Reverse Proxy configuration for cnMaestro

Hello,

Can anyone share an example of a working reverse web proxy configuration (in any proxying solution, e.g. nginx, caddy…) for on-prem cnMaestro?

Thanks :)

Tried the following using Nginx; however, the login process fails to complete (gets in and then boots back out). If anyone has a working configuration, it would be greatly appreciated. Or if anyone knows how to see the logs of the web server on the Cambium device, that would help too. Tried all the commented-out options as well, with no success.

nginx example

server {
    listen 80;
    listen [::]:80;
    server_name ap1.example.com;

    location / {
        proxy_pass http://127.0.0.1:58522;
        # proxy_buffering off;
        # proxy_set_header   "Connection" "";
        # include proxy_params;
        # proxy_http_version 1.1;
        # proxy_read_timeout 300;
        # proxy_set_header Upgrade $http_upgrade;
        # proxy_set_header Connection "upgrade";
        # proxy_set_header Host $http_host;
        # proxy_set_header X-Real-IP $remote_addr;
        # proxy_set_header X-Real-PORT $remote_port;
    }
}

Yes, I think this is the same experience I had (login form submits, page reloads, then user is redirected back to the login page).

I tried nginx and Caddy and played around with every configuration or setting I could think to try.

Works OK if it is just an nginx server on the same network. Example:

PC: 192.168.1.2
Ubuntu w/ Nginx: 192.168.1.3
Cambium: 192.168.1.4

http://192.168.1.3:1234 (works)
http://192.168.1.4 (works)

nginx configuration:

upstream server_2 {
    server 192.168.1.4:80;
}

server {
    listen 1234 default_server;
    listen [::]:1234 default_server;
    server_name _;

    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header Host $host;

    location / {
        # must match the upstream name defined above (server_2)
        proxy_pass http://server_2;
    }
}

The issue I have is that I am doing a reverse SSH tunnel from the Ubuntu server to a public Ubuntu server.

  1. Cloud Nginx through SSH tunnel to Local w/ SSH redirect to Cambium, same issue.
  2. Cloud Nginx through SSH tunnel to Local Nginx to Cambium, same issue.

I would start by looking at the requests and responses in your browser developer tools. In particular, look at any Set-Cookie headers that come back in the login response. If they have a Domain attribute that doesn’t match the host of the SSH tunnel, that might explain the problem.

Thanks Simon, was not the Domain, rather the port. The cloud server was using https on standard 443; however, the Cambium and local nginx are using http and port 80. The cookie name was sysauth_example.com_80 … rather than sysauth_example.com_443

To test I changed the cloud server to http / port 80 and can now log in. Would really like it to be https, so will try and change the header information somehow. Was trying “proxy_set_header X-Real-PORT 80” on both cloud and local nginx servers, will keep researching… (with little luck: )

Big thanks Simon. Set the web port on the Cambium to 443 (still keep http). Then only needed the cloud Nginx with the following configuration. Have a reverse ssh proxy locally on site, which simply forwards port 58522 to the Cambium on port 443.

upstream server_2 {
    server 127.0.0.1:58522;
    keepalive 2;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    
    server_name ap1.example.com;
    server_name_in_redirect off;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header Host $host;

    location / {
        proxy_pass http://server_2;
    }
}
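The cookie check suggested in this thread, plus the port mismatch that turned out to be the cause, as an added example that is not part of the original posts: it takes the URL the browser uses and the Set-Cookie headers copied from the login response, and reports cookies whose Domain or encoded port does not match. The `sysauth_<host>_<port>` pattern is an assumption inferred from the single cookie name quoted above, and the sample header is constructed.

```python
import re
from urllib.parse import urlsplit

# Assumed naming pattern, inferred from the one cookie name quoted in the
# thread (sysauth_example.com_80): sysauth_<host>_<port>.
COOKIE_RE = re.compile(r"^sysauth_(?P<host>.+)_(?P<port>\d+)$")
DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample: what a login response might carry when the device
# serves plain HTTP on port 80 behind the proxy.
SAMPLE_HEADERS = ["sysauth_example.com_80=0123abcd; Path=/; HttpOnly"]


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, attributes dict)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs


def check_cookies(browser_url, set_cookie_headers):
    """Return findings for cookies that do not line up with the URL the browser uses."""
    url = urlsplit(browser_url)
    host = url.hostname
    port = url.port or DEFAULT_PORTS[url.scheme]
    findings = []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        # Domain attribute check, as suggested in the thread.
        domain = attrs.get("domain", "").lstrip(".").lower()
        if domain and host != domain and not host.endswith("." + domain):
            findings.append(f"{name}: Domain={domain} does not cover {host}")
        # Port embedded in the cookie name, the actual cause in the thread.
        m = COOKIE_RE.match(name)
        if m and int(m["port"]) != port:
            findings.append(
                f"{name}: name encodes port {m['port']}, browser-facing port is {port}")
    return findings


if __name__ == "__main__":
    for line in check_cookies("https://ap1.example.com/", SAMPLE_HEADERS):
        print(line)
```

Paste the Set-Cookie values from the browser developer tools into the list and pass the URL exactly as typed in the address bar.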