Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Nginx reverse proxy back-circle to localhost in configuration? #1

Open
SaschaMuehl opened this issue Jan 18, 2021 · 7 comments
Open

Nginx reverse proxy back-circle to localhost in configuration? #1

SaschaMuehl opened this issue Jan 18, 2021 · 7 comments
Assignees
@totallytot

Comments

@SaschaMuehl
Copy link

First of all, thank you for sharing your configurations.

I tried to set up Jira in my LEMP-Stack but fail on my reverse NGINX proxy. After trying to set up the proxy i.a.w. Configure Jira server to run behind a NGINX reverse proxy | Jira | Atlassian Documentation 

My target is to reach: mypage.de/jiraX

I tried the original Documentation and your config Files but just get back "404 Not Found - nginx" calling
mypage.de/jiraX.

Could you help me please to find the mistake in my settings? It would be awesome. Me and a friend of mine, we want to use the agile platform to bring a volunteering project to the next level. Thank you very much

My blocks are slightly different to yours. I do have a main nginx configuration file mypage.de which catches the http and https requests (including SSL Snippets etc. - works with other apps) und for each "mypage.de/.." an extra file with its own configuration which is leading to internal ports 127.0.0.1:PortX .

I think I my problem is the proxy passing but I'm not sure.

Here are the mentioned Nginx-Configurations
mypage.de.txt
mypage.de_jira.txt

My server.xml looks like this (I enabled http and https Connector):

 <!-- OPTIONAL,Nginx Proxy Connector with https -->
<Connector port="8081" maxThreads="150" minSpareThreads="25" connectionTimeout="20000" enableLookups="false" 
maxHttpHeaderSize="8192" protocol="HTTP/1.1" useBodyEncodingForURI="true" redirectPort="8443" acceptCount="100" 
disableUploadTimeout="true" proxyName="mypage.de" proxyPort="443" scheme="https" secure="true"/>


<Connector port="8080" relaxedPathChars="[]|" relaxedQueryChars="[]|{}^&#x5c;&#x60;&quot;&lt;&gt;" maxThreads="150" minSpareThreads="25" connectionTimeout="20000" enableLookups="false" maxHttpHeaderSize="8192" protocol="HTTP/1.1" useBodyEncodingForURI="true" redirectPort="8443" acceptCount="100" disableUploadTimeout="true" bindOnInit="false" secure="true" scheme="https" proxyName="mypage.de" proxyPort="443"/>

and

<Context path="/jira" docBase="${catalina.home}/atlassian-jira" reloadable="false" useHttpOnly="true">
@totallytot
Copy link
Owner

totallytot commented Jan 18, 2021
edited
Loading

@SaschaMuehl
Looking at mypage.de.txt. There is location block related to Jira:

 location /jiraX {
	  proxy_set_header X-Forwarded-Host $host;
 	  proxy_set_header X-Forwarded-Server $host;
  	  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 
  	  proxy_pass http://127.0.0.1:92;
  	  client_max_body_size 10M;
}

Proxy pass is 127.0.0.1:92. Do you share the same server for Nginx and Jira? If yes, 127.0.0.1 is ok, if no you should use Jira server private IP or DNS record. Also, connector port in your server.xml is 8080, but you are using 92 port as a target in proxy. Use the following pattern for proxy pass:
proxy_pass http://jira_server_private_ip/dns:port_on_which_jira_is_running;

@totallytot totallytot self-assigned this Jan 18, 2021
@SaschaMuehl
Copy link
Author

Thanks for your fast reply @totallytot,
yes it is the same server. I thought until now:

  1. the "general-settings-file" (mypage.de.conf) is listening on DNS (global IP: 111.222.333.444 or mypage.de) on HTTP-Port 80 and HTTPS-Port 443.
  2. If there is a WWW-request the right settings are searched in the location block (here www.mypage.de/jiraX) and the proxy passes to the internal port 127.0.0.1:92 whereas the
  3. "special-settings-file" (mypage.de_jira.conf) is listening on 127.0.0.1:92 to execute at least 127.0.0.1:8080 (My target was to not open the Port 8080 for everybody) at the same time.

(to say www.mypage.de/jiraX:80 or 111.222.333.444/jiraX:80--> 127.0.0.1:92 -->127.0.0.1:8080) Please correct me.

Well it didn't work. So I opened the Port 8080 for anywhere and build a new server block for the Port 8080. This is also not working. Also I decommend the 8181 connector.

I played a bit with and tried to call in browser with "403 Forbidden" result:

  1. http://111.222.333.444/jira:8080;
  2. http://mypage.de/jira:8080;
  3. http://mypage.de/jira

This is the new File: [v2]_mypage.de.txt

What am i doing wrong?

