Nginx WAF SNI forwarding

Started by steilfirn_8000, January 02, 2022, 01:27:08 PM

Hello everyone,

I tried enabling the Nginx WAF for my webservers.
Unfortunately my main webserver which hosts a couple of sites only shows an error message that no SNI is provided.

Within the location tab I have enabled that TLS SNI forward option - still no luck.


Any ideas?

Hi
try to set your backend SNI in "TLS: Servername override" field in Upstream settings

Thanks for the info but unfortunately this also does not work.
I get a 403 Forbidden: You don't have permission to access this resource. Reason: The client software did not provide a hostname using Server Name Indication (SNI), which is required to access this server.

should definitely work (I use several servers with a similar configuration - the backend requires SNI). specified options should give

    proxy_ssl_server_name on;
    proxy_ssl_name *backend sni hostname*;

lines in the location part of nginx.conf.

you can use "Packet Capture" to check the SNI extension value on SSL handshake

Can you tell me where to find the nginx config file?

/usr/local/etc/nginx/nginx.conf

Thanks - I just checked the config file you've mentioned but the mentioned parameters
```nginx
proxy_ssl_server_name on;
proxy_ssl_name *backend sni hostname*;
```
are not there.

Is this something that the GUI will set when I enable something or do I have to add them manually?

> Is this something that the GUI will set when I enable something or do I have to add them manually?
should work from gui. may indicate that the settings were not applied for some reason.

Interesting:

If I edit `proxy_ssl_name *backend sni hostname*;` and just restart Nginx service then the proxy works out of the box - if I reload it via the tiny reload button the config is gone and the proxy stops working.

Do you know where this parameter is being shown in the GUI?

> where this parameter is being shown in the GUI?
> "TLS: Servername override" field in Upstream settings
yes, in gui it is located in the upstream parameters.
when applying parameters, the template takes these settings from the upstream parameters and applies them to the location configuration

Thanks, FINALLY I got it running!

Are there any kind of "best practice" things I should keep in mind?

glad it worked!
I don't think the best practices are different from the nginx best practices ;)

To be honest: My regular webservers are Apache2 - I have never used Nginx before.
But yesterday I found already an issue: My Matrix user was no longer able to decrypt my messages.

So I had to revert it (again) and need to investigate that as soon as I have spare time again.