Running Nginx Docker with SSL self signed certificate - docker

I am trying to run a UI application with Docker using the nginx image. I am able to access the service on port 80 without any problem, but whenever I try to access it via https on port 443 I am not able to access the application: the site keeps loading and eventually results in "not accessible". I have updated the nginx.conf file in default.conf to allow access over port 443.
The following is my nginx.conf:
charset utf-8;
server {
listen 80;
server_name localhost;
root /usr/nginx/html;
}
server {
listen 443;
server_name localhost;
root /usr/nginx/html;
}
I have added the SSL self-signed certificate in the /usr/nginx folder and exposed port 443 via the Dockerfile.
The following is my Dockerfile:
FROM nginx
COPY dist /usr/nginx/html
RUN chmod -R 777 /usr/nginx/html/*
COPY nginx.conf /etc/nginx/conf.d/default.conf
COPY domain.crt /usr/nginx
EXPOSE 80:443
ENTRYPOINT nginx -g 'daemon off;'
Can anyone please explain to me why port 443 is not allowing any access?

For the nginx server to allow SSL encryption you need to provide the ssl flag while listening in nginx.conf,
and only the ssl certificate will not be sufficient; you will need the ssl certificate key and password as well, and they must be configured.
charset utf-8;
server {
listen 80;
server_name localhost;
root /usr/nginx/html;
}
server {
listen 443 ssl;
ssl_certificate /usr/nginx/ssl.crt;
ssl_certificate_key /usr/nginx/ssl.key;
ssl_password_file /usr/nginx/ssl.pass;
server_name localhost;
root /usr/nginx/html;
}
And you need to provide the ssl certificate, key and password via volumes or by embedding them in the docker container. If you are running the container on a kubernetes cluster, adding them via kubernetes secrets will be the better option.
For the Dockerfile you can add something like:
FROM nginx
COPY dist /usr/nginx/html
RUN chmod -R 777 /usr/nginx/html/*
COPY nginx.conf /etc/nginx/conf.d/default.conf
COPY ssl.crt /usr/nginx/
COPY ssl.pass /usr/nginx/
COPY ssl.key /usr/nginx/
EXPOSE 80 443
ENTRYPOINT nginx -g 'daemon off;'
For further info you can refer to the Nginx Docker article https://medium.com/#agusnavce/nginx-server-with-ssl-certificates-with-lets-encrypt-in-docker-670caefc2e31
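The fix above comes down to two things nginx needs on the 443 listener: the `ssl` parameter and a certificate/key pair it can load (`ssl_password_file` is only needed when the key itself is passphrase-protected). A plain `listen 443;` answers the browser's TLS ClientHello with HTTP, which is what shows up as an endless load. The checker below is an added example (mine, not the answerer's or nginx's code) that parses a server config written the flat way the configs in this thread are, and flags a 443 listener without `ssl`, an `ssl` listener without `ssl_certificate`/`ssl_certificate_key` in the same block, the `EXPOSE 80:443` form from the asker's Dockerfile (EXPOSE takes a port list; `host:container` mappings belong to `-p` at run time) and a `chmod 777` on served content. The sample config and Dockerfile are constructed.

```python
"""Lint an nginx server config plus the Dockerfile that ships it for the
mistakes discussed above.  Added example, not the project's or answerer's
code; the sample config and Dockerfile below are constructed."""
import re

# Constructed: a listener on 443 without `ssl`, which serves plaintext HTTP
# on the HTTPS port (the browser's TLS handshake never completes).
BROKEN_CONF = """
charset utf-8;
server {
    listen 80;
    server_name localhost;
    root /usr/nginx/html;
}
server {
    listen 443;
    server_name localhost;
    root /usr/nginx/html;
}
"""

# Constructed: the corrected listener.
FIXED_CONF = """
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    ssl_certificate /usr/nginx/ssl.crt;
    ssl_certificate_key /usr/nginx/ssl.key;
    server_name localhost;
    root /usr/nginx/html;
}
"""

# Constructed Dockerfile with the two lines worth flagging.
DOCKERFILE = """FROM nginx
COPY dist /usr/nginx/html
RUN chmod -R 777 /usr/nginx/html/*
COPY nginx.conf /etc/nginx/conf.d/default.conf
EXPOSE 80:443
"""

def server_blocks(conf):
    """Return the body of each `server { ... }` block (brace-counted)."""
    blocks = []
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, start = 0, m.end() - 1
        for j in range(start, len(conf)):
            depth += {"{": 1, "}": -1}.get(conf[j], 0)
            if depth == 0:
                blocks.append(conf[start + 1:j])
                break
    return blocks

def directives(block):
    """Yield (name, args) for each `name arg ...;` statement, comments stripped."""
    for stmt in re.sub(r"#[^\n]*", "", block).split(";"):
        parts = stmt.split()
        if parts:
            yield parts[0], parts[1:]

def lint_nginx(conf):
    """Findings for TLS listeners: 443 without `ssl`, or `ssl` without cert/key
    in the same server block (the configs in this thread set them there)."""
    findings = []
    for n, block in enumerate(server_blocks(conf), 1):
        listens, present = [], set()
        for name, args in directives(block):
            if name == "listen" and args:
                listens.append(args)
            elif name in ("ssl_certificate", "ssl_certificate_key"):
                present.add(name)
        for args in listens:
            port = args[0].rsplit(":", 1)[-1]        # "443", "[::]:443", "0.0.0.0:443"
            has_ssl = "ssl" in args[1:]
            if port == "443" and not has_ssl:
                findings.append(f"server #{n}: 'listen {' '.join(args)}' serves plain HTTP "
                                "on the HTTPS port; use 'listen 443 ssl;'")
            if has_ssl:
                for d in ("ssl_certificate", "ssl_certificate_key"):
                    if d not in present:
                        findings.append(f"server #{n}: listen ... ssl without {d}")
    return findings

EXPOSE_ARG = re.compile(r"^\d+(-\d+)?(/(tcp|udp|sctp))?$")

def lint_dockerfile(text):
    """Findings for EXPOSE syntax and world-writable static content."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if not parts:
            continue
        if parts[0].upper() == "EXPOSE":
            for arg in parts[1:]:
                if not EXPOSE_ARG.match(arg):
                    findings.append(f"line {lineno}: EXPOSE argument {arg!r} is not a port; "
                                    "EXPOSE lists ports ('EXPOSE 80 443'), publishing is "
                                    "done with -p at run time")
        elif parts[0].upper() == "RUN" and re.search(r"chmod\s+(-R\s+)?777\b", line):
            findings.append(f"line {lineno}: chmod 777 makes the web root world-writable; "
                            "nginx only needs read access (755 dirs / 644 files)")
    return findings

if __name__ == "__main__":
    for finding in lint_nginx(BROKEN_CONF) + lint_dockerfile(DOCKERFILE):
        print(finding)
```

Run it against the conf.d file before `docker build`; `lint_nginx` only inspects directives inside each server block, so certificates inherited from the `http` block would have to be checked separately.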

Related

Vultr Docker Setup With SSL

I'm trying to spin up a dockerized website (React JS) being hosted on my Vultr server. I used the one click install feature that Vultr provides to install Docker (Ubuntu 20.04).
I can get my website started with HTTP and a port number 8080. But what I'm looking to accomplish are the following:
How to add SSL to my website with docker (since my website is dockerized).
PS: I already have a domain name.
How to get rid of the port number as it doesn't look very professional.
For number 2, I did try adding a reverse proxy but I'm not sure if I did it correctly.
Also, not sure if this was the right approach, but I did install letsencrypt in my host Vultr machine (nginx was needed too for some reason). I navigated to my domain name and sure enough I do see my website secured (https) with the "Welcome to Nginx" landing page. But again, is this the correct way? If so, how do I display my react website secured instead of the default "Welcome to Nginx" landing page?
Or should I have not installed nginx or letsencrypt in the host machine?
As you can see, I'm an absolute beginner in docker!
This is my Dockerfile-prod
FROM node as build
WORKDIR /usr/src/app
COPY package*.json ./
RUN yarn cache clean && yarn --update-checksums
COPY . ./
RUN yarn && yarn build
# Stage - Production
FROM nginx
COPY --from=build /usr/src/app/build /usr/share/nginx/html
EXPOSE 80 443
#Make sites-available directory
RUN mkdir "etc/nginx/sites-available"
#Make sites-enabled directory
RUN mkdir "etc/nginx/sites-enabled"
# add nginx live config
ADD config/*****.com /etc/nginx/sites-available/*****.com
# create symlinks
RUN ln -s /etc/nginx/sites-available/*****.com /etc/nginx/sites-enabled/*****
# make certs dir as volume
VOLUME ["/etc/letsencrypt"]
CMD ["nginx", "-g", "daemon off;"]
I have two configuration files. PS: I was trying to follow this guy's repo.
I feel like everything is there in front of me to get it to work, but I just can't figure it out. If you guys can help me out, I'd really appreciate it! Thanks in advance!
config 1 *****-live.com
server {
listen 80;
listen [::]:80;
server_name *****.com www.*****.com;
location ~ /.well-known/acme-challenge {
allow all;
root /var/www/html;
}
}
server {
listen 443 ssl;
server_name *****.com www.*****.com;
ssl_certificate /etc/letsencrypt/live/*****.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/*****.com/privkey.pem;
location / {
proxy_pass http://172.17.0.2:8080;
}
}
config 2 *****-staging.com
server {
listen 80;
listen [::]:80;
server_name *****.com www.*****.com;
location ~ /.well-known/acme-challenge {
allow all;
root /var/www/html;
}
}
This is my host machine directory to letsencrypt/live

Enable Docker port access only with Nginx reverse proxy

I have a Docker container on port 8081 running on Centos7, and a reverse proxy with Nginx.
My domain has a LetsEncrypt SSL certificate installed and it works well when I access "https://my.example.com"; it redirects me to my 8081 Docker container.
But when I access "http://my.example.com:8081", I can still reach my Docker application... I don't want to enable this... I don't want to enable any http access.
I want to reach 8081 only through the Nginx reverse proxy (which forces me to https)... I think it may be some configuration in my iptables, but I don't have experience with it.
Can someone help me?
Thanks!
This is my conf.d file in Nginx
server {
server_name my.example.com;
location / {
proxy_pass http://localhost:8081;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/my.example.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/my.example.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = my.example.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name my.example.com;
return 404; # managed by Certbot
}
iptables does not understand the difference between HTTP and HTTPS; it understands only IP, ports and MAC levels. If you try to block port 8081 with iptables, even your https connection will be dropped or rejected, depending on your choice.
If your docker container is accessible from the outside without passing through the reverse proxy, it is a container configuration issue; or, if your nginx reverse proxy lets through http packets, then it is an nginx configuration issue. I think we need more details from your side.
I have resolved this issue using the firewall application from my hosting provider (Vultr).
There, I left 8081 only for local access, so now it's not possible to access this without passing through the Nginx reverse proxy!
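Two mechanics explain why port 8081 stayed reachable from outside: `-p 8081:8081` binds the host side to 0.0.0.0 (every interface), and Docker programs its own iptables chains for published ports, so rules added through ufw or firewalld usually do not cover them. Restricting the mapping to loopback (`-p 127.0.0.1:8081:8081`) keeps the backend reachable by the nginx proxy on the same host and by nothing else, which is the container-side equivalent of what the hosting firewall did. The audit below is an added example (not from the thread) that reads `NetworkSettings.Ports` from `docker inspect` output, with a constructed sample, and flags proxied ports published on a wildcard address.

```python
"""Audit published container ports from `docker inspect` output and flag
backend ports that accept traffic on every interface.  Added example, not
code from the thread; SAMPLE_INSPECT is constructed in the shape of
`docker inspect <container>` (only the NetworkSettings.Ports part matters)."""
import json

# Constructed: what a container started with `docker run -p 8081:8081 ...`
# reports; 9000/tcp is EXPOSEd by the image but not published (null).
SAMPLE_INSPECT = json.dumps([{
    "Name": "/app",
    "NetworkSettings": {
        "Ports": {
            "8081/tcp": [{"HostIp": "0.0.0.0", "HostPort": "8081"},
                         {"HostIp": "::", "HostPort": "8081"}],
            "9000/tcp": None,
        }
    },
}])

WILDCARD_IPS = {"", "0.0.0.0", "::"}   # Docker's "all interfaces" bindings

def published_ports(inspect_json):
    """Return (container_port, host_ip, host_port) for every published binding."""
    out = []
    for container in json.loads(inspect_json):
        ports = container.get("NetworkSettings", {}).get("Ports") or {}
        for cport, bindings in ports.items():
            for b in bindings or []:           # None: exposed but not published
                out.append((cport, b.get("HostIp", ""), b.get("HostPort", "")))
    return out

def audit(inspect_json, proxied_ports):
    """Findings for proxied backend ports (e.g. {"8081"}) that are published on
    a wildcard address.  Docker programs its own iptables chains for these,
    so host firewall rules added with ufw/firewalld usually do not apply."""
    findings = []
    for cport, host_ip, host_port in published_ports(inspect_json):
        port = cport.split("/")[0]
        if port in proxied_ports and host_ip in WILDCARD_IPS:
            findings.append(
                f"{cport} published on {host_ip or '0.0.0.0'}:{host_port} is reachable "
                f"from outside, bypassing the reverse proxy; publish it as "
                f"-p 127.0.0.1:{host_port}:{port} so only the local nginx can reach it")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_INSPECT, {"8081"}):
        print(finding)
```

Feed it the real output with `docker inspect <name>` piped into the script; the `proxied_ports` set is whatever your nginx `proxy_pass` targets on this host.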

Configure HTTPS on nginx docker container which hosts angular app

I have my Dockerfile which deploys an angular app on an nginx docker container. I need to make it work with https, and I am creating the default-ssl.conf and copying it to the container. Currently I want it to work with localhost and we do not have any domain. Please advise if there is any way to have https working with localhost to use the deployed app on the nginx docker container. Thanks!
1st Dockerfile:
FROM nginx
COPY /meg /usr/share/nginx/html
ADD server.crt /etc/nginx/certs/
ADD server.key /etc/nginx/certs/
COPY default-ssl.conf /etc/nginx/conf.d/default-ssl.conf
COPY nginx.conf /etc/nginx/conf.d/nginx.conf
RUN ls /etc/nginx/certs/
COPY /Home /usr/share/nginx/html
2nd Dockerfile:
FROM nginx
ADD server.crt /etc/nginx/certs/
ADD server.key /etc/nginx/certs/
COPY nginx.conf /etc/nginx/conf.d/nginx.conf
RUN ls /etc/nginx/certs/
nginx.conf
server {
listen 443 ssl;
server_name localhost;
ssl_certificate /etc/nginx/certs/server.crt;
ssl_certificate_key /etc/nginx/certs/server.key;
location / {
proxy_pass http://localhost:8081/;
error_log /var/log/front_end_errors.log;
}
}
Two containers will be built using the above Dockerfiles.

Docker nginx connection refused (port 80 and 443) when using corporate signed certificate

I am running nginx as a reverse proxy in a docker environment.
The following is the Dockerfile used to create the instance.
FROM nginx:1.18.0
ENV https_proxy=http://someproxy.nt.gov.au:8080
ENV http_proxy=http://someproxy.nt.gov.au:8080
RUN env
COPY nginx.conf /etc/nginx/nginx.conf
COPY server-chain.cert /etc/nginx/server.cert
COPY server-chain.key /etc/nginx/server.key
COPY /html /usr/share/nginx/html
RUN echo 'alias ll="ls -la"' >> ~/.bashrc
EXPOSE 80
EXPOSE 443
STOPSIGNAL SIGQUIT
CMD ["nginx", "-g", "daemon off;"]
The following is the upstream directive and the server {} section of the nginx.conf file; the rest is default.
upstream cics-liberty {
server some-app-server:3000 ;
}
and
server {
listen 80;
listen 443 ssl;
listen [::]:80;
server_name localhost;
ssl_certificate server.cert;
ssl_certificate_key server.key;
#charset koi8-r;
#access_log /var/log/nginx/host.access.log main;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
location /offtocics/ {
proxy_pass http://cics-liberty ;
}
location /barcode/ {
proxy_pass http://cics-liberty ;
}
location /birt_wlp_s1/ {
proxy_pass http://cics-liberty ;
}
location /scope2/ {
proxy_pass http://cics-liberty ;
}
...
}
The docker command to instantiate the server is
docker run -it --name webserver -d -p 8047:80 -p 8046:443 webserver:0.1
I am running 2 of these instances, one using a self-signed certificate; the other has a certificate bundle signed by our corporate CA.
The server using the self-signed certificate behaves as expected.
The server using the certificates signed by the corporate CA refuses connections on both the http and the https ports.
The logging output from both is the same, other than the server refusing connections has nothing in the access log. It looks like it is being refused even before it gets to the webserver.
The docker environment does not have any firewalls in its internal virtual network.
I have rebuilt the failing webserver with the self-signed certificates and it works as expected.
This was a configuration error on my part.
I reformatted the certificate bundle from PKCS7 to PEM format; however, I did not decrypt the associated private key.
Once I installed the decrypted version of the private key, all OK.
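The failure mode here is worth stating precisely: nginx loads every `ssl_certificate` and `ssl_certificate_key` when it starts, so a key it cannot read (a passphrase-protected PEM with no `ssl_password_file`, or a bundle still in PKCS#7 form) stops the whole process, and connections to port 80 are refused along with 443; `docker logs` on the failing container shows the startup error. The preflight check below is an added example (mine, not the asker's or nginx's code) that inspects PEM text for exactly those two conditions before the files are copied into an image. The headers in the samples are real PEM labels; the bodies are constructed placeholders.

```python
"""Preflight check for PEM material before it is copied into an nginx image.
Added example, not the asker's or nginx's code.  It spots the two problems
described above: a bundle still in PKCS#7 form and a private key that is
still passphrase-protected.  nginx loads every certificate and key at
startup, so one unloadable key stops the whole process (all ports)."""
import re

# Constructed samples: the headers are real PEM labels, the bodies are
# placeholders, not real key or certificate material.
ENCRYPTED_RSA_KEY = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF

cGxhY2Vob2xkZXIsIG5vdCBhIHJlYWwga2V5
-----END RSA PRIVATE KEY-----
"""
PKCS7_BUNDLE = """-----BEGIN PKCS7-----
cGxhY2Vob2xkZXI=
-----END PKCS7-----
"""
PEM_CHAIN = """-----BEGIN CERTIFICATE-----
cGxhY2Vob2xkZXI=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
cGxhY2Vob2xkZXI=
-----END CERTIFICATE-----
"""
PLAIN_KEY = """-----BEGIN PRIVATE KEY-----
cGxhY2Vob2xkZXI=
-----END PRIVATE KEY-----
"""

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)-----END \1-----", re.S)

def inspect_pem(text):
    """Report what a PEM file contains and anything nginx will choke on."""
    report = {"certificates": 0, "key": None, "key_encrypted": False, "problems": []}
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        report["problems"].append("no PEM blocks found (DER or PKCS#12? convert with openssl first)")
    for label, body in blocks:
        if label == "CERTIFICATE":
            report["certificates"] += 1
        elif label == "PKCS7":
            report["problems"].append(
                "PKCS#7 bundle: nginx cannot load it; extract the chain with "
                "`openssl pkcs7 -print_certs -in bundle.p7b -out chain.pem`")
        elif label == "ENCRYPTED PRIVATE KEY":               # PKCS#8, encrypted
            report["key"], report["key_encrypted"] = label, True
        elif label.endswith("PRIVATE KEY"):                   # PKCS#8 plain or traditional
            report["key"] = label
            if "Proc-Type: 4,ENCRYPTED" in body:              # traditional (RSA/EC) encrypted
                report["key_encrypted"] = True
        else:
            report["problems"].append(f"unexpected PEM block {label!r}")
    if report["key_encrypted"]:
        report["problems"].append(
            "private key is passphrase-protected: nginx cannot start unattended unless "
            "ssl_password_file is set; decrypt it with `openssl pkey -in enc.key -out server.key`")
    return report

if __name__ == "__main__":
    for name, pem in [("bundle", PKCS7_BUNDLE), ("key", ENCRYPTED_RSA_KEY)]:
        print(name, inspect_pem(pem)["problems"])
```

A decrypted key in an image layer is readable by anyone who can pull the image, so for anything beyond a lab setup mount the key at run time (a volume or an orchestrator secret, as the first answer on this page suggests) rather than `COPY`ing it.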

Deploy static website on port 5000 with docker and nginx

I try to deploy a simple static index.html and style.css website with docker.
server {
#root /var/www/html;
# Add index.php to the list if you are using PHP
#index index.html index.htm index.nginx-debian.html;
server_name data-mastery.com; # managed by Certbot
location /blog {
proxy_pass http://127.0.0.1:5000;
}
listen 443 ssl; # managed by Certbot
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_certificate /etc/letsencrypt/live/data-mastery.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/data-mastery.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = data-mastery.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80 ;
listen [::]:80 ;
server_name data-mastery.com;
return 404; # managed by Certbot
}
This is my simple Dockerfile:
FROM nginx:alpine
COPY . /usr/share/nginx/html
I started the container with the following command:
sudo docker run -p 5000:5000 blog
I am not sure what this line means when I run docker ps:
80/tcp, 0.0.0.0:5000->5000/tcp
Is everything correct here or not?
How can I make it run on port 5000?
Thank you!
Updated answer:
Your use case is addressed in the nginx docker image documentation, so I'll paraphrase it.
$ docker run --name my-blog -v /path/to/your/static/content/:/usr/share/nginx/html:ro -d nginx
Alternatively, a simple Dockerfile can be used to generate a new image that includes the necessary content (which is a much cleaner solution than the bind mount above):
FROM nginx
COPY . /usr/share/nginx/html
Place this file in the same directory as your directory of content, run docker build -t my-blog ., then start your container:
$ docker run --name my-blog -d my-blog
Exposing an external port:
$ docker run --name some-nginx -d -p 8080:80 some-content-nginx
Then you can hit http://localhost:8080 or http://host-ip:8080 in your browser.
Initial answer:
You should try something like:
sudo docker run -p 80:5000 blog
docker will proxy connections to localhost:5000 to your_container:80;
on your_container:80 nginx is listening and will proxy to your_container:5000 where your blog is answering.
I hope that helps.
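The `docker ps` line `80/tcp, 0.0.0.0:5000->5000/tcp` reads as: port 80 is exposed by the image but not published, and host port 5000 on every interface is forwarded to container port 5000, where nothing listens because the nginx:alpine default config listens on 80. `-p host:container` is the order Docker uses, so `-p 5000:80` is the mapping that puts the site on host port 5000. The parser below is an added example (not from the thread) that decodes that column and a `-p` spec into the same structure and checks the container side against the ports nginx listens on; the sample strings are constructed.

```python
"""Decode a `docker ps` PORTS column or a `-p` spec and check the container
side against the ports nginx listens on.  Added example, not from the
thread; the sample strings are constructed."""
import re

# "0.0.0.0:5000->5000/tcp", "[::]:5000->5000/tcp" and ":::5000->5000/tcp"
PUBLISHED = re.compile(
    r"^(?P<host_ip>\[[^\]]+\]|::|[^:]+):(?P<host_port>\d+)->(?P<cport>\d+)/(?P<proto>\w+)$")
# "80/tcp": EXPOSEd by the image, not published on the host
EXPOSED = re.compile(r"^(?P<cport>\d+)/(?P<proto>\w+)$")

def parse_ports_column(column):
    """Turn '80/tcp, 0.0.0.0:5000->5000/tcp' into a list of mapping dicts;
    host_ip/host_port are None for ports that are exposed but not published."""
    entries = []
    for item in (s.strip() for s in column.split(",") if s.strip()):
        m = PUBLISHED.match(item)
        if m:
            entries.append({"container_port": int(m["cport"]), "proto": m["proto"],
                            "host_ip": m["host_ip"], "host_port": int(m["host_port"])})
            continue
        m = EXPOSED.match(item)
        if m:
            entries.append({"container_port": int(m["cport"]), "proto": m["proto"],
                            "host_ip": None, "host_port": None})
            continue
        raise ValueError(f"unrecognised PORTS entry: {item!r}")
    return entries

def parse_publish_spec(spec):
    """Parse a `-p [host_ip:]host_port:container_port[/proto]` argument into
    the same dict shape: the host side comes first, the container side last."""
    ports, _, proto = spec.partition("/")
    parts = ports.rsplit(":", 2)
    if len(parts) == 2:
        host_ip, host_port, cport = None, parts[0], parts[1]
    elif len(parts) == 3:
        host_ip, host_port, cport = parts
    else:
        raise ValueError(f"bad publish spec: {spec!r}")
    return {"container_port": int(cport), "proto": proto or "tcp",
            "host_ip": host_ip, "host_port": int(host_port)}

def check_publish(entries, listen_ports):
    """Findings for published mappings whose container port nothing listens on."""
    findings = []
    published = [e for e in entries if e["host_port"] is not None]
    if not published:
        findings.append("no port published: the site is only reachable on the docker network")
    for e in published:
        if e["container_port"] not in listen_ports:
            findings.append(
                f"host {e['host_ip'] or '0.0.0.0'}:{e['host_port']} -> container "
                f"{e['container_port']}: nothing listens there; nginx listens on "
                f"{sorted(listen_ports)}, so publish -p {e['host_port']}:{min(listen_ports)} instead")
    return findings

if __name__ == "__main__":
    NGINX_LISTEN = {80}   # nginx:alpine default config
    print(check_publish(parse_ports_column("80/tcp, 0.0.0.0:5000->5000/tcp"), NGINX_LISTEN))
    print(check_publish([parse_publish_spec("5000:80")], NGINX_LISTEN))   # []
```

If the host also runs the Certbot-managed nginx shown above, the `-p` host side should be loopback (`-p 127.0.0.1:5000:80`) so that only the host proxy, not the internet, reaches the container directly.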
