Forum Discussion

Altocumulus

Oct 28, 2022

How to tell nginx to use a forward proxy to reach a specific destination

Hello. I accidentally closed my previous post, so I recreate this discussion because of the following problem I'm encountering. Here is the situation : I have multiple servers which are in a secu...

application delivery

devops

security

Kevin_Davies
Nov 09, 2022
Seems I have also made a mistake. In setting a proxy setting for git it treats the NGINX as a forward proxy. The issue with this is NGINX is a reverse proxy. In effect it acts as an endpoint for the forward proxy you are trying to reach.

The error is due to NGINX trying to interpret a forward proxy request. So I figure we need to tell it to not do any processing on the traffic and we do that with the stream command which passes the TCP stream directly to the destination.

stream { upstream web_server { # Our web server, listening for SSL traffic # Note the web server will expect traffic # at this xip.io "domain", just for our # example here server PROXYIP:PROXYPORT; } server { listen 443; proxy_pass web_server; } }

The issue with this is it intercepts ALL traffic on 443. If you dont want that then have it listen on a different port and adjust the .gitconfig to specify its proxy on the new port. You cannot tell it to match a name because at the TCP layer there is no server name.

pepito

Altocumulus

Hello !

Thank you for your answer.

Here is NGINX configuration :

server {
  listen 443 ssl;
  server_name <GITLAB-HOST>;

  ssl_certificate /etc/nginx/certs/mycert.crt;
  ssl_certificate_key /etc/nginx/certs/mykey.key;
  ssl_session_cache shared:SSL:1m;
  ssl_prefer_server_ciphers   on;

  access_log /var/log/nginx/access.log;
  error_log  /var/log/nginx/error.log debug;

  location / {
    proxy_set_header Host $http_host;
    proxy_connect_timeout 60;
    proxy_read_timeout 60;
    proxy_send_timeout 60;
    proxy_intercept_errors off;
    proxy_http_version 1.1;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_pass https://<PROXY-IP>:<PROXY-PORT>;
  }
}

And here is the .gitconfig file from a client :

[http]
        sslCAInfo = <path-to-truststore>
[http "https://<GITLAB-HOST>"]
        proxy = https://<NGINX-HOST-IP>:443
        sslCAInfo = <path-to-truststore>

Here is the git command that I perform on the client and the result :

git clone https://<LOGIN>@<GITLAB-HOST>/myrepo.git
Cloning into 'myrepo'...
fatal: unable to access 'https://<GITLAB-HOST>/myrepo.git/': Failed connect to <GITLAB-HOST>:443; Connection timed out

Here is the version of git CLI on the client :

git-1.8.3.1-23.el7_8.x86_64

And my version of NGINX on the nginx host :

# nginx -v
nginx version: nginx/1.20.2

I tried something else in my ~/.gitconfig file. I kept only one http section :

[http]
  sslCAInfo = <truststore-path>
  proxy = https://<NGINX-HOST-IP>:443

But now, I have a 400 http error when I execute the git command :

git clone https://<LOGIN>@<GITLAB-HOST>/myrepo.git
Cloning into 'myrepo'...
fatal: unable to access 'https://<GITLAB-HOST>/myrepo.git/': Received HTTP code 400 from proxy after CONNECT

And I can see this in NGINX logs :

2022/11/08 10:25:09 [info] 24032#24032: *1 client sent invalid request while reading client request line, client: <CLIENT-IP>, server: <GITLAB-HOST>, request: "CONNECT <GITLAB-HOST>:443 HTTP/1.1"

Thank you in advance !

Kevin_Davies

MVP

Nov 09, 2022

Seems I have also made a mistake. In setting a proxy setting for git it treats the NGINX as a forward proxy. The issue with this is NGINX is a reverse proxy. In effect it acts as an endpoint for the forward proxy you are trying to reach.

The error is due to NGINX trying to interpret a forward proxy request. So I figure we need to tell it to not do any processing on the traffic and we do that with the stream command which passes the TCP stream directly to the destination.

stream {
    upstream web_server {
        # Our web server, listening for SSL traffic
        # Note the web server will expect traffic
        # at this xip.io "domain", just for our
        # example here
        server PROXYIP:PROXYPORT;
    }

    server {
        listen 443;
        proxy_pass web_server;
    }
}

The issue with this is it intercepts ALL traffic on 443. If you dont want that then have it listen on a different port and adjust the .gitconfig to specify its proxy on the new port. You cannot tell it to match a name because at the TCP layer there is no server name.

pepito
Altocumulus
Nov 10, 2022
Hello Kevin.
I tried your solution and it works fine, thanks for your help !
Best regards.

Recent Discussions

Under Attack? F5 Will Help You.
Contacting F5 Support?

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

Forum Discussion

How to tell nginx to use a forward proxy to reach a specific destination

Recent Discussions

Background Tasks

Which process is consuming higher CPU

SSL bridging without SSL proxy forward

Big-IP VE edition for MacBook M4 Chip

Client SSL Profile set to Require Client Certificate breaks RDP in APM

Related Content

Different policies same destination and pool

Block destination IP by source IP

Forwarding IP recommendations - using destination /32

check the utilization on specific node

Nodes forwarding

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS