 [debug] 5174#5174: accept mutex lock failed: 0
2017/01/10 18:17:59 [debug] 5174#5174: epoll timer: 500
2017/01/10 18:17:59 [debug] 5172#5172: epoll: fd:13 ev:0005 d:00007F81B6D351D0
2017/01/10 18:17:59 [debug] 5172#5172: *1 http keepalive handler
2017/01/10 18:17:59 [debug] 5172#5172: *1 malloc: 00007F81B7A8B320:1024
2017/01/10 18:17:59 [debug] 5172#5172: *1 SSL_read: 461
2017/01/10 18:17:59 [debug] 5172#5172: *1 SSL_read: -1
2017/01/10 18:17:59 [debug] 5172#5172: *1 SSL_get_error: 2
2017/01/10 18:17:59 [debug] 5172#5172: *1 reusable connection: 0
2017/01/10 18:17:59 [debug] 5172#5172: *1 posix_memalign: 00007F81B7A98570:4096 @16
2017/01/10 18:17:59 [debug] 5172#5172: *1 event timer del: 13: 1484065126843
2017/01/10 18:17:59 [debug] 5172#5172: *1 http process request line
2017/01/10 18:17:59 [debug] 5172#5172: *1 http request line: "GET /SOGo/ HTTP/1.1"
2017/01/10 18:17:59 [debug] 5172#5172: *1 http uri: "/SOGo/"
2017/01/10 18:17:59 [debug] 5172#5172: *1 http args: ""
2017/01/10 18:17:59 [debug] 5172#5172: *1 http exten: ""
2017/01/10 18:17:59 [debug] 5172#5172: *1 posix_memalign: 00007F81B7A8D750:4096 @16
2017/01/10 18:17:59 [debug] 5172#5172: *1 http process request header line
2017/01/10 18:17:59 [debug] 5172#5172: *1 http header: "Host: email_server.domain.tld:port_number"
2017/01/10 18:17:59 [debug] 5172#5172: *1 http header: "Connection: keep-alive"
2017/01/10 18:17:59 [debug] 5172#5172: *1 http header: "Cache-Control: max-age=0"
2017/01/10 18:17:59 [debug] 5172#5172: *1 http header: "Upgrade-Insecure-Requests: 1"
2017/01/10 18:17:59 [debug] 5172#5172: *1 http header: "User-Agent: Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5 Build/MMB29T) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.85 Mobile Safari/537.36"
2017/01/10 18:17:59 [debug] 5172#5172: *1 http header: "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"
2017/01/10 18:17:59 [debug] 5172#5172: *1 http header: "Accept-Encoding: gzip, deflate, sdch, br"
2017/01/10 18:17:59 [debug] 5172#5172: *1 http header: "Accept-Language: fr-FR,fr;q=0.8,en-US;q=0.6,en;q=0.4"
2017/01/10 18:17:59 [debug] 5172#5172: *1 http header done
2017/01/10 18:17:59 [debug] 5172#5172: *1 generic phase: 0
2017/01/10 18:17:59 [debug] 5172#5172: *1 rewrite phase: 1
2017/01/10 18:17:59 [debug] 5172#5172: *1 test location: "/"
2017/01/10 18:17:59 [debug] 5172#5172: *1 using configuration "/"
2017/01/10 18:17:59 [debug] 5172#5172: *1 http cl:-1 max:1048576
2017/01/10 18:17:59 [debug] 5172#5172: *1 rewrite phase: 3
2017/01/10 18:17:59 [debug] 5172#5172: *1 post rewrite phase: 4
2017/01/10 18:17:59 [debug] 5172#5172: *1 generic phase: 5
2017/01/10 18:17:59 [debug] 5172#5172: *1 generic phase: 6

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,271891,271909#msg-271909

Thierry
Re: need help reverse-proxy config
January 11, 2017 07:10AM
Seems to be linked to my SSL certificate ...

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,271891,271919#msg-271919

Thierry
Re: need help reverse-proxy config
January 11, 2017 06:40PM
I gave up ... No fresh ideas anymore :(

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,271891,271940#msg-271940
