GS1200-8 Webinterface behind nginx reverse proxy
I'm running a local nginx reverse proxy as gateway between my home network and the management network. The switch web interface is reachable from the management network; the idea is to use nginx to have secure access to the switch's web interface from the home network.
This is my nginx config:
#/etc/nginx/conf.d/switch.conf;
server {
    listen 80;
    listen [::]:80;
    server_name switch.lan;

    # Enforce HTTPS
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name switch.lan;

    include /etc/nginx/ssl.conf;

    auth_basic "Restricted Access!";
    auth_basic_user_file /etc/nginx/.htpasswd;

    client_max_body_size 0;

    location / {
        proxy_pass http://192.168.10.10;
        include /etc/nginx/proxy.conf;
    }

    ssl_certificate /etc/nginx/cert.pem;
    ssl_certificate_key /etc/nginx/key.pem;
}

#/etc/nginx/proxy.conf;
# Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

# Proxy Connection Settings
proxy_buffers 32 4k;
proxy_connect_timeout 240;
proxy_headers_hash_bucket_size 128;
proxy_headers_hash_max_size 1024;
proxy_http_version 1.1;
proxy_read_timeout 240;
proxy_redirect http:// $scheme://;
proxy_send_timeout 240;

# Proxy Cache and Cookie Settings
proxy_cache_bypass $cookie_session;
#proxy_cookie_path / "/; Secure"; # enable at your own risk, may break certain apps
proxy_no_cache $cookie_session;

# Proxy Header Settings
proxy_set_header Connection $connection_upgrade;
#proxy_set_header Early-Data $ssl_early_data;
proxy_set_header Host $host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Real-IP $remote_addr;
I can get to the login screen, but after entering the password, I'm redirected to https://switch.lan/login.cgi which looks like this:
When entering the password again I'll get this message:
"If a user is logged in already, other users will not be able to access the webpage."
The nginx error.log is empty. I guess some redirect gets lost, perhaps you guys know what I'm missing.
Cheers
Accepted Solution
-
Solved! Just use Caddy:
sudo caddy reverse-proxy --from https://switch.lan --to 192.168.10.10 --change-host-header
It works out of the box, documentation is really good and configuration is dead simple. Bye bye nginx 👋
0
All Replies
-
Dear @mietz
Thank you for reaching out to us regarding the issue you are experiencing with accessing the switch web interface through the nginx reverse proxy.
The webpage screenshot you provided above may appear due to a cache problem. We recommend trying the following solutions to resolve the problem:
- Since the GS1200-8 Switch does not allow multiple users to log in at the same time, it's possible that there is an issue with caching or the browser. Clearing the cache and trying a different browser may help to resolve the issue.
- Please also check the caching settings on the nginx reverse proxy to see if it is configured properly.
Please contact us if you have any further concerns.
Best Regards,
Nami
0 -
Although I am not familiar with nginx reverse proxy, I pasted your code to ChatGPT and here is the answer :), you may check if it works.
Firstly, it looks like the redirect from http to https is working correctly, so that's a good sign. However, it's possible that there is an issue with the redirect after the login form is submitted.
One thing to try is to add the following line to your nginx config, just before the proxy_pass line in the location / block:
proxy_set_header Referer https://switch.lan;
This sets the Referer header in the request to the same value as the current URL (https://switch.lan). This can sometimes help with redirect issues.
0 -
I nailed it down to SSL. This works:
#/etc/nginx/conf.d/switch.conf;
server {
    listen 80;
    listen [::]:80;
    server_name switch.lan;

    auth_basic "Restricted Access!";
    auth_basic_user_file /etc/nginx/.htpasswd;

    client_max_body_size 0;

    location / {
        proxy_pass http://192.168.10.10;
        include /etc/nginx/proxy.conf;
    }
}
I guess there is some cgi specific stuff I need to set when upgrading the connection from http to https.
Edit:
Adding:
proxy_set_header Referer https://switch.lan;
also didn't help.
0 -
My best guess now is that the cookie isn't transmitted properly, since after the login every GET Request is answered with:
<script type="text/javascript"> \t\talert("If a user is logged in already, other users will not be able to access the webpage.");\n
I tried,
proxy_cookie_path / "/; HTTPOnly; Secure";
but that also didn't work.
0 -
A long time later and I encountered the problem again. Solved it, though, even with nginx. The cookie needs to be passed through, it's the same on some Net.gear switches so I tried the solution I found for these products on the Zyxel GS1200-8 as well. Turns out, this works like a charm:
server {
    listen 443 ssl;
    server_name host.some.domain;
    ssl_certificate /some/directory/certfile.crt;
    ssl_certificate_key /some/directory/keyfile.key;
    client_max_body_size 0;

    location / {
        proxy_pass http://xyz.xyz.xyz.xyz;
        proxy_set_header Cookie $http_cookie; #MAGIC
    }

    location ~* \.(?:jpg|jpeg|gif|bmp|ico|swf)$ {
        proxy_pass http://xyz.xyz.xyz.xyz;
        access_log off; #make image resources like logout-button work
    }
}
0 -
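To check what a given proxy config really sends upstream (whether the Cookie header arrives unchanged, which Host value the device sees), a header-echo stand-in can temporarily take the switch's place as the proxy_pass target. This is an added example, not code from any post in this thread; the port 8080, the watched header list and the sample cookie and credential values are assumptions.

```python
import json
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Headers worth comparing between a working and a failing proxy config.
WATCHED = ("Host", "Cookie", "Referer", "Authorization", "X-Forwarded-Proto")

class EchoHandler(BaseHTTPRequestHandler):
    """Stand-in upstream: answers every request with the headers it received."""

    def _echo(self):
        length = int(self.headers.get("Content-Length") or 0)
        self.rfile.read(length)  # drain a POSTed login form, if any
        body = json.dumps({h: self.headers.get(h) for h in WATCHED}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    do_GET = do_POST = _echo

    def log_message(self, *args):  # keep the console quiet
        pass

def start_echo(port=0, host="127.0.0.1"):
    """Start the echo upstream in a background thread (port 0 = any free port)."""
    server = HTTPServer((host, port), EchoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def fetch_seen(url, headers):
    """Request url (directly or through the proxy) and return what the upstream saw."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    with opener.open(urllib.request.Request(url, headers=headers), timeout=5) as resp:
        return json.load(resp)

def findings(seen, sent_cookie):
    """Flag the two things that matter for a device login behind a proxy."""
    notes = []
    if seen.get("Cookie") != sent_cookie:
        notes.append("cookie changed or dropped on the way upstream")
    if seen.get("Authorization"):
        # nginx forwards client headers by default, auth_basic credentials included
        notes.append("proxy credentials are forwarded to the upstream")
    return notes

if __name__ == "__main__":
    srv = start_echo(8080)  # assumed port; point proxy_pass here temporarily
    print("echo upstream listening on", srv.server_address)
    threading.Event().wait()  # run until interrupted
```

Run it on the proxy host, set proxy_pass to http://127.0.0.1:8080 for the test, and compare the JSON returned through the HTTP and HTTPS server blocks.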
I found a solution WITH nginx while solving basically the same issue with a different brand switch.
0