Have Octopus deploy setup on http://localhost:8080 behind nginx reverse proxy.
When trying to login using google apps authentication get redirected to http://[machine_name]:8080/api/users/authenticate/GoogleApps… instead of actual domain name
nginx config :
server {
listen 443 ssl;
server_name octopus.example.com;
ssl on;
location / {
proxy_pass http://vm01:8080;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_cookie_domain $host octopus.example.com;
}
}
Hi Nikolai,
Thanks for getting in touch! Sorry to hear that you’re having trouble with the google apps authentication.
We dont explicitly look for the X-Forwarded-Host
header. Can you try adding:
proxy_set_header HOST $http_host;
to the proxy config? That should override the detected host and Octopus should then work.
Let me know how it goes!
Regards,
Matt
It works for host name but not for port. I get correct host in redirect url but port is still local.
something like this
octopus.example.com:8080/api/users/authenticate/GoogleApps
but should be
https://octopus.example.com/api/users/authenticate/GoogleApps
Hi Nikolai,
Great to hear - we’re getting closer.
Can you try changing it to:
proxy_set_header Host $host:$server_port;
instead?
Let me know how it goes.
Matt
still the same, port 8080 instead of correct one
Hi Nikolai,
Unfortunately, while I know a bit about nginx, I’m far from an expert.
That said, this serverfault question suggests using $http_host
instead of $host
. In that case, you wouldn’t need the :$server_port
part.
Hope that helps!
Regards,
Matt
$http_host not working as well. Looks like octopus ignores host completely, because I see the resources like css loaded from correct host but wrong port too. See screenshots:
as a workaround I put octopus to https://localhost:443 and update nginx config like this:
proxy_pass https://vm01:443;
proxy_set_header HOST $http_host;
and it works. But it would be nice if octopus correctly handle port from header…
Hi Nikolai,
Glad to hear you’ve got it resolved.
While Octopus does not explicitly support the X-Forwarded-Host
header, I beleive that it should be possible to config nginx to pass the required headers to Octopus so that it transparently proxyies the traffic, and neither Octopus nor the client knows that nginx is in the middle.
That said, I’ve logged a suggestion on our UserVoice site that you can add your votes to. We use UserVoice as part of our prioritisation, so the more votes it gets, the more likely it will happen.
Hope that helps!
Regards,
Matt
Hi, Matt
Thanks for your support. I think It would be great to have octopus correctly handle X-Forwarded headers but I have to comment that this issue looks like totally related to Google App authentication introduces recently because octopus worked fine behind reverse proxy for quite long time at our side. It looks like authentication provider constructs redirect url from local hostname not using server url (The publicly-accessible URL of this server.) from configuration settings like it is done for links in subscription emails. It think it is sort of a bug to be fixed
Hi Nikolai,
You’ll be glad to hear that the developer who’s been working on the authentication plugin has agreed to pick it up.
You can keep track of the Github pull request to track the progress.
Hope that helps.
Regards,
Matt