trx

Webadmin through reverse proxy (NGINX) not accessible


Hi

As far as I know, the webadmin page cannot be accessed via https / ssl yet.

As I'm currently running my plasticscm on a Linux server with nginx handling all incoming requests (and requiring ssl for all ports), I was trying to get access to the webadmin via proxy forwarding. (Internally, nginx connects to the webadmin server normally, in a non-ssl way.)

Unfortunately, the webadmin server does not accept this somehow (I get a 404). I assume the webadmin server blocks proxy requests, but it could also be that my nginx config is not properly set up.

Or do I have to wait until the webadmin supports ssl certificates?

 

best

Fabian


Hi trx,

There are no current restrictions regarding reverse proxies. What you are trying to achieve is a great way to enable SSL access to the webadmin page indeed :)

There must be something wrong, though... could you post your nginx configuration? Also, are there any messages in the Plastic SCM server log?

Thank you!

 

Regards,

Miguel


Okay! I was able to make it work B)

I was trying to use a sub location (servername.com/plasticscm/) with the standard https port, but without the possibility to set a base path in the plastic webadmin it didn't work.

Now I'm using a different port and it seems to work.

thanks anyway


Hello @trx,

that's great! Happy to know you have it working :)

Is there any possibility you could write a list of the steps needed to make it work? I think it will be very useful for the rest of the community.

Thanks in advance.


Sure :P

A few small considerations before you start:

  • I've only tested it on Ubuntu 16.04 LTS (but it should work on any Linux that nginx and plasticSCM support)
  • Try it out in a testing environment first (as usual)
  • Make sure you have an ssl certificate (a signed certificate from a CA is usually a better way than a self-signed one; it can prevent a lot of annoying troubles)
  • Make sure the port you want to use is open in your firewall (I forgot that so many times ;))
  • If your plastic server is on the same machine as nginx, you of course need to choose a different port than the one used by the webadmin server (7178)
  • If you have apache or any other webserver running on your machine, you probably want to decide whether nginx or apache listens on the standard ports (80, 443 etc.). I don't have apache so I can't tell you, but there are a lot of instructions online on how to do it.

 

Just to make sure: the ssl communication is only between the user (browser) and the nginx server; nginx proxy-passes to the webadmin server via http. As long as both are on the same server, it's not a huge security problem.

 

NGINX (https://nginx.org/en/)

So I don't want to go too deep into nginx, as it would be a long story in itself, but anyway, a few small steps if you haven't set up nginx and ssl yet:

 

When you have set up nginx now comes the easy part:

location / {
                proxy_pass http://localhost:7178;
        }

will forward the incoming requests to your locally running plasticSCM webadmin GUI. I have not set any header_set as it seems to work that way.

 

my nginx configuration:

server {
    listen 80 default_server;
    listen [::]:80 default_server;
	
    ## replace that with your incoming domain or ip
    server_name my.domain.name;
  	
    # Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
    return 301 https://$host$request_uri;
}


server {
        ## I use here another port, as I already used the 443 port
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
		
        ## replace that with your incoming domain or ip
        server_name my.domain.name;
		
        # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
        ssl_certificate path/to/ssl-bundle.crt;
        ssl_certificate_key path/to/my_domain_name.key;
        ssl_session_timeout 1d;
        ssl_session_cache shared:SSL:50m;
        #ssl_session_tickets off;

        # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
        ssl_dhparam /etc/nginx/ssl/dhparam.pem;

        # intermediate configuration. tweak to your needs.
        ssl_protocols TLSv1.2;
        ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
        ssl_prefer_server_ciphers on;

        # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
        add_header Strict-Transport-Security max-age=15768000;

        # OCSP Stapling ---
        # fetch OCSP records from URL in ssl_certificate and cache them
        ssl_stapling on;
        ssl_stapling_verify on;

        ## verify chain of trust of OCSP response using Root CA and Intermediate certs
        ssl_trusted_certificate path/to/ssl_trusted_cert_bundle.key;
		
        location / {
                proxy_pass http://localhost:7178;
        }
  		
        ## This does not work yet as i can not set any base path in the plasticSCM webadmin server
        #
        # location /plastic {
        # 	 proxy_pass http://localhost:7178; 
        # }
        ##
}

 

I use a dedicated ssl port for the webadmin as I already use port 443 for other services, and because you cannot set any base path in the webadmin server I cannot use any sub locations. If you use the standard 443 port, I highly recommend you use the http to https redirect (at the beginning of the file) to prevent any unsecured http connection on port 80.

 

hope that helps

best Fabian
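
A hardened variant of the dedicated-port server block from the post above, as an added example that is not the poster's configuration: it sets the forwarding headers the original leaves out, limits which clients can reach the admin UI, and proxies to the loopback address explicitly. Port 8443, the 192.0.2.0/24 admin range and the certificate paths are placeholders, and whether the webadmin reads the X-Forwarded-* headers is an assumption.

```nginx
# Added example, not the poster's configuration.
# Placeholders (assumptions): port 8443, my.domain.name, certificate paths,
# and the admin source range 192.0.2.0/24.
server {
    listen 8443 ssl http2;
    listen [::]:8443 ssl http2;
    server_name my.domain.name;

    ssl_certificate     path/to/ssl-bundle.crt;
    ssl_certificate_key path/to/my_domain_name.key;
    ssl_protocols       TLSv1.2;
    ssl_prefer_server_ciphers on;

    # "always" makes nginx send HSTS on error responses too,
    # not only on 2xx/3xx replies.
    add_header Strict-Transport-Security "max-age=15768000" always;

    location / {
        # This is an administration interface: allow only the admin
        # network and reject everyone else with 403.
        allow 192.0.2.0/24;
        deny  all;

        # Plain HTTP on the loopback interface only; 127.0.0.1 avoids
        # "localhost" resolving to an address the backend is not bound to.
        proxy_pass http://127.0.0.1:7178;

        # $http_host keeps the non-standard port the client used, so any
        # absolute URL the backend builds from Host still points at 8443.
        proxy_set_header Host              $http_host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Because the hop to port 7178 is plain HTTP, also confirm that 7178 is not reachable from outside the host (firewall rule or loopback-only binding); otherwise the TLS front end can be bypassed.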
