Context:
In a test environment I’m putting NGINX as a reverse proxy in front of IIS. One of our web apps has a client with its own updater. When going through NGINX, the updater fails to download the .vup package (it’s basically an archive). The client “dies” even before it actually performs the GET. A direct link to the package works via curl/browser through NGINX, and with a direct NAT to IIS the updater also works.
Environment
- NGINX 1.24.0 on Ubuntu 24.04, TLS termination, wildcard *.example.com
- Backend: IIS 2016 (HTTPS; site for my.example.com)
- App (.NET 4.x):
  - UpdateServer.asmx (SOAP) – checks version and returns package URL
  - PackageDownload.ashx – streams the binary update package .vup — the request never reaches this endpoint when failing
- ModSecurity/CRS disabled or detection-only on these paths to rule WAF out
What is actually called during a successful update (IIS log – direct NAT)
2025-08-12 08:40:53 W3SVC4 192.168.20.50 POST /my-app/UpdateServer.asmx - 443 - 192.168.20.1 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+4.0.30319.42000) - 200 0 0 109 - -
2025-08-12 08:40:55 W3SVC4 192.168.20.50 GET /my-app/PackageDownload.ashx vup=202507231045&appType=Client&hwid=71rtpywQ258iMB3zW9XjYg%3d%3d 443 - 192.168.20.1 - - 200 0 0 141 - -
Config
server {
    listen 80;
    server_name *.example.com;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name *.example.com;
    ssl_certificate /etc/nginx/ssl/mycert.pem;
    ssl_certificate_key /etc/nginx/ssl/mycert.key;
    #ssl_protocols TLSv1.2 TLSv1.1; - I did try this
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    location / {
        proxy_pass https://192.168.20.50;
        include /etc/nginx/proxy_params;
        proxy_ssl_verify off;
        proxy_ssl_server_name on;
        proxy_http_version 1.1;
        proxy_buffering off;
        gzip off;
        proxy_set_header Accept-Encoding "";
        proxy_max_temp_file_size 0;
        proxy_cache off;
        proxy_ssl_name $host;
    }
}
Any ideas?
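
A triage aid for the symptom described above, as an added example that is not part of the original post: it scans IIS W3C log lines in the field order shown in the post and lists every 200 response to UpdateServer.asmx that was not followed by a PackageDownload.ashx GET from the same c-ip within a time window. The function names, the 30-second window and the proxy address 192.168.20.2 are assumptions; behind the proxy every client shares NGINX's c-ip, so the match is approximate.

```python
from datetime import datetime, timedelta

# Constructed sample: the first two entries mirror the post's IIS log (direct NAT),
# the third is a made-up POST arriving via the proxy (192.168.20.2 is a placeholder).
SAMPLE = """\
#Software: Microsoft Internet Information Services
2025-08-12 08:40:53 W3SVC4 192.168.20.50 POST /my-app/UpdateServer.asmx - 443 - 192.168.20.1 Mozilla/4.0+(compatible) - 200 0 0 109 - -
2025-08-12 08:40:55 W3SVC4 192.168.20.50 GET /my-app/PackageDownload.ashx vup=202507231045&appType=Client 443 - 192.168.20.1 - - 200 0 0 141 - -
2025-08-12 09:15:10 W3SVC4 192.168.20.50 POST /my-app/UpdateServer.asmx - 443 - 192.168.20.2 Mozilla/4.0+(compatible) - 200 0 0 95 - -
"""

def parse(line):
    """Return (timestamp, method, uri_stem, client_ip, status) or None."""
    p = line.split()
    # Skip W3C header lines and anything shorter than the layout seen in the post.
    if line.startswith("#") or len(p) < 13:
        return None
    try:
        ts = datetime.strptime(p[0] + " " + p[1], "%Y-%m-%d %H:%M:%S")
        return ts, p[4], p[5].lower(), p[9], int(p[12])
    except ValueError:
        return None

def stalled_updates(lines, window_s=30):
    """Version checks answered with 200 that no package download followed."""
    events = sorted(e for e in map(parse, lines) if e)
    downloads = [(ts, ip) for ts, method, stem, ip, _ in events
                 if method == "GET" and stem.endswith("/packagedownload.ashx")]
    stalled = []
    for ts, method, stem, ip, status in events:
        if method != "POST" or status != 200:
            continue
        if not stem.endswith("/updateserver.asmx"):
            continue
        limit = ts + timedelta(seconds=window_s)
        if not any(d_ip == ip and ts <= d_ts <= limit for d_ts, d_ip in downloads):
            stalled.append((ts.isoformat(sep=" "), ip))
    return stalled

if __name__ == "__main__":
    for when, ip in stalled_updates(SAMPLE.splitlines()):
        print(f"{when} {ip}: version check answered 200, no package GET followed")
```

Each entry it reports is a version check the backend answered without the client ever requesting the package, which marks the SOAP response for that request as the thing to capture and compare against the direct-NAT case.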