[GH-ISSUE #564] [Feature] Improve compatibility with reverse proxies #147

Closed
opened 2026-05-07 00:19:24 +02:00 by BreizhHardware · 2 comments

Originally created by @DavidutzDev on GitHub (Jul 10, 2025).
Original GitHub issue: https://github.com/ovh/the-bastion/issues/564

Hello,

This might not be a priority or a main feature of Bastion. But since there's an HTTP Proxy service it may still be relevant to the project. Here's a detailed version of my issue.

I'm currently running a network where I want Bastion to be the only secured entry point. Behind Bastion I have a Traefik instance serving as my main reverse proxy to route my domain names to the correct WebUI. (I've seen issues opened relating to the same problems, but I didn't have any issue forwarding a WebUI without a reverse proxy.)

Currently the main issue I have is that Bastion doesn't seem to forward the DNS name to the targeted source.

Working situation:
```
USER -> BASTION -> NGINX
```
Not working situation:
```
USER -> BASTION -> TRAEFIK -> NGINX
```

I didn't take a look at the internal implementation of the proxy used by Bastion, but here's what I have observed. I should also mention that both HTTPS and HTTP routes are enabled in my reverse proxy and neither worked. Is it even possible using Bastion to achieve what I'm trying to do? Is there any quick fix? Or is it a whole feature that isn't even in the plans?

I am open and available to share any additional information if that could help.
(Also sorry if the message isn't clear and needs more details.)

Here's a small dump of the logs of my tests:

```
curl -v -k -u davidutz@group=SuperSysadmin,user=supersysadmin@nginx-demo-01.srv-eval-02.evalinfra.com https://unx-srv-eval-01.evalinfra.unxwares.com:8443232s
Enter host password for user 'davidutz@group=SuperSysadmin,user=supersysadmin@nginx-demo-01.srv-eval-02.evalinfra.com':
* Host srv-eval-01.evalinfra.com:8443 was resolved.
* IPv6: (none)
* IPv4: 10.20.0.2
*   Trying 10.20.0.2:8443...
* schannel: disabled automatic use of client certificate
* ALPN: curl offers http/1.1
* ALPN: server did not agree on a protocol. Uses default.
* Connected to srv-eval-01.evalinfra.com (10.20.0.2) port 8443
* using HTTP/1.x
* Server auth using Basic with user 'davidutz@group=SuperSysadmin,user=supersysadmin@nginx-demo-01.srv-eval-02.evalinfra.com'
> GET / HTTP/1.1
> Host: srv-eval-01.evalinfra.com:8443
> Authorization: Basic ZGF2aWR1dHpAZ3JvdXA9U3VwZXJTeXNhZG1pbix1c2VyPXN1cGVyc3lzYWRtaW5AbmdpbngtZGVtby0wMS51bngtc3J2LWV2YWwtMDIuZXZhbGluZnJhLnVueHdhcmVzLmNvbTpiaCV7LEVbSVhYT1g5K11LUD8xN2VNSGdtVCQvcFtOJA==
> User-Agent: curl/8.13.0
> Accept: */*
>
* schannel: remote party requests renegotiation
* schannel: renegotiating SSL/TLS connection
* schannel: SSL/TLS connection renegotiated
* schannel: remote party requests renegotiation
* schannel: renegotiating SSL/TLS connection
* schannel: SSL/TLS connection renegotiated
* Request completely sent off
* HTTP 1.0, assume close after body
< HTTP/1.0 404 Not Found
< Date: Thu Jul 10 22:12:34 2025 GMT
< Connection: close
< Server: The Bastion 3.20.00
< X-Bastion-Instance: srv-eval-01
< X-Bastion-ReqID: b3730769b4eb
< X-Bastion-Remote-IP: nginx-demo-01.srv-eval-02.evalinfra.com
< X-Bastion-Request-Length: 0
< X-Bastion-Auth-Mode: group/explicit
< Content-Length: 19
< Content-Type: text/plain; charset=utf-8
< X-Bastion-Remote-Client-SSL-Cert-Subject: /CN=TRAEFIK DEFAULT CERT
< X-Bastion-Remote-Client-SSL-Cipher: TLS_AES_128_GCM_SHA256
< X-Bastion-Remote-Client-SSL-Warning: Peer certificate not verified
< X-Bastion-Remote-Status: 404 Not Found
< X-Bastion-Egress-Timing: 72354
< X-Bastion-Local-Status: 200 OK
< X-Bastion-Local-Status: 404 Not Found
* schannel: server close notification received (close_notify)
<
404 page not found
* Excess found writing body: excess = 1, size = 19, maxdownload = 19, bytecount = 19
* shutting down connection #0
```

Thanks for reading!


@speed47 commented on GitHub (Sep 11, 2025):

Indeed the "Host" header is not crafted currently on the egress side, but I reckon it might be of use if the remote webserver has several hostnames with differing contents on the same IP.

Our main use case is network devices APIs, and there's no need of the "host" header, but it should be easy to add nonetheless!
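The routing failure behind this comment can be reproduced locally: a name-based reverse proxy picks its backend from the `Host` header, so an egress request that still carries the proxy's own ingress name lands on the default (404) route, while one whose `Host` is crafted from the target hostname is routed correctly. The following is an added example, not code from The Bastion; the vhost router is a constructed stand-in for a Traefik `Host()` rule and every hostname in it is made up.

```python
"""Why a forwarding proxy must craft the Host header on its egress side
when the target is a name-based reverse proxy.

Added example (not The Bastion's code). VHOSTS is a constructed routing
table standing in for Traefik Host() rules; all hostnames are invented.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed routing table: hostname -> backend response body.
VHOSTS = {
    "nginx-demo-01.example.internal": b"hello from nginx-demo-01\n",
    "grafana.example.internal": b"hello from grafana\n",
}


class VhostHandler(BaseHTTPRequestHandler):
    """Route purely on the Host header, like a name-based reverse proxy."""

    def do_GET(self):
        host = self.headers.get("Host", "").split(":")[0].lower()
        body = VHOSTS.get(host)
        if body is None:
            # No matching Host rule: Traefik-style default "404 page not found".
            body = b"404 page not found\n"
            self.send_response(404)
        else:
            self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_vhost_server():
    """Bind the stand-in reverse proxy on an ephemeral localhost port."""
    srv = HTTPServer(("127.0.0.1", 0), VhostHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def egress_headers(ingress_host, target_host, set_host):
    """Headers a proxy sends on its egress leg.

    set_host=False mirrors the reported behaviour (Host left as the proxy's
    own ingress name); set_host=True crafts it from the target hostname.
    """
    headers = {"User-Agent": "example-proxy/0.1", "Accept": "*/*"}
    headers["Host"] = target_host if set_host else ingress_host
    return headers


def forward(srv, ingress_host, target_host, set_host):
    """Forward GET / to the vhost server and return (status, body)."""
    conn = http.client.HTTPConnection("127.0.0.1", srv.server_address[1], timeout=5)
    # http.client honours an explicit Host header instead of generating one.
    conn.request("GET", "/", headers=egress_headers(ingress_host, target_host, set_host))
    resp = conn.getresponse()
    body = resp.read().decode()
    conn.close()
    return resp.status, body


def demo():
    """Run both egress variants against the same target; return (broken, fixed)."""
    srv = start_vhost_server()
    try:
        ingress, target = "bastion.example.internal", "nginx-demo-01.example.internal"
        broken = forward(srv, ingress, target, set_host=False)
        fixed = forward(srv, ingress, target, set_host=True)
    finally:
        srv.shutdown()
        srv.server_close()
    return broken, fixed


if __name__ == "__main__":
    broken, fixed = demo()
    print("Host left as ingress name:", broken)   # (404, '404 page not found\n')
    print("Host crafted from target: ", fixed)    # (200, 'hello from nginx-demo-01\n')
```

The same target IP and port serve both requests; only the `Host` value differs, which is exactly the distinction a single-IP, multi-hostname backend needs and a plain-IP network-device API does not.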


@speed47 commented on GitHub (Sep 11, 2025):

Merged, will be included in the next release :)
