[SOLVED] Configuring nginx plus to work with ssrs (and ntlm) as a reverse proxy

Configuring nginx plus to work with ssrs (and ntlm) as a reverse proxy

I'm attempting to use an nginx plus server as a reverse proxy for an ssrs instance running on a separate machine. Nginx is hosted on a linux (Ubuntu) server; ssrs is (of course) on a Windows server. Accessing ssrs directly (without going through the reverse proxy) works fine.

My question is how to properly configure Nginx Plus for this situation. Here is the relevant part of my nginx configuration file:

upstream reports_backend {
    server a.b.c.d:443;
    ntlm;
}

server {
    ...
    location /Reports {
        rewrite ^/Reports/(.*)? /Reports/$1 break;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header Host a.b.c.d;
        proxy_pass https://reports_backend/Reports;
    }

    ...
}

This does connect to ssrs on server a.b.c.d (not its real name) successfully and I can navigate the report folders in the ssrs web portal just fine. The problem comes when clicking on a report. The URI changes from "Reports" to "ReportServer" which gives me a 404 (not found) from Nginx.

I've tried putting in another location defined similarly to the above:

location /ReportServer {
    rewrite ^/ReportServer/(.*)? /ReportServer/$1 break;
    proxy_http_version 1.1;
    proxy_set_header Connection "";
    proxy_set_header Host a.b.c.d;
    proxy_pass https://reports_backend/ReportServer;
}

The problem with this approach is that it makes a new connection when following the /ReportServer proxy pass, which doesn't contain the NTLM authentication information from the /Reports connection.

I've tried putting the /Reports and /ReportServer endpoints together in one location, and that didn't help (I couldn't get the rewrites to work properly).

Any ideas?

Solution

Well, after a few days of pulling my hair out I finally got it to work. Turns out it wasn't an NGINX setting, it was an SSRS setting. In rsreportserver.config I had to have the following settings (similar to custom authentication):

<Authentication>
    <AuthenticationTypes>
        <RSWindowsNTLM/>
    </AuthenticationTypes>
    <RSWindowsExtendedProtectionLevel>Off</RSWindowsExtendedProtectionLevel>
    <RSWindowsExtendedProtectionScenario>Proxy</RSWindowsExtendedProtectionScenario>
    <EnableAuthPersistence>true</EnableAuthPersistence>
</Authentication>

The key for me was to set RSWindowsExtendedProtectionLevel to Off, now everything works.