Cockpit via NGINX - settings make other services not reachable

I have a server (Ubuntu-Server) with some Docker-based servers (Gitlab, Redmine) and NGINX as Proxy.

gitlab.<myserver>    => NGINX -> <docker-net-ip>:port => Gitlab-container  
redmine.<myserver>   => NGINX -> <docker-net-ip>:port => Redmine-container
                                                         SQL-container  
                                                         Certbot  

This works like a charm. Now I want to extend my server by Cockpit Web Service:

cockpit.<myserver>   => NGINX -> localhost:9090       => Cockpit running on the server  
gitlab.<myserver>    => NGINX -> <docker-net-ip>:port => Gitlab-container  
redmine.<myserver>   => NGINX -> <docker-net-ip>:port => Redmine-container
                                                         SQL-container  
                                                         Certbot  

I added an extra NGINX rule (corresponding to https://github.com/cockpit-project/cockpit/wiki/Proxying-Cockpit-over-NGINX) for cockpit and then cockpit comes available but neither Redmine nor Gitlab. If I remove the rule, it's vice versa.

In /etc/nginx/sites-available/ and /etc/nginx/sites-enabled/ the following NGINX rules are stored:

gitlab.<myserver>

server {

    listen 80;
    listen [::]:80;

    server_name gitlab.<myserver>;

    location / {
        proxy_pass         http://<docker-net-ip>:port;
        proxy_buffering    off;
        proxy_set_header   X-Real-IP       $remote_addr;
    }
}

redmine.<myserver>

server {

    listen 80;
    listen [::]:80;

    server_name redmine.<myserver>;

    location / {
        proxy_pass         http://<docker-net-ip>:port;
        proxy_set_header   Host                $host;
        proxy_set_header   X-Real-IP           $remote_addr;
        proxy_set_header   X-Forwarded-for     $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto   $scheme;
    }
}

and now I added :
cockpit.<myserver>

server {
    listen         80;
    listen         443 ssl;

    server_name    cockpit.<myserver>;

    location / {
        # Required to proxy the connection to Cockpit
        proxy_pass https://127.0.0.1:9090;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Required for web sockets to function
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # Pass ETag header from Cockpit to clients.
        # See: https://github.com/cockpit-project/cockpit/issues/5239
        gzip off;
    }
}

and /etc/cockpit/cockpit.conf

[WebService]
Origins = https://cockpit.<myserver> 127.0.0.1:9090
ProtocolHeader = X-Forwarded-Proto

[Log]
Fatal = /var/log/cockpit.log

[Session]
IdleTimeout=15

What's missing here?


What's missing here?

The problem occurs not on all devices. Some show up that "This connection is not secure." for redmine and gitlab. But cockpit does not. The solution to the riddle is now, that the rules for Gitlab and Redmine are not complete and the https requests become stuck in nowhere.

The rules for port 443 (https) are missing. Now I changed the blocks into two:

  1. Redirect http request to https
  2. listen to https requests and forward them to the application

This looks now like this:

/etc/nginx/sites-available/gitlab.<myserver> linked to /etc/nginx/sites-enabled/gitlab.<myserver>

# redirect http request to https while keeping the request uri
server {

    listen 80;
    listen [::]:80;

    server_name gitlab.<myserver>;

    return 301 https://gitlab.<myserver>$request_uri;
}

# https requests will forwarded to the server application
server {

    listen 443 ssl;
    listen [::]:443 ssl;

    server_name gitlab.<myserver>;

    location / {
        proxy_pass         http://<docker-net-ip>:<port>;
        proxy_buffering    off;
        proxy_set_header   X-Real-IP       $remote_addr;

        # Note: You should disable gzip for SSL traffic.
        # See: https://bugs.debian.org/773332
        gzip off;
    }
}

/etc/nginx/sites-available/redmine.<myserver> linked to /etc/nginx/sites-enabled/redmine.<myserver>

# redirect http request to https while keeping the request uri
server {

    listen 80;
    listen [::]:80;

    server_name redmine.<myserver>;

    return 301 https://redmine.<myserver>$request_uri;
}

# https requests will forwarded to the server application
server {

    listen 443 ssl;
    listen [::]:443 ssl;

    server_name redmine.<myserver>;

    location / {
        proxy_pass         http://<docker-net-ip>:<port>;
        proxy_set_header   Host                $host;
        proxy_set_header   X-Real-IP           $remote_addr;
        proxy_set_header   X-Forwarded-for     $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto   $scheme;

        # Note: You should disable gzip for SSL traffic.
        # See: https://bugs.debian.org/773332
        gzip off;
    }
}

/etc/nginx/sites-available/cockpit.<myserver> linked to /etc/nginx/sites-enabled/cockpit.<myserver>

server {
    listen         80;
    listen         443 ssl;

    server_name    cockpit.<myserver>;

    location / {
        # Required to proxy the connection to Cockpit
        proxy_pass https://127.0.0.1:9090;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Required for web sockets to function
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # Pass ETag header from Cockpit to clients.
        # See: https://github.com/cockpit-project/cockpit/issues/5239
        gzip off;
    }
}

and /etc/cockpit/cockpit.conf

[WebService]
Origins = https://cockpit.<myserver> 127.0.0.1:9090
ProtocolHeader = X-Forwarded-Proto

[Log]
Fatal = /var/log/cockpit.log

[Session]
IdleTimeout=15

and for beeing complete:
/etc/nginx/sites-available/default linked to /etc/nginx/sites-enabled/default

##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# https://www.nginx.com/resources/wiki/start/
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
# https://wiki.debian.org/Nginx/DirectoryStructure
#
# In most cases, administrators will remove this file from sites-enabled/ and
# leave it as reference inside of sites-available where it will continue to be
# updated by the nginx packaging team.
#
# This file will automatically load configuration files provided by other
# applications, such as Drupal or WordPress. These applications will be made
# available underneath a path with that package name, such as /drupal8.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##

# Default server configuration
#
server {
    listen 80 default_server;
    listen [::]:80 default_server;

    # SSL configuration
    #
    # listen 443 ssl default_server;
    # listen [::]:443 ssl default_server;
    #
    # Note: You should disable gzip for SSL traffic.
    # See: https://bugs.debian.org/773332
    #
    # Read up on ssl_ciphers to ensure a secure configuration.
    # See: https://bugs.debian.org/765782
    #
    # Self signed certs generated by the ssl-cert package
    # Don't use them in a production server!
    #
    # include snippets/snakeoil.conf;

    root /var/www/html;

    error_log /opt/logs/certbot_error debug;
}