Develop Reference

How to set https to one nginx and one docker nginx on one server

I have one nginx and one docker nginx on one server.
I already setup a Https server (port is 80) at one nginx success,
I open https://subdomain1.domain, it will show web page success.
but I setup docker nginx https (port is 8080) fail.
I open https://subdomain2.domain:8080, it will show error below.
This site can’t provide a secure connection
subdomain2.domain sent an invalid response.
Try running Windows Network Diagnostics.
ERR_SSL_PROTOCOL_ERROR
This is my docker process information.
root#server:~/# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
c798c72861fa 13b3 "/bin/bash /app/dock…" 13 days ago Up 16 minutes 443/tcp, 8000/tcp, 0.0.0.0:8080->8080/tcp nginx
And I have 4 nginx conf, I don't know how to adjust nginx conf to make docker https work.
in host /usr/local/nginx/conf/nginx.conf below.
user www www;
worker_processes auto;
worker_cpu_affinity auto;
error_log /home/wwwlogs/nginx_error.log crit;
pid /usr/local/nginx/logs/nginx.pid;
#Specifies the value for maximum file descriptors that can be opened by this process.
worker_rlimit_nofile 51200;
events
{
use epoll;
worker_connections 51200;
multi_accept off;
accept_mutex off;
}
http
{
include mime.types;
default_type application/octet-stream;
server_names_hash_bucket_size 128;
client_header_buffer_size 32k;
large_client_header_buffers 4 32k;
client_max_body_size 50m;
sendfile on;
sendfile_max_chunk 512k;
tcp_nopush on;
keepalive_timeout 60;
tcp_nodelay on;
fastcgi_connect_timeout 300;
fastcgi_send_timeout 300;
fastcgi_read_timeout 300;
fastcgi_buffer_size 64k;
fastcgi_buffers 4 64k;
fastcgi_busy_buffers_size 128k;
fastcgi_temp_file_write_size 256k;
gzip on;
gzip_min_length 1k;
gzip_buffers 4 16k;
gzip_http_version 1.1;
gzip_comp_level 2;
gzip_types text/plain application/javascript application/x-javascript text/javascript text/css application/xml application/xml+rss;
gzip_vary on;
gzip_proxied expired no-cache no-store private auth;
gzip_disable "MSIE [1-6]\.";
#limit_conn_zone $binary_remote_addr zone=perip:10m;
##If enable limit_conn_zone,add "limit_conn perip 10;" to server section.
server_tokens off;
access_log off;
include vhost/*.conf;
}
in host /usr/local/nginx/conf/vhost/subdomain1.domain.conf
server {
listen 80 default;
server_name _;
index index.php index.html index.htm;
return 301;
}
server {
listen 443 default ssl http2;
server_name _;
index index.php index.html index.htm;
ssl_certificate /usr/local/nginx/conf/vhost/server.crt;
ssl_certificate_key /usr/local/nginx/conf/vhost/server.key;
return 302;
}
server {
listen 443 ssl http2;
server_name subdomain1.domain;
ssl_certificate /usr/local/nginx/conf/vhost/server.crt;
ssl_certificate_key /usr/local/nginx/conf/vhost/server.key;
index index.html index.htm index.php default.html default.htm default.php;
root /home/wwwroot/default/[project name]/backstage;
include rewrite/other.conf;
include enable-php-pathinfo.conf;
location / {
try_files $uri $uri/ /index.php?$query_string;
}
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ {
expires 30d;
}
location ~ .*\.(js|css)?$ {
expires 12h;
}
location ~ /.well-known {
allow all;
}
location ~ /\. {
deny all;
}
access_log /home/wwwlogs/www.xxxx.com.log;
error_log /home/wwwlogs/www.xxxx.error.log;
}
in docker /etc/nginx/conf.d/[appName].conf
server {
gzip on;
gzip_min_length 1k;
gzip_buffers 4 16k;
gzip_comp_level 2;
gzip_types text/plain application/javascript application/x-javascript text/css application/xml text/javascript application/x-httpd-php image/jpeg image/gif image/png;
gzip_vary off;
gzip_disable "MSIE [1-6]\.";
client_max_body_size 200m;
root /app/dist;
index index.html;
location /api/ {
rewrite /api/(.*) /$1 break;
proxy_pass https://localhost:8000/;
}
listen 443 ssl http2;
server_name subdomain2.domain;
ssl_certificate /app/nginx/server.crt;
ssl_certificate_key /app/nginx/server.key;
#enable ssl
ssl on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";
}
in docker /app/nginx/[appName].conf
server {
gzip on;
gzip_min_length 1k;
gzip_buffers 4 16k;
gzip_comp_level 2;
gzip_types text/plain application/javascript application/x-javascript text/css application/xml text/javascript application/x-httpd-php image/jpeg image/gif image/png;
gzip_vary off;
gzip_disable "MSIE [1-6]\.";
client_max_body_size 200m;
root /app/dist;
index index.html;
location /api/ {
rewrite /api/(.*) /$1 break;
proxy_pass https://localhost:8000/;
}
listen 443 ssl http2;
server_name subdomain2.domain;
ssl_certificate /app/nginx/server.crt;
ssl_certificate_key /app/nginx/server.key;
#enable ssl
ssl on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";
;
}
server {
listen 8080 ;
server_name subdomain2.domain;
return 308 https://$server_name$request_uri;
}
How to fix subdomain2.domain https setup?

