JetProxy with WSUS over HTTPS Configuration Guide

This guide provides step-by-step instructions for configuring JetProxy using the template_intigua.conf NGINX reverse proxy template. JetProxy acts as a local endpoint that forwards client traffic to JetPatch Manager and WSUS

Prerequisites:

• NGINX installed (Linux). Config directory usually /etc/nginx/nginx.conf and /etc/nginx/conf.d/intigua.conf.
• JetProxy client‑facing certificate/key files present on disk (often self‑signed for internal use).
• Backends (Manager/WSUS) reachable over the network; their certificates must present CN/SAN matching the FQDNs you will configure.

Step-by-Step Configuration Instructions:

Step 1: Prepare Your Environment Information

Before editing the template, gather the following information:

Important: 

• The FQDNs must exactly match the Common Name (CN) or Subject Alternative Name (SAN) entries in your backend server certificates.
• If you use a self‑signed JetProxy cert, import it into your clients’ Trusted Root store (Windows/macOS/Linux) to avoid warnings.

Step 2: Replace all placeholder values marked with <REPLACE: ...>:

Copy the template to your NGINX configuration directory: 

cp template_intigua.conf /etc/nginx/conf.d/intigua.conf

In intigua.conf, search for and replace every instance of:
<REPLACE: JETPROXY NAME(S)>
Local names clients will use. Examples: jetproxy JetProxy (short + capitalized) or jetproxy.example.local jetproxy.
<REPLACE: MANAGER_FQDN>
JetPatch Manager backend hostname that matches its server certificate. Example: manager.example.com.
<REPLACE: WSUS_FQDN>
WSUS backend hostname that matches its server certificate. Example: wsus.example.com.
 

Important:

Ports are already set to 80/443 for JetPatch Manager exposure and 8530/8531 for WSUS exposure. Keep them unless you have a special need.

Step 3: If your certificate files are in a different location, update the paths:

1. Ensure the JetProxy cert/key paths in the file point to your actual files (defaults used: intigua.crt / intigua.key).

ssl_certificate    /etc/nginx/ssl/intigua.crt;
ssl_certificate_key    /etc/nginx/ssl/intigua.key;

Step 4: Validate Configuration:

Test the NGINX configuration:

sudo nginx -t  

Expected output if successful:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok  
nginx: configuration file /etc/nginx/nginx.conf test is successful 

If there are errors, review the error messages and check:

• All placeholder values were replaced
• Certificate files exist and are readable
• File paths are correct

Step 5: Deploy the Configuration

1. Reload NGINX to apply the new configuration:

   sudo systemctl reload nginx  
   

2. Verify NGINX is running:

   sudo systemctl status nginx  
   

Step 6: Testing Your Configuration

Replace <YOUR_JETPROXY_NAME> with the actual name you configured:

JetPatch Manager Tests

# HTTP test  
curl -I http://<YOUR_JETPROXY_NAME>/  
  
# HTTPS test    
curl -I https://<YOUR_JETPROXY_NAME>/  

WSUS Tests

# WSUS HTTP test  
curl -I http://<YOUR_JETPROXY_NAME>:8530/  
  
# WSUS HTTPS test  
curl -I https://<YOUR_JETPROXY_NAME>:8531/  

Expected Results

• Successful HTTP tests should return HTTP/1.1 200 OK or similar
• HTTPS tests may show certificate warnings if using self-signed certificates
• Failed connections will show connection refused or timeout errors

Troubleshooting Common Issues and Solutions

1. TLS Handshake Failures

Symptoms: SSL/TLS connection errors when accessing HTTPS endpoints

Solutions:

• Verify backend certificate CN/SAN matches the FQDN in configuration
• Check that proxy_ssl_name matches the backend hostname
• Ensure backend servers are reachable on the specified ports

2. Backend Receives Wrong Host Header

Symptoms: Backend servers return wrong content or errors

Solutions:

• Verify proxy_set_header Host is set to the correct backend FQDN
• Check that backend virtual hosts are configured for the specified hostname

3. HTTP 413 Payload Too Large

Symptoms: File upload failures

Solutions:

• The template sets client_max_body_size 100m

• Increase the value if larger uploads are needed:

  client_max_body_size 500m;  # Allow 500MB uploads  
  

4. Slow WSUS Downloads

Symptoms: WSUS updates download slowly

Solutions:

• The template uses proxy_buffering off for WSUS HTTPS
• Consider enabling caching if bandwidth is limited
• Check network connectivity between proxy and WSUS server

5. Client Certificate Warnings

Symptoms: Browser shows certificate warnings

Solutions:

• Import JetProxy certificate into client trust stores
• For Windows: Add to "Local Computer → Trusted Root Certification Authorities"
• For browsers: Add to browser certificate store

Optional: generate a self‑signed JetProxy certificate with SAN

Generating Self-Signed Certificates
For lab environments, you can generate a self-signed certificate:

# Create SSL directory
sudo mkdir -p /etc/nginx/ssl

# Generate certificate with SAN
sudo openssl req -x509 -nodes -newkey rsa:2048 -days 825 \
    -keyout /etc/nginx/ssl/intigua.key \
    -out /etc/nginx/ssl/intigua.crt \
    -subj "/CN=jetproxy" \
    -addext "subjectAltName=DNS:jetproxy,DNS:jetproxy.company.local"

Import intigua.crt into client trust stores (Windows: Local Computer → Trusted Root Certification Authorities).

 Reference snippets (what to look for)

Host header to Manager

proxy_set_header Host <REPLACE: MANAGER_FQDN>;
proxy_pass https://<REPLACE: MANAGER_FQDN>/;
proxy_ssl_server_name on;
proxy_ssl_name <REPLACE: MANAGER_FQDN>;

Host header to WSUS

proxy_set_header Host <REPLACE: WSUS_FQDN>;
proxy_pass https://<REPLACE: WSUS_FQDN>:8531/;
proxy_ssl_server_name on;
proxy_ssl_name <REPLACE: WSUS_FQDN>;

Attachments:

template_intigua.conf

Next steps:

Configure Endpoint to communicate with WSUS using https://FQDN:8531, same for endpoint readiness.