SG behind Nginx proxy

[Todd Freese]

I have a EC2 node with SG running and want to use Nginx to act as a proxy for requests to the admin port on the SG. Both are running off the same EC2 node. However, any requests to the proxy returns a 502 error.

Here is my Nginx settings:

upstream sync_gateway {

    server 127.0.0.1:4985;

}

server {

    listen       80;

    server_name  dl.mydomain.com;

    location / {

        proxy_pass              http://sync_gateway;

        proxy_pass_header       Accept;

        proxy_pass_header       Server;

        proxy_http_version      1.1;

        keepalive_requests      1000;

        keepalive_timeout       360s;

        proxy_read_timeout      360s;

    }

}

Do I need to add any thing else to this?

I know my SG is setup correctly, as requests directly to 127.0.0.1:4985 work fine. But request to 127.0.0.1:80 return 502.

Todd

[Paul Capestany]

I guess you'd already taken a look at Couchbase's Deploying and configuring nginx developer docs?

Seems like you're using port 4985 instead of 4984?

[Todd Freese]

Yes, I saw that and I'm using the recommended config.

I need to proxy the admin port for internal use. I make a lot of calls to the admin port for management of SG using the REST api.

Does the admin port need any additional Nginx config options?

Todd

[Paul Capestany]

It's been a while since I last had to mess around with Nginx/sync gateway config settings, but perhaps you may want to take a look at this: Insecure mode on default sync_gateway bucket — Issue #708 — couchbase/sync_gateway ...I vaguely remember running into a similar issue as you, and I think that thread might have been what helped me resolve it.

Also, FWIW, I personally hated manually setting this stuff up, so a few months ago I made a little repo that shows how to automagically set up an auto-scaling cluster of CoreOS machines running Couchbase and Sync Gateway nodes behind Nginx on AWS using Terraform: couchbase-sync-gateway-terraform 

[Todd Freese]

So after pulling out the little bit of hair I had left.... I finally solved why I could not get Nginx reverse proxy to work with sync gateway running on EC2. (Nginx was returning 502 errors) Nginx was getting a permission denied from the upstream server (SG). I'm posting this here to help anyone down the line who runs into this.

I needed to run the following:

sudo setsebool httpd_can_network_connect on -P

Then it started working. I don't know enough about Nginx to know if my default setting is different on my setup versus others. I haven't seen anyone report needing to do this.

It might be a good idea to maybe comment on this in the SG/Nginx docs on the web site.

Todd