You should:
Stop nginx service in host
Build new container nginx again and expose port 443 to the host.
docker run -d --name containter_name -p 8080:443 image
then access: https://subdomain2.domain:8080
You should copy ssl_certificate and key to the container

nginx redirect for urls without trailing slash doesn't work in docker when not using default port 80

Here is a website based on gatsby.
When running with -p 80:80, it's accessible to http://localhost/docs/infrastructure/components, which has no trailing slash.
docker run -itd -p 80:80 --env-file env.list --name docs.kubesphere.io kubesphere/docs.kubesphere.io:v2.1
When running with -p 81:80, it's not accessible to http://localhost:81/docs/infrastructure/components. The browser received a redirect to http://localhost/docs/infrastructure/components/, not http://localhost:81/docs/infrastructure/components/.
docker run -itd -p 81:80 --env-file env.list --name docs.kubesphere.io kubesphere/docs.kubesphere.io:v2.1
nginx conf is as follows:
daemon off;
worker_processes 1;
user root;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
keepalive_timeout 15;
autoindex off;
server_tokens off;
port_in_redirect off;
sendfile off;
tcp_nopush on;
tcp_nodelay on;
client_max_body_size 64k;
client_header_buffer_size 16k;
large_client_header_buffers 4 16k;
## Cache open FD
open_file_cache max=10000 inactive=3600s;
open_file_cache_valid 7200s;
open_file_cache_min_uses 2;
## Gzipping is an easy way to reduce page weight
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_types application/javascript application/x-javascript application/rss+xml text/javascript text/css image/svg+xml;
gzip_buffers 16 8k;
gzip_comp_level 6;
access_log /dev/stdout;
error_log /dev/stderr error;
server {
listen 80;
root /pub;
index index.html;
autoindex off;
charset utf-8;
error_page 404 /404.html;
location ~* \.(html)$ {
add_header Cache-Control "no-store";
expires off;
}
location ~* \.(ico|jpg|jpeg|png|gif|svg|js|jsx|css|less|swf|eot|ttf|otf|woff|woff2)$ {
add_header Cache-Control "public";
expires +1y;
}
rewrite ^([^.]*[^/])$ $1/ permanent;
try_files $uri $uri/ $uri/index.html =404;
}
}
Without rewrite ^([^.]*[^/])$ $1/ permanent;, the browser still can reveive 301 Moved Permanently (from disk cache) and then appended a trailing slash when using -p 80:80. Changing to -p 81:81 found some pages can receive 81 port in its response header, but some can't.
I'm wondering why the browser can recevie 301 status code?
Is it sent by nginx?
How can I verify it?

