Hi All,

I've been banging my head against the wall for two days now, and feel like I've tried every variation of configuration that I could think of or came across in the forums. I'm still a novice at networking, but feel like I have a basic understanding of how the reverse proxy should work. Let my explain..

What I'm trying to achieve:

• Nginx Reverse Proxy handling SSL (on host A, 10.10.20.3)
• OpenProject in a Proxmox LXC container (on host B, 10.10.20.11)
• Both machines A and B are in the same VLAN

What works:

• Accessing OpenProject directly via 10.10.20.11:8080 via the browser 
  • OPENPROJECT_HTTPS=false
  • Default docker-compose config

What doesn't work:

• Accessing OpenProject via the reverse proxy
  • With all combinations of
    • OPENPROJECT_HTTPS=true/false
    • docker-compose proxy service enabled/disabled (explained here)
• Connecting to OpenProject from the ReverseProxy host via telnet 10.10.20.11 8080
  • From my pc the connection via telnet does work

The Nginx Reverse Proxy config:

server {
    listen                               443 ssl http2;
    listen                               [::]:443 ssl http2;
    server_name                          op.domainname.org;

    # SSL
    ssl_certificate                      /etc/letsencrypt/live/domainname.org/fullchain.pem;
    ssl_certificate_key                  /etc/letsencrypt/live/domainname.org/privkey.pem;
    ssl_trusted_certificate              /etc/letsencrypt/live/domainname.org/chain.pem;


    # reverse proxy
    location / {
        proxy_set_header   X-Forwarded-For $remote_addr;
        proxy_set_header   Host $http_host;
        proxy_pass "http://10.10.20.11:8080";
    }


    # Access Log
    access_log  /var/log/nginx/op.access.log;

    error_log /var/log/nginx/op.error.log debug;
}


# HTTP redirect
server {
    listen      80;
    listen      [::]:80;
    server_name op.domainname.org;
    include     nginxconfig.io/letsencrypt.conf;

    location / {
        return 301 https://op.domainname.org$request_uri;
    }
}

I've tried many, many variations on this configuration, but this is the most recurring example I could find. None have worked. Maybe worth noting is that I also have other webservers on this vlan, which are successfully served by this reverse proxy.

Something suspicious is when I try to debug traffic using the OPNsense firewall logs. I see for all connections between the ReverseProxy and the OpenProject host (so both telnet and when connecting via the FQDN url), it's blocked by  Default deny / state violation rule. Unfortunately, my understanding is that there is not a single fix for this as it can be caused by many things.

I'm at complete loss how to best continue or effectively debug this. I think my topmost burning question is:

• What combination of docker-compose overrides and environment variables should I use, and with which nginx configuration?

If someone has a working example or at least some ideas, PLEASE chime in.

Thanks,

Luigi