access the rancher server through proxy failed, because rancher server redirect to intranet IP

[hjianhao]

I access the rancher from internet with mydomainname:port (for example 91)
rancher server running on IP 192.168.1.140 (intranet IP)
I am using nginx for proxy, pass the request from port 91 to IP 192.168.1.140:8080

I enter the mydomainname:91 url on browsers, then redirect to 192.168.1.140:8080/static, so this intranet IP can not be accessed from internet.
I think rancher server should not redirect the request to intranet IP and ports.

[ka2er]

+1 definitively need reverse proxy support

[hjianhao]

I do configure a reverse proxy using nginx ( using proxy_pass), but still redirect to intranet IP?

[hjianhao]

When I access the rancher server, When load the homepage, I found the request projects?all=true, request URL is intranet.

[cloudnautique]

How do you have the Nginx proxy configured?
Rancher should obey Host header and X-Forwarded-For.
You will also need a location /v1/subscribe block that handles proxying websocket requests.

[vincent99]

/v1/stats needs WebSockets too.. It would be better to make the whole proxy able to handle them rather than certain URLs that currently need it.

[cloudnautique]

I think if just the proxy_pass setting is used, then the request is made with the host header of the proxy_pass server.

A basic setup that should work, and handle the websockets:

 upstream rancher {
     server rancher1:8080
 }

 server {
     listen 80; 
     server_name rancher.example.com;

       location / {
          proxy_set_header Host $host;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_pass http://rancher;
          proxy_http_version 1.1;
          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Connection "upgrade";
    }

 }

[hjianhao]

@cloudnautique thanks for your reference configuration, it did work.
But there is a little problem, I can not use the 80 port (for conflict reason), so It failed firstly, I change the the proxy_set_header Host $host; to proxy_set_header Host $host:$port; it did work.
thanks again. :)

[deniseschannon]

@hjianhao Since it looks like we've fixed this issue, I'll close it.

[flaccid]

@cloudnautique Thanks for the nginx conf, this worked for me however it ends up redirecting to the public IP after login e.g. http://1.2.3.4:8080/static/services/projects instead of http://foo.com/static/services/projects. Something I am missing?

[cloudnautique]

Was the github callback setup with the ip?

[flaccid]

@cloudnautique yes - do you recommend disabling access control and re-set it up to solve?

[vincent99]

Yes; GitHub always sends you back to the URL configured in the application you create.

[flaccid]

Ok, I tried but now its stuck in some weird state always going to Error and so i went to the settings/auth URL manually and tried to auth but the whole page didn't load and now all URLs are stuck on:

Error
GitHubError (503)
Non-200 Response from Github
Reload to try again or log out

[flaccid]

Ok, so I have fixed that up by upgrading but when accessing with the reverse proxy (and I also employed https forcing), I get:

[Exception... "<no message>" nsresult: "0x805e0006 (<unknown>)" location: "JS frame :: https://releases.rancher.com/ui/0.28.0/assets/vendor.js :: .send :: line 3" data: no]

I actually use a separete nginx container to redirect all http requests to https, the https then terminates with an ELB which then forwards to the nginx conf above.

[winggundamth]

@flaccid I still looking for correct nginx configuration https reverse proxy too. I put the detail here #1151