Nginx WAF SNI forwarding

[steilfirn_8000]

Hello everyone,

I tried enabling the Nginx WAF for my webservers.
Unfortunately my main webserver which hosts a couple of sites only shows an error message that no SNI is provided.

Within the location tab I have enabled that TLS SNI forward option - still no luck.


Any ideas?

[Fright]

Hi
try to set your backend SNI in "TLS: Servername override" field in Upstream settings

[steilfirn_8000]

Thanks for the info but unfortunately this also does not work.
I get a 403 Forbidden: You don't have permission to access this resource.Reason: The client software did not provide a hostname using Server Name Indication (SNI), which is required to access this server.

[Fright]

should definitely work (i use several servers with a similar configuration - the backend requires SNI). specified options should give

Code: [Select]

    proxy_ssl_server_name on;
    proxy_ssl_name *backend sni hostname*;
lines in the location part of nginx.conf.

you can use "Packet Capture" to check the SNI extension value on SSL handshake

[steilfirn_8000]

Can you tell me where to find find the nginx config file?

[Fright]

/usr/local/etc/nginx/nginx.conf

[steilfirn_8000]

Thanks - I just checked the config file you've mentioned but the mentioned parameters
```
    proxy_ssl_server_name on;
    proxy_ssl_name *backend sni hostname*;
```
are not there.

Is this something that the GUI will set when I enable something or do I have to add them manually?

[Fright]

Is this something that the GUI will set when I enable something or do I have to add them manually?

should work from gui. may indicate that the settings were not applied for some reason.

[steilfirn_8000]

Interessting:

If I edit `proxy_ssl_name *backend sni hostname*;` and just restart Nginx service then the proxy works out of the box - if I reload it via the tiny reload button the config is gone and the proxy stops working.

Do you know where this parameter is being shown in the GUI?

[Fright]

where this parameter is being shown in the GUI?

"TLS: Servername override" field in Upstream settings
yes, in gui it is located in the upstream parameters.
when applying parameters, the template takes these settings from the upstream parameters and applies them to the location configuration

[steilfirn_8000]

Thanks FINALY I got it running!

Are there any kind of "best practice" things I should keep in mind?

[Fright]

glad it worked!
i don’t think the best practices are different from the nginx best practices 

[steilfirn_8000]

To be honest: My regular webservers are Apache2 - I have never used Nginx before.
But yesterday I found already an issue: My Matrix user was no longer able to decrypt my messages.

So I had to revert it (again) and need to investigate that as soon as I have spare time again.