Configure NGINX, Docker Compose, AWS EC2 - docker

I have an EC2 AWS instance and I want to create a test environment for an application.
All other containers are working properly, but NGINX's is the only one that is not stable and keeps restarting constantly.
I tried several ways to make NGINX run. I changed addresses, I used return 301, and I tried removing certbot; nothing worked.
I'm an intern and I need to create this test environment for an assessment. Can someone help me?
My docker-compose.yml looks like this:
version: "3.9"
services:
  backend:
    container_name: backend
    image: <my_image>
    restart: always
    ports:
      - "3030:3030"
    environment:
      - "DATABASE_URL=${DATABASE_URL}"
      - "SERVER_PORT=${SERVER_PORT}"
      - "JWT_SECRET=${JWT_SECRET}"
  sniffer:
    container_name: mqtt-sniffer
    image: <my_image>
    restart: always
    environment:
      - "POSTGRES_DB=${POSTGRES_DB}"
      - "POSTGRES_USER=${POSTGRES_USER}"
      - "POSTGRES_PASSWORD=${POSTGRES_PASSWORD}"
      - "POSTGRES_HOST=${POSTGRES_HOST}"
      - "MQTT_CLIENT_ID=${MQTT_CLIENT_ID}"
      - "MQTT_USER=${MQTT_USER}"
      - "MQTT_PASSWORD=${MQTT_PASSWORD}"
      - "MQTT_HOST=${MQTT_HOST}"
      - "MQTT_PORT=${MQTT_PORT}"
  web:
    container_name: web
    image: <my_image>
    restart: always
  nginx:
    container_name: nginx
    image: nginx:latest
    restart: always
    ports:
      - "80:80"
      - "443:443"
    environment:
      - API_SERVER_NAME=${API_SERVER_NAME}
    volumes:
      - /home/ubuntu/app/nginx/default.conf:/etc/nginx/nginx.conf:ro
      - /home/ubuntu/app/certbot/www:/etc/nginx/acme_challenge:ro
      - /home/ubuntu/app/certbot/certificate:/etc/nginx/certificate:ro
And my default.conf looks like this:
events {}
http {
    server {
        listen 80;
        listen [::]:80;
        server_name 18.231.90.250;
        location /.well-known/acme-challenge/ {
            root /etc/nginx/acme_challenge;
        }
        location / {
            proxy_pass http://18.231.90.250;
        }
    }
    server {
        listen 80;
        listen [::]:80;
        location /.well-known/acme-challenge/ {
            root /etc/nginx/acme_challenge;
        }
        location / {
            proxy_pass http://web:80;
        }
    }
    server {
        listen 443 default_server ssl;
        listen [::]:443 ssl;
        ssl_certificate /etc/nginx/certificate/live/teste.clientautoponia.com/fullchain.pem;
        ssl_certificate_key /etc/nginx/certificate/live/teste.clientautoponia.com/privkey.pem;
        location / {
            proxy_pass http://backend:3030;
        }
    }
I don't need the SSL certificate; I just want to be able to communicate when accessing the instance and get a 200 when trying to access the address.

Related

Nginx does not redirect to the correct port

I am using a docker-compose to run my frontend application, backend application and nginx webserver. I would like to redirect the requests to the correct port (backend or frontend), but for some reason I just get Internal Server errors.
This is my docker-compose:
version: "3"
services:
  webserver:
    image: nginx:alpine
    ports:
      - "80:80"
      - "443:443"
    networks:
      - project
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf
      - ./nginx/error.log:/etc/nginx/error_log.log
      - ./nginx/cache/:/etc/nginx/cache
      - /etc/letsencrypt/:/etc/letsencrypt/
  backend:
    build:
      context: ./project-backend
      dockerfile: stage.Dockerfile
    env_file:
      - ./project-backend/environments/stage.env
    volumes:
      - ./project-backend/src:/usr/src/app/src
    ports:
      - "3000:3000"
    networks:
      - project
  frontend:
    build:
      context: ./project-frontend
      dockerfile: stage.Dockerfile
    ports:
      - "4200:80"
    networks:
      - project
networks:
  project:
This works fine. I can access both of the frontend and backend.
This is my nginx.conf file:
events {}
http {
    client_max_body_size 20m;
    proxy_cache_path /etc/nginx/cache keys_zone=one:500m max_size=1000m;
    server {
        proxy_cache one;
        proxy_cache_key $request_method$request_uri;
        proxy_cache_min_uses 1;
        proxy_cache_methods GET;
        proxy_cache_valid 200 1y;
        listen 80;
        server_name localhost;
        location /api {
            proxy_pass http://localhost:3000/api;
            rewrite ^/api(.*)$ $1 break;
        }
        location / {
            proxy_pass http://localhost:4200;
            rewrite ^/(.*)$ $1 break;
        }
    }
}
Try to reach by service name, instead of localhost.
example:
Change proxy_pass http://localhost:3000/api; -> proxy_pass http://backend:3000/api;
Change proxy_pass http://localhost:4200; -> proxy_pass http://frontend:4200;

Change nginx server name in Docker

I have a project running on docker. I use Nginx reverse proxy to run my app.
Everything works fine, but I am trying to personalize the server_name on nginx and couldn't figure out how.
Docker yml file
I've added server name to /etc/hosts by docker
version: "3"
services:
  nginx:
    container_name: nginx
    volumes:
      - ./nginx/logs/nginx:/var/log/nginx
    build:
      context: ./nginx
      dockerfile: ./Dockerfile
    depends_on:
      - menu-app
    ports:
      - "80:80"
      - "433:433"
    extra_hosts:
      - "www.qr-menu.loc:172.18.0.100"
      - "www.qr-menu.loc:127.0.0.1"
    networks:
      default:
        ipv4_address: 172.18.0.100
  menu-app:
    image: menu-app
    container_name: menu-app
    volumes:
      - './menu-app/config:/var/www/config'
      - './menu-app/core:/var/www/core'
      - './menu-app/ecosystem.json:/var/www/ecosystem.json'
      - './menu-app/tsconfig.json:/var/www/tsconfig.json'
      - './menu-app/tsconfig-build.json:/var/www/tsconfig-build.json'
      - "./menu-app/src:/var/www/src"
      - "./menu-app/package.json:/var/www/package.json"
    build:
      context: .
      dockerfile: menu-app/.docker/Dockerfile
    tmpfs:
      - /var/www/dist
    ports:
      - "3000:3000"
    extra_hosts:
      - "www.qr-menu.loc:127.0.0.1"
      - "www.qr-menu.loc:172.18.0.100"
networks:
  default:
    ipam:
      driver: default
      config:
        - subnet: 172.18.0.0/24
And I have Nginx conf
server_names_hash_bucket_size 1024;
upstream local_pwa {
    server menu-app:3000;
    keepalive 8;
}
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name www.qr-menu.loc 172.18.0.100;
    proxy_buffer_size 128k;
    proxy_buffers 4 256k;
    proxy_busy_buffers_size 256k;
    location / {
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_pass http://local_pwa/;
    }
}
But unfortunately, the app runs on localhost instead of www.qr-menu.loc.
I couldn't figure out how to change server_name on Nginx.
This is a really, really late answer. The server_name directive tells nginx which configuration block to use on receipt of a request. Also see: http://nginx.org/en/docs/http/server_names.html
I think the docker-compose extra_hosts directive might only work for domain-name resolution within the docker network. In other words, on your computer that's running docker the name "www.qr-menu.loc" is not available, but in a running docker container that name should be available.

Docker swarm can't reach worker nodes

So, I have set up a docker swarm, connected a worker to it, and deployed a stack with 4 services:
generator, which will be located on the worker node
API & scheduler, both of which will be located on the manager node
proxy, which will be located on the manager node, accepting requests and redirecting it through the other 3
This is my stack file:
version: "3.7"
services:
  generator:
    image: musicorum/generator:latest
    restart: always
    environment:
      - 'XXXX=XXXX'
    deploy:
      resources:
        reservations:
          memory: 860M
      placement:
        constraints:
          - "node.labels.generator==yes"
    ports:
      - 5000:5000
    networks:
      - proxy_ext
      - netg
    volumes:
      - type: bind
        source: /home/musicorum/cache
        target: /usr/src/app/cache
  api:
    image: musicorum/api:latest
    restart: always
    environment:
      - 'XXXX=XXXX'
    networks:
      - proxy_ext
    ports:
      - 4500:4500
    deploy:
      placement:
        constraints:
          - "node.labels.generator!=yes"
  scheduler:
    image: musicorum/scheduler:latest
    restart: always
    environment:
      - 'XXXX=XXXX'
    ports:
      - 6500:6500
    networks:
      - proxy_ext
    deploy:
      placement:
        constraints:
          - "node.labels.generator!=yes"
  proxy:
    image: nginx:latest
    restart: always
    networks:
      - proxy_ext
      - netg
    ports:
      - 80:80
      - 443:443
    configs:
      - source: nginx_4
        target: /etc/nginx/conf.d/default.conf
      - source: sslcrt
        target: /etc/ssl/musicorumapp/ssl.crt
      - source: sslkey
        target: /etc/ssl/musicorumapp/ssl.key
    depends_on:
      - scheduler
      - api
      - generator
    deploy:
      placement:
        constraints:
          - "node.labels.generator!=yes"
configs:
  nginx_4:
    external: true
  sslcrt:
    external: true
  sslkey:
    external: true
networks:
  proxy_ext:
    external: true
  netg:
    driver: overlay
    attachable: true
As you can see, they are connected on the same network; I even created proxy_ext and netg to double-check the connection, but Nginx gives this message on start up:
/docker-entrypoint.sh: Configuration complete; ready for start up
2020/07/07 13:32:17 [emerg] 1#1: host not found in upstream "musicorum_generator" in /etc/nginx/conf.d/default.conf:30
nginx: [emerg] host not found in upstream "musicorum_generator" in /etc/nginx/conf.d/default.conf:30
I don't know why the Nginx, at the manager node, can't reach out to the generator container, at the worker node. If it helps, here's my default.conf:
server {
    listen 80;
    listen 443 ssl;
    ssl_certificate /etc/ssl/musicorumapp/ssl.crt;
    ssl_certificate_key /etc/ssl/musicorumapp/ssl.key;
    server_name api.musicorumapp.com;
    location / {
        proxy_pass http://musicorum_api:4500/;
    }
}
server {
    listen 80;
    listen 443 ssl;
    ssl_certificate /etc/ssl/musicorumapp/ssl.crt;
    ssl_certificate_key /etc/ssl/musicorumapp/ssl.key;
    server_name scheduler.musicorumapp.com;
    location / {
        proxy_pass http://musicorum_scheduler:6500/;
    }
}
server {
    listen 80;
    listen 443 ssl;
    ssl_certificate /etc/ssl/musicorumapp/ssl.crt;
    ssl_certificate_key /etc/ssl/musicorumapp/ssl.key;
    server_name generator.musicorumapp.com;
    location / {
        proxy_pass http://musicorum_generator:5000/;
    }
}
In your default.conf you need to reference the services by their service name. This is the name that the internal DNS will resolve.
server {
    listen 80;
    listen 443 ssl;
    ssl_certificate /etc/ssl/musicorumapp/ssl.crt;
    ssl_certificate_key /etc/ssl/musicorumapp/ssl.key;
    server_name api.musicorumapp.com;
    location / {
        proxy_pass http://api:4500/;  # <-- 'api' is the service name
    }
}
You only would need to prefix the name of your stack if the reverse proxy server was running external to your stack's network, but since they are all on the same network, the DNS will resolve the service name alone.
You may also remove the ports: 8000:8000 on all of your apps (except reverse proxy) in your stack yaml file because you want to route traffic through your reverse proxy, not bind the port to the host. This could lead to security vulnerabilities as well. There are no port restrictions within a docker network. If an application is listening on 8000, your reverse proxy can contact it with http://service-name:8000 within the stack's overlay network.
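The exposure this answer warns about can be checked mechanically. The following is an added example, not part of the original answer: it lists every port that a service other than the reverse proxy publishes on all host interfaces. The function names, the constructed sample, the short `ports:` syntax only, and treating loopback-bound publishes as acceptable are assumptions of this sketch.

```python
import re

# Constructed compose fragment modelled on the stack file above (image names are placeholders).
SAMPLE_COMPOSE = """\
services:
  generator:
    image: example/generator:latest
    ports:
      - 5000:5000
  api:
    image: example/api:latest
    ports:
      - "127.0.0.1:4500:4500"
  proxy:
    image: nginx:latest
    ports:
      - 80:80
      - 443:443
"""

def published_ports(compose_text):
    """Map each service to its short-syntax `ports:` entries (long syntax is not parsed)."""
    result, section, svc_indent, service, in_ports = {}, None, None, None, False
    for raw in compose_text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()  # drop YAML comments
        if not line.strip():
            continue
        indent, text = len(line) - len(line.lstrip()), line.strip()
        if indent == 0:  # new top-level section
            section, service, in_ports = text.rstrip(":"), None, False
        elif section == "services" and indent == (svc_indent or indent) and text.endswith(":"):
            svc_indent, service, in_ports = indent, text[:-1], False
        elif service and text == "ports:":
            in_ports = True
        elif in_ports and text.startswith("- "):
            result.setdefault(service, []).append(text[2:].strip("\"' "))
        else:  # any other key ends the ports list
            in_ports = False
    return result

def exposed_backends(compose_text, proxy_services):
    """Ports published on all host interfaces by services other than the reverse proxy."""
    findings = []
    for svc, ports in published_ports(compose_text).items():
        for port in ports:
            loopback_only = port.startswith(("127.0.0.1:", "[::1]:"))
            if svc not in proxy_services and not loopback_only:
                findings.append((svc, port))
    return sorted(findings)
```

Calling `exposed_backends(SAMPLE_COMPOSE, {"proxy"})` on the sample reports only the generator's `5000:5000` mapping.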

Nginx reverse proxy (in Docker) to a web app (also in Docker)

I have set up a web application in docker which is currently running internal to the host at 172.19.0.3:8888. I want this web application accessible over the internet on port 443 (https), with requests to port 80 (HTTP) redirected to 443.
I plan to use an Nginx reverse proxy in a docker container to achieve this, but I do not know how to properly configure it to point at the docker container 172.19.0.3:8888. Accessing http://172.19.0.3:8888 from the host works.
Here is the guide I tried to follow, but it just didn't show how to point at a docker container specifically.
https://medium.com/#pentacent/nginx-and-lets-encrypt-with-docker-in-less-than-5-minutes-b4b8a60d3a71
Note
If I set the port 443 proxy_pass to http://example.org, it works. So Cert configurations are working correctly.
Web application
Running on 172.19.0.3:8888 internal to the host
docker-compose for Nginx and Certbot
My certs are coming back clean.
version: '3'
services:
  nginx:
    image: nginx:1.15-alpine
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./Volumes/nginx:/etc/nginx/conf.d
      - ./Volumes/certbot/conf:/etc/letsencrypt
      - ./Volumes/certbot/www:/var/www/certbot
  certbot:
    image: certbot/certbot
    volumes:
      - ./Volumes/certbot/conf:/etc/letsencrypt
      - ./Volumes/certbot/www:/var/www/certbot
Nginx app.conf
server {
    listen 80;
    server_name forums.example.com;
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}
server {
    listen 443 ssl;
    server_name forums.example.com;
    ssl_certificate /etc/letsencrypt/live/forums.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/forums.example.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    location / {
        proxy_pass http://172.19.0.3:8888/;
    }
}
Web Application
flarum:
  image: mondedie/docker-flarum:0.1.0-beta.8.1-stable
  container_name: flarum
  env_file:
    - ./flarum.env
  volumes:
    - ./Volumes/assets:/flarum/app/public/assets
    - ./Volumes/extensions:/flarum/app/extensions
    - ./Volumes/nginx:/etc/nginx/conf.d
  depends_on:
    - mariadb
mariadb:
  image: mariadb:10.2
  container_name: mariadb
  environment:
    - MYSQL_ROOT_PASSWORD=password
    - MYSQL_DATABASE=flarum
    - MYSQL_USER=flarum
    - MYSQL_PASSWORD=password
  volumes:
    - ./Volumes/mysql/db:/var/lib/mysql
Docker Compose creates a separate network for the docker-compose.yaml file.
So you can add your web application as a service (e.g. webapp) in the current compose file, and in nginx.conf point directly to your service. Rather than using the IP, you can use the service name as a DNS name, which Docker will resolve within the same network.
location / {
    proxy_pass http://webapp:8888/;
}
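The answers on this page keep arriving at the same fix: `proxy_pass` should name a Compose service, not `localhost` or a container IP. A container's address can change when it is recreated, so a hard-coded IP may later point at a different container. The following added example (not from any of the posts) flags such targets in an nginx config; the function names and the sample config are constructed for illustration, and the caller supplies the set of service names.

```python
import ipaddress
import re

# Constructed sample combining the proxy_pass styles seen in the questions above.
SAMPLE_CONF = """
upstream local_pwa { server menu-app:3000; keepalive 8; }
server {
    listen 80;
    location /api { proxy_pass http://localhost:3000/api; }
    location /    { proxy_pass http://frontend:80; }
    location /pwa { proxy_pass http://local_pwa/; }
    location /raw { proxy_pass http://172.19.0.3:8888/; }
    location /old { proxy_pass http://musicorum_generator:5000/; }
}
"""

UPSTREAM_RE = re.compile(r"upstream\s+(\S+)\s*\{([^}]*)\}")
SERVER_RE = re.compile(r"\bserver\s+([^\s;:]+)")
# Host part only; nginx variables and bracketed IPv6 literals are not handled.
PROXY_RE = re.compile(r"proxy_pass\s+https?://([^\s;/:]+)")

def classify(host, services):
    """Return 'ok', 'loopback', 'hard-coded-ip' or 'unknown-name' for one upstream host."""
    if host in services:
        return "ok"
    if host == "localhost":
        return "loopback"  # inside the nginx container this is nginx itself
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "unknown-name"  # not a service key in the compose file
    return "loopback" if ip.is_loopback else "hard-coded-ip"

def audit_proxy_targets(conf, services):
    """Sorted (host, verdict) pairs for every proxied host that is not a service name."""
    conf = re.sub(r"#.*", "", conf)  # drop comments
    upstreams = {name: SERVER_RE.findall(body) for name, body in UPSTREAM_RE.findall(conf)}
    findings = set()
    for target in PROXY_RE.findall(conf):
        # A target naming an upstream block is checked through that block's servers.
        for host in upstreams.get(target, [target]):
            verdict = classify(host, services)
            if verdict != "ok":
                findings.add((host, verdict))
    return sorted(findings)
```

With the services `frontend`, `backend` and `menu-app`, the sample yields findings for `172.19.0.3`, `localhost` and `musicorum_generator`, while the `local_pwa` upstream passes because it resolves to `menu-app`.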

nginx reverse-proxy docker applications

I am trying to set up nginx as proxy with the following functionality:
If www.mydomain.com is called, hand out static content.
If www.mydomain.com/wekan is called, redirect to my Wekan-Dokan container.
For keeping it simple, everything is on localhost and no network required.
This is my nginx configuration:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
    worker_connections 768;
    # multi_accept on;
}
http {
    server {
        location / {
            proxy_pass http://localhost:9050;
        }
        location /wekan {
            proxy_pass http://localhost:3001;
        }
        location /pics {
            proxy_pass http://localhost/example.jpg;
        }
        location ~ \.(gif|jpg|png)$ {
            root /home/myUser/serverTest/data/images;
        }
    }
    server {
        listen 9050;
        root /home/myUser/serverTest/data/up1;
        location / {
        }
    }
}
And here is my docker-compose for the Wekan App:
version: '2'
services:
  wekandb:
    image: mongo:3.2.21
    container_name: wekan-db
    restart: always
    command: mongod --smallfiles --oplogSize 128
    networks:
      - wekan-tier
    expose:
      - 27017
    volumes:
      - /home/myUser/wekan/wekan-db:/data/db
      - /home/myUser/wekan/wekan-db-dump:/dump
  wekan:
    image: quay.io/wekan/wekan
    container_name: wekan-app
    restart: always
    networks:
      - wekan-tier
    ports:
      # Docker outsideport:insideport
      - 3001:8080
    environment:
      - MONGO_URL=mongodb://wekandb:27017/wekan
      - ROOT_URL=http://localhost
So, as far as my basic understanding of nginx goes, calling localhost:3001 and calling localhost/wekan should be the same, since localhost/wekan gets redirected to localhost:3001.
This is not the case (it gets redirected to a wekan "page not found" version).
