I am trying to get my fortigate router's web interface behind my reverse proxy, not to be accessible from the internet, but to use my LetsEncrypt cert on my internal network. This is the config I'm using:
upstream websockets {
    server 192.168.1.99:443;
}

server {
    listen 443 ssl;
    allow 192.168.1.0/24;
    deny all;
    server_name f60e.*;
    include /config/nginx/ssl.conf;
    client_max_body_size 0;

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Authorization "";
        proxy_redirect off;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Origin "";
        proxy_pass_header X-XSRF-TOKEN;
        proxy_pass https://192.168.1.99;
        proxy_send_timeout 300;
        proxy_read_timeout 300;
        send_timeout 300;
        client_max_body_size 1000m;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    location /websockets/ {
        proxy_pass https://websockets;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $host;
        proxy_set_header Origin "";
    }
}
Everything appears to work except for the "Edit in CLI" button. When I attempt to use it, the interface window comes up blank and after a few seconds it says "Connection lost", and I get this error in my browser console:
GET https://f60e.walnuthomelab.com/favicon/site.webmanifest net::ERR_CONNECTION_TIMED_OUT
main.js:1
WebSocket connection to 'wss://f60e.walnuthomelab.com/ws/cli/open?cols=66&rows=34' failed:
createWebSocket @ main.js:1
I was able to get this working without specifying a websockets block for the reverse proxy config. I've also got buffering disabled because the console seemed to be a bit laggy while it was enabled, but this could be in my head.

The SSL/TLS configuration on this will severely limit your ability to connect with older clients, limit your connection to {{ ADMIN_IP }}, and will lock you out of the hostname if you break your certificate configuration or want to remove TLS in the future. So make sure you're using modern browsers, and that your LetsEncrypt setup is working properly.

I've tested this with the default FortiGate self-signed certificate, one from a private trusted CA, and a LetsEncrypt cert through the FortiGate's built-in ACME engine. This is working across three Nginx servers listening on a keepalived vIP.
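A single-location variant of the kind the reply describes (no separate websockets upstream), written here as an added example rather than either poster's config. It keeps the question's 192.168.1.99 backend, the f60e.* hostname and the LAN-only allow/deny; the map block is the standard nginx pattern for sending Connection: upgrade only on real WebSocket upgrades such as the /ws/cli/open request in the question, and the proxy_ssl_* lines are an assumption about how you would verify the FortiGate's certificate once it is issued by a CA you trust.

```nginx
# Send "Connection: upgrade" only when the client asked for an upgrade;
# ordinary HTTP/1.1 requests to the GUI get "Connection: close" instead.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 443 ssl;
    server_name f60e.*;
    include /config/nginx/ssl.conf;   # LetsEncrypt cert/key, as in the question

    # Management UI reachable from the LAN only; everything else is refused.
    allow 192.168.1.0/24;
    deny  all;

    location / {
        proxy_pass https://192.168.1.99;
        proxy_http_version 1.1;

        # WebSocket handshake for paths such as /ws/cli/open
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        proxy_set_header Host            $host;
        proxy_set_header X-Real-IP       $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # Carried over from the question's config: send an empty Origin
        # to the FortiGate rather than the browser's value.
        proxy_set_header Origin "";

        # Interactive CLI session: no buffering, long idle timeout on the tunnel.
        proxy_buffering    off;
        proxy_read_timeout 3600s;
        proxy_send_timeout 3600s;

        # nginx does not verify the upstream certificate by default. Once the
        # FortiGate presents a cert from a CA you trust, enable verification
        # (assumed settings; the CA bundle path depends on your distribution):
        # proxy_ssl_verify on;
        # proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
        # proxy_ssl_name <name in the FortiGate certificate>;
    }
}
```

Check the result with the browser console from the question: the wss://.../ws/cli/open request should complete with a 101 Switching Protocols response instead of failing.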