GS1200-8 Webinterface behind nginx reverse proxy

mietz Posts: 7  Freshman Member

I'm running a local nginx reverse proxy as a gateway between my home network and the management network. The switch web interface is reachable from the management network; the idea is to use nginx to have secure access to the switch's web interface from the home network.

This is my nginx config:

#/etc/nginx/conf.d/switch.conf;
server {
    listen 80;
    listen [::]:80;
    server_name switch.lan;

    # Enforce HTTPS
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name switch.lan;

    include /etc/nginx/ssl.conf;
    auth_basic           	"Restricted Access!";
    auth_basic_user_file 	/etc/nginx/.htpasswd; 

    client_max_body_size 0;

    location / {
        proxy_pass http://192.168.10.10;
        include /etc/nginx/proxy.conf;
    }

    ssl_certificate /etc/nginx/cert.pem;
    ssl_certificate_key /etc/nginx/key.pem; 
}
#/etc/nginx/proxy.conf;

# Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

# Proxy Connection Settings
proxy_buffers 32 4k;
proxy_connect_timeout 240;
proxy_headers_hash_bucket_size 128;
proxy_headers_hash_max_size 1024;
proxy_http_version 1.1;
proxy_read_timeout 240;
proxy_redirect  http://  $scheme://;
proxy_send_timeout 240;

# Proxy Cache and Cookie Settings
proxy_cache_bypass $cookie_session;
#proxy_cookie_path / "/; Secure"; # enable at your own risk, may break certain apps
proxy_no_cache $cookie_session;

# Proxy Header Settings
proxy_set_header Connection $connection_upgrade;
#proxy_set_header Early-Data $ssl_early_data;
proxy_set_header Host $host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Real-IP $remote_addr;

I can get to the login screen, but after entering the password, I'm redirected to https://switch.lan/login.cgi which looks like this:

When entering the password again I'll get this message:
"If a user is logged in already, other users will not be able to access the webpage."

The nginx error.log is empty. I guess some redirect gets lost, perhaps you guys know what I'm missing.

Cheers

Accepted Solution

  • mietz
    mietz Posts: 7  Freshman Member
    Answer ✓

    Solved! Just use Caddy:

    sudo caddy reverse-proxy --from https://switch.lan --to 192.168.10.10 --change-host-header
    

    It works out of the box, documentation is really good and configuration is dead simple. Bye bye nginx 👋

    https://caddyserver.com/docs/

All Replies

  • Zyxel_Nami
    Zyxel_Nami Posts: 657  Zyxel Employee

    Dear @mietz

    Thank you for reaching out to us regarding the issue you are experiencing with accessing the switch web interface through the nginx reverse proxy. 

    The webpage screenshot you provided above may appear due to a cache problem. We recommend trying the following solutions to resolve the problem:

    1. Since the GS1200-8 Switch does not allow multiple users to log in at the same time, it's possible that there is an issue with caching or the browser. Clearing the cache and trying a different browser may help to resolve the issue. 
    2. Please also check the caching settings on the nginx reverse proxy to see if it is configured properly. 

    Please contact us if you have any further concerns.

    Best Regards,

    Nami


  • Caroll
    Caroll Posts: 14  Freshman Member

    Although I am not familiar with nginx reverse proxy, I pasted your code to ChatGPT and here is the answer :), you may check if it works.

    Firstly, it looks like the redirect from http to https is working correctly, so that's a good sign. However, it's possible that there is an issue with the redirect after the login form is submitted.

    One thing to try is to add the following line to your nginx config, just before the proxy_pass line in the location / block:

    proxy_set_header Referer https://switch.lan;
    

    This sets the Referer header in the request to the same value as the current URL (https://switch.lan). This can sometimes help with redirect issues.

  • mietz
    mietz Posts: 7  Freshman Member
    edited April 2023

    I nailed it down to SSL. This works:

    #/etc/nginx/conf.d/switch.conf;
    server {
        listen 80;
        listen [::]:80;
        server_name switch.lan;
    
        auth_basic           	"Restricted Access!";
        auth_basic_user_file 	/etc/nginx/.htpasswd; 
    
        client_max_body_size 0;
    
        location / {
            proxy_pass http://192.168.10.10;
            include /etc/nginx/proxy.conf;
        }
    }
    

    I guess there is some cgi specific stuff I need to set when upgrading the connection from http to https.

    Edit:

    Adding:

    proxy_set_header Referer https://switch.lan;
    

    also didn't help.

  • mietz
    mietz Posts: 7  Freshman Member
    edited April 2023
    My best guess now is that the cookie isn't transmitted properly, since after the login every GET request is answered with:
    <script type="text/javascript"> \t\talert("If a user is logged in already, other users will not be able to access the webpage.");\n
    

    I tried, proxy_cookie_path / "/; HTTPOnly; Secure"; but that also didn't work.

  • bkodenkt
    bkodenkt Posts: 4  Freshman Member

    A long time later and I encountered the problem again. Solved it, though, even with nginx. The cookie needs to be passed through, it's the same on some Net.gear switches so I tried the solution I found for these products on the Zyxel GS1200-8 as well. Turns out, this works like a charm:

    server {
        listen 443 ssl;
        server_name host.some.domain;
        ssl_certificate /some/directory/certfile.crt;
        ssl_certificate_key /some/directory/keyfile.key;

        client_max_body_size 0;

        location / {
            proxy_pass http://xyz.xyz.xyz.xyz;
            proxy_set_header Cookie $http_cookie; # MAGIC: hand the switch's session cookie through unchanged
        }

        location ~* \.(?:jpg|jpeg|gif|bmp|ico|swf)$ {
            proxy_pass http://xyz.xyz.xyz.xyz;
            access_log off; # make image resources like the logout button work
        }
    }
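The symptom described earlier in the thread (every request after login answered with the "already logged in" alert) is exactly what a proxy that loses the session cookie produces. The script below is an added check, not code from the thread or from Zyxel: it logs in, replays the cookie from the login reply on the next request, and reports whether the session survived. It runs here against a constructed in-process stand-in for the switch (the cookie name `token` and the session value are assumptions; the real switch's cookie is not named in the thread); point `base_url` at the real proxy instead to test an nginx or Caddy setup.

```python
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import Request, urlopen

ALERT = "If a user is logged in already, other users will not be able to access the webpage."
COOKIE_NAME = "token"  # assumption: the real cookie name is not given in the thread


class FakeSwitch(BaseHTTPRequestHandler):
    """Constructed stand-in for the GS1200-8 web UI: a single session is bound
    to a cookie, and any request arriving without that cookie gets the alert."""
    session = "constructed-session-1"  # constructed value

    def log_message(self, *_):  # keep the check quiet
        pass

    def do_GET(self):
        body, headers = b"<html>switch menu</html>", {}
        if self.path == "/login.cgi":
            headers["Set-Cookie"] = f"{COOKIE_NAME}={self.session}; Path=/"
        elif self.headers.get("Cookie", "") != f"{COOKIE_NAME}={self.session}":
            body = f'<script>alert("{ALERT}");</script>'.encode()
        self.send_response(200)
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def check_session_roundtrip(base_url, forward_cookie=True):
    """Log in, then fetch / with the cookie from the login reply (or without
    it, to mimic a proxy that drops it). True when the session survived."""
    with urlopen(base_url + "/login.cgi") as resp:
        cookie = resp.headers.get("Set-Cookie", "").split(";")[0]
    req = Request(base_url + "/")
    if forward_cookie and cookie:
        req.add_header("Cookie", cookie)
    with urlopen(req) as resp:
        return ALERT not in resp.read().decode()


def start_fake_switch():
    """Serve the stand-in on a free loopback port and return its base URL."""
    srv = HTTPServer(("127.0.0.1", 0), FakeSwitch)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_port}"


if __name__ == "__main__":
    url = start_fake_switch()  # replace with https://switch.lan to test a real proxy
    print("cookie forwarded:", check_session_roundtrip(url))
    print("cookie dropped  :", check_session_roundtrip(url, forward_cookie=False))
```

Against a real proxy that sits behind `auth_basic`, add the `Authorization` header to both requests; a `False` result for the forwarded case means the proxy is not handing the switch's cookie back, which is the case `proxy_set_header Cookie $http_cookie;` fixes.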

  • bkodenkt
    bkodenkt Posts: 4  Freshman Member

    I found a solution WITH nginx while solving basically the same issue with a different brand switch.