
nginx reverse proxy fronting timetrex

Posted: Wed Jul 10, 2019 6:34 am
by timeclock
All:

Hi Everyone.

We are attempting to use NGINX as a reverse proxy for timetrex. We are having some trouble where users receive 502 Bad Gateway errors.

Here is our server block for review:

#############################################################################

#####################################################
# timetrex (60) **80
#####################################################

server {
listen 80;
listen [::]:80;
server_name timetrex.sub.org;
return 301 https://$server_name;
location / {
proxy_pass https://192.168.1.60;
proxy_set_header host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
#try_files $uri $uri/ /index.php?q=$uri&$args;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}

#####################################################
# timetrex.sub.org;(60)**443
#####################################################

server {
listen 443 ssl;
server_name timetrex.sub.org;

ssl_protocols TLSv1.2;
#ssl_protocols TLSv1.3
ssl_prefer_server_ciphers on;
#ssl_dhparam /etc/nginx/dhparam.pem; # openssl dhparam -out /etc/nginx/dhparam.pem 4096
ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
#ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
#ssl_session_timeout 24h;
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx => 1.3.7
#resolver $DNS-IP-1 $DNS-IP-2 valid=300s; #new item
resolver_timeout 5s; #new item
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; #new item
add_header X-Frame-Options DENY; #new item
add_header X-Content-Type-Options nosniff; #new item
add_header X-XSS-Protection "1; mode=block"; #new item
keepalive_timeout 300s;

ssl_certificate /etc/letsencrypt/live/timetrex.sub.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/timetrex.sub.org/privkey.pem;

charset utf-8;

location / {
include proxy_params;
proxy_pass https://192.168.1.60;
#proxy_redirect on;

# Handle Web Socket connections
proxy_http_version 1.1;
#proxy_cache_bypass $http_upgrade; ####new

}
############################################################}


Questions:
Has anyone else had a problem with nginx reverse proxy fronting timetrex?

Does my server block pass muster?

Thanks in advance.

Re: nginx reverse proxy fronting timetrex

Posted: Wed Jul 10, 2019 12:51 pm
by mikeb
While I can't speak to the NGINX setup itself, TimeTrex does need to be configured to function properly behind a reverse proxy, by setting the following in the timetrex.ini.php file:

[other]
proxy_ip_address_header_name = 'HTTP_X_FORWARDED_FOR'
proxy_protocol_header_name = 'HTTP_X_FORWARDED_PROTO'

I doubt that will help with the 502 Bad Gateway errors, as that is likely to do with your NGINX setup being incorrect, but the above will at least help once you get the reverse proxy working.
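
Added example, not part of either post and not TimeTrex or nginx project code: a small check that the headers a proxy location sets line up with the two timetrex.ini.php settings quoted in the reply, which matters because the client IP and protocol TimeTrex records come from them. It assumes the setting values are PHP `$_SERVER` keys (as the `HTTP_` prefix suggests); `check_location` and `cgi_key` are names made up for this sketch, and the sample text is copied from the location blocks in the question.

```python
import re

# Values from the timetrex.ini.php snippet in the reply above.
TIMETREX_KEYS = {
    "proxy_ip_address_header_name": "HTTP_X_FORWARDED_FOR",
    "proxy_protocol_header_name": "HTTP_X_FORWARDED_PROTO",
}

# Location bodies copied from the two server blocks in the question.
PORT_80_LOCATION = """
proxy_pass https://192.168.1.60;
proxy_set_header host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
"""
PORT_443_LOCATION = """
include proxy_params;
proxy_pass https://192.168.1.60;
#proxy_redirect on;
proxy_http_version 1.1;
"""

def cgi_key(header_name):
    """Key under which a CGI-style backend such as PHP exposes a request header."""
    return "HTTP_" + header_name.upper().replace("-", "_")

def check_location(conf):
    """Return (missing, includes) for the text of one nginx location block.

    missing:  TimeTrex settings whose header is not set directly in the block.
    includes: included files that were not inspected and may set it instead.
    """
    # Naive comment stripping: enough for these samples, not for a quoted '#'.
    text = "\n".join(line.split("#", 1)[0] for line in conf.splitlines())
    sent = {cgi_key(name)
            for name in re.findall(r"\bproxy_set_header\s+(\S+)\s+[^;]+;", text)}
    includes = re.findall(r"\binclude\s+([^;\s]+)\s*;", text)
    missing = {opt: key for opt, key in TIMETREX_KEYS.items() if key not in sent}
    return missing, includes

if __name__ == "__main__":
    for label, conf in (("port 80", PORT_80_LOCATION), ("port 443", PORT_443_LOCATION)):
        missing, includes = check_location(conf)
        for opt, key in missing.items():
            note = f" (check included file(s): {', '.join(includes)})" if includes else ""
            print(f"{label}: nothing sets {key} for {opt}{note}")
```

For the port 443 block the result only says the headers are not set in the block itself; the included proxy_params file has to be read to know whether they are set there.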