ubuntuusers.de

Hallo, ich weiß nicht, ob das hier das richtige Forum ist. Wenn dem so sein sollte, hänge ich die Frage gerne um.

Auf einer Proxmox Umgebung habe ich einen nginx Reverse Proxy (192.168.178.103), der Anfragen per https an einen nginx Backend Server (192.168.178.105) sendet. Auf dem Backend Server ist shellinabox installiert. Anfragen aus dem Internet sind mit einem Letsencrypt Zertifikat verschlüsselt. Für die Weiterleitung an den Backend Server nutze ich ein selbst-sginiertes Zertifikat.

Wenn ich next-shell.example.com aufrufe erhalte ich einen 502 Bad Gateway Fehler.

Auf dem Reverse Proxy sind die folgenden conf Dateien vorhanden.

HttpGateway

server {
       listen 80 default_server;
       listen [::]:80 default_server;
       server_name nextcloud.example.com shellinabox.example.com netdata.example.com px.example.com proxy-shell.example.com next-shell.example.com 192.168.178.103;

       root /var/www;

       location ^~ /.well-known/acme-challenge {
       default_type text/plain;
       root /var/www/letsencrypt;
       }

   location / {
        return 301 https://$host$request_uri;
   }
}

next-shell.example.com

server {
       listen 443 ssl 
       server_name next-shell.example.com;

       # SSL configuration

       # RSA certificates
       ssl_certificate /etc/letsencrypt/next-shell.example.com/rsa/fullchain.pem;
       ssl_certificate_key /etc/letsencrypt/next-shell.example.com/rsa/key.pem;
       # ECC certificates
       ssl_certificate /etc/letsencrypt/next-shell.example.com/ecc/fullchain.pem;
       ssl_certificate_key /etc/letsencrypt/next-shell.example.com/ecc/key.pem;


#
# SSL Configuration
#

# Not using TLSv1 will break:
# Android <= 4.4.40 IE <= 10 IE mobile <=10
# Removing TLSv1.1 breaks nothing else!
ssl_protocols TLSv1.2 TLSv1.3;

# SSL ciphers: RSA + ECDSA
# Two certificate types (ECDSA, RSA) are needed.
ssl_ciphers 'TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384';

# Diffie-Hellman parameter for DHE ciphersuites, recommended 4096 bits
ssl_dhparam /etc/nginx/dhparams/dhparams.pem;

# Use multiple curves.
ssl_ecdh_curve secp521r1:secp384r1;

# Server should determine the ciphers, not the client
ssl_prefer_server_ciphers on;

# SSL session handling
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;

# DNS resolver
resolver 192.168.178.1;



#
# Header configuration
#   

# HSTS (ngx_http_headers_module is required) In order to be recoginzed by SSL test, there must be an index.hmtl in the server's root
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload;" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Robots-Tag none always;
add_header X-Download-Options noopen always;
add_header X-Permitted-Cross-Domain-Policies none always;
add_header Referrer-Policy no-referrer always;
add_header X-Frame-Options "SAMEORIGIN" always;

# Disable FLoC
add_header Permissions-Policy "interest-cohort=()";

# Remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By;


	location / {
    	proxy_set_header Host $host;
    	proxy_set_header X-Real-IP $remote_addr;
    	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    	proxy_ssl_certificate /etc/selfcerts/stern-example-cert-chain.pem;
    	proxy_ssl_certificate_key /etc/selfcerts/stern-example-key.pem;
    	proxy_ssl_verify off;
proxy_pass https://192.168.178.105:4200;
	}
}

Auf dem Backend Server ist die folgende Konfiguration vorhanden.

next-shell.example.com

server {
       listen 192.168.178.105:4200;
       server_name next-shell.example.com;

#
# Header configuration
#   

# HSTS (ngx_http_headers_module is required) In order to be recoginzed by SSL test, there must be an index.hmtl in the server's root
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload;" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Robots-Tag none always;
add_header X-Download-Options noopen always;
add_header X-Permitted-Cross-Domain-Policies none always;
add_header Referrer-Policy no-referrer always;
add_header X-Frame-Options "SAMEORIGIN" always;

# Disable FLoC
add_header Permissions-Policy "interest-cohort=()";

# Remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By;

       ssl_certificate /etc/selfcerts/stern-example-cert-chain.pem;
       ssl_certificate_key /etc/selfcerts/stern-example-key.pem;


       location / {
               rewrite ^/shellinabox/(.*) /$1 break;
               proxy_pass http://127.0.0.1:4200;
               proxy_set_header Host $host;
               proxy_set_header X-Real-IP $remote_addr;
               proxy_read_timeout 350;
               proxy_connect_timeout 350;

       }
}

Wenn ich die Seite next-shell.example.com öffne erhalte ich folgende Fehlermeldung auf dem Reverse Proxy Server

[error] 1103#1103: *1 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version
number) while SSL handshaking to upstream, client: 95.116.52.151, server: next-shell.example.com, request: "GET /f
avicon.ico HTTP/2.0", upstream: "https://192.168.178.105:4200/favicon.ico", host: "next-shell.example.com"

Hat jemand eine Idee?

Dein nginx sagt wrong version number.

Unterstuetzt dein Backend Server eine der geforderten TLS-Versionen (1.2, 1.3)?

Beide nginx Server basieren auf 22.04. Daher nehme ich an, dass er das tut.

nginx -v
nginx version: nginx/1.18.0 (Ubuntu)