Join Log in
Score:0
Matt Klein avatar Server

Use NGINX to proxy to upstream HTTPS site not owned by me

jp flag
Matt Klein

NGINX newb here. I'm running NGINX via a SWAG container and have TLS enabled for my server using a Let's Encrypt cert.

What I'm trying to do is proxy https://plantuml.mydomain.com to https://plantuml.com. I've tried multiple variations and followed multiple guides, but thus far have been unable to get this configuration to work.

A few of the pages I've tried to follow:

Here is the config I currently have:

# from /config/nginx/proxy-confs/plantuml.subdomain.conf

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name plantuml.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        resolver 8.8.8.8;

        set $puml plantuml.com;

        proxy_pass                  https://$puml;
        proxy_ssl_server_name       on;
        proxy_ssl_certificate       /config/keys/letsencrypt/fullchain.pem;
        proxy_ssl_certificate_key   /config/keys/letsencrypt/privkey.pem;
        proxy_ssl_session_reuse     on;
    }
}

The above includes are all the SWAG defaults, and other subdomains in this NGINX config, which point to other docker containers in the docker network, proxy correctly.

Here is a trimmed result of what I'm currently getting, with the tl;dr being its a 523

# curl -v https://plantuml.mydomain.com
*   Trying x.x.x.x:443...
* Connected to plantuml.mydomain.com (x.x.x.x) port 443 (#0)
...
* Server certificate:
*  subject: CN=*.mydomain.com
*  start date: Jan 18 08:16:27 2023 GMT
*  expire date: Apr 18 08:16:26 2023 GMT
*  subjectAltName: host "plantuml.mydomain.com" matched cert's "*.mydomain.com"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x480e50)
> GET / HTTP/2
> Host: plantuml.mydomain.com
> user-agent: curl/7.74.0
> accept: */*
> 
...
< HTTP/2 523 
< server: nginx
< date: Fri, 20 Jan 2023 18:21:14 GMT
< content-type: text/plain; charset=utf-8
< content-length: 0
< vary: Accept-Encoding
<

I have the error_log set to info, but there is nothing in there for this call. This entry is in the access.log (call comes from internet via the router at 192.168.50.1):

192.168.50.1 - - [20/Jan/2023:11: -0700] "GET / HTTP/2.0" 523 0 "-" "curl/7.74.0"
154
1 + 2
Jaromanda X avatar
ru flag
Jaromanda X
I believe you don't need any of the `proxy_ssl_*` settings - try without them
0
Reply
ws flag
symcbean
You've got no client facing certificate. The upstream won't respond to these requests unles you rewrite the headers and the returned content won't work as you expect without being rewritten. Sorry but you've got WAY too much to learn before you'll be able to solve problems by relying on simple questions here.
0
Reply
Score:0
Sébastien Barbieri avatar Server
ru flag
Sébastien Barbieri

This come from my PlantUML Docker install page https://blog.sbw.be/scips/2023/install-your-own-plantuml-server-inside-a-docker/389/

And I think the comment underneath are heading to the right way.

Here is my nginx config for plantuml (inside a docker but that's just a matter of port)

upstream jetty {  server 127.0.0.1:8084 weight=100 max_fails=5 fail_timeout=5;}

server {
    listen 443 ssl; # managed by Certbot
    listen [::]:443 ssl; # managed by Certbot

    listen 80;
    listen [::]:80;
     
    server_name plantuml.mycompany.example;
    
    access_log /var/log/nginx/plantuml.mycompany.example.access.log;
    error_log /var/log/nginx/plantuml.mycompany.example.error.log;
    
    # RSA certificate
    ssl_certificate /etc/letsencrypt/live/mycompany.example-0001/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/mycompany.example-0001/privkey.pem; # managed by Certbot

    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
     
    # Redirect non-https traffic to https
    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    location / {
     proxy_set_header X-Forwarded-Host $host;
     proxy_set_header X-Forwarded-Server $host;
     proxy_pass http://jetty/;
     sub_filter '"http://jetty/'  '"/';
     sub_filter_once off;
    }
}

As you can see in the image below:

A deployment diagram of what we are building. A shared folder with the docker. A jetty docker container. And an nginx reverse proxy. All inside a virtual private server.

There is a proxy_pass to HTTP and not to HTTPS.

As people are pointing out there is no need to use HTTP internally.

Also you mention using let's encrypt. You can see that for the let's encrypt configuration the ssl certificates must be in the configuration too, this is mandatory for every subdomain, let's encrypt does not properly and automatically support *.mydomain.com.

So a good habit is to run the certbot each time you have a new subdomain to automatically add the ssl certificate in each subdomain.

I hope this will help.

+ 0
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.