Nginx config to proxy pass to external ip and port (https -> http)

Question

I have a little complicated configuration of services.

My domain (call it "a.team" for now) points to my 1&1 Cloud Server with different services running dockerized fully functional with a dockerized nginx. Many subdomains pointing to docker containers and everything is fine.

Now I got a server at the office, ports 8080, 8090 and 7990 (Atlassian products) with access through the router fw and a static ip (works fine).

I want the cloud Server to manage the domain and proxy like this:

SSL https://jira.a.team to non SSL http://---.---.---.133:8080 (dummy) as a proxy (and for the other products, too)

Nginx is configured to redirect all http to https:

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;  
    return 301 https://$host$request_uri;
}
server {
    listen 443 default_server ssl;
    server_name _;
    ssl_certificate /path/bundle.cer;
    ssl_certificate_key /path/-.a.team_private_key.key;
}

And I want to add the new configuration to the existing ones.

server {
    listen 443 ssl;
    server_name jira.a.team;

    location / {
        proxy_pass http://---.---.---.133:8080;
        proxy_redirect off;
    }
}

I tried many combinations with proxy set headers for host, x-real-ip and x-forwarded-for but all I get is a 504 gateway timeout.

Thank you for helping!

Regards

Answer 1

Try to use the upstream feature in Nginx.

You should know though, when doing proxy pass to external address, you will need to permit outgoing traffic to these ports in your office FWs, as the traffic will be going through the Nginx server.

Configure the server (vhost jira.a.team), note the upstream reference jira_app

server {
  listen       *:443 ssl;
  server_name  jira.a.team;
  ssl on;
  ssl_certificate           ....
  ssl_certificate_key       ....
  ssl_session_cache         ....
  ssl_session_timeout       5m;
  ssl_protocols             TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers               ....
  ssl_prefer_server_ciphers on;
  access_log            /var/log/nginx/....access.log combined;
  error_log             /var/log/nginx/....error.log;
  location / {
    proxy_pass            http://jira_app;
    proxy_read_timeout    90;
    proxy_connect_timeout 90;
    proxy_redirect        off;
    proxy_set_header      Host $host;
    proxy_set_header      X-Real-IP $remote_addr;
    proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header      Proxy "";
  }
  proxy_set_header Host $http_host;
  proxy_set_header X-Forwarded-For $remote_addr;
  proxy_set_header X-Forwarded-Proto $scheme;   
}

Configure upstream

upstream jira_app {
  server     ---.---.---.133:8080  fail_timeout=10s;
}

If you still want to use redirect from HTTP to HTTPs you can do the following as a separate server object:

server {                                                                                                                                                 
 listen *:80;                                                                                                                                           
 server_name           jira.a.team;                                                                                                               
 location / {                                                                                                                                                                                                                                                   
  rewrite ^ https://jira.a.team$request_uri? permanent;                                                                                            
 }                                                                                                                                                      
}