Integrating into existing reverse proxy setup

Hi,

I try to wrap my head around the configuration of this project in such a way that the existing rev-proxy setup isn’t harmed. Some services {gitlab, discourse} are available with the pattern service.example.org already and nginx relays them to localhost/docker instances, redirects http to https as well as provides the certbot certs.

Access to jitsi docker from LAN works well, but the rev-proxy access via https://meet.example.org fails with:

400 Bad Request
The plain HTTP request was sent to HTTPS port

Any idea what I’m missing?

Here’s the relevant config:

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name meet.example.org;
    server_tokens off; 
    access_log  /var/log/nginx/meet_access.log;
    error_log   /var/log/nginx/meet_error.log;

    location / {
        proxy_redirect off;
        proxy_set_header Host $http_host;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-Ssl on;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass http://localhost:8443;
    }

    ssl_certificate /etc/letsencrypt/live/example.org/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem; # managed by Certbot
}

If such a setup is of broader interest (I think so), I can provide the configuration enhancements, once this is working and I’ve figured out how to push the certbot certs into the jitsi docker setup.

Just guessing here, but you may need to change your proxy_pass from http to https.

No, the idea is to completely handle SSL at the outer level.

For the record, here’s a working config:

server {
    if ($host = meet.example.org) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 0.0.0.0:80;
    listen [::]:80;
    server_name meet.example.org;
    server_tokens off;

    access_log  /var/log/nginx/meet_access.log;
    error_log   /var/log/nginx/meet_error.log;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name meet.example.org;
    server_tokens off;
    
    access_log  /var/log/nginx/meet_access.log;
    error_log   /var/log/nginx/meet_error.log;

    location / {
        proxy_set_header Host $http_host;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-Ssl on;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass http://localhost:8000;
    }

    ssl_certificate /etc/letsencrypt/live/example.org/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem; # managed by Certbot
}

The real magic to get this fully working is using the public IP as DOCKER_HOST_ADDRESS.
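The failing and the working config above differ only in the upstream port: proxy_pass http:// pointed at the container's HTTPS listener (8443) instead of its plain-HTTP listener (8000), which is exactly what nginx's "400 The plain HTTP request was sent to HTTPS port" means. As an added example (not part of this thread), here is a small lint over an nginx server block that flags that scheme/port mismatch and checks that X-Forwarded-Proto is passed on when TLS is terminated at the outer proxy; the config excerpts are constructed from the two posts above, and the port list is an assumption based on the jitsi docker defaults.

```python
import re

# Constructed excerpts of the two configs from the thread: the failing one
# (proxy_pass to the container's HTTPS port) and the working one.
BROKEN_CONF = """
server {
    listen 443 ssl http2;
    server_name meet.example.org;
    location / {
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://localhost:8443;
    }
}
"""
WORKING_CONF = """
server {
    listen 443 ssl http2;
    server_name meet.example.org;
    location / {
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://localhost:8000;
    }
}
"""
# Constructed: right port, but the backend is never told the request was HTTPS.
NO_PROTO_CONF = "server { listen 443 ssl; location / { proxy_pass http://localhost:8000; } }"

PROXY_PASS_RE = re.compile(r"proxy_pass\s+(https?)://([^:/\s;]+)(?::(\d+))?")

def check_tls_termination(conf: str, tls_ports=(443, 8443)) -> list:
    """Return a list of findings for a TLS-terminating nginx server block.

    tls_ports is an assumption: ports the upstream conventionally serves TLS on
    (the jitsi docker image uses 8443 for HTTPS and 8000 for plain HTTP).
    Sending plain HTTP to a TLS port is what produces nginx's
    '400 The plain HTTP request was sent to HTTPS port'.
    """
    findings = []
    terminates_tls = re.search(r"listen\s+[^;]*\bssl\b", conf) is not None
    for scheme, host, port in PROXY_PASS_RE.findall(conf):
        port_num = int(port) if port else (443 if scheme == "https" else 80)
        if scheme == "http" and port_num in tls_ports:
            findings.append(f"proxy_pass http://{host}:{port_num} targets a TLS port; "
                            "use the backend's plain-HTTP port or https://")
    if terminates_tls and "X-Forwarded-Proto" not in conf:
        findings.append("TLS terminated at nginx but X-Forwarded-Proto is not forwarded")
    return findings
```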

Did you find a solution? I have the same problem.

Sure, it’s working fine here. I documented the solution in the message right above yours.

Without further details from your side, it’s hard to say something.

Actually, where do we add these settings?

Well, mine is in /etc/nginx/conf.d/meet.conf on the host.