Forum Discussion
How to tell nginx to use a forward proxy to reach a specific destination
You have to tell git to use a proxy. Add this to your .gitconfig file using the nginx proxy IP address (not name) and port it is listening on. Post the section below after you have configured it. Return the nginx config to the one I posted as you showed in 1 Your Solution.
[http]
[http "https://github.com"]
    proxy = http://nginx_proxy_address:nginx_proxy_port
In regards to the settings I provided, here is more intel
server_name gitlab-host;
proxy_set_header Host $http_host;
proxy_pass https://<proxy-ip>:<proxy-port>;
Request from client arrives at proxy due to .gitconfig settings. On arrival NGINX tries to match it with a server configuration. It sees this configuration is listening on 443, then it sees this config server name matches the destination host in the request. This tells nginx to use this configuration for the incoming connection.
The proxy_pass directive indicates there is an upstream proxy that needs to be used. So NGINX modifies the request for a proxy destination, much like the client did when it was accessing NGINX. However, being a forward proxy, we do not want that as it will be transparently passing traffic to the internet. So we restore the normal host from the incoming http_request using $http_host. You can try with and without this option to see what works. The forward proxy may accept proxy format requests as well.
Hello!
Thank you for your answer.
Here is the NGINX configuration:
server {
    listen 443 ssl;
    server_name <GITLAB-HOST>;
    ssl_certificate /etc/nginx/certs/mycert.crt;
    ssl_certificate_key /etc/nginx/certs/mykey.key;
    ssl_session_cache shared:SSL:1m;
    ssl_prefer_server_ciphers on;
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log debug;
    location / {
        proxy_set_header Host $http_host;
        proxy_connect_timeout 60;
        proxy_read_timeout 60;
        proxy_send_timeout 60;
        proxy_intercept_errors off;
        proxy_http_version 1.1;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass https://<PROXY-IP>:<PROXY-PORT>;
    }
}
And here is the .gitconfig file from a client:
[http]
    sslCAInfo = <path-to-truststore>
[http "https://<GITLAB-HOST>"]
    proxy = https://<NGINX-HOST-IP>:443
    sslCAInfo = <path-to-truststore>
Here is the git command that I perform on the client and the result:
git clone https://<LOGIN>@<GITLAB-HOST>/myrepo.git
Cloning into 'myrepo'...
fatal: unable to access 'https://<GITLAB-HOST>/myrepo.git/': Failed connect to <GITLAB-HOST>:443; Connection timed out
Here is the version of the git CLI on the client:
git-1.8.3.1-23.el7_8.x86_64
And my version of NGINX on the nginx host:
# nginx -v
nginx version: nginx/1.20.2
I tried something else in my ~/.gitconfig file. I kept only one http section:
[http]
    sslCAInfo = <truststore-path>
    proxy = https://<NGINX-HOST-IP>:443
But now I get an HTTP 400 error when I execute the git command:
git clone https://<LOGIN>@<GITLAB-HOST>/myrepo.git
Cloning into 'myrepo'...
fatal: unable to access 'https://<GITLAB-HOST>/myrepo.git/': Received HTTP code 400 from proxy after CONNECT
And I can see this in the NGINX logs:
2022/11/08 10:25:09 [info] 24032#24032: *1 client sent invalid request while reading client request line, client: <CLIENT-IP>, server: <GITLAB-HOST>, request: "CONNECT <GITLAB-HOST>:443 HTTP/1.1"
Thank you in advance!
- Kevin_Davies, Nov 09, 2022, MVP
Seems I have also made a mistake. In setting a proxy setting for git it treats the NGINX as a forward proxy. The issue with this is NGINX is a reverse proxy. In effect it acts as an endpoint for the forward proxy you are trying to reach.
The error is due to NGINX trying to interpret a forward proxy request. So I figure we need to tell it to not do any processing on the traffic and we do that with the stream command which passes the TCP stream directly to the destination.
stream {
    upstream web_server {
        # Our web server, listening for SSL traffic
        # Note the web server will expect traffic
        # at this xip.io "domain", just for our
        # example here
        server PROXYIP:PROXYPORT;
    }
    server {
        listen 443;
        proxy_pass web_server;
    }
}
The issue with this is it intercepts ALL traffic on 443. If you don't want that then have it listen on a different port and adjust the .gitconfig to specify its proxy on the new port. You cannot tell it to match a name because at the TCP layer there is no server name.
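To make the "client sent invalid request" log entry and the reverse-versus-forward-proxy distinction concrete, here is an added example (not code from the thread or from F5/nginx) that parses nginx error-log lines and classifies each request line by its request-target form: git's http.proxy setting makes the client send a CONNECT (authority-form) request, which an http-context server block cannot serve, while origin-form requests are what a reverse proxy expects. The same check is useful on any reverse proxy for spotting clients that treat it as an open forward proxy; the log lines, host name and client addresses are constructed placeholders.

```python
"""Classify nginx error-log request lines by request-target form.
Added example, not from the thread. Log lines below are constructed."""
import re
from typing import Dict, List

# Fields nginx writes for a "client sent invalid request" event.
LOG_RE = re.compile(
    r'^(?P<ts>\S+ \S+) \[(?P<level>\w+)\] \d+#\d+: \*\d+ (?P<msg>[^,]+), '
    r'client: (?P<client>[^,]+), server: (?P<server>[^,]+), '
    r'request: "(?P<request>[^"]*)"'
)

def request_form(request_line: str) -> str:
    """Return the RFC 7230 request-target form of an HTTP request line."""
    parts = request_line.split(" ")
    if len(parts) != 3:
        return "malformed"
    method, target, _version = parts
    if method == "CONNECT":
        return "authority-form"  # forward-proxy tunnel; what git sends via http.proxy
    if target.startswith("/"):
        return "origin-form"     # the only form an http-context server block serves
    if "://" in target:
        return "absolute-form"   # forward-proxy plain-HTTP request
    return "unknown"

def find_forward_proxy_attempts(log_text: str) -> List[Dict[str, str]]:
    """Return entries whose client treated this nginx as a forward proxy."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        form = request_form(m["request"])
        if form in ("authority-form", "absolute-form"):
            findings.append({"client": m["client"], "server": m["server"],
                             "form": form, "request": m["request"]})
    return findings

# Constructed sample; the first line mirrors the thread's log entry.
SAMPLE_LOG = """\
2022/11/08 10:25:09 [info] 24032#24032: *1 client sent invalid request while reading client request line, client: 10.0.0.5, server: gitlab.example.internal, request: "CONNECT gitlab.example.internal:443 HTTP/1.1"
2022/11/08 10:26:11 [info] 24032#24032: *2 client sent invalid request while reading client request line, client: 10.0.0.6, server: gitlab.example.internal, request: "GET http://example.com/ HTTP/1.1"
2022/11/08 10:27:30 [error] 24032#24032: *3 open() "/var/www/x" failed (2: No such file or directory), client: 10.0.0.7, server: gitlab.example.internal, request: "GET /x HTTP/1.1"
"""

if __name__ == "__main__":
    for f in find_forward_proxy_attempts(SAMPLE_LOG):
        print(f"{f['client']} sent {f['form']} request: {f['request']}")
```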
- pepito, Nov 10, 2022, Altocumulus
Hello Kevin.
I tried your solution and it works fine, thanks for your help!
Best regards.