Develop Reference

Nginx reverse proxy is loading different sites when refreshing

I want to host multiple websites in one server with nginx reverse proxy by following this tutorial
https://www.datanovia.com/en/lessons/how-host-multiple-https-websites-on-one-server/
The Nginx proxy and each website are launched separately with Docker.
But every time I reload one of the website, it load the content of other website. For example:
Load websiteone.tk 1st time, loaded website ONE's content.
Refresh websiteone.tk , loaded website TWO's content
Refresh websiteone.tk again, loaded website THREE's content
Load websitetwo.tk 1st time, loaded website TWO content
Refresh websitetwo.tk , loaded website THREE content.
I am a beginner for both nginx and docker. I can't tell if the problem happens in nginx or docker. May anyone please kindly advise? Thank you very much.
The nginx-proxy default.conf is
map $http_x_forwarded_proto $proxy_x_forwarded_proto { default $http_x_forwarded_proto;
'' $scheme;
}
map $http_x_forwarded_port $proxy_x_forwarded_port {
default $http_x_forwarded_port;
'' $server_port;
}
map $http_upgrade $proxy_connection {
default upgrade;
'' close;
}
server_names_hash_bucket_size 128;
map $proxy_x_forwarded_proto $proxy_x_forwarded_ssl {
default off;
https on;
}
gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss t>log_format vhost '$host $remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" '
'"$upstream_addr"';
access_log off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA3> ssl_prefer_server_ciphers off;
error_log /dev/stderr;
# HTTP 1.1 support
proxy_http_version 1.1;
proxy_buffering off;
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $proxy_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
proxy_set_header X-Original-URI $request_uri;
# Mitigate httpoxy attack (see README for details)
proxy_set_header Proxy "";
server {
server_name _; # This is just an invalid value which will never trigger on a real hostname.
server_tokens off;
listen 80;
access_log /var/log/nginx/access.log vhost;
return 503;
}
server {
server_name _; # This is just an invalid value which will never trigger on a real hostname.
server_tokens off;
listen 443 ssl http2;
access_log /var/log/nginx/access.log vhost;
return 503;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_certificate /etc/nginx/certs/default.crt;
ssl_certificate_key /etc/nginx/certs/default.key;
}
# websiteone.tk
upstream websiteone.tk {
## Can be connected with "nginx-proxy" network
# websiteonetk_my-app_1
server 192.168.32.8:80;
}
server {
server_name websiteone.tk;
listen 80 ;
access_log /var/log/nginx/access.log vhost;
# Do not HTTPS redirect Let'sEncrypt ACME challenge
location ^~ /.well-known/acme-challenge/ {
auth_basic off;
auth_request off;
allow all;
root /usr/share/nginx/html;
try_files $uri =404;
break;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
server_name websiteone.tk;
listen 443 ssl http2 ;
access_log /var/log/nginx/access.log vhost;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_certificate /etc/nginx/certs/websiteone.tk.crt;
ssl_certificate_key /etc/nginx/certs/websiteone.tk.key;
ssl_dhparam /etc/nginx/certs/websiteone.tk.dhparam.pem;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/certs/websiteone.tk.chain.pem;
add_header Strict-Transport-Security "max-age=31536000" always;
include /etc/nginx/vhost.d/default;
location / {
proxy_pass http://websiteone.tk;
}
}
# websitetwo.tk
upstream websitetwo.tk {
## Can be connected with "nginx-proxy" network
# websitetwotk_my-app_1
server 192.168.32.13:80;
}
server {
server_name websitetwo.tk;
listen 80 ;
access_log /var/log/nginx/access.log vhost;
# Do not HTTPS redirect Let'sEncrypt ACME challenge
location ^~ /.well-known/acme-challenge/ {
auth_basic off;