Nginx with Cloudflare: Error 525 SSL Handshake failed

I'm trying to deploy my nginx on docker container with Cloudflare.
docker-compose.yml
version: "3.5"
services:
nginx:
image: xxx/panel-nginx:VERSION
volumes:
- type: volume
source: panel_nginx_certs
target: /etc/nginx/certs
ports:
- target: 443
published: 443
protocol: tcp
mode: host
networks:
- panel_nginx
stop_grace_period: 1m
deploy:
replicas: 1
update_config:
parallelism: 1
delay: 180s
restart_policy:
condition: on-failure
networks:
panel_nginx:
external: true
volumes:
panel_nginx_certs:
external: true
nginx.conf
upstream panel-uwsgi {
server panel_app:8000;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name panel.xxx.com;
ssl_certificate /etc/nginx/certs/panel.pem;
ssl_certificate_key /etc/nginx/certs/panel.key;
location / {
include uwsgi_params;
uwsgi_pass panel-uwsgi;
}
# location /media/ {
# root /usr/share/nginx/html;
# try_files $uri $uri/;
# access_log off;
# expires 30d;
# }
location /static/ {
access_log off;
expires 30d;
}
location = /favicon.ico {
return 204;
access_log off;
log_not_found off;
}
# error_page 404 /404.html;
# error_page 500 502 503 504 /50x.html;
# location = /50x.html {
# root /usr/share/nginx/html;
# }
}
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305";
ssl_ecdh_curve secp384r1;
ssl_dhparam /etc/nginx/certs/dhparam.pem;
ssl_session_timeout 24h;
ssl_session_cache shared:SSL:12m;
ssl_session_tickets off;
ssl_stapling on;
ssl_trusted_certificate /etc/nginx/certs/cloudflare_origin_ecc.pem;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
server_names_hash_bucket_size 64;
ssl_client_certificate /etc/nginx/certs/cloudflare.crt;
ssl_verify_client on;
server_tokens off;
charset utf-8;
add_header X-Robots-Tag none;
add_header Warning 'This computer system including all related equipment, network devices (specifically including Internet access), are provided only for authorized use. Unauthorized use may subject you to criminal prosecution. By accessing this system, you have agreed to the term and condition of use and your actions will be monitored and recorded.';
Deploying with this config cause 525 Error: SSL handshake failed.
I have dedicated IP and NSI. I'm using chacha-poly ciphers. I'm publishing 443 port.
Any thoughts why i'm getting this error?
Thanks
Disclaimer: Stackoverflow, please remove the warning about too much code and not enough text. Thanks

In my case, replacing OpenSSL with LibreSSL solved the problem.

If the record is gray clouded (not proxied through Cloudflare) are you able to connect to the server using SSL? It's likely an issue on the origin server int he config, but eliminating Cloudflare at least temporarily makes troubleshooting easier.
You can also try curl -Ikv --resolve panel.backupner.com:443:your.ip.address https:://panel.backupner.com for additional details which may be helpful in troubleshooting.
Actually just checked... looks like your site is working now, if you figured out the root cause it would be helpful to post what the issue was. :)

