What's missing here?
The problem does not occur on all devices. Some of them show "This connection is not secure." for Redmine and GitLab, but not for Cockpit. The solution to the riddle is that the rules for GitLab and Redmine are incomplete, so the https requests end up nowhere.
The rules for port 443 (https) are missing. I have now split each configuration into two server blocks:
- Redirect http request to https
- listen to https requests and forward them to the application
This looks now like this:
/etc/nginx/sites-available/gitlab.<myserver> linked to /etc/nginx/sites-enabled/gitlab.<myserver>
# Plain-HTTP listener: serves no content itself, it only sends the client to the
# HTTPS site while preserving the requested path and query string.
server {
    listen      80;
    listen      [::]:80;
    server_name gitlab.<myserver>;

    # The target host is written out literally instead of being taken from the
    # request, so the redirect always points at this site.
    return 301 https://gitlab.<myserver>$request_uri;
}
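# HTTPS requests are terminated here and forwarded to the GitLab container.
# NOTE(review): no ssl_certificate / ssl_certificate_key is visible in this block;
# presumably they are set elsewhere (http context, or added by certbot) - confirm,
# because "listen ... ssl" needs a certificate to complete a handshake.
server {
    listen      443 ssl;
    listen      [::]:443 ssl;
    server_name gitlab.<myserver>;

    location / {
        proxy_pass      http://<docker-net-ip>:<port>;
        proxy_buffering off;

        # Same forwarding headers as the Redmine block. Without them the backend
        # receives the upstream address as Host and cannot tell that the client
        # connected over HTTPS.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        # $proxy_add_x_forwarded_for appends to whatever the client sent, so the
        # backend should trust only the entry added by this proxy (or X-Real-IP).
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Note: You should disable gzip for SSL traffic.
        # See: https://bugs.debian.org/773332
        gzip off;
    }
}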
/etc/nginx/sites-available/redmine.<myserver> linked to /etc/nginx/sites-enabled/redmine.<myserver>
# Plain-HTTP listener: serves no content itself, it only sends the client to the
# HTTPS site while preserving the requested path and query string.
server {
    listen      80;
    listen      [::]:80;
    server_name redmine.<myserver>;

    # The target host is written out literally instead of being taken from the
    # request, so the redirect always points at this site.
    return 301 https://redmine.<myserver>$request_uri;
}
# HTTPS requests are terminated here and forwarded to the Redmine container.
# NOTE(review): no ssl_certificate / ssl_certificate_key is visible in this block;
# presumably they are set elsewhere (http context, or added by certbot) - confirm.
server {
    listen      443 ssl;
    listen      [::]:443 ssl;
    server_name redmine.<myserver>;

    location / {
        # Note: You should disable gzip for SSL traffic.
        # See: https://bugs.debian.org/773332
        gzip off;

        # Tell the backend which host and scheme the client used and where the
        # request came from.
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP         $remote_addr;
        # $proxy_add_x_forwarded_for appends to whatever the client sent, so the
        # backend should trust only the entry added by this proxy (or X-Real-IP).
        proxy_set_header X-Forwarded-for   $proxy_add_x_forwarded_for;

        proxy_pass http://<docker-net-ip>:<port>;
    }
}
/etc/nginx/sites-available/cockpit.<myserver> linked to /etc/nginx/sites-enabled/cockpit.<myserver>
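# Plain HTTP is only redirected, in the same way as the GitLab and Redmine sites,
# so the Cockpit login page and session are never served in cleartext.
# cockpit.conf lists only the https:// origin, so nothing useful worked over
# port 80 anyway.
server {
    listen      80;
    listen      [::]:80;
    server_name cockpit.<myserver>;
    return 301 https://cockpit.<myserver>$request_uri;
}

# HTTPS front end for the Cockpit web console.
# NOTE(review): no ssl_certificate / ssl_certificate_key is visible in this block;
# presumably they are set elsewhere (http context, or added by certbot) - confirm.
server {
    listen      443 ssl;
    listen      [::]:443 ssl;
    server_name cockpit.<myserver>;

    location / {
        # Required to proxy the connection to Cockpit.
        # The upstream is HTTPS on loopback; nginx does not verify the upstream
        # certificate unless proxy_ssl_verify is enabled.
        proxy_pass https://127.0.0.1:9090;
        proxy_set_header Host $host;
        # Cockpit reads this header (ProtocolHeader in cockpit.conf) to learn that
        # the client used TLS; setting it here overwrites any client-supplied value.
        proxy_set_header X-Forwarded-Proto $scheme;

        # Required for web sockets to function
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # Pass ETag header from Cockpit to clients.
        # See: https://github.com/cockpit-project/cockpit/issues/5239
        gzip off;
    }
}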
and /etc/cockpit/cockpit.conf
[WebService]
# Origins that are allowed to connect; the first entry is the public HTTPS name
# served by nginx.
# NOTE(review): cockpit.conf(5) says an origin should include the scheme; the second
# entry has none - confirm that it matches anything, or drop it.
Origins = https://cockpit.<myserver> 127.0.0.1:9090
# Cockpit trusts this header to decide whether the client connection used TLS, so
# the proxy must always set it itself (the nginx block does, via proxy_set_header).
# NOTE(review): port 9090 should not be reachable by clients directly, otherwise they
# can supply the header themselves - verify the listen address / firewall.
ProtocolHeader = X-Forwarded-Proto
[Log]
# NOTE(review): cockpit.conf(5) documents Fatal as a list of message kinds
# (criticals, warnings) to treat as fatal, not as a log file path - confirm intent.
Fatal = /var/log/cockpit.log
[Session]
# Idle session timeout; cockpit.conf(5) gives the unit as minutes.
IdleTimeout=15
and for completeness:
/etc/nginx/sites-available/default linked to /etc/nginx/sites-enabled/default
##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# https://www.nginx.com/resources/wiki/start/
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
# https://wiki.debian.org/Nginx/DirectoryStructure
#
# In most cases, administrators will remove this file from sites-enabled/ and
# leave it as reference inside of sites-available where it will continue to be
# updated by the nginx packaging team.
#
# This file will automatically load configuration files provided by other
# applications, such as Drupal or WordPress. These applications will be made
# available underneath a path with that package name, such as /drupal8.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##
# Default server configuration
#
server {
    # Catch-all for plain-HTTP requests whose Host header matches no other
    # server_name.
    listen [::]:80 default_server;
    listen 80 default_server;

    # SSL configuration
    #
    # listen 443 ssl default_server;
    # listen [::]:443 ssl default_server;
    #
    # NOTE(review): with these lines commented out, no server is marked
    # default_server for port 443, so nginx uses the first 443 server it loads as
    # the fallback for unmatched names. If sites-enabled is included in name order
    # that would be the Cockpit site - confirm, and consider a dedicated catch-all.
    #
    # Note: You should disable gzip for SSL traffic.
    # See: https://bugs.debian.org/773332
    #
    # Read up on ssl_ciphers to ensure a secure configuration.
    # See: https://bugs.debian.org/765782
    #
    # Self signed certs generated by the ssl-cert package
    # Don't use them in a production server!
    #
    # include snippets/snakeoil.conf;

    # The "debug" level is very verbose and may record request details; it only
    # takes effect when nginx was built with debug support.
    # NOTE(review): the file name suggests temporary certbot troubleshooting -
    # confirm, and return to a less verbose level afterwards.
    error_log /opt/logs/certbot_error debug;

    root /var/www/html;
}