nginx reverse proxy fronting timetrex

timeclock
Posts: 33
Joined: Sun Jul 03, 2016 1:23 pm

Post by timeclock »

All:

Hi Everyone.

We are attempting to use NGINX as a reverse proxy for timetrex. We are having some trouble where users receive 502 Bad Gateway errors.

Here is our server block for review:

#############################################################################

#####################################################
# timetrex (60) **80
#####################################################

server {
    listen 80;
    listen [::]:80;
    server_name timetrex.sub.org;
    return 301 https://$server_name;
    location / {
        proxy_pass https://192.168.1.60;
        proxy_set_header host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        #try_files $uri $uri/ /index.php?q=$uri&$args;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}

#####################################################
# timetrex.sub.org;(60)**443
#####################################################

server {
    listen 443 ssl;
    server_name timetrex.sub.org;

    ssl_protocols TLSv1.2;
    #ssl_protocols TLSv1.3
    ssl_prefer_server_ciphers on;
    #ssl_dhparam /etc/nginx/dhparam.pem; # openssl dhparam -out /etc/nginx/dhparam.pem 4096
    ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
    #ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
    ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
    #ssl_session_timeout 24h;
    ssl_session_timeout 10m;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off; # Requires nginx >= 1.5.9
    ssl_stapling on; # Requires nginx >= 1.3.7
    ssl_stapling_verify on; # Requires nginx >= 1.3.7
    #resolver $DNS-IP-1 $DNS-IP-2 valid=300s; #new item
    resolver_timeout 5s; #new item
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; #new item
    add_header X-Frame-Options DENY; #new item
    add_header X-Content-Type-Options nosniff; #new item
    add_header X-XSS-Protection "1; mode=block"; #new item
    keepalive_timeout 300s;

    ssl_certificate /etc/letsencrypt/live/timetrex.sub.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/timetrex.sub.org/privkey.pem;

    charset utf-8;

    location / {
        include proxy_params;
        proxy_pass https://192.168.1.60;
        #proxy_redirect on;

        # Handle Web Socket connections
        proxy_http_version 1.1;
        #proxy_cache_bypass $http_upgrade; ####new

    }
}
############################################################


Questions:
Has anyone else had a problem with nginx reverse proxy fronting timetrex?

Does my server block pass muster?

Thanks in advance.
mikeb
Posts: 709
Joined: Thu Jul 27, 2006 11:58 am

Re: nginx reverse proxy fronting timetrex

Post by mikeb »

While I can't speak to the NGINX setup itself, TimeTrex does need to be configured to function properly behind a reverse proxy, by setting the following in the timetrex.ini.php file:

Code:

[other]
proxy_ip_address_header_name = 'HTTP_X_FORWARDED_FOR'
proxy_protocol_header_name = 'HTTP_X_FORWARDED_PROTO'

I doubt that will help with the 502 Bad Gateway errors, as that is likely to do with your NGINX setup being incorrect, but the above will at least help once you get the reverse proxy working.
TimeTrex Community Edition is developed and supported by volunteers.
Help motivate us to continue by showing your appreciation!
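
Added example, not part of either post and not TimeTrex or nginx project code: a small check that the headers nginx sets with proxy_set_header are the ones the timetrex.ini.php settings above name, using the CGI convention that a request header X-Forwarded-For reaches PHP as HTTP_X_FORWARDED_FOR. The sample inputs are constructed from directives quoted in this thread, and the function names are hypothetical.

```python
import re

# Constructed sample: header directives taken from the port 80 location
# block posted in this thread.
NGINX_CONF = """
location / {
    proxy_pass https://192.168.1.60;
    proxy_set_header host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
}
"""

# The two settings from the reply above.
TIMETREX_INI = """
[other]
proxy_ip_address_header_name = 'HTTP_X_FORWARDED_FOR'
proxy_protocol_header_name = 'HTTP_X_FORWARDED_PROTO'
"""

def cgi_name(header):
    """CGI/PHP name for a request header: X-Real-IP -> HTTP_X_REAL_IP."""
    return "HTTP_" + header.upper().replace("-", "_")

def headers_set_by_nginx(conf):
    """Map CGI name -> header name for every active proxy_set_header."""
    found = {}
    for line in conf.splitlines():
        line = line.split("#", 1)[0]  # ignore commented-out directives
        m = re.match(r"\s*proxy_set_header\s+(\S+)\s+\S", line)
        if m:
            found[cgi_name(m.group(1))] = m.group(1)
    return found

def headers_expected_by_timetrex(ini):
    """Map ini setting -> CGI name for the proxy_*_header_name settings."""
    pat = r"^\s*(proxy_\w+_header_name)\s*=\s*['\"]?(\w+)"
    return dict(re.findall(pat, ini, flags=re.M))

def missing_headers(conf, ini):
    """ini settings whose header the nginx block never sets itself."""
    sent = headers_set_by_nginx(conf)
    wanted = headers_expected_by_timetrex(ini)
    return sorted(k for k, v in wanted.items() if v not in sent)

if __name__ == "__main__":
    for setting in missing_headers(NGINX_CONF, TIMETREX_INI):
        print("nginx never sets the header named by", setting)
```

The check does not follow include directives, so for the 443 block the contents of proxy_params would have to be pasted in as well. A header that nginx does not set itself is forwarded as the client sent it, so a mismatch means TimeTrex would read a client-supplied value for that setting.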