How to stop nginx pass through from resolving upstream to IP - nginx

I am new to nginx reverse proxy configuration. We have a requirement to setup a proxy server to route requests to a remote server that requires IP whitelisting. Two way SSL is also in place.
We have been trying to it up hit a roadblock. Following is the configuration :
server {
listen 80;
server_name myserver.com;
return 302 https://myserver.com;
}
server {
listen 443;
server_name myserver.com;
ssl on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_certificate /etc/nginx/keys/my-net.crt;
ssl_certificate_key /etc/nginx/keys/my-net.key;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
location / {
resolver 8.8.8.8;
set $backend "https://remoteserver.com";
proxy_pass $backend;
proxy_ssl_server_name on;
proxy_ssl_trusted_certificate /home/ubuntu/myfile.pem;
proxy_ssl_session_reuse off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwared-For $proxy_add_x_forwarded_for;
}
}
The problem we are facing is that the proxy server is resolving the domain name to IP because of which SSLhandshake is failing. We need to stop this and hit the domain name because the certificate is on the domain name.
Error from error.log
2022/03/02 14:10:02 [error] 27012#27012: *8 SSL_do_handshake() failed (SSL: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:SSL alert number 40) while SSL handshaking to upstream, client: <>, server: <>, request: "POST <> HTTP/1.1", upstream: "https:<>", host: "<>"
2022/03/02 14:10:02 [alert] 27012#27012: *8 socket() failed (97: Address family not supported by protocol) while connecting to upstream, client: <>, server: <>, request: "POST /gateway/api/txb/v1/payments/transfer-payment HTTP/1.1", upstream: "https://[IPv6]:443/", host: "<>"
Already tried the solution here but no luck - How to stop nginx from resolving upstream to ip?

You need to off proxy_pass_request_headers after that set headers with proxy_set_heder and listen ssl listen 443 ssl;
server {
listen 80;
server_name myserver.com;
return 302 https://myserver.com;
}
server {
listen 443 ssl;
server_name myserver.com;
ssl on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_certificate /etc/nginx/keys/my-net.crt;
ssl_certificate_key /etc/nginx/keys/my-net.key;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
location / {
resolver 8.8.8.8;
set $backend "https://remoteserver.com";
proxy_pass $backend;
proxy_ssl_server_name on;
proxy_ssl_trusted_certificate /home/ubuntu/myfile.pem;
proxy_ssl_session_reuse off;
proxy_pass_request_headers off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwared-For $proxy_add_x_forwarded_for;
}
}

Related

Kuzzle is not establishing socket connection

This is nginx conf for Kuzzle console:
server {
listen 80;
listen 443 ssl;
ssl_certificate /etc/nginx/ssl/ *****;
ssl_certificate_key /etc/nginx/ssl *****
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
# ssl_session_cache shared:SSL:10m;
# ssl_session_timeout 10m;
server_name *****
root /home/ubuntu/kuzzle-compose/kuzzle-admin-console/dist/;
index index.html;
location / {
# kill cache
add_header Last-Modified $date_gmt;
add_header Cache-Control 'no-store, no-cache';
if_modified_since off;
expires off;
etag off;
#try_files $uri $uri/ =404;
try_files $uri$args $uri$args/ /index.html;
}
}
This is Socket connection Nginx Conf which is not establishing the connection:
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
upstream kuzzle {
server localhost:7512;
}
server {
listen 443 ssl;
proxy_read_timeout 3600s;
ssl_certificate /etc/nginx/ssl/***;
ssl_certificate_key /etc/nginx/ssl/****;
# error_page 497 https://$host:17512$request_uri;
location / {
proxy_pass http://kuzzle;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
}
}
On IP it is connecting and establishing connection over http and in case if socket connection after adding ip and port in Kuzzle Console it doesn't connecting with kuzzle backend.
note: Kuzzle console (nginx conf) is working fine and connection with SSL too.

GitLab behind nginx reverse proxy

I have problems getting GitLab to work behind an nginx reverse proxy.
nginx version: nginx/1.14.0 (Ubuntu)
gitlab-ce 11.3.6-ce.0
in /etc/gitlab/gitlab.rb I have set (according to documentation):
external_url 'https://gitlab.mydomain.io'
nginx['listen_port'] = 81
nginx['listen_https'] = false
I used port 81 so the reverse proxy can bind to 80 so it's easier to get LetsEncrypt certificates. This is my virtual host for the gitlab subdomain:
upstream gitlab {
server localhost:81 fail_timeout=0;
}
server {
listen 82;
listen [::]:82;
server_name gitlab.mydomain.io;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name gitlab.mydomain.io;
ssl_certificate /etc/nginx/ssl/gitlab.mydomain.io.crt;
ssl_certificate_key /etc/nginx/ssl/gitlab.mydomain.io.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
location / {
proxy_read_timeout 300;
proxy_connect_timeout 300;
proxy_redirect off;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Frame-Options SAMEORIGIN;
proxy_pass https://gitlab;
}
}
When I navigate to my subdomain, I get a 502 Bad Gateway with the following error in the nginx log:
[error] 6301#6301: *6 SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) while SSL handshaking to upstream, client: 88.217.180.123, server: gitlab.mydomain.io, request: "GET / HTTP/1.1", upstream: "https://127.0.0.1:81/", host: "gitlab.mydomain.io"
I tried using different protocols with nginx but to no avail. Does anyone have an idea?

