PHPFixing

Thursday, September 1, 2022

[FIXED] How to Correct 'nginx: [emerg] "stream" directive is not allowed here'

Tags: debian-buster, nginx-config, nginx-reverse-proxy, pass-through, ssl

Issue

The Question

Why does the following Nginx configuration return nginx: [emerg] "stream" directive is not allowed here in /etc/nginx/sites-enabled/default:1?

Nginx Configuration...

stream {
  map $ssl_preread_server_name $upstream {
    example.com 1051;
  }
  upstream 1051 {
    server 127.0.0.1:1051;
  }
  server {
    listen 443;
    proxy_pass $upstream;
    ssl_preread on;
  }
}

Version / Build information...

OS: Debian 10

Here is the stripped down nginx -V output confirming the presence of the modules I understand I need...

nginx version: nginx/1.14.2
TLS SNI support enabled
configure arguments: ... --with-stream=dynamic --with-stream_ssl_module --with-stream_ssl_preread_module ...

The Context

I have a single static IP address. At the static IP address, I am setting up a reverse proxy Nginx server to forward traffic to a variety of backend services. Several of the services are websites with unique domain names.

+-----+        +----------------------+        +---------+
| WAN | <----> | Nginx Reverse Proxy  | <----> | Service |
+-----+        +----------------------+        +---------+

At boot, the service uses systemd to run this port forwarding ssh command to connect to the reverse proxy: ssh -N -R 1051:localhost:443 tunnel@example.com (That is working well.)

I want the certificate to reside on the service - not the reverse proxy. From what I understand I need to leverage SNI on Nginx to pass through the SSL connections based on domain name. But I cannot get the Nginx reverse proxy to pass through SSL.

Resources

Here are a few of the resources I have pored over...

  • https://serverfault.com/questions/625362/can-a-reverse-proxy-use-sni-with-ssl-pass-through
  • https://nginx.org/en/docs/stream/ngx_stream_core_module.html
  • https://nginx.org/en/docs/stream/ngx_stream_ssl_preread_module.html
  • https://www.amitnepal.com/nginx-ssl-passthrough-reverse-proxy
  • https://serverfault.com/questions/1049158/nginx-how-to-combine-ssl-preread-protocol-with-ssl-preread-server-name-ssh-mul

Solution

The problem was I tried to embed a stream block inside an http block. I was not properly accounting for the include in the /etc/nginx/nginx.conf file.



Answered By - user371793
Answer Checked By - Willingham (PHPFixing Volunteer)
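
The layout the answer describes, as an added example (not the asker's or the answerer's actual files): the Debian-style nginx.conf pulls sites-enabled/* in from inside its http block, so a stream block placed in sites-enabled/default ends up nested in http. The nginx.conf layout shown is an assumption about the packaged file, and the /etc/nginx/stream.d/ directory and the file name in it are hypothetical names chosen here; the stream block itself is the one from the question.

```nginx
# /etc/nginx/nginx.conf (abridged; assumed Debian package layout)

# Main context. The build uses --with-stream=dynamic, so the stream module is
# a shared object that must be loaded here before "stream" is recognised.
include /etc/nginx/modules-enabled/*.conf;

events {
  worker_connections 768;
}

http {
  # Everything in sites-enabled/ is inserted at this point, i.e. INSIDE http {}.
  # A file there that begins with "stream {" therefore fails with:
  #   "stream" directive is not allowed here in /etc/nginx/sites-enabled/default:1
  include /etc/nginx/sites-enabled/*;
}

# stream {} is only valid in the main context, as a sibling of http {}.
# Hypothetical directory, chosen for this example:
include /etc/nginx/stream.d/*.conf;


# /etc/nginx/stream.d/sni-passthrough.conf (hypothetical file name)
stream {
  # Route on the SNI name read from the ClientHello, without terminating TLS.
  map $ssl_preread_server_name $upstream {
    example.com 1051;
  }
  upstream 1051 {
    server 127.0.0.1:1051;   # local end of the reverse ssh tunnel
  }
  server {
    listen 443;              # no http {} server may listen on this same address:port
    proxy_pass $upstream;    # bytes are relayed as-is; the certificate stays on the service
    ssl_preread on;
  }
}
```

After moving the block, nginx -t checks the merged configuration before a reload.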