Forum Discussion
How to tell nginx to use a forward proxy to reach a specific destination
- Nov 09, 2022
Seems I have also made a mistake. Setting a proxy for git makes it treat NGINX as a forward proxy. The issue with this is that NGINX is a reverse proxy. In effect it acts as an endpoint for the forward proxy you are trying to reach.
The error is due to NGINX trying to interpret a forward proxy request. So I figure we need to tell it not to do any processing on the traffic, and we do that with the stream block, which passes the TCP stream directly to the destination.

    stream {
        upstream web_server {
            # Our web server, listening for SSL traffic
            # Note the web server will expect traffic
            # at this xip.io "domain", just for our
            # example here
            server PROXYIP:PROXYPORT;
        }
        server {
            listen 443;
            proxy_pass web_server;
        }
    }
The issue with this is it intercepts ALL traffic on 443. If you don't want that, then have it listen on a different port and adjust the .gitconfig to specify its proxy on the new port. You cannot tell it to match a name because at the TCP layer there is no server name.
In order to pick up the request for gitlab you need to specify the server_name to match.

    server_name the-gitlab-host;
Secondly you need to specify the forward proxy IP address (x.x.x.x) and not name. Then tell NGINX to use the original host. I've included some other useful settings as well.
    proxy_set_header Host $http_host;
    proxy_connect_timeout 60;
    proxy_read_timeout 60;
    proxy_send_timeout 60;
    proxy_intercept_errors off;
    proxy_http_version 1.1;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_pass https://x.x.x.x:443;
Now when the request arrives at NGINX it will match the server name and forward it to the forward proxy leaving the Host intact. Documentation available here - https://docs.nginx.com/nginx/admin-guide/web-server/reverse-proxy/
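The two approaches in the reply above, laid out as one complete configuration. This is an added example, not the original poster's config: the proxy address 10.0.0.5:3128, the passthrough port 8443, the TLS port 10.0.0.5:443 on the proxy, the name proxy.internal and the certificate paths are all assumptions for illustration. Variant 1 is what git's http.proxy points at; variant 2 is what a DNS alias for the-gitlab-host pointing at nginx needs, and it adds the upstream certificate checks a practitioner would want on top of the settings in the reply.

```nginx
# Added example (not from the original post). Assumed values: forward proxy
# at 10.0.0.5 (plain proxy port 3128, TLS port 443), passthrough port 8443,
# GitLab name the-gitlab-host, certificate paths under /etc/nginx/certs.

# Variant 1: raw TCP passthrough on a dedicated port.
# git is configured with  http.proxy = http://<nginx>:8443  and sends its
# CONNECT request to nginx; nginx relays the bytes unparsed to the real
# forward proxy. Because this is a separate port, 443 stays free for the
# http{} virtual hosts below instead of being intercepted wholesale.
stream {
    upstream forward_proxy {
        server 10.0.0.5:3128;       # assumed forward proxy address
    }
    server {
        listen 8443;                # assumed passthrough port
        proxy_connect_timeout 10s;
        proxy_timeout 60s;          # idle timeout for the relayed session
        proxy_pass forward_proxy;
    }
}

# Variant 2: name-based reverse proxy.
# Secure-zone hosts resolve the-gitlab-host to this nginx, so nginx must
# present a certificate for that name. Only requests whose Host header
# matches are forwarded; everything else hits the catch-all server.
http {
    server {
        listen 443 ssl;
        server_name the-gitlab-host;
        ssl_certificate     /etc/nginx/certs/the-gitlab-host.crt;  # assumed path
        ssl_certificate_key /etc/nginx/certs/the-gitlab-host.key;  # assumed path

        location / {
            proxy_http_version 1.1;
            proxy_set_header Host $http_host;          # keep the original Host
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_connect_timeout 60s;
            proxy_read_timeout 60s;
            proxy_send_timeout 60s;
            proxy_intercept_errors off;

            # nginx opens its own TLS session to the proxy; verify the
            # proxy's certificate instead of the default (no verification).
            proxy_ssl_verify on;
            proxy_ssl_trusted_certificate /etc/nginx/certs/proxy-ca.crt;  # assumed path
            proxy_ssl_server_name on;
            proxy_ssl_name proxy.internal;             # assumed name on the proxy's cert

            proxy_pass https://10.0.0.5:443;           # assumed: proxy terminates TLS here
        }
    }

    # Catch-all: close the connection for any other name on 443.
    server {
        listen 443 ssl default_server;
        server_name _;
        ssl_certificate     /etc/nginx/certs/default.crt;   # assumed path
        ssl_certificate_key /etc/nginx/certs/default.key;   # assumed path
        return 444;
    }
}
```

Two points worth checking before relying on variant 2. First, nginx's proxy_pass sends an ordinary request line with a Host header, not a CONNECT, so the forward proxy must accept that on a TLS-terminated port; if it only speaks CONNECT, use variant 1. Second, proxy_ssl_verify is off by default, so without the three proxy_ssl_* lines nginx would accept any certificate from 10.0.0.5, and the secure-zone clients in turn have to trust the certificate nginx presents for the-gitlab-host, since nginx is terminating their TLS session.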
Hello Kevin.
Thank you for your answer.
For the moment, as the server name, I created a DNS alias which targets the IP of the nginx server.
<ALIAS DNS OF NGINX SERVER>
If I set the server name as the DNS alias of the gitlab host instead, the servers in the secure zone won't go through nginx, will they? They will contact the DNS servers and try to connect directly to the gitlab host, which is not possible because they are in a secure zone without direct access to the gitlab host.
Tell me if I am wrong. How can your solution work when there are DNS servers involved, please?
Best regards.
- LiefZimmerman, Nov 07, 2022, Admin
pepito - your replies were caught in our SPAM system over our weekend. I released them all.
If one of these is best/most complete follow up then you can (or I can) delete the others as duplicates.
Sorry about the hassle.
- pepito, Nov 08, 2022, Altocumulus
Hello Lief, thank you for your answer.
I can edit some of my replies to add "duplicated reply to be removed", but for some other replies I don't have the "Edit reply" option, unfortunately.
You can delete all of my replies except the one from 04-Nov-2022 16:38.
Best regards
- LiefZimmerman, Nov 08, 2022, Admin
Thanks pepito - I think I've got it all sorted out. Thanks for your patience and for contributing to our community.
(Note: The reason you could edit some replies and not others is because there is a time-limit on editing Questions and Replies in our forum. I think the cutoff is 24 calendar hours. This is a feature designed to protect the integrity of a question so MemberA does not edit a question several days after it has been answered in a way that then invalidates any answers.)