Cannot connect build agent to TeamCity behind nginx proxy
Hi,
I have TeamCity behind an nginx proxy, and my configuration is the following:
Nginx:
teamcity_http.conf
server {
    listen *:80;
    server_name teamcity.example.com;
    proxy_set_header Host $host;
    access_log /var/log/nginx/teamcity_http.access.log;
    error_log /var/log/nginx/teamcity_http.error.log;
    location / {
        return 301 https://$host$request_uri;
    }
}
teamcity_https.conf
server {
    listen *:443 ssl;
    server_name teamcity.example.com;
    ssl on;
    ssl_certificate /etc/nginx/teamcity_https.crt;
    ssl_certificate_key /etc/nginx/teamcity_https.key;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_stapling on;
    ssl_trusted_certificate /etc/nginx/teamcity_https.trusted.crt;
    resolver 8.8.8.8;
    access_log /var/log/nginx/ssl-teamcity_https.access.log;
    error_log /var/log/nginx/ssl-teamcity_https.error.log;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    add_header Strict-Transport-Security max-age=15552000;
    location / {
        proxy_redirect http:// https://;
        proxy_pass http://teamcity;
        proxy_read_timeout 90;
    }
}
TeamCity itself is listening on 127.0.0.1:8111.
I can connect to TeamCity via a web browser, but the agent fails with a 504 error.
What am I doing wrong?
Hey Ilya,
What does the "teamcity" upstream look like? Is this Linux or Windows? The upstream should look like the following (in the config):
upstream teamcity {
    server 127.0.0.1:8111;
}
Hi Bill,
This is Linux, the upstream is:
upstream teamcity {
    server 127.0.0.1:8111 fail_timeout=10s;
}
The only record I see in nginx's access log is:
[08/Jan/2015:06:29:35 -0500] "POST /RPC2 HTTP/1.1" 504 182 "-" "TeamCity Agent"
And in the error log:
[error] 969#0: *14613 upstream timed out (110: Connection timed out) while reading response header from upstream, client: X.X.X.X, server: teamcity.example.com, request: "POST /RPC2 HTTP/1.1", upstream: "http://127.0.0.1:8111/RPC2", host: "teamcity.example.com"
Upgrading to 9.0.1 didn't help.
Hi Ilya,
It is not possible to set up such a configuration in TeamCity now. There should be two connections established: server-agent and agent-server. In the current TeamCity implementation it is not possible to configure the server to connect to the agent through a proxy. Please watch/vote for the related feature request - https://youtrack.jetbrains.com/issue/TW-12443.
At the same time, we do not recommend configuring the agent to connect to the server through a proxy. The connection from agent to server is not secure, because the HTTP protocol is used (please see this section). And usually it is not necessary to access the agent from the Internet. We would recommend configuring a VPN tunnel between agent and server.
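An added triage example, not part of the thread or of TeamCity: it parses nginx error-log entries like the one quoted above and separates "while connecting to upstream" (nginx could not reach the backend) from "while reading response header from upstream" (nginx reached the backend, which did not answer before the proxy read timeout). The sample lines are constructed on the model of the quoted entry, and the function names and verdict labels are this example's own.

```python
import re
from collections import Counter

# Constructed sample in nginx error-log format (timestamps, client IPs and IDs invented).
SAMPLE_ERROR_LOG = """\
2015/01/08 06:29:35 [error] 969#0: *14613 upstream timed out (110: Connection timed out) while reading response header from upstream, client: 192.0.2.10, server: teamcity.example.com, request: "POST /RPC2 HTTP/1.1", upstream: "http://127.0.0.1:8111/RPC2", host: "teamcity.example.com"
2015/01/08 06:31:05 [error] 969#0: *14620 upstream timed out (110: Connection timed out) while reading response header from upstream, client: 192.0.2.10, server: teamcity.example.com, request: "POST /RPC2 HTTP/1.1", upstream: "http://127.0.0.1:8111/RPC2", host: "teamcity.example.com"
2015/01/08 06:40:12 [error] 969#0: *14700 upstream timed out (110: Connection timed out) while connecting to upstream, client: 192.0.2.44, server: teamcity.example.com, request: "GET /login.html HTTP/1.1", upstream: "http://127.0.0.1:8111/login.html", host: "teamcity.example.com"
2015/01/08 06:41:00 [error] 969#0: *14701 open() "/usr/share/nginx/html/favicon.ico" failed (2: No such file or directory), client: 192.0.2.44, server: teamcity.example.com, request: "GET /favicon.ico HTTP/1.1", host: "teamcity.example.com"
"""

TIMEOUT_RE = re.compile(
    r'upstream timed out \([^)]*\) while (?P<stage>[^,]+), '
    r'client: (?P<client>[^,]+), server: (?P<server>[^,]+), '
    r'request: "(?P<method>\S+) (?P<uri>\S+)[^"]*", '
    r'upstream: "(?P<upstream>[^"]+)"'
)

def parse_timeouts(text):
    """Return one dict per 'upstream timed out' entry; other errors are skipped."""
    return [m.groupdict() for m in map(TIMEOUT_RE.search, text.splitlines()) if m]

def diagnose(entry):
    """Map the stage nginx reports to a verdict (labels are this example's own)."""
    stage = entry["stage"]
    if stage.startswith("connecting"):
        return "backend-unreachable"   # TCP connect to the upstream never completed
    if stage.startswith("reading response header"):
        return "backend-stalled"       # request delivered, no reply before the read timeout
    return "other"

def summarize(text):
    """Count timeouts per (method, URI, verdict) so repeated agent calls stand out."""
    return Counter((e["method"], e["uri"], diagnose(e)) for e in parse_timeouts(text))

if __name__ == "__main__":
    for (method, uri, verdict), n in summarize(SAMPLE_ERROR_LOG).most_common():
        print(f"{n:3d}  {method} {uri}  {verdict}")
```
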