How to tell nginx to use a forward proxy to reach a specific destination
Hello.
I accidentally closed my previous post, so I am recreating this discussion because of the following problem I'm encountering.
Here is the situation:
- I have multiple servers which are in a secure network zone
- I have another server where nginx is installed and is used as a reverse proxy.
- The NGINX server has access to a remote destination (a gitlab server) through a forward proxy (squid).
So the flow is the following : Servers in secure zone --> Server Nginx as reverse proxy --> Server squid as forward proxy --> an internal gitlab in another network zone.
Is it possible to tell nginx to use the squid forward proxy to reach the gitlab server, please?
For the moment, I have this configuration :
server {
    listen 443 ssl;
    server_name <ALIAS DNS OF NGINX SERVER>;

    ssl_certificate /etc/nginx/certs/mycert.crt;
    ssl_certificate_key /etc/nginx/certs/mykey.key;
    ssl_session_cache shared:SSL:1m;
    ssl_prefer_server_ciphers on;

    access_log /var/log/nginx/mylog.access.log;
    error_log /var/log/nginx/mylog.error.log debug;

    location / {
        proxy_pass https://the-gitlab-host:443;
    }
}
But it does not work. When I try to perform a git command from a server in the secure zone, it fails, and in the nginx logs I see a timeout, which is normal, because nginx does not use the squid forward proxy to reach the gitlab server.
Thank you in advance for your help!
Best regards.
It seems I have also made a mistake. In setting a proxy for git, it treats NGINX as a forward proxy. The issue with this is that NGINX is a reverse proxy. In effect it acts as an endpoint for the forward proxy you are trying to reach.
The error is due to NGINX trying to interpret a forward proxy request. So I figure we need to tell it not to do any processing on the traffic, and we do that with the stream block, which passes the TCP stream directly to the destination:

stream {
    upstream web_server {
        # Our web server, listening for SSL traffic
        # Note the web server will expect traffic
        # at this xip.io "domain", just for our
        # example here
        server PROXYIP:PROXYPORT;
    }

    server {
        listen 443;
        proxy_pass web_server;
    }
}

The issue with this is that it intercepts ALL traffic on 443. If you don't want that, have it listen on a different port and adjust the .gitconfig to specify its proxy on the new port. You cannot tell it to match a name because at the TCP layer there is no server name.
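As an added example (not configuration posted by either participant in this thread), here is the stream passthrough placed on a dedicated port, as the reply suggests, so the existing "listen 443 ssl" reverse proxy keeps working; the squid address, the listen port, the client CIDR and the git alias are assumptions for illustration:

```nginx
# Added example, not from the original posts. Hostnames, ports and CIDR are assumed.
# The stream block must sit at the top level of nginx.conf, as a sibling of the
# http block, not inside it.
stream {
    # Squid forward proxy that the nginx host can reach (assumed address/port).
    upstream squid_forward_proxy {
        server squid.internal.example:3128;
    }

    log_format relay '$remote_addr -> $upstream_addr [$time_local] '
                     'status=$status in=$bytes_received out=$bytes_sent';

    # Plain TCP relay: nginx never parses the bytes, so the "CONNECT host:443"
    # request that git (libcurl) sends to its configured proxy reaches squid
    # unchanged, and the TLS session stays end-to-end between git and gitlab.
    server {
        listen 3128;

        # Anything that can reach this port gets squid (and whatever squid
        # permits), so limit it to the secure zone (ngx_stream_access_module)
        # and firewall the port as well.
        allow 10.10.0.0/16;
        deny  all;

        proxy_pass squid_forward_proxy;
        proxy_connect_timeout 5s;
        proxy_timeout 10m;

        access_log /var/log/nginx/relay.access.log relay;
    }
}

# On a secure-zone server (assumed nginx alias), point git at the relay rather
# than rewriting the remote URL:
#   git config --global http.proxy http://nginx.secure.example:3128
# With an https:// remote, git then tunnels to the-gitlab-host:443 through
# nginx and squid; the 443 reverse proxy block is no longer involved.
```

Check with "nginx -t" after editing: a stream block nested inside http fails the syntax check, and "allow"/"deny" in the stream server context require nginx built with the stream access module (on by default in stock builds).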