K
Q

nginx reverse proxy to https url on seperate server result in 444 without error

7/21/2018

I spent few hours to understand that problem and seems not documented so I decided to post it here.

I needed to setup a reverse proxy from a domain rancher-gitlab-proxy.mydomain.com and redirect it directly directly to my rancher kubernetes cluster api so it is compatible with gitlab and the kubeclient gem. I used the advices and redirect template from https://github.com/rancher/rancher/issues/13058

Here is my proxy configuration :

server {
    listen       443 ssl http2;

    server_name  rancher-gitlab-proxy.mydomain.com;

    ssl_certificate "/etc/letsencrypt/live/rancher-gitlab-proxy.mydomain.com/fullchain.pem";
    ssl_certificate_key "/etc/letsencrypt/live/rancher-gitlab-proxy.mydomain.com/privkey.pem";

    location / {
        proxy_pass https://rancher.mydomain.com/k8s/clusters/c-abcd/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host rancher.mydomain.com;
        proxy_cache_bypass $http_upgrade;
        proxy_connect_timeout   10;
        proxy_send_timeout      15;
        proxy_read_timeout      20;
    }
}

When I access the url rancher-gitlab-proxy.mydomain.com I only get a nginx access log without any error message generated by nginx

X.X.X.X - - [20/Jul/2018:18:17:51 +0000] "GET / HTTP/1.1" 444 0 "-" "curl/7.29.0" "-"

The request don't reach his destination ( no log generate by the nginx on the destination server ), the request is not proxy_passed by nginx

-- 3pns
gitlab
kubernetes
nginx
reverse-proxy

Similar Questions

How to distribute requests to pods on a Kubernetes service
"Running on Docker with Consul or Eureka" ?
Helm jenkins/latest unable to run docker command
How to enable VT-X/AMD-v on Google Cloud Platform VM's?
Can not find kubeconfig file
Adding insecure registry in containerd
Variable substitution in a configuration file

1 Answer

7/21/2018

What happend is that I was taping the bare url in my browser and also when using the curl command

curl rancher-gitlab-proxy.mydomain.com;

The request is then a http request, however my proxy_pass address is a https url. In this case by default nginx return a code 444, create access log but no error is generated and the request is not proxied. It is confusing due to the lack of error message.

The reason was that my default vhost for port 80 return an error 444.

The fix is to redirect http requests to https and the proxy_pass works normally.

server {
    listen 80;
    server_name rancher-gitlab-proxy.mydomain.com;
    return 301 https://$host$request_uri;
}
server {
    listen       443 ssl http2;

    server_name  rancher-gitlab-proxy.mydomain.com;

    ssl_certificate "/etc/letsencrypt/live/rancher-gitlab-proxy.mydomain.com/fullchain.pem";
    ssl_certificate_key "/etc/letsencrypt/live/rancher-gitlab-proxy.mydomain.com/privkey.pem";

    location / {
        proxy_pass https://rancher.mydomain.com/k8s/clusters/c-abcd/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host rancher.mydomain.com;
        proxy_cache_bypass $http_upgrade;
        proxy_connect_timeout   10;
        proxy_send_timeout      15;
        proxy_read_timeout      20;
    }
}
-- 3pns
Source: StackOverflow