401 HTTP Error during access of git (Apache2 over reverse route of NginX Server)

I have an apache2 and nginx webserver running. The apache is listening on port 7080 (http) and 7081 (https). The nginx is running on port 80 (http) and 443 (https/TLS) and runs as reverse proxy for a portal. I created the virtual server “traden.biz” with apache2 as webserver for the website and activated git. I can use git, log in, check in and so on with a URL like https://traden.biz:7081/git/gitweb.cgi?p=tradenbiz.git;a=summary. If I use the main URL, which shall be used only from nginx, https://traden.biz/git/tradenbiz.git/*, I get a 401. During activation of the git repo a htpasswd file (git.basic.passwd) was generated and with the apache2 URL everything is running fine. But I wanna use HTTPS (TLS/80) over the NginX Server. Later on I will close the ports 7080 and 7081 to block communication from outside. Here is a snippet from the apache2 config (7081/HTTPS):

<VirtualHost 116.202.193.58:7081 [2a01:4f8:241:100e::2]:7081>
    SuexecUserGroup "#1024" "#1018"
    ServerName traden.biz
    ServerAlias www.traden.biz
    ServerAlias mail.traden.biz
    ServerAlias webmail.traden.biz
    ServerAlias admin.traden.biz
    DocumentRoot /home/fkrutik/public_html
    ErrorLog /var/log/virtualmin/traden.biz_error_log
    CustomLog /var/log/virtualmin/traden.biz_access_log combined
    ScriptAlias /cgi-bin/ /home/fkrutik/cgi-bin/
    ScriptAlias /awstats/ /home/fkrutik/cgi-bin/
    DirectoryIndex index.php index.php4 index.php5 index.htm index.html
    <Directory /home/fkrutik/public_html>
        Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch 
        Require all granted
        AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
    </Directory>
    <Directory /home/fkrutik/cgi-bin>
        Require all granted
        AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
    </Directory>

    SSLEngine on
    SSLCertificateFile /home/fkrutik/ssl.cert
    SSLCertificateKeyFile /home/fkrutik/ssl.key
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLCACertificateFile /home/fkrutik/ssl.ca
    <Location /git/tradenbiz.git>
        <LimitExcept GET HEAD PROPFIND OPTIONS REPORT>
            Require user fkrutik
        </LimitExcept>
        <Limit GET HEAD PROPFIND OPTIONS REPORT>
            Satisfy Any
        </Limit>
        Options ExecCGI FollowSymLinks MultiViews SymLinksIfOwnerMatch
    </Location>
    <Directory "/home/fkrutik/public_html/git">
        Options ExecCGI FollowSymLinks MultiViews SymLinksIfOwnerMatch
    </Directory>
    <Location /git>
        DAV on
        AuthType Basic
        AuthName traden.biz
        AuthUserFile /home/fkrutik/etc/git.basic.passwd
        Require valid-user
        Satisfy All
        RedirectMatch ^/git$ http://traden.biz/git/gitweb.cgi
        RedirectMatch ^/git/$ http://traden.biz/git/gitweb.cgi
        RewriteEngine off
        AddHandler cgi-script .cgi
    </Location>
</VirtualHost>

And the snippet of the NginX Server to reverse proxy the URL for Git above:

server {
	listen 116.202.193.58:443 ssl http2;


	server_name traden.biz;
	server_name www.traden.biz;
	server_name ipv4.traden.biz;

	ssl_certificate             /home/fkrutik/ssl.cert;
	ssl_certificate_key         /home/fkrutik/ssl.key;
	# ssl_client_certificate      /home/fkrutik/ssl.ca;

	client_max_body_size 134217728;

	root "/home/fkrutik/public_html";
	access_log "/home/fkrutik/logs/proxy_access_ssl_log";
	error_log "/home/fkrutik/logs/proxy_ssl_error_log";

	#extension letsencrypt begin
	location ^~ /.well-known/acme-challenge/ {
		root /home/fkrutik/public_html;

		default_type text/plain;

		satisfy any;
		auth_basic off;
		allow all;	
		
		location ~ ^/\.well-known/acme-challenge.*/\. {
			deny all;
		}
	}
	#extension letsencrypt end

	#extension sslit begin

	#extension sslit end

	location / {
		proxy_pass http://172.19.0.4:80;
		proxy_hide_header upgrade;
		proxy_set_header Host             $host;
		proxy_set_header X-Real-IP        $remote_addr;
		proxy_set_header X-Forwarded-For  $proxy_add_x_forwarded_for;
		proxy_set_header X-Accel-Internal /internal-nginx-static-location;
	}

	location ~ /git(/.*) {
		proxy_pass http://116.202.193.58:7080$request_uri;
		proxy_set_header Authorization "";
		proxy_set_header X-Forwarded-User $remote_user;
		proxy_redirect off;
		proxy_set_header Host $host;
		proxy_set_header X-Real-IP $remote_addr;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	}
}

The log entry of the proxy_access_ssl_log (nginx) is:

130.180.67.125 - fkrutik [08/May/2023:22:23:51 +0200] "GET /git/gitweb.cgi?p=tradenbiz%2Egit HTTP/2.0" 401 381 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36"

There is no corresponding entry in the apache2 logs.

The NginX location / reverse proxies my Portal running inside a docker container.

The NginX Server terminates SSL and proxies the incoming calls to the HTTP Server config of the apache2 server.

If I use the URL for the NginX server, I get a login dialog, and if I log in with the right user/pwd the dialog pops up again and in the log file of the nginx I see a 401 HTTP code. All the files and folders under /home/fkrutik/public_html/git have the owner and group “fkrutik” (the user itself).

Where is the error in my configurations? I need both webservers for different reasons (reverse proxying and standard software running under apache etc.). Also I have several domains which were migrated from plesk to webmin and this configuration was running on the old server.

Kind regards,

Frank
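
Added example, not part of the original post and not configuration generated by Virtualmin: in nginx, `proxy_set_header` with an empty value removes that header from the proxied request, and the backend's `AuthType Basic` reads only the `Authorization` header, not `X-Forwarded-User`. The block below shows the posted `/git` location beside a pass-through variant; it assumes the port 7080 virtual host carries the same `/git` auth block as the 7081 one shown, and the anchored regex and `X-Forwarded-Proto` line are additions made here.

```nginx
# As posted (kept for comparison): the empty Authorization value means the
# Basic credentials typed into the browser are never sent to Apache, so a
# backend with "Require valid-user" can only answer 401 again.
#
# location ~ /git(/.*) {
#     proxy_pass http://116.202.193.58:7080$request_uri;
#     proxy_set_header Authorization "";
#     proxy_set_header X-Forwarded-User $remote_user;
#     ...
# }

# Pass-through variant: nginx forwards the client's Authorization header
# unchanged by default, so no proxy_set_header line is needed for it.
location ~ ^/git(/|$) {                       # anchored so only /git... matches
    proxy_pass http://116.202.193.58:7080$request_uri;
    proxy_redirect off;

    proxy_set_header Host              $host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;   # backend sees the original scheme

    # Authentication stays with Apache (AuthUserFile git.basic.passwd);
    # nginx does not need auth_basic here.
}
```

With this layout the credentials cross the nginx-to-Apache hop over plain HTTP, so that hop should stay on the host itself once ports 7080 and 7081 are closed to the outside.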

Hi, that is completely unnecessary and complicated, you can do this with 3 lines in Apache config per server…and it will work. However, I suggest you look at the ports - how nginx is talking to Apache and your git and backwards. Are the ports set correctly on each part?

Hi unborn,

as I said, there are different reasons I need Nginx in front and apache in the back. I moved 11 domains from Plesk to virtualmin and this configuration was set as standard on the old server and I have several platforms which are reverse proxied by Nginx. I can’t switch to the “easy” installation on apache only. Then I have the problem of moving 11 domains to the “easy” setup. Also, Nginx is in several situations the faster webserver. But that’s unimportant for me at the moment.

If you have a solution I will be happy :wink:

The “layout” is (10,000 ft. overview) something like that:

nginx → apache → standard platforms like wordpress
|
V
special platforms like a self developed platform in docker compose, or like netdata for monitoring & reverse proxy for git “under” apache2

Another idea could be git under nginx directly. Then I have to skip gitweb. This I have to deactivate in the virtual server settings in virtualmin.

If you have an idea you’re welcome :slight_smile:

Regards,

Frank

Hi Frank, sure I understand. I would go this way of course if possible for you and yours is self hosted (from home like mine)…

Virtualmin as main server with Apache of course for classic hosting purposes. I do not like gitweb so I use gitea. I run it on the same box as virtualmin (yap bare metal hw) and proxy out via subdomain with let’s encrypt fully working. Then I have another bare metal server not available on a public IP but rather via Apache proxy on a domain set up on virtualmin, which is on a public IP of course. That second server is for testing, development etc. I know I could use some virtualization here and there but it happens that I have a bare metal machine doing nothing. I hope it makes sense to you.

So nginx proxy manager with SSL for front end and from there you can proxy any domain to any ip:port service you have. You can install proxmox and spin as many virtual servers (machines) you need. I would say one server with Apache be it with virtualmin and other with nginx. Nginx proxy manager will only point domain to correct server/ip/services and will manage let’s encrypt. Is this something you need?

Hi unborn,

my problem is the server is in a German datacenter. I also have a bare metal server. For the “other” tasks I have my own test server running under the desk (without any administration desktops) with Mint Linux. It also has an nginx in front and an apache2 in the back. But not as complicated as my “production” server.

On my production server (running virtualmin) I don’t need a webgit at all. But it could be nice. Don’t misunderstand me, but I don’t have a solution at all.

If I need a new virtual server I can use the standard settings of virtualmin to activate git. Also handy if you migrate 11 websites (not all have git repos :slight_smile: ).
But the apache is running on port 7081/7081. Afterwards I have to add a configuration with a reverse route to nginx. That’s not the problem. But I can’t pass the authentication through the nginx. I also tried an nginx config where you can set the Auth-Header with base64 encoded uid/pwd, but it doesn’t work either. The port from the reverse route to the apache2 is correct. I can log in to git over Apache2 if I use the URL with the port 7080/7081. The git over Apache2 is running. But not the reverse route from the nginx to the apache2… Every time I wanna log in, I get a 401 from nginx and there’s no entry in the apache2 logs. That’s evidence the call doesn’t reach the apache2 server…

It seems virtualmin is not the right solution for such settings. It can’t handle nginx in front of apache2. For me that is ok. I can handle the “rest” on the command line. But it’s a pity virtualmin can’t handle it. I don’t like plesk administration…

I need virtualmin to be faster than on the console and so I can batch migrate servers. I wanna be able to do this in seconds, not in months. :wink:

I also have no problem buying a pro version of virtualmin, but I have to have a solution for my problem. If I see virtualmin is a reliable tool, I will buy it.

Regards, Frank

401 means unauthorized. I think you need to have a look at your nginx proxy as it is not passing data correctly to Apache in and out. Unfortunately I’m an Apache guy. Perhaps someone more knowledgeable with nginx could help?

Hi unborn,

I know that 401 means unauthorized. I don’t have time left. I do not use apache2 git administration over virtualmin anymore. I added the configuration directly in nginx. Now it’s running.

Thank you for your (mental) support :slight_smile:
