Forum Discussion
How to tell nginx to use a forward proxy to reach a specific destination
- Nov 09, 2022
Hello !
Thank you for your answer.
Here is the NGINX configuration:
server {
    listen 443 ssl;
    server_name <GITLAB-HOST>;
    ssl_certificate     /etc/nginx/certs/mycert.crt;
    ssl_certificate_key /etc/nginx/certs/mykey.key;
    ssl_session_cache shared:SSL:1m;
    ssl_prefer_server_ciphers on;
    access_log /var/log/nginx/access.log;
    error_log  /var/log/nginx/error.log debug;

    location / {
        proxy_set_header Host $http_host;
        proxy_connect_timeout 60;
        proxy_read_timeout    60;
        proxy_send_timeout    60;
        proxy_intercept_errors off;
        proxy_http_version 1.1;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass https://<PROXY-IP>:<PROXY-PORT>;
    }
}
And here is the .gitconfig file from a client:
[http]
    sslCAInfo = <path-to-truststore>
[http "https://<GITLAB-HOST>"]
    proxy = https://<NGINX-HOST-IP>:443
    sslCAInfo = <path-to-truststore>
Here is the git command that I run on the client and the result:
git clone https://<LOGIN>@<GITLAB-HOST>/myrepo.git
Cloning into 'myrepo'...
fatal: unable to access 'https://<GITLAB-HOST>/myrepo.git/': Failed connect to <GITLAB-HOST>:443; Connection timed out
Here is the version of the git CLI on the client:
git-1.8.3.1-23.el7_8.x86_64
And my version of NGINX on the nginx host:
# nginx -v
nginx version: nginx/1.20.2
I tried something else in my ~/.gitconfig file. I kept only one http section:
[http]
    sslCAInfo = <truststore-path>
    proxy = https://<NGINX-HOST-IP>:443
But now I get an HTTP 400 error when I execute the git command:
git clone https://<LOGIN>@<GITLAB-HOST>/myrepo.git
Cloning into 'myrepo'...
fatal: unable to access 'https://<GITLAB-HOST>/myrepo.git/': Received HTTP code 400 from proxy after CONNECT
And I can see this in the NGINX logs:
2022/11/08 10:25:09 [info] 24032#24032: *1 client sent invalid request while reading client request line, client: <CLIENT-IP>, server: <GITLAB-HOST>, request: "CONNECT <GITLAB-HOST>:443 HTTP/1.1"
Thank you in advance!
Seems I have also made a mistake. In setting a proxy setting for git, it treats NGINX as a forward proxy. The issue with this is that NGINX is a reverse proxy. In effect it acts as an endpoint for the forward proxy you are trying to reach.
The error is due to NGINX trying to interpret a forward-proxy request. So I figure we need to tell it not to do any processing on the traffic, and we do that with the stream directive, which passes the TCP stream directly to the destination:
stream {
    upstream web_server {
        # The forward proxy we actually want to reach.
        # NGINX only relays TCP to it and never parses
        # the CONNECT request inside the stream.
        server PROXYIP:PROXYPORT;
    }
    server {
        listen 443;
        proxy_pass web_server;
    }
}
The issue with this is that it intercepts ALL traffic on 443. If you don't want that, then have it listen on a different port and adjust the .gitconfig to specify its proxy on the new port. You cannot tell it to match a name because at the TCP layer there is no server name.
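A complete passthrough configuration along the lines of the answer above, as an added example that is not part of the original thread. The stream server listens on a dedicated port (8443 here, an assumed value) so it does not capture all of the host's TLS traffic, relays raw TCP to the forward proxy, and limits which client networks may use the relay. That last part matters: a stream server forwards bytes blindly, so anyone who can reach this port gets a tunnel to the forward proxy and, through it, to whatever that proxy permits. The proxy address and the 10.0.0.0/8 client range are placeholders.

```nginx
# Goes in /etc/nginx/nginx.conf at top level, beside http { ... }.
# Added example, not the thread's own config. <PROXY-IP>, <PROXY-PORT>,
# port 8443 and the 10.0.0.0/8 client range are placeholders/assumptions.
stream {
    # Per-connection log so relay use is auditable (who, when, how many bytes)
    log_format relay '$remote_addr [$time_local] $protocol '
                     '$status $bytes_sent $bytes_received $session_time';
    access_log /var/log/nginx/git-relay.log relay;

    upstream forward_proxy {
        # The real HTTP forward proxy, the one that understands CONNECT
        server <PROXY-IP>:<PROXY-PORT>;
    }

    server {
        # Dedicated port: 443 stays free for the reverse-proxy server blocks in http {}
        listen 8443;

        # Only the client networks that need the relay; everyone else is refused
        allow 10.0.0.0/8;
        deny  all;

        # Bound how long a dead proxy or idle tunnel can hold a worker connection
        proxy_connect_timeout 10s;
        proxy_timeout         60s;

        # Raw TCP relay: git's CONNECT request reaches the forward proxy unchanged
        proxy_pass forward_proxy;
    }
}
```

On the client, keep the .gitconfig from the question and change only the port, for example `proxy = https://<NGINX-HOST-IP>:8443`. Before reloading, confirm the build has the stream module: `nginx -V 2>&1 | grep -o with-stream` should print `with-stream`; on distributions that ship it as a dynamic module, add `load_module modules/ngx_stream_module.so;` at the top of nginx.conf. Then run `nginx -t` and reload. Note that nothing in this block terminates TLS: the `ssl_certificate` from the http server block plays no role on port 8443, and the only TLS in play is whatever git and the forward proxy negotiate end to end. The allow/deny list filters by source address only and is not a replacement for authentication on the forward proxy itself.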
- pepito, Nov 10, 2022 (Altocumulus)
Hello Kevin.
I tried your solution and it works fine, thanks for your help !
Best regards.