I have an application behind a Nginx reverse proxy that I am trying to access from an external client. Both the client and the application only support http. Therefore I am using Stunnel on the client side to map http to https and nginix on the server side to map https back to http for the application (which is hosted on a different server). Web browser access works as expected. That is a web browser can access the http server resource as https. However the Stunnel client fails with the following in the Nginx log:
/usr/share/nginx/html/r3/metadata" failed (2: No such file or directory), client: x.x.x.x, server: _, request: "GET /r3/metadata HTTP/1.1", host: "127.0.0.1:9080"
My Nginix config is as follows:
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_pass http://192.168.1.2:9080/;
#proxy_redirect http:// https://;
}
And Stunnel
verify = 0
debug = 7
foreground = yes
[MyApp]
client = yes
accept = 127.0.0.1:9080
connect = foo.bar.com:443
The Stunnel logs give no indication of what is going wrong. It seems that for some reason the Nginx server is looking it the local server (that is itself) for the resource rather than the internal application server - but this only happens with Stunnel on the remote client - not web browser.
In case somebody else stumbles across this obscure issue.
The Problem: The Mirth integration engine community version only supports http for FHIR, not https. Stunnel is an obvious choice to solve this problem. Install Stunnel on the source and destination servers and map http to https across the secure tunnel. However, if we wish the client Mirth instance to hit a Nginx reverse proxy Stunnel does not function correctly out of the box. To clarify the issue, consider the following Stunnel config:
However, if Mirth connects the FHIR client to localhost which is then mapped to host.foo.bar, then only the 'localhost' host name is forwarded to the host.foo.bar server in the https request. This is an issue for the reverse proxy as it will try to forward a virtual host as 'localhost' rather than our internal Mirth server and port.
The Solution: The solution is cool. There are a bunch of DNS servers out there that return an embeded IP address from a hostname. For example, a look up on the host 'host.127.0.0.1.xip.io' will return '127.0.0.1'. This is useful as we can now tell the Mirth client to connect to host.127.0.0.1.xip.io. Stunnel will see this as 127.0.0.1, however our Nginx reverse proxy will read it as host.127.0.0.1.xip.io and be able to intelligently map it to the internal FHIR listener.