reverse proxying doesn't work #11

Open
opened 2026-04-22 02:28:23 +00:00 by fauno · 4 comments
Owner

while setting a reverse proxy for the cluster, using nginx on a non-coopcloud server, i've found these issues:

  • setting an upstream block to every garage instance doesn't work, because traefik will close a connection with an unknown SNI, and the proxy_ssl_name option that would help requires a variable that's only available on the nginx commercial subscription

    upstream garage_cluster {
      server garage1.coopcloud.examp.le;
      server garage2.coopcloud.examp.le;
      server garage3.coopcloud.examp.le;
    }
    
    server {
      server_name garage.examp.le;
      location / {
        proxy_pass https://garage_cluster;
        proxy_ssl_server_name on; # traefiks will receive "garage.examp.le" when disabled
        proxy_ssl_name should_be_upstream_hostname; # $upstream_last_server_name is missing
      }
    }
    
  • setting a single garage instance on proxy_pass will connect to the garage instance but return signature invalid errors, because the hostname is signed along with other info, but traefik appears to keep using the SNI:

    server {
      server_name garage.examp.le;
      location / {
        proxy_pass https://garage1.coopcloud.examp.le;
        proxy_ssl_server_name on;
        proxy_ssl_name garage1.coopcloud.examp.le; # tell traefik we want this hostname
        proxy_set_header Host $http_host; # but garage should receive this hostname
      }
    }
    

the only thing that worked so far is setting a gateway node on the reverse proxy host (or on an intermediate host):

  server {
    server_name garage.examp.le;
    location / {
      proxy_pass http://localhost:3900;
      proxy_set_header Host $http_host;
    }
  }
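An added example (not part of the original post, and not Garage's or traefik's code) illustrating the statement above that the hostname is signed along with other info: in AWS Signature V4, `host` is one of the signed headers, so a verifier that recomputes the signature over a different Host value rejects the request. The host names are the ones from the issue; the secret, path, date and region are constructed values.

```python
import hashlib
import hmac

EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()  # payload hash of an empty body


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def sigv4_signature(secret, host, method="GET", path="/bucket/key",
                    amz_date="20260422T022823Z", region="garage", service="s3"):
    """SigV4 signature for a request with no query string and an empty body."""
    headers = {"host": host, "x-amz-content-sha256": EMPTY_SHA256,
               "x-amz-date": amz_date}
    names = sorted(headers)
    canonical_headers = "".join(f"{n}:{headers[n]}\n" for n in names)
    # method, URI, (empty) query, headers, signed header list, payload hash
    canonical_request = "\n".join(
        [method, path, "", canonical_headers, ";".join(names), EMPTY_SHA256])
    date = amz_date[:8]
    scope = f"{date}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", amz_date, scope,
         hashlib.sha256(canonical_request.encode()).hexdigest()])
    key = ("AWS4" + secret).encode()
    for part in (date, region, service, "aws4_request"):
        key = _hmac(key, part)  # derive the signing key step by step
    return hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()


def verifier_accepts(secret, client_signature, host_received):
    """A SigV4 verifier recomputes over the Host it actually received."""
    expected = sigv4_signature(secret, host_received)
    return hmac.compare_digest(expected, client_signature)


SECRET = "constructed-example-secret"      # constructed value
PUBLIC_HOST = "garage.examp.le"            # what the S3 client signs
BACKEND_HOST = "garage1.coopcloud.examp.le"  # what a rewriting proxy would send


def demo():
    client_sig = sigv4_signature(SECRET, PUBLIC_HOST)
    return {
        "host_preserved": verifier_accepts(SECRET, client_sig, PUBLIC_HOST),
        "host_rewritten": verifier_accepts(SECRET, client_sig, BACKEND_HOST),
    }


if __name__ == "__main__":
    print(demo())
```
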
Brooke added this to the Issue tracking project 2026-05-08 19:29:39 +00:00
Brooke added the Kind/Bug and Priority High 2 labels 2026-05-08 19:40:21 +00:00
Brooke moved this to In Progress in Issue tracking on 2026-05-15 20:14:35 +00:00
Brooke removed the Kind/Bug label 2026-05-15 20:16:31 +00:00
Owner

Could you provide more information on your setup? Are you saying that garage is installed as a binary+nginx and you're having trouble connecting it with other nodes? Or, are you trying to put nginx in front of garage nodes deployed with coop-cloud?

Brooke moved this to Backlog in Issue tracking on 2026-05-15 20:21:57 +00:00
Brooke moved this to Waiting/Blocked in Issue tracking on 2026-05-15 20:21:59 +00:00
Author
Owner

> Or, are you trying to put nginx in front of garage nodes deployed with coop-cloud?

this, since traefik fronts garage, the communication between several traefiks and nginx is blocked because traefik expects the exact domain and nginx won't do that unless you pay the commercial subscription, so i had to deploy a garage binary along the nginx server and set it as a localhost gateway.

i wanted the nginx option to set cache policies, but apparently i can do that with tools like s3cmd, so this may not be needed at all! i'm still testing stuff though.

Owner

Gotcha, glad you've sorted out a solution! On another note, it might be interesting to create a garage gateway recipe...

Author
Owner

i think we can do that already since the gateway role is set during layout configuration. i'd like to have caching middleware though, that's why i was going with nginx. maybe this could become a compose.cache.yml?

Reference: coop-cloud/garage#11