Nginx reverse proxy to server with login not working as expected

I have two servers behind an nginx reverse proxy. I am being forwarded correctly to the sites, but one of the sites has a login before it allows you into the site (similar to sharepoint), and the reverse proxy seems to be breaking the login.

I asked a previous question that has a very similar environment here

I am redirected to the login, but I can't login. However, if I remove the reverse proxy from the equation, then I can log in just fine.

The name of the server with the login is server2.mydomain.com

/etc/nginx/sites-available/default

server {
    listen 80 default;
    server_name _;
    return 301 https://$host$request_uri;
}

server {

    listen 443 ssl default_server;
    server_name server1.mydomain.com;

    ssl_certificate /usr/local/nginx/conf/mydomain.com.crt;
    ssl_certificate_key /usr/local/nginx/conf/mydomain.com.key;
    ssl_session_cache shared:SSL:10m;

    ssl_session_timeout 5m;

    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
    ssl_prefer_server_ciphers on;

    location / {
            proxy_pass http://192.168.0.15:80;
            proxy_set_header Host $host;

            proxy_redirect http:// $scheme://;

    }
}

server {
    listen 443 ssl;
    server_name server2.mydomain.com;

    ssl_certificate /usr/local/nginx/conf/mydomain.com.crt;
    ssl_certificate_key /usr/local/nginx/conf/mydomain.com.key;
    ssl_session_cache shared:SSL:10m;

    ssl_session_timeout 5m;

    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
    ssl_prefer_server_ciphers on;

    location / {
            proxy_pass http://192.168.0.20:80;
            proxy_set_header Host $host;

            proxy_redirect http:// $scheme://;

    }
}

When I go to server1.mydomain.com which is basically a static website, everything seems to work. But, when I go to server2.mydomain.com I get the popup window login, but am unable to successfully log in to the service.

The expected behavior would be that I'm able to login and use this site as if the reverse proxy isn't there.

Here is the access log from the reverse proxy when I try to log into server2.mydomain.com

/var/log/nginx/access.log

192.168.0.5 - - [26/Jan/2016:02:23:52 -0600] "GET /test HTTP/1.1" 401 341 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko"
192.168.0.5 - - [26/Jan/2016:02:23:52 -0600] "GET /test HTTP/1.1" 401 1293 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko"

The /test is the section of the site that the login is located, so I was trying to go to server2.mydomain.com/test.

Is there anything that would obviously stop me from logging in? Any other log files I could check? Thanks in advance


EDIT1

I've tried several things, and none of them work.

My original config file, gets me to the login, but it always returns an access denied page.

this config file:

/etc/nginx/sites-available/default

server {
    listen 443 ssl;
    server_name server2.mydomain.com;

    ssl_certificate /usr/local/nginx/conf/mydomain.com.crt;
    ssl_certificate_key /usr/local/nginx/conf/mydomain.com.key;
    ssl_session_cache shared:SSL:10m;

    ssl_session_timeout 5m;

    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
    ssl_prefer_server_ciphers on;

    location / {
            proxy_pass http://192.168.0.20:80;
    }
}

with the proxy_set_header line, and proxy_redirect, just takes me toa straight 403 forbidden access page, but is redirecting.

If I add the proxy_set_header line back, I get to the login again, but any login still fails. I've also tried changing the proxy_set_header to proxy_set_header X-Forwarded-Proto $scheme, and that broke it completely again. Any ideas?


Solution 1:

Your proxy redirect looks suspect. Have a look at the documentation, and also at the nginx beginners guide.

Basically, try removing everything other than proxy_pass from your location. This is mostly a guess, but it's worth a shot.