TFS behind Nginx reverse proxy

Trying to configure Team Foundation Server behind Nginx reverse proxy.
Also, I'm using a self-signed SSL Certificate.
Getting ERR_TOO_MANY_REDIRECTS
Here is my nginx configuration:
server {
listen 80 default;
server_name tfs.domain.com;
return 301 https://$host$request_uri;
}
upstream tfs.domain.com {
server 12.34.56.78:80; #local tfs address
keepalive 16;
}
server {
listen 443 ssl;
server_name tfs.domain.com;
ssl_certificate /etc/nginx/ssl/tfs.domain.com.pem;
ssl_certificate_key /etc/nginx/ssl/tfs.domain.com.key;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
ssl_prefer_server_ciphers on;
location / {
proxy_pass http://12.34.56.78:80; #local tfs address
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_redirect http:// $scheme://;
}
access_log /var/log/nginx/tfs.domain.com/443-access.log;
error_log /var/log/nginx/tfs.domain.com/443-error.log;
}
What I'm doing wrong?
Just try to set the proxy_redirect explicitly:
e.g.:
proxy_redirect http://localhost:8080 https://tfs.domain.com;
You can reference below article to configure the nginx (It should be similar with TFS):
How To Configure Nginx with SSL as a Reverse Proxy for Jenkins
And this thread may helps: https://serverfault.com/questions/754351/what-is-a-correct-ways-to-allow-login-to-an-iis-site-through-a-reverse-proxy
Besides, you can reference below articles to troubleshoot the ERR_TOO_MANY_REDIRECTS issue:
How to Fix ERR_TOO_MANY_REDIRECTS on Your WordPress Site
How to Fix Err Too Many Redirects Error

Artifactory bad gateway error

I am trying to use artifactory as a docker registry. But pushing docker images gives a Bad Gateway error.
Following is my nginx configuration
upstream artifactory_lb {
server artifactory01.mycomapany.com:8081;
server artifactory01.mycomapany.com:8081 backup;
server myLoadBalancer.mycompany.com:8081;
}
log_format upstreamlog '[$time_local] $remote_addr - $remote_user - $server_name to: $upstream_addr: $request upstream_response_time $upstream_response_time msec $msec request_time $request_time';
server {
listen 80;
listen 443 ssl;
client_max_body_size 2048M;
location / {
proxy_set_header Host $host:$server_port;
proxy_pass http://artifactory_lb;
proxy_read_timeout 90;
}
access_log /var/log/nginx/access.log upstreamlog;
location /basic_status {
stub_status on;
allow all;
}
}
# Server configuration
server {
listen 2222 ssl default_server;
ssl_certificate /etc/nginx/ssl/self-signed/self.crt;
ssl_certificate_key /etc/nginx/ssl/self-signed/self.key;
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
server_name myloadbalancer.mycompany.com;
if ($http_x_forwarded_proto = '') {
set $http_x_forwarded_proto $scheme;
}
rewrite ^/(v1|v2)/(.*) /api/docker/docker_repo/$1/$2;
client_max_body_size 0;
chunked_transfer_encoding on;
location / {
proxy_read_timeout 900;
proxy_pass_header Server;
proxy_cookie_path ~*^/.* /;
proxy_set_header X-Artifactory-Override-Base-Url $http_x_forwarded_proto://$host;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for
proxy_pass http://myloadbalancer.company.com:8081/artifactory/;
}
}
The docker command I use to push images is
docker push myloadbalancer:2222/image_name
Nginx error logs show the following error 24084 connect() failed (111: Connection refused) while connecting to upstream, client: internal_ip, server: , request: "GET /artifactory/inhouse HTTP/1.0", upstream: "http:/internal_ip:8081/artifactory/repo"
What am I missing?
This can be fixed by changing the proxy pass to point to any of the upstream servers.
proxy_pass http://artifactory_lb;

Nginx Proxy for github.io is returning 404

I'm trying to use Nginx as a reverse-proxy for my pages at github pages. Based on info from here: https://pascal.io/github-pages-https/, and others, my config looks like this:
server {
listen 80 default_server;
server_name leepope.com www.leepope.com;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2;
server_name leepope.com;
ssl on;
ssl_certificate <my cert>;
ssl_certificate_key <my key>;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_session_cache shared:SSL:10m;
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security max-age=15768000;
location / {
proxy_pass https://leepope.github.io;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_intercept_errors on;
expires off;
}
}
When I make a request to the server root, I get a github page, but it's a 404.
I've enabled nginx debugging, but I can't see what the request going to github looks like - their headers are in the log, but there's no info about what's going out.
Can anyone help me troubleshoot this?
Thanks.

Resources