Server configuration with reverse proxy returns timeout and proxy errors

Hi @jary! Thanks for laying the groundwork for the upstream SSL features we added to Central v1.2.

Your .env file looks fine to me. I have a very similar config with an nginx proxy routing traffic to two servers. The proxy's nginx config is embedded below. The only difference seems to be I route everything over HTTP, but then in Central's nginx config, we set X-Forwarded-Proto to HTTPS to https.

nginx.conf
server {
    server_name prod.central.example.com;
    location / {
            proxy_pass http://0.0.0.0:8080;
    }
    listen [::]:443 ssl;
    listen 443 ssl;
    ssl_certificate /etc/ssl/certs/example.com.crt;
    ssl_certificate_key /etc/ssl/certs/example.com.key;
    ssl_trusted_certificate /etc/ssl/certs/example.com.pem;
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
    ssl_dhparam /etc/dh/nginx.pem;
}

server {
    server_name test.central.example.com
    location / {
            proxy_pass http://0.0.0.0:9080;
    }
    listen [::]:443 ssl;
    listen 443 ssl;
    ssl_certificate /etc/ssl/certs/example.com.crt;
    ssl_certificate_key /etc/ssl/certs/example.com.key;
    ssl_trusted_certificate /etc/ssl/certs/example.com.pem;
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
    ssl_dhparam /etc/dh/nginx.pem;
}

server {
    if ($host = prod.central.example.com) {
        return 301 https://$host$request_uri;
    }
    if ($host = test.central.example.com) {
        return 301 https://$host$request_uri;
    }
    listen 80 ;
    listen [::]:80 ;
    server_name prod.central.example.com test.central.example.com;
    return 404;
}

What happens if you disable your on-machine firewall entirely as described at https://docs.getodk.org/central-upgrade/#upgrading-to-central-v0-9? iptables interacts with Docker in strange ways...

Is there any chance you are using an external database? Maybe with special characters in the password? If so, see Connection timeout after upgrading to Central v1.2 - #5 by Matthew_White

Are there any other changes to your ~/central directory?

2 Likes