@totallytot
Copy link
Owner

totallytot commented Jan 18, 2021
edited
Loading

@SaschaMuehl
Try to use initial config from mypage.de.txt w/t any extra config for Jira such as caching and so on. If Jira is on the same server, port 8080 should be available for localhost connections only, since you are proxying requests direct access to 8080 for users (8080 to public world) is not required. Also, you have jiraX, but not jira.

Your location block for Jira should look like (rows 187-193):

location /jira {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 
        proxy_pass http://127.0.0.1:8080/jira;
    }

Do not add another server block, just location. If Jira is on another sever, use proxy_pass http://jira_internal_ip:8080/jira; Port 8080 should be open for Nginx server. Also, do not forget about Nginx logs. In this case when you access http://mypage.de/jira you will be redirected to https://mypage.de/jira based on first server block. Afterwards, Nginx will try to match location /jira in second server block and proxy request to 127.0.0.1:8080/jira (or jira_server_ip:8080/jira) and give the output to user's browser.

(to say www.mypage.de/jiraX:80 or 111.222.333.444/jiraX:80--> 127.0.0.1:92 -->127.0.0.1:8080) Please correct me.
I assume mypage.de/jira -> 127.0.0.1:8080/jira or jira_server_ip:8080/jira

@SaschaMuehl
Copy link
Author

@totallytot
I switched everithing back (main-mypage.config@Port 80 and redirected to 443 + jira.config@localhost):
mypage.de.conf.txt
mypage.de_jira.conf.txt
Unfortunately its not working.

proxy_pass http://127.0.0.1:8080/jira; in the first location Block ("location / ") ist working
but with proxy_pass http://127.0.0.1:8080/jira; I get "nginx: [emerg] "proxy_pass" cannot have URI part in location given by regular expression, or inside named location, or inside "if" statement, or inside "limit_except" block in /etc/nginx/conf.d/mypage.de_jira.conf:27" so I changed the other location Block proxy passes to "proxy_pass http://127.0.0.1:8080;"

I tried in Browser:

  1. https://111.222.333.444:8080/ --> https://111.222.333.444/ and "Nginx - 403 Forbidden"
  2. http://mypage.de/jira --> https://127.0.0.1/jirajira
  3. http://mypage.de/jira --> https://127.0.0.1/jirajira

Error Logs after (1):

2021/01/19 21:36:29 [error] 840#840: send() failed (111: Connection refused) while resolving, resolver: 111.222.333.444:53
2021/01/19 21:36:30 [error] 840#840: *127 access forbidden by rule, client: 77.191.190.174, server: mypage.de, request: "GET / HTTP/2.0", host: "111.222.333.444"
2021/01/19 21:36:34 [error] 840#840: send() failed (111: Connection refused) while resolving, resolver: 111.222.333.444:53

The access-Log tells me for myself nothing:
77.191.190.174 - - [19/Jan/2021:21:36:24 +0100] "GET /jira HTTP/1.1" 301 162 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Edg/87.0.664.75" "-"

But (!) the jira.https.access.log is quite strange. There seems to be a circle.
Uploading jira.https.access.log…

@totallytot
Copy link
Owner

totallytot commented Jan 20, 2021
edited
Loading

@SaschaMuehl
What is the reason for proxying to port 92 in mypage.de.conf.txt?

location /jira {
    	proxy_set_header X-Forwarded-Host $host;
     	proxy_set_header X-Forwarded-Server $host;
      	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 
	proxy_pass http://127.0.0.1:92;
      	client_max_body_size 10M;
  }

Why you cannot use proxy_pass http://127.0.0.1:8080/jira; here without adding configs from mypage.de_jira.conf.txt?

@SaschaMuehl
Copy link
Author

SaschaMuehl commented Jan 21, 2021
edited
Loading

@totallytot, sry for the late reply - the work distracted me.
I configured my server according to DECATEC (a German who wrote a Nextcloud install instruction). In his first versions - a couple years ago - he recommended the Main-Gateway with the vHost configuration. Here the sheme.

After setting up:

   	 location ^~ /jira {
    	proxy_set_header X-Forwarded-Host $host;
     	proxy_set_header X-Forwarded-Server $host;
      	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 
	proxy_pass http://127.0.0.1:8080/jira;
      	client_max_body_size 10M;
  	}

I still get passed to https://127.0.0.1/jira (its written in my browser)

Sth. is still wrong with the code I think. According to the access.log I get a lot of inquerries like (...jirajirajirajirajirajira...):
127.0.0.1 - - [19/Jan/2021:21:36:25 +0100] "GET /**jirajirajirajirajirajira** HTTP/1.0" 400 226 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Edg/87.0.664.75"

@totallytot
Copy link
Owner

@SaschaMuehl Current config is not actual for your situation.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@totallytot totallytot

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@totallytot @SaschaMuehl