can't create file from nginx to docker-gen

I'm using jwilder/nginx-proxy in order to have a project in my domain.tld and one in api.domain.tld. I followed this tutorial and I'm facing a problem with my custom default.conf. First I'm running the image from my project
docker container run -d --expose 80 --expose 443 -e VIRTUAL_HOST=domain.tld -e VIRTUAL_PORT=80,443 --name my_site my_site
then I'm running nginx-proxy:
docker run -d -p 80:80 -p 443:443 -v /home/myuser/docker_proxy.conf:/etc/nginx/conf.d/default.conf:ro -v /var/run/docker.sock:/tmp/docker.sock -v /etc/ssl/certs/dhparam.pem:/etc/ssl/certs/dhparam.pem -v /etc/letsencrypt:/etc/letsencrypt:rw -v /etc/nginx/snippets/fastcgi-php.conf:/etc/nginx/snippets/fastcgi-php.conf -v /etc/nginx/fastcgi.conf:/etc/nginx/fastcgi.conf --name proxy jwilder/nginx-proxy
but I'm receiving the below error:
WARNING: /etc/nginx/dhparam/dhparam.pem was not found. A pre-generated dhparam.pem will be used for now while a new one
is being generated in the background. Once the new dhparam.pem is in place, nginx will be reloaded.
forego | starting dockergen.1 on port 5000
forego | starting nginx.1 on port 5100
dockergen.1 | 2017/10/16 18:56:26 Unable to create dest file /etc/nginx/conf.d/default.conf: rename /etc/nginx/conf.d/docker-gen123335743 /etc/nginx/conf.d/default.conf: device or resource busy
forego | starting dockergen.1 on port 5100
forego | sending SIGTERM to nginx.1
forego | sending SIGTERM to dockergen.1
default.conf file:
# If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
# scheme used to connect to this server
map $http_x_forwarded_proto $proxy_x_forwarded_proto {
default $http_x_forwarded_proto;
'' $scheme;
}
# If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
# server port the client connected to
map $http_x_forwarded_port $proxy_x_forwarded_port {
default $http_x_forwarded_port;
'' $server_port;
}
# If we receive Upgrade, set Connection to "upgrade"; otherwise, delete any
# Connection header that may have been passed to this server
map $http_upgrade $proxy_connection {
default upgrade;
'' close;
}
# Apply fix for very long server names
server_names_hash_bucket_size 128;
# Default dhparam
ssl_dhparam /etc/ssl/certs/dhparam.pem;
# Set appropriate X-Forwarded-Ssl header
map $scheme $proxy_x_forwarded_ssl {
default off;
https on;
}
gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
log_format vhost '$host $remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent"';
access_log off;
resolver 168.63.129.16;
# HTTP 1.1 support
proxy_http_version 1.1;
proxy_buffering off;
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $proxy_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
# Mitigate httpoxy attack (see README for details)
proxy_set_header Proxy "";
server {
server_name _; # This is just an invalid value which will never trigger on a real hostname.
listen 80;
access_log /var/log/nginx/access.log vhost;
return 503;
}
# domain.tld
upstream domain.tld {
## Can be connect with "bridge" network
# my_site
server 172.17.0.3:80;
}
server {
server_name domain.tld;
server_name www.domain.tld;
listen 443;
root /var/www/public/;
index index.php index.html index.htm index.nginx-debian.html;
ssl_certificate /etc/letsencrypt/live/domain.tld/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/domain.tld/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-$";
ssl_session_cache shared:SSL:10m;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl on;
ssl_session_timeout 1d;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php5-fpm.sock;
}
location ~ \.php$ {
try_files $uri /index.php =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
access_log /var/log/nginx/access.log vhost;
location / {
try_files $uri $uri/ /index.php?$query_string;
proxy_pass http://domain.tld;
}
}
My main site is implemented in Laravel.
I'm a bit confused because I couldn't find any relative information neither in google nor in GitHub issues.
Is something wrong with my default.conf file or I didn't set the containers right?
Thank you.

The problem was the name of the config file. I replaced default.conf with my_proxy.conf and it worked.

How can I configure phusion passenger with nginx to support ssl in rails?

I followed the instructions here at DigitalOcean: https://www.digitalocean.com/community/tutorials/how-to-create-an-ssl-certificate-on-nginx-for-ubuntu-14-04
Here is my nginx.conf file... which does not seem to work.
events {
worker_connections 1024;
}
http {
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
keepalive_timeout 70;
server {
listen 80;
listen 443;
ssl on;
server_name localhost;
ssl_certificate /Users/sambit/Documents/Projects/SBOOKS/nginx.crt;
ssl_certificate_key /Users/sambit/Documents/Projects/SBOOKS/nginx.key;
# Extra protections
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
gzip on;
gzip_min_length 1000;
gzip_proxied expired no-cache no-store private auth;
gzip_types text/plain application/font-woff2 application/x-javascript text/css application/javascript text/javascript text/xml application/json application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype application/x-font-ttf application/xml font/eot font/opentype font/otf image/svg+xml;
# Tell Nginx and Passenger where your app's 'public' directory is
root /Users/sambit/Documents/Projects/SBOOKS/public;
location ~ ^/(assets|images|javascripts|stylesheets|swfs|system)/ {
gzip_static on;
expires max;
add_header Cache-Control public;
add_header Last-Modified "";
add_header ETag "";
}
# Turn on Passenger
passenger_enabled on;
passenger_ruby /Users/sambit/.rvm/rubies/ruby-2.2.2/bin/ruby;
}
}
I'm trying to test this on a mac.. (el capitan)
The error I get in chrome is (ERR_SSL_PROTOCOL_ERROR)
I'm also running my rails app with foreman on port 7200
foreman start -p 7200
My interim solution is to use passenger to serve http requests and spawn puma on the same machine to handle https requests (both via foreman). I know this is hacky so I'm looking for a better passenger-based solution.

Passenger author here. You must also set ssl on.