In my recent trials and tribulations with ADFS 3.0, I came up against an issue where we were unable to host ADFS 3.0 with Nginx as one of the layers of reverse proxy (the closest layer to ADFS).
When a direct connection, or a cURL request, was made to the ADFS 3.0 endpoints from the machine running Nginx, all seemed well, but as soon as you actually tried to ferry requests through a proxy_pass
statement, users were greeted with HTTP 502 or 503 errors.
The machine running ADFS was offering up no other web services — there was no IIS instance running, or anything like that. It had been configured correctly with a valid TLS certificate for the domain that was trusted by the certificate store on the Nginx machine.
It turns out that despite being the only HTTPS service offered on that machine through HTTP.sys, you need to explicitly configure which certificate to present by default. Apparently, requests that come via Nginx proxy_pass
are missing something (the SNI negotiation?) that allows HTTP.sys to choose the correct certificate to present.
So, if and only if you are sure that ADFS is the only HTTPS service you are serving up on the inner machine, you can force the correct certificate to be presented by default, which resolves this issue and allows the Nginx reverse proxied requests to get through.
With that warning given, let’s jump in to what we need to do:
Retrieve the correct certificate hash and Application ID
netsh http show sslcert
You’ll need to note the appid and the certificate hash for your ADFS 3.0 service.
Set the certificate as the default for HTTP.sys
We’ll use netsh
‘s interactive mode, as I wasn’t in the mood to figure out how to escape curly brackets on Windows’ command line!
You want the curly brackets literally around the appid, but not the certhash.
netsh
netsh> http
netsh http> add sslcert ipport=0.0.0.0:443 appid={appid-from-earlier} certhash=certhash-from-earlier
Verify the proxy_pass settings
Among other configuration parameters, we have the following in our Nginx server stanza for this service:
proxy_redirect off;
proxy_http_version 1.1;
proxy_request_buffering off;
proxy_set_header X-MS-Proxy the-nginx-machine;
proxy_set_header Host the-hostname-in-question
And, with that, we were successfully reverse proxying ADFS 3.0 with Nginx. 🙂