Hello, I don't know whether this is the right forum for this. If it isn't, I'll gladly move the question.
In a Proxmox environment I have an nginx reverse proxy (192.168.178.103) that forwards requests over https to an nginx backend server (192.168.178.105). shellinabox is installed on the backend server. Requests from the internet are encrypted with a Let's Encrypt certificate. For the forwarding to the backend server I use a self-signed certificate.
When I open next-shell.example.com I get a 502 Bad Gateway error.
The following conf files are present on the reverse proxy.
HttpGateway
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name nextcloud.example.com shellinabox.example.com netdata.example.com px.example.com proxy-shell.example.com next-shell.example.com 192.168.178.103;
    root /var/www;

    location ^~ /.well-known/acme-challenge {
        default_type text/plain;
        root /var/www/letsencrypt;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}
next-shell.example.com
server {
    listen 443 ssl;
    server_name next-shell.example.com;

    # SSL configuration
    # RSA certificates
    ssl_certificate /etc/letsencrypt/next-shell.example.com/rsa/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/next-shell.example.com/rsa/key.pem;
    # ECC certificates
    ssl_certificate /etc/letsencrypt/next-shell.example.com/ecc/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/next-shell.example.com/ecc/key.pem;

    #
    # SSL Configuration
    #
    # Not using TLSv1 will break:
    # Android <= 4.4.40 IE <= 10 IE mobile <=10
    # Removing TLSv1.1 breaks nothing else!
    ssl_protocols TLSv1.2 TLSv1.3;

    # SSL ciphers: RSA + ECDSA
    # Two certificate types (ECDSA, RSA) are needed.
    ssl_ciphers 'TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384';

    # Diffie-Hellman parameter for DHE ciphersuites, recommended 4096 bits
    ssl_dhparam /etc/nginx/dhparams/dhparams.pem;

    # Use multiple curves.
    ssl_ecdh_curve secp521r1:secp384r1;

    # Server should determine the ciphers, not the client
    ssl_prefer_server_ciphers on;

    # SSL session handling
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    # DNS resolver
    resolver 192.168.178.1;

    #
    # Header configuration
    #
    # HSTS (ngx_http_headers_module is required)
    # In order to be recognized by SSL test, there must be an index.html in the server's root
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload;" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Robots-Tag none always;
    add_header X-Download-Options noopen always;
    add_header X-Permitted-Cross-Domain-Policies none always;
    add_header Referrer-Policy no-referrer always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    # Disable FLoC
    add_header Permissions-Policy "interest-cohort=()";
    # Remove X-Powered-By, which is an information leak
    fastcgi_hide_header X-Powered-By;

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_ssl_certificate /etc/selfcerts/stern-example-cert-chain.pem;
        proxy_ssl_certificate_key /etc/selfcerts/stern-example-key.pem;
        proxy_ssl_verify off;
        proxy_pass https://192.168.178.105:4200;
    }
}
The following configuration is present on the backend server.
next-shell.example.com
server {
    listen 192.168.178.105:4200;
    server_name next-shell.example.com;

    #
    # Header configuration
    #
    # HSTS (ngx_http_headers_module is required)
    # In order to be recognized by SSL test, there must be an index.html in the server's root
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload;" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Robots-Tag none always;
    add_header X-Download-Options noopen always;
    add_header X-Permitted-Cross-Domain-Policies none always;
    add_header Referrer-Policy no-referrer always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    # Disable FLoC
    add_header Permissions-Policy "interest-cohort=()";
    # Remove X-Powered-By, which is an information leak
    fastcgi_hide_header X-Powered-By;

    ssl_certificate /etc/selfcerts/stern-example-cert-chain.pem;
    ssl_certificate_key /etc/selfcerts/stern-example-key.pem;

    location / {
        rewrite ^/shellinabox/(.*) /$1 break;
        proxy_pass http://127.0.0.1:4200;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_read_timeout 350;
        proxy_connect_timeout 350;
    }
}
When I open the page next-shell.example.com I get the following error message on the reverse proxy server:
[error] 1103#1103: *1 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number) while SSL handshaking to upstream, client: 95.116.52.151, server: next-shell.example.com, request: "GET /favicon.ico HTTP/2.0", upstream: "https://192.168.178.105:4200/favicon.ico", host: "next-shell.example.com"
Does anyone have an idea?
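An added diagnostic, not part of the post above and not the poster's code: OpenSSL reports "wrong version number" when the bytes that come back after its ClientHello do not form a TLS record, which is what happens when the upstream port speaks plain HTTP and answers the handshake with an HTTP error. In nginx a `listen` line only terminates TLS when it carries the `ssl` parameter, so the probe below is the check to run from the proxy host against the backend address before touching certificates or ciphers. It does the same handshake nginx does with `proxy_ssl_verify off` (no certificate verification) and classifies the outcome; `start_fake_plaintext_upstream` is a constructed stand-in for a plain-HTTP listener so the script runs offline. The host and port in the `__main__` block are the ones from the post; `probe_upstream` and `start_fake_plaintext_upstream` are names chosen here.

```python
import socket
import ssl
import threading


def probe_upstream(host, port, timeout=3.0):
    """Try a TLS handshake against host:port without verifying the certificate
    (what nginx does with proxy_ssl_verify off) and report what the peer is:
    'tls'       - handshake completed, the port terminates TLS
    'plaintext' - the reply was not a TLS record (OpenSSL: wrong version number),
                  i.e. the port most likely serves plain HTTP
    'refused'   - nothing is listening
    'error:<reason>' - any other TLS-level failure, e.g. a protocol mismatch
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            # wrap_socket performs the handshake immediately (do_handshake_on_connect)
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                tls.version()  # e.g. 'TLSv1.3'; only reached after a successful handshake
                return "tls"
    except ConnectionRefusedError:
        return "refused"
    except ssl.SSLError as exc:
        reason = (exc.reason or "").upper()
        if reason == "WRONG_VERSION_NUMBER" or "wrong version number" in str(exc).lower():
            return "plaintext"
        return "error:%s" % (reason or "UNKNOWN")


def start_fake_plaintext_upstream():
    """Constructed stand-in for a backend whose port serves plain HTTP (an nginx
    `listen` without the `ssl` parameter behaves like this): whatever arrives,
    including a TLS ClientHello, is answered with an HTTP 400. Serves one
    connection on a random loopback port and returns that port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    srv.settimeout(5.0)
    port = srv.getsockname()[1]

    def serve_once():
        try:
            conn, _ = srv.accept()
            with conn:
                conn.settimeout(5.0)
                conn.recv(4096)  # the ClientHello, which an HTTP parser cannot make sense of
                conn.sendall(b"HTTP/1.1 400 Bad Request\r\n"
                             b"Content-Length: 0\r\nConnection: close\r\n\r\n")
        except OSError:
            pass
        finally:
            srv.close()

    threading.Thread(target=serve_once, daemon=True).start()
    return port


if __name__ == "__main__":
    port = start_fake_plaintext_upstream()
    print("constructed plain-HTTP listener on 127.0.0.1:%d -> %s"
          % (port, probe_upstream("127.0.0.1", port)))
    # Run on the reverse proxy against the backend from the post; a 'plaintext'
    # result there corresponds to the "wrong version number" line in the error log.
    print("192.168.178.105:4200 -> %s" % probe_upstream("192.168.178.105", 4200))
```

If the probe returns `plaintext`, the proxy and the backend disagree on which side terminates TLS on port 4200 and no certificate or cipher setting on the proxy will change the handshake result; if it returns `tls`, the error is elsewhere and the nginx error log is the next thing to read.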