Hi Team, I am trying to add nginx reverse proxy behind Check Point Mobile access portal which is a SSL VPN portal. Somehow this not working and when I captured and analyzed the har file I observed that the portal is accepting websocket calls. I tried implementing the same with nginx but I am still unable to find the solution.
Here is what I am seeing with Har file and then I have given my config ################ General: Request URL: https://vpn.xxxx.com/7D8B79A2-8974-4D7B-A76A-F4F29624C06BMCNu92Dm4l-Zi00Q9XmCAEP2W0TG236BR4s3ROIfxiy7ICrrEllGkIikmth2jOjkklZMt4z1porwm5BgBNByrQ/websocket?url=https%3A%2F%2Fvpn.xxxx.com%2FPortal%2FMain&nocache=1632059231484HTTP Version: HTTP/1.1Request method: GET Headers: Cache-Control no-cache Connection Upgrade Cookie selected_realm=ssl_vpn; CPCVPN_SESSION_ID=e27df7fe2b0ce359198a5b703b9402d235668bb3; CPCVPN_BASE_HOST=vpn.xxxx.com; CPCVPN_OBSCURE_KEY=23f63321355ce5d11767b258178d9775 DNT 1 Host vpn.xxxx.com Origin https://vpn.xxxx.com Sec-WebSocket-Key ehTLIcXsKwaddkSug5rN9Q== Sec-WebSocket-Version 13 Upgrade websocket User-Agent Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Query arguments: url https://vpn.xxxx.com/Portal/Main nocache 1632059231484 ############################## And here is my config ************************* upstream websocket { server vpn.xxxx.com:443; } server { listen 443 ssl; server_name vpn.xxxx.com; ssl_protocols TLSv1.2; ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:10m; ssl_certificate /etc/nginx/ssls/labcerts/wild.crt; ssl_certificate_key /etc/nginx/ssls/labcerts/wild.key; ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'; ssl_dhparam /etc/ssl/dhparams2048.pem; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; ssl_session_timeout 1d; ssl_session_tickets off; ssl_stapling on; ssl_stapling_verify on; resolver 8.8.8.8 8.8.4.4 valid=300s; access_log /var/log/nginx/sslvpn/access.log; error_log /var/log/nginx/sslvpn/error.log; error_page 404 403 /custom_404.html; location = /custom_404.html { root /usr/share/nginx/html; internal; } location /SNX/ { proxy_pass https://websocket; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; proxy_set_header Host $host; } location / { proxy_send_timeout 90; proxy_http_version 1.1; proxy_read_timeout 90; proxy_connect_timeout 30s; proxy_pass https://websocket; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; proxy_ssl_server_name on; proxy_redirect off; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } } ******************************************** Posted at Nginx Forum: https://forum.nginx.org/read.php?2,292420,292420#msg-292420 _______________________________________________ nginx mailing list nginx@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx