GitLab behind nginx reverse proxy - nginx

I have problems getting GitLab to work behind an nginx reverse proxy.
nginx version: nginx/1.14.0 (Ubuntu)
gitlab-ce 11.3.6-ce.0
In /etc/gitlab/gitlab.rb I have set (according to the documentation):
external_url 'https://gitlab.mydomain.io'
nginx['listen_port'] = 81
nginx['listen_https'] = false
I used port 81 so the reverse proxy can bind to 80 so it's easier to get LetsEncrypt certificates. This is my virtual host for the gitlab subdomain:
upstream gitlab {
    server localhost:81 fail_timeout=0;
}

server {
    listen 82;
    listen [::]:82;
    server_name gitlab.mydomain.io;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name gitlab.mydomain.io;
    ssl_certificate /etc/nginx/ssl/gitlab.mydomain.io.crt;
    ssl_certificate_key /etc/nginx/ssl/gitlab.mydomain.io.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;

    location / {
        proxy_read_timeout 300;
        proxy_connect_timeout 300;
        proxy_redirect off;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Frame-Options SAMEORIGIN;
        proxy_pass https://gitlab;
    }
}
When I navigate to my subdomain, I get a 502 Bad Gateway with the following error in the nginx log:
[error] 6301#6301: *6 SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) while SSL handshaking to upstream, client: 88.217.180.123, server: gitlab.mydomain.io, request: "GET / HTTP/1.1", upstream: "https://127.0.0.1:81/", host: "gitlab.mydomain.io"
I tried using different protocols with nginx but to no avail. Does anyone have an idea?
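A pre-flight check for the error in this question (the same "wrong version number" handshake failure also appears in the "Nginx proxy https to http" question further down), added here and not part of any of the original posts: it reproduces the TLS handshake that proxy_pass https:// performs against a constructed plaintext stub, so you can confirm what a port actually speaks before choosing http:// or https:// in proxy_pass. The stub stands in for GitLab's bundled nginx listening on port 81 without TLS; host and port arguments are assumptions.

```python
import socket
import ssl
import threading

# Constructed stand-in for an upstream that speaks plain HTTP (GitLab's bundled nginx
# on port 81 with listen_https = false): any bytes, even a ClientHello, get a plain 400.
PLAIN_HTTP_400 = (b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n"
                  b"Connection: close\r\n\r\n")

def start_plaintext_stub():
    """Start the plaintext stub on 127.0.0.1 in a daemon thread; return its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.recv(4096)  # swallow whatever arrived (the ClientHello)
                conn.sendall(PLAIN_HTTP_400)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def closed_port():
    """Return a localhost port nothing listens on (bind, read it back, close)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

def probe_upstream(host, port, timeout=3.0):
    """Attempt the handshake proxy_pass https:// would attempt; classify the outcome.
    "tls": handshake completed (cert checks are off; the question is only whether TLS
    is spoken at all). "plaintext": non-TLS bytes came back and OpenSSL reported
    WRONG_VERSION_NUMBER, the ssl3_get_record error in the nginx log. "unreachable":
    the TCP connect failed. "other:<reason>": any other TLS failure, e.g. a peer alert.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):  # handshakes on wrap
                return "tls"
    except ssl.SSLError as exc:  # listed before OSError, which it subclasses
        return "plaintext" if exc.reason == "WRONG_VERSION_NUMBER" else f"other:{exc.reason}"
    except OSError:
        return "unreachable"
```

Run probe_upstream("127.0.0.1", 81) on the GitLab host: "plaintext" means the upstream block must be reached with proxy_pass http://, not https://.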

Related

How to stop nginx pass through from resolving upstream to IP

I am new to nginx reverse proxy configuration. We have a requirement to set up a proxy server to route requests to a remote server that requires IP whitelisting. Two-way SSL is also in place.
We have been trying to set it up but hit a roadblock. Following is the configuration:
server {
    listen 80;
    server_name myserver.com;
    return 302 https://myserver.com;
}

server {
    listen 443;
    server_name myserver.com;
    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_certificate /etc/nginx/keys/my-net.crt;
    ssl_certificate_key /etc/nginx/keys/my-net.key;
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    location / {
        resolver 8.8.8.8;
        set $backend "https://remoteserver.com";
        proxy_pass $backend;
        proxy_ssl_server_name on;
        proxy_ssl_trusted_certificate /home/ubuntu/myfile.pem;
        proxy_ssl_session_reuse off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
The problem we are facing is that the proxy server is resolving the domain name to an IP, because of which the SSL handshake is failing. We need to stop this and hit the domain name, because the certificate is on the domain name.
Error from error.log:
2022/03/02 14:10:02 [error] 27012#27012: *8 SSL_do_handshake() failed (SSL: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:SSL alert number 40) while SSL handshaking to upstream, client: <>, server: <>, request: "POST <> HTTP/1.1", upstream: "https:<>", host: "<>"
2022/03/02 14:10:02 [alert] 27012#27012: *8 socket() failed (97: Address family not supported by protocol) while connecting to upstream, client: <>, server: <>, request: "POST /gateway/api/txb/v1/payments/transfer-payment HTTP/1.1", upstream: "https://[IPv6]:443/", host: "<>"
Already tried the solution here but no luck - How to stop nginx from resolving upstream to ip?
You need to turn off proxy_pass_request_headers, after that set the headers with proxy_set_header, and listen with ssl: listen 443 ssl;
server {
    listen 80;
    server_name myserver.com;
    return 302 https://myserver.com;
}

server {
    listen 443 ssl;
    server_name myserver.com;
    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_certificate /etc/nginx/keys/my-net.crt;
    ssl_certificate_key /etc/nginx/keys/my-net.key;
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    location / {
        resolver 8.8.8.8;
        set $backend "https://remoteserver.com";
        proxy_pass $backend;
        proxy_ssl_server_name on;
        proxy_ssl_trusted_certificate /home/ubuntu/myfile.pem;
        proxy_ssl_session_reuse off;
        proxy_pass_request_headers off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

Nginx proxy https to http - routines:ssl3_get_record:wrong version number

This is how I configured my Nginx:
upstream stage {
    server example.com;
}

server {
    server_name IP;
    listen 80;

    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_set_header protocol Token;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_pass https://stage;
    }
}
I see this in error.log:
2021/11/03 15:26:14 [error] 40782#40782: *1 SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) while SSL handshaking to upstream, client: IP, server: IP, request: "POST / HTTP/1.1", upstream: "https://IP:80/", host: "IP:10784"
How can I proxy user's request from http to https?
Disabling TLS with the proxy_ssl_verify off directive will resolve the issue, although it, well, disables TLS -- something you should not be doing on a public network connecting the proxying party and the upstream.
Here is the changed configuration:
upstream stage {
    server example.com:443;
}

server {
    server_name IP;
    listen 80;

    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host example.com;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Port 443;
        proxy_set_header X-Forwarded-Proto https;
        proxy_ssl_verify off;
        proxy_pass https://stage$request_uri;
    }
}
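In the changed configuration above, the part that addresses the logged handshake failure is server example.com:443; (an upstream server without a port defaults to 80, which matches the upstream: "https://IP:80/" in the log), and proxy_ssl_verify is off by default in nginx. The following is an added configuration, not from the answer, for the case the answer cautions about: keep TLS to the upstream and verify its certificate. The CA bundle path is an assumption.

```nginx
upstream stage {
    server example.com:443;
}

server {
    server_name IP;
    listen 80;

    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host example.com;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Port 443;
        proxy_set_header X-Forwarded-Proto https;

        # Speak TLS 1.2+ to the upstream, send SNI for the upstream's name,
        # and verify its certificate chain against a trusted CA bundle.
        proxy_ssl_protocols TLSv1.2 TLSv1.3;
        proxy_ssl_server_name on;
        proxy_ssl_name example.com;
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        # Assumed path of the system CA bundle; point it at your own bundle.
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;

        proxy_pass https://stage;
    }
}
```

A handshake that now fails with a certificate error in error.log means the upstream presents a certificate the bundle does not trust, which is the condition proxy_ssl_verify on exists to catch.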

proxy_pass https NGinx to Gloo - 502 SSL Handshaking

I am trying to proxy requests with nginx to a GlooEdge API Gateway, but it keeps failing with a 502 error code and this message:
peer closed connection in SSL handshake while SSL handshaking to upstream, client: 172.24.0.1, server: myapp.mydomain.fr, request: "GET /api/selfcare/refunds HTTP/2.0", upstream: "https://XX.XXX.XX.XXX:443/selfcare/refunds", host: "myapp.mydomain.fr:20889"
Here is my nginx config:
upstream my_api {
    server myapi.mydomain.fr:443;
}

server {
    listen 80;
    return 301 https://$host:20443$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name myapp.mydomain.fr;
    ssl_certificate /etc/ssl/certs/nginx/myapp.mydomain.fr.pem;
    ssl_certificate_key /etc/ssl/certs/nginx/myapp.mydomain.fr.key;

    location /api/ {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_pass https://my_api/;
    }

    location / {
        proxy_pass http://my_app;
    }
}
I think I tried everything, I dug through every website and documentation, but I'm still unable to make this work...
Does anyone have an idea?

Nginx. Directory index is forbidden

I have a load-balancing nginx server 192.168.2.168 with the following nginx config:
upstream balancer {
    server 192.168.2.165;
    server 192.168.2.166 backup;
}

server {
    listen 80;
    server_name 192.168.2.168;
    error_log /var/log/nginx/balancer-error_log;

    location /something {
        proxy_pass http://balancer;
    }
}
Then when I try 192.168.2.168/something, it gives 403 Forbidden.
tailf /var/log/error.log on 192.168.2.165 shows:
*47 directory index of "/usr/share/nginx/html/glpi/" is forbidden, client: 192.168.2.168, server: localhost, request: "GET /glpi/ HTTP/1.0", host: "balancer"
But if I replace http://balancer with http://192.168.2.165 it works fine.
proxy_pass http://192.168.2.165;
What am I doing wrong, and how do I make the upstream servers work?
The problem was solved by using server_name balancer.home; instead of server_name 192.168.2.168;, plus I added some headers.
Here is my config:
upstream backend {
    server 192.168.2.165;
    server 192.168.2.166;
    server 192.168.2.167 backup;
}

server {
    listen 80;
    server_name balancer.home;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    server_name balancer.home;
    ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
    ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
    error_log /var/log/nginx/balancer-error_log;
    access_log /var/log/nginx/balancer-access_log;

    location / {
        proxy_pass_header Server;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://backend;
    }
}
PS: On the upstream servers, the same server_name (domain name) as on the balancer server should be specified.

Artifactory bad gateway error

I am trying to use Artifactory as a Docker registry, but pushing Docker images gives a Bad Gateway error.
Following is my nginx configuration:
upstream artifactory_lb {
    server artifactory01.mycompany.com:8081;
    server artifactory01.mycompany.com:8081 backup;
    server myLoadBalancer.mycompany.com:8081;
}

log_format upstreamlog '[$time_local] $remote_addr - $remote_user - $server_name to: $upstream_addr: $request upstream_response_time $upstream_response_time msec $msec request_time $request_time';

server {
    listen 80;
    listen 443 ssl;
    client_max_body_size 2048M;

    location / {
        proxy_set_header Host $host:$server_port;
        proxy_pass http://artifactory_lb;
        proxy_read_timeout 90;
    }

    access_log /var/log/nginx/access.log upstreamlog;

    location /basic_status {
        stub_status on;
        allow all;
    }
}

# Server configuration
server {
    listen 2222 ssl default_server;
    ssl_certificate /etc/nginx/ssl/self-signed/self.crt;
    ssl_certificate_key /etc/nginx/ssl/self-signed/self.key;
    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    server_name myloadbalancer.mycompany.com;

    if ($http_x_forwarded_proto = '') {
        set $http_x_forwarded_proto $scheme;
    }

    rewrite ^/(v1|v2)/(.*) /api/docker/docker_repo/$1/$2;
    client_max_body_size 0;
    chunked_transfer_encoding on;

    location / {
        proxy_read_timeout 900;
        proxy_pass_header Server;
        proxy_cookie_path ~*^/.* /;
        proxy_set_header X-Artifactory-Override-Base-Url $http_x_forwarded_proto://$host;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://myloadbalancer.company.com:8081/artifactory/;
    }
}
The docker command I use to push images is:
docker push myloadbalancer:2222/image_name
Nginx error logs show the following error: 24084 connect() failed (111: Connection refused) while connecting to upstream, client: internal_ip, server: , request: "GET /artifactory/inhouse HTTP/1.0", upstream: "http:/internal_ip:8081/artifactory/repo"
What am I missing?
This can be fixed by changing the proxy_pass to point at the upstream group instead of any single one of the upstream servers.
proxy_pass http://artifactory_lb;