Forum Discussion

pepito
Nov 07, 2022

Small question related to proxy_set_header Host

Hello.

I am creating this discussion following another one here.

Every time I tried to reply, my reply was automatically removed, I don't know why.

Here is my situation: I'm trying to use nginx as a reverse proxy to redirect HTTP requests from clients to a GitLab host, through a forward proxy.

Clients in secure zone -> HTTPS Nginx host -> HTTPS Forward Proxy -> HTTPS Gitlab host.

I tried the following configuration:

  • <DNS-ALIAS-NGINX-GITLAB> is a specific DNS alias I created which targets the nginx host.
  • <GITLAB-HOST> is the GitLab host myhost:443. I added the port because the listening port of the GitLab host is 443 while the listening port of the forward proxy is something else.
  • <PROXY-IP> and <PROXY-PORT> are respectively the IP and the listening port of the forward proxy.

server {
  listen 443 ssl;
  server_name <DNS-ALIAS-NGINX-GITLAB>;

  ssl_certificate /etc/nginx/certs/mycrt.crt;
  ssl_certificate_key /etc/nginx/certs/mykey.key;
  ssl_session_cache shared:SSL:1m;
  ssl_prefer_server_ciphers   on;

  access_log /var/log/nginx/mysite.access.log;
  error_log  /var/log/nginx/mysite.error.log debug;

  location / {
    proxy_set_header Host <GITLAB-HOST>:443;
    proxy_connect_timeout 60;
    proxy_read_timeout 60;
    proxy_send_timeout 60;
    proxy_intercept_errors off;
    proxy_http_version 1.1;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_pass https://<PROXY-IP>:<PROXY-PORT>;
  }
}

Unfortunately, when I try a git clone command from a client, I encounter a 502 HTTP error from the client's perspective, and the following error message in the nginx logs:

2022/11/04 16:16:23 [error] 18473#18473: *1 SSL_do_handshake() failed (SSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol) while SSL handshaking to upstream, client: <CLIENT-IP>, server: <DNS-ALIAS-NGINX-GITLAB>, request: "GET /myrepo.git/info/refs?service=git-upload-pack HTTP/1.1", upstream: "https://<PROXY-IP>:<PROXY-PORT>/myrepo.git/info/refs?service=git-upload-pack", host: "<DNS-ALIAS-NGINX-GITLAB>"

I was wondering what the problem with my nginx configuration is.

Should I maybe try the following:

Clients in secure zone -> HTTP Nginx host -> HTTP Forward Proxy -> HTTPS Gitlab host


Thank you in advance for your help!

Best regards.
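
Added example, not part of the original post: OpenSSL reports "unknown protocol" in SSL23_GET_SERVER_HELLO when the bytes it receives in reply to its ClientHello do not parse as a TLS record. The Python sketch below sends a ClientHello to a host and port given on the command line and reports whether the first reply bytes are TLS or plaintext HTTP; the function names and the sample replies are this example's own, constructed for illustration.

```python
import socket
import ssl
import sys

def client_hello(sni: str = "probe.invalid") -> bytes:
    """Build a real TLS ClientHello in memory, without any network I/O."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=sni)
    try:
        tls.do_handshake()  # stops once it needs the server's reply
    except ssl.SSLWantReadError:
        pass
    return outgoing.read()

def classify_first_bytes(data: bytes) -> str:
    """Classify the first bytes a port sends back after a ClientHello."""
    if not data:
        return "closed"
    # TLS record header: content type (21 alert, 22 handshake), then version 3.x
    if len(data) >= 3 and data[0] in (0x15, 0x16) and data[1] == 0x03 and data[2] <= 0x04:
        return "tls"
    if data.startswith(b"HTTP/"):
        return "plaintext-http"  # the listener answered the handshake in clear text
    return "unknown"

def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Send a ClientHello to host:port and classify what comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(client_hello(host))
        try:
            return classify_first_bytes(sock.recv(16))
        except socket.timeout:
            return "no-reply"
        except ConnectionResetError:
            return "closed"

# Constructed sample replies (not captured from any real host)
SAMPLES = {
    "TLS ServerHello record": bytes.fromhex("160303004a02"),
    "TLS alert record": bytes.fromhex("1503030002"),
    "plaintext HTTP error": b"HTTP/1.1 400 Bad Request\r\n",
}

if __name__ == "__main__":
    if len(sys.argv) == 3:
        print(probe(sys.argv[1], int(sys.argv[2])))
    else:
        for label, raw in SAMPLES.items():
            print(f"{label}: {classify_first_bytes(raw)}")
```

A result of `plaintext-http` for the address used in `proxy_pass https://...` means that listener does not accept TLS on that port.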