Connection refused when trying to use Nginx Docker reverse proxy - docker

I am trying to set up an Nginx Docker reverse proxy with a single container and am getting connection refused. See attachment for the error (results of browsing to https://IPAddressofServer).
I am getting the following error in the logs:
2021/10/21 17:41:00 [warn] 19199#19199: conflicting server name "" on 0.0.0.0:443, ignored
Can anyone assist with this issue?
OS is Ubuntu 20 running on an Azure VM
Here is my .conf configuration within /etc/nginx/sites-enabled:
server {
    listen 443 ssl;
    server_name DNSNameofServer;
    ssl_certificate /etc/ssl/certs/ChainedCertName.pem;
    ssl_certificate_key /etc/ssl/certs/KeyFileName.key-plain.key;
    ssl_protocols TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    location / {
        proxy_pass http://DNSNameofServer:8088;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
    }
}
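As an added example (not code from the question or from nginx itself): nginx emits the warning quoted above when two server blocks it has loaded share a listen socket and a server_name, and "" is the name of a block that declares no server_name at all, so the two blocks involved are not the named one shown here but, for instance, a duplicated nameless default site on 443. This small Python checker, with its own hypothetical function names and a constructed sample config, reproduces that layout, reports the conflicting (socket, name) pair, and also flags blocks that still enable TLS 1.0/1.1, as several of the related configs further down do. It reads one flattened string and does not follow include directives.

```python
import re
from collections import defaultdict

TOKEN = re.compile(r'[{};]|"[^"]*"|[^\s{};]+')   # braces, ';', quoted, bare words
LEGACY_TLS = {"SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample: two nameless blocks on 443 (the layout behind the warning
# 'conflicting server name "" on 0.0.0.0:443') plus one block with old TLS versions.
SAMPLE = """
server { listen 443 ssl; location / { proxy_pass http://127.0.0.1:8088; } }
server { listen 443 ssl; ssl_protocols TLSv1.2; }      # a duplicated default block
server { listen [::]:443 ssl; server_name legacy.example.test;
         ssl_protocols TLSv1 TLSv1.1 TLSv1.2; }
"""

def parse_servers(conf):
    """One dict per server{} block: directive -> argument lists (top level only)."""
    servers, cur, depth, stmt = [], None, 0, []
    for tok in TOKEN.findall(re.sub(r"#.*", "", conf)):   # strip '#' comments first
        if tok == "{" and cur is None and stmt[:1] == ["server"]:
            cur, depth = defaultdict(list), 0
        elif tok == "{" and cur is not None:
            depth += 1                                   # nested location{} etc.
        elif tok == "}" and cur is not None and depth:
            depth -= 1
        elif tok == "}" and cur is not None:
            servers.append(dict(cur))
            cur = None
        elif tok == ";" and cur is not None and depth == 0 and stmt:
            cur[stmt[0]].append(stmt[1:])
        stmt = [] if tok in ("{", "}", ";") else stmt + [tok]
    return servers

def find_conflicts(servers):
    """(socket, name) pairs claimed by more than one block; a block with no
    server_name has the empty name "", which is what nginx's warning prints."""
    seen = defaultdict(int)
    for srv in servers:
        names = [n for a in srv.get("server_name", [[""]]) for n in a] or [""]
        for (addr, *_) in srv.get("listen", [["80"]]):
            sock = f"0.0.0.0:{addr}" if addr.isdigit() else addr   # bare port = all IPv4
            for name in names:
                seen[(sock, name)] += 1
    return sorted(k for k, n in seen.items() if n > 1)

def find_legacy_tls(servers):
    """server_name of each block whose ssl_protocols still allows SSLv3/TLS 1.0/1.1."""
    return [" ".join(srv.get("server_name", [[""]])[0]) for srv in servers
            if LEGACY_TLS & {p for a in srv.get("ssl_protocols", []) for p in a}]
```

Running `find_conflicts(parse_servers(open("/etc/nginx/nginx.conf").read()))` against a config with all site files pasted in reproduces the pair nginx complained about.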

Related

Nginx use fallback upstream server if default server is not reachable

I am currently working on an Nginx config to group some of my docker containers into subdomains. Some of these containers are not running permanently and prevent nginx from starting (with the error host not found in upstream "somecontainer:5000" in /etc/nginx/conf.d/default.conf:48) because the host defined in the upstream is not reachable. Is there a way to set a fallback upstream server in case the first one is not running?
The config currently looks like this:
upstream somecontainer {
    server somecontainer:5000;
    # here i need something like: if host is unreachable
    # server fallbackserver:5000
}
server {
    listen 443 ssl http2;
    server_name some.subdomain.com;
    root /public_html/;
    client_max_body_size 16384m;
    ssl on;
    server_tokens off;
    ssl_certificate sslstuff;
    ssl_certificate_key sslstuff;
    ssl_buffer_size 8k;
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
    location / {
        proxy_pass http://somecontainer;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 900;
    }
}
Unfortunately, it's because of Nginx's design.
You can use a variable in proxy_pass, which will be resolved at runtime, so there is no such error on nginx load:
set $destination_host somecontainer;
proxy_pass http://$destination_host:5000;
But the disadvantage of the solution above is that you cannot leverage nginx upstream features such as specifying a load balancing algorithm or weighted balancing.
Additionally, you have to patch nginx if you need both upstream and dynamic service initialization. I have a patch which changes that Nginx design; it was discussed here and I have been using it in a production environment for a while. You can check it out if patching is not a problem for you: https://github.com/ZigzagAK/ngx_dynamic_upstream/issues/8#issuecomment-814702336

How to set the right Nginx reverse proxy configuration in docker

I deployed an Nginx reverse proxy in docker, and it belongs to the bridge network using 172.16.10.0/24. I have another web app in docker which is in a different bridge network, 172.16.20.0/24. In order to let the Nginx reverse proxy connect to the web app, I have set the Nginx reverse proxy to join 172.16.20.0/24 as well.
My web app is hosted at http://localhost:8899, and I have bound host:8899 --> container:80. What I want is: when someone visits https://mydomain, the reverse proxy should pass the request to http://localhost:8899.
My nginx config is as follows:
server {
    listen 80;
    listen [::]:80;
    server_name mydomain;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name mydomain;
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;
    ssl_certificate /ssl/my_domain_cert.pem;
    ssl_certificate_key /ssl/my_domain.key;
    location / {
        proxy_set_header Host $host;
        proxy_set_header Cookie $http_cookie;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Host $host;
        proxy_pass http://localhost:8899;
        proxy_read_timeout 90;
    }
}
However, when I connect to https://mydomain, the error is SSL handshake failed (Error code 525). How should I fix the problem?
The 525 HTTP error means there is no valid SSL certificate installed.
The nginx conf is searching for the SSL certificate files in these locations:
ssl_certificate /ssl/my_domain_cert.pem;
ssl_certificate_key /ssl/my_domain.key;
Unless you created an SSL certificate in your Dockerfile, or created one before and put it in these locations, you have to MANUALLY create an SSL certificate.
How to create a key and pem file:
https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-nginx-on-centos-7
How to get .pem file from .key and .crt files?

Gitlab registry behind reverse proxy error parsing HTTP 404 response body: unexpected end of JSON input: ""

I am trying to set up a home GitLab + GitLab container registry (VM Ubuntu omnibus install) behind an Nginx reverse proxy (Win10):
I took the Nginx config from here: https://gitlab.com/gitlab-org/gitlab-recipes/-/tree/master/web-server/nginx
server {
    listen 443 ssl;
    listen 5050 ssl;
    #listen [::]:443 ipv6only=on ssl;
    server_name my-gitlab.org; ## Replace this with something like gitlab.example.com
    server_tokens off; ## Don't show the nginx version number, a security best practice
    root /opt/gitlab/embedded/service/gitlab-rails/public;
    ssl_certificate /nginx-1.18.0/my-gitlab.crt;
    ssl_certificate_key /nginx-1.18.0/my-gitlab.key;
    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;
    location / {
        client_max_body_size 0;
        gzip off;
        proxy_cache off;
        proxy_read_timeout 300;
        proxy_connect_timeout 300;
        proxy_redirect off;
        proxy_http_version 1.1;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Ssl on;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass https://my-gitlab-IP;
    }
}
Opening GitLab on 433 works, as does Docker login on 5050, but when I try to push to or pull from the container registry:
Error response from daemon: error parsing HTTP 404 response body: unexpected end of JSON input: ""
I tried many suggestions changing the GitLab.rb file, but none work. Without the Nginx reverse proxying, Docker push/pull works, so I am pretty sure it's something in my Nginx config that is missing, but I'm not sure what.
Can anyone help?
It appears I needed a separate server block for the registry:
server {
    listen 5005 ssl;
    server_name my-ip:5005;
    ssl_certificate /nginx-1.18.0/my-ip.crt;
    ssl_certificate_key /nginx-1.18.0/my-ip.key;
    location / {
        client_max_body_size 0;
        proxy_pass https://my-ip:5005;
    }
}
I reverted back to the default GitLab registry port.

Native Nginx reverse proxy to Docker container with Letsencrypt

I have an Ubuntu 18.0.4 LTS box with nginx installed and configured as a reverse proxy:
/etc/nginx/sites-enabled/default:
server {
    server_name example.com;
    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_pass http://0.0.0.0:3000;
    }
}
I have a website running in a docker container listening on port 3000. With this configuration, if I browse to http://example.com I see the site.
I've then installed LetsEncrypt using the standard install from their website, then I run sudo certbot --nginx and follow the instructions to enable https for mydomain.com.
Now my /etc/nginx/sites-enabled/default looks like this and I'm unable to load the site on both https://example.com and http://example.com:
server {
    server_name example.com;
    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_pass http://0.0.0.0:3000;
    }
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
Any ideas?
I figured it out. The problem wasn't with my nginx/letsencrypt config; it was a networking issue at the provider level (Azure).
I noticed the Network Security Group only allowed traffic on port 80. The solution was to add a rule for 443.
After adding this rule everything now works as expected.

Trying to Get SSL Up with Docker Nginx and Certbot

I have hit this roadblock where I am not able to get the SSL certificates from Let's Encrypt.
I am using Nginx and Certbot and am trying to get SSL running for my site with a Node backend.
I tried to follow this post, as my knowledge is limited. Any help or pointers would be highly appreciated.
https://medium.com/#pentacent/nginx-and-lets-encrypt-with-docker-in-less-than-5-minutes-b4b8a60d3a71
As the post mentions, I first try to run the script to get a dummy certificate. I have modified the script to point to my domain.
But I get this error:
Failed authorization procedure. example.org (http-01):
urn:ietf:params:acme:error:connection :: The server could not connect
to the client to verify the domain :: Fetching
http://example.org/.well-known/acme-challenge/Jca_rbXSDHEmXz8-y3bKKckD8g0lsuoQJgAxeSEz5Jo:
Connection refused
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: example.org Type: connection Detail: Fetching
http://example.org/.well-known/acme-challenge/Jca_rbXSDHEmXz8-y3bKKckD8g0lsuoQJgAxeSEz5Jo:
Connection refused
This is my nginx configuration:
upstream app {
    server app:3000;
}
server {
    listen 80;
    server_name example.org;
    location / {
        proxy_pass http://app/;
    }
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }
    # location /api/ {
    #     proxy_pass http://app/;
    #     proxy_redirect off;
    #     proxy_set_header Host $host;
    #     proxy_set_header X-Real-IP $remote_addr;
    #     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    #     proxy_set_header X-Forwarded-Host $server_name;
    # }
}
server {
    listen 443 ssl;
    server_name example.org;
    ssl_certificate /etc/letsencrypt/live/example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    location / {
        proxy_pass http://example.org; #for demo purposes
    }
}