I have an apache2 and nginx webserver running. The apache is listening on port 7080 (http) and 7081 (https). The nginx is running on port 80 (http) and 443 (https/TLS) and runs as reverse proxy for a portal. I created the virtual server “traden.biz” with apache2 as webserver for the website and activated git. I can use git, login, checkin and so on with URL like https://traden.biz:7081/git/gitweb.cgi?p=tradenbiz.git;a=summary. If I use the main URL which shall be used only from nginx https://traden.biz/git/tradenbiz.git/* I get a 401. During activation of the git repo a htpasswd file (git.basic.passwd) was generated and with the apache2 URL everything is running fine. But I wanna use HTTPS (TLS/80) over the NginX Server. Later on I will close the ports 7080 and 7081 to block communication from outside.

Here is a snippet from the apache2 config (7081/HTTPS):
<VirtualHost 116.202.193.58:7081 [2a01:4f8:241:100e::2]:7081>
    SuexecUserGroup "#1024" "#1018"
    ServerName traden.biz
    ServerAlias www.traden.biz
    ServerAlias mail.traden.biz
    ServerAlias webmail.traden.biz
    ServerAlias admin.traden.biz
    DocumentRoot /home/fkrutik/public_html
    ErrorLog /var/log/virtualmin/traden.biz_error_log
    CustomLog /var/log/virtualmin/traden.biz_access_log combined
    ScriptAlias /cgi-bin/ /home/fkrutik/cgi-bin/
    ScriptAlias /awstats/ /home/fkrutik/cgi-bin/
    DirectoryIndex index.php index.php4 index.php5 index.htm index.html
    <Directory /home/fkrutik/public_html>
        Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch
        Require all granted
        AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
    </Directory>
    <Directory /home/fkrutik/cgi-bin>
        Require all granted
        AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
    </Directory>
    SSLEngine on
    SSLCertificateFile /home/fkrutik/ssl.cert
    SSLCertificateKeyFile /home/fkrutik/ssl.key
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLCACertificateFile /home/fkrutik/ssl.ca
    <Location /git/tradenbiz.git>
        <LimitExcept GET HEAD PROPFIND OPTIONS REPORT>
            Require user fkrutik
        </LimitExcept>
        <Limit GET HEAD PROPFIND OPTIONS REPORT>
            Satisfy Any
        </Limit>
        Options ExecCGI FollowSymLinks MultiViews SymLinksIfOwnerMatch
    </Location>
    <Directory "/home/fkrutik/public_html/git">
        Options ExecCGI FollowSymLinks MultiViews SymLinksIfOwnerMatch
    </Directory>
    <Location /git>
        DAV on
        AuthType Basic
        AuthName traden.biz
        AuthUserFile /home/fkrutik/etc/git.basic.passwd
        Require valid-user
        Satisfy All
        RedirectMatch ^/git$ http://traden.biz/git/gitweb.cgi
        RedirectMatch ^/git/$ http://traden.biz/git/gitweb.cgi
        RewriteEngine off
        AddHandler cgi-script .cgi
    </Location>
</VirtualHost>
And the snippet of the NginX Server to reverse proxy the URL for Git above:
server {
    listen 116.202.193.58:443 ssl http2;
    server_name traden.biz;
    server_name www.traden.biz;
    server_name ipv4.traden.biz;
    ssl_certificate /home/fkrutik/ssl.cert;
    ssl_certificate_key /home/fkrutik/ssl.key;
    # ssl_client_certificate /home/fkrutik/ssl.ca;
    client_max_body_size 134217728;
    root "/home/fkrutik/public_html";
    access_log "/home/fkrutik/logs/proxy_access_ssl_log";
    error_log "/home/fkrutik/logs/proxy_ssl_error_log";
    #extension letsencrypt begin
    location ^~ /.well-known/acme-challenge/ {
        root /home/fkrutik/public_html;
        default_type text/plain;
        satisfy any;
        auth_basic off;
        allow all;
        location ~ ^/\.well-known/acme-challenge.*/\. {
            deny all;
        }
    }
    #extension letsencrypt end
    #extension sslit begin
    #extension sslit end
    location / {
        proxy_pass http://172.19.0.4:80;
        proxy_hide_header upgrade;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Accel-Internal /internal-nginx-static-location;
    }
    location ~ /git(/.*) {
        proxy_pass http://116.202.193.58:7080$request_uri;
        proxy_set_header Authorization "";
        proxy_set_header X-Forwarded-User $remote_user;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
The log entry of the proxy_access_ssl_log (nginx) is:
130.180.67.125 - fkrutik [08/May/2023:22:23:51 +0200] "GET /git/gitweb.cgi?p=tradenbiz%2Egit HTTP/2.0" 401 381 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36"
There is no corresponding entry in the apache2 logs.
The NginX location / reverse proxies my Portal running inside a docker container.
The NginX Server terminates SSL and proxies the incoming calls to the HTTP Server config of the apache2 server.
If I use the URL for the NginX server, I get a Login Dialog and if I login with the right user/pwd the dialog pops up again and in the log file of the nginx I see a 401 Http Code. All the files and folders under /home/fkrutik/public_html/git have the owner and group “fkrutik” (the user itself).
Where is the error in my configurations? I need both webservers for different reasons (reverse proxying and standard software running under apache etc.). Also I have several domains which were migrated from plesk to webmin and this configuration was running on the old server.
Kind regards,
Frank
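
A config check for a mismatch visible in the two snippets above, added here as an example and not part of the original post: the nginx `/git` location sets `Authorization` to an empty string, which makes nginx drop that header before proxying, while the Apache `<Location /git>` requires Basic credentials. The excerpts are constructed from the post's configs, the function names are hypothetical, and the path matching is a simple prefix comparison.

```python
import re

# Constructed excerpts: the relevant blocks from the two configs in the post.
NGINX_CONF = r'''
location / {
    proxy_pass http://172.19.0.4:80;
    proxy_set_header Host $host;
}
location ~ /git(/.*) {
    proxy_pass http://116.202.193.58:7080$request_uri;
    proxy_set_header Authorization "";
    proxy_set_header X-Forwarded-User $remote_user;
}
'''
APACHE_CONF = '''
<Location /git>
AuthType Basic
AuthUserFile /home/fkrutik/etc/git.basic.passwd
Require valid-user
</Location>
'''

def nginx_locations(conf):
    """Yield (path, directives) for each non-nested nginx location block."""
    for m in re.finditer(r'location\s+(?:[~^=*]+\s+)?(\S+)\s*\{([^{}]*)\}', conf):
        yield m.group(1), [d.strip() for d in m.group(2).split(';') if d.strip()]

def apache_basic_auth_paths(conf):
    """Return <Location> paths whose block demands Basic credentials."""
    blocks = re.findall(r'<Location\s+(\S+)>(.*?)</Location>', conf, re.S | re.I)
    return [p for p, body in blocks
            if re.search(r'^\s*AuthType\s+Basic', body, re.M | re.I)
            and re.search(r'^\s*Require\s+(valid-user|user\b)', body, re.M | re.I)]

def find_auth_mismatches(nginx_conf, apache_conf):
    """Pairs (nginx location, Apache path): header dropped, but auth required."""
    protected = apache_basic_auth_paths(apache_conf)
    hits = []
    for path, directives in nginx_locations(nginx_conf):
        # An empty value tells nginx not to pass the header upstream at all.
        cleared = any(re.fullmatch(r'proxy_set_header\s+Authorization\s+""', d)
                      for d in directives)
        hits += [(path, p) for p in protected if cleared and path.startswith(p)]
    return hits

if __name__ == "__main__":
    for loc, prot in find_auth_mismatches(NGINX_CONF, APACHE_CONF):
        print(f"nginx {loc!r} drops Authorization; Apache {prot!r} requires Basic auth")
```

The server block shown has no `auth_basic`, so the `$remote_user` value copied into `X-Forwarded-User` is only the user name the client sent and has not been verified by nginx.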