
pepito
Nov 07, 2022
Solved

Small question related to proxy_set_header Host

Hello.

I am creating this discussion following another one here.

Every time I tried to reply, my reply was automatically removed; I don't know why.

Here is my situation: I'm trying to use nginx as a reverse proxy to redirect HTTP requests from clients to a GitLab host, through a forward proxy.

Clients in secure zone -> HTTPS Nginx host -> HTTPS Forward Proxy -> HTTPS Gitlab host.

I tried the following configuration:

  • <DNS-ALIAS-NGINX-GITLAB> is a specific DNS alias I created which targets the nginx host.
  • <GITLAB-HOST> is the GitLab host myhost:443. I added the port because the listening port of the GitLab host is 443 while the listening port of the forward proxy is something else.
  • <PROXY-IP> and <PROXY-PORT> are respectively the IP and the listening port of the forward proxy.

server {
  listen 443 ssl;
  server_name <DNS-ALIAS-NGINX-GITLAB>;

  ssl_certificate /etc/nginx/certs/mycrt.crt;
  ssl_certificate_key /etc/nginx/certs/mykey.key;
  ssl_session_cache shared:SSL:1m;
  ssl_prefer_server_ciphers   on;

  access_log /var/log/nginx/mysite.access.log;
  error_log  /var/log/nginx/mysite.error.log debug;

  location / {
    proxy_set_header Host <GITLAB-HOST>:443;
    proxy_connect_timeout 60;
    proxy_read_timeout 60;
    proxy_send_timeout 60;
    proxy_intercept_errors off;
    proxy_http_version 1.1;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_pass https://<PROXY-IP>:<PROXY-PORT>;
  }
}

Unfortunately, when I try a git clone command from a client, I encounter a 502 HTTP error from the client perspective, and the following error message in the nginx logs:

2022/11/04 16:16:23 [error] 18473#18473: *1 SSL_do_handshake() failed (SSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol) while SSL handshaking to upstream, client: <CLIENT-IP>, server: <DNS-ALIAS-NGINX-GITLAB>, request: "GET /myrepo.git/info/refs?service=git-upload-pack HTTP/1.1", upstream: "https://<PROXY-IP>:<PROXY-PORT>/myrepo.git/info/refs?service=git-upload-pack", host: "<DNS-ALIAS-NGINX-GITLAB>"

I was wondering what the problem is with my nginx configuration?

Should I try the following, maybe:

Clients in secure zone -> HTTP Nginx host -> HTTP Forward Proxy -> HTTPS Gitlab host

Thank you in advance for your help!

Best regards.
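
Added example, not part of the original post: a Python probe that attempts the same TLS handshake that `proxy_pass https://<PROXY-IP>:<PROXY-PORT>` makes nginx attempt, to check whether that port speaks TLS at all. The `unknown protocol` error in the log above is what OpenSSL reports when the peer's reply to the ClientHello is not a TLS record. The names `start_plaintext_stub` and `probe_upstream` and the loopback listener are constructed for illustration.

```python
import socket
import ssl
import threading


def start_plaintext_stub():
    """Constructed stand-in for a proxy port that speaks plain HTTP, not TLS."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listener closed
                return
            with conn:
                conn.recv(4096)  # the client's TLS ClientHello, not valid HTTP
                conn.sendall(b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def probe_upstream(host, port, timeout=5.0):
    """Attempt the TLS handshake that `proxy_pass https://host:port` implies.

    Returns "tls" if the handshake completes, "not-tls" if it fails at the TLS
    layer (for example the peer answered in plaintext), and "unreachable" on a
    connection failure or timeout.
    """
    ctx = ssl.create_default_context()
    # Probe only: this tests which protocol the port speaks, not who the peer is.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw):
                return "tls"
    except ssl.SSLError:  # must precede OSError, which it subclasses
        return "not-tls"
    except OSError:
        return "unreachable"


if __name__ == "__main__":
    listener, port = start_plaintext_stub()
    print(probe_upstream("127.0.0.1", port))
    listener.close()
```

Run against the real proxy address from the nginx host, a result of "not-tls" means the `https://` scheme in `proxy_pass` does not match what that port speaks.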