auth_request off;
allow all;
root /usr/share/nginx/html;
try_files $uri =404;
break;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
server_name websitetwo.tk;
listen 443 ssl http2 ;
access_log /var/log/nginx/access.log vhost;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_certificate /etc/nginx/certs/websitetwo.tk.crt;
ssl_certificate_key /etc/nginx/certs/websitetwo.tk.key;
ssl_dhparam /etc/nginx/certs/websitetwo.tk.dhparam.pem;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/certs/websitetwo.tk.chain.pem;
add_header Strict-Transport-Security "max-age=31536000" always;
include /etc/nginx/vhost.d/default;
location / {
proxy_pass http://websitetwo.tk;
}
}
# websitethree.tk
upstream websitethree.tk {
## Can be connected with "nginx-proxy" network
# websitethreetk_my-app_1
server 192.168.32.3:80;
}
server {
server_name websitethree.tk;
listen 80 ;
access_log /var/log/nginx/access.log vhost;
# Do not HTTPS redirect Let'sEncrypt ACME challenge
location ^~ /.well-known/acme-challenge/ {
auth_basic off;
auth_request off;
allow all;
root /usr/share/nginx/html;
try_files $uri =404;
break;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
server_name websitethree.tk;
listen 443 ssl http2 ;
access_log /var/log/nginx/access.log vhost;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_certificate /etc/nginx/certs/websitethree.tk.crt;
ssl_certificate_key /etc/nginx/certs/websitethree.tk.key;
ssl_dhparam /etc/nginx/certs/websitethree.tk.dhparam.pem;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/certs/websitethree.tk.chain.pem;
add_header Strict-Transport-Security "max-age=31536000" always;
include /etc/nginx/vhost.d/default;
location / {
proxy_pass http://websitethree.tk;
}
}
The docker-compose for the nginx proxy is
version: '3.6'
services:
nginx:
image: nginx
labels:
com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy: "true"
container_name: nginx
restart: unless-stopped
ports:
- "80:80"
- "443:443"
volumes:
- ./conf.d:/etc/nginx/conf.d
- ./vhost.d:/etc/nginx/vhost.d
- ./html:/usr/share/nginx/html
- ./certs:/etc/nginx/certs:ro
nginx-gen:
image: jwilder/docker-gen
command: -notify-sighup nginx -watch -wait 5s:30s /etc/docker-gen/templates/nginx.tmpl /etc/nginx/conf.d/default.conf
container_name: nginx-gen
restart: unless-stopped
volumes:
- ./conf.d:/etc/nginx/conf.d
- ./vhost.d:/etc/nginx/vhost.d
- ./html:/usr/share/nginx/html
- ./certs:/etc/nginx/certs:ro
- /var/run/docker.sock:/tmp/docker.sock:ro
- ./nginx.tmpl:/etc/docker-gen/templates/nginx.tmpl:ro
nginx-letsencrypt:
image: jrcs/letsencrypt-nginx-proxy-companion
container_name: nginx-letsencrypt
restart: unless-stopped
volumes:
- ./conf.d:/etc/nginx/conf.d
- ./vhost.d:/etc/nginx/vhost.d
- ./html:/usr/share/nginx/html
- ./certs:/etc/nginx/certs:rw
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
NGINX_DOCKER_GEN_CONTAINER: "nginx-gen"
NGINX_PROXY_CONTAINER: "nginx"
networks:
default:
external:
name: nginx-proxy
The nginx default.conf for one of the website is
server {
root /application2;
index index.php;
location ~ \.php$ {
fastcgi_pass php-fpm:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PHP_VALUE "error_log=/var/log/nginx/application_php_errors.log";
fastcgi_buffers 16 16k;
fastcgi_buffer_size 32k;
include fastcgi_params;
}
}
The docker-compose/yml for one of the website is below.
Websiteone working directory is /application1.
Websitetwo working directory is /application2. etc
version: '3.1'
services:
my-app:
image: 'nginx:alpine'
volumes:
- '.:/application2'
- './phpdocker/nginx/nginx.conf:/etc/nginx/conf.d/default.conf'
restart: always
environment:
- VIRTUAL_HOST=websitetwo.tk
- VIRTUAL_PORT=80
- LETSENCRYPT_HOST=websitetwo.tk
expose:
- 80
mailhog:
image: 'mailhog/mailhog:latest'
ports:
- '21001:8025'
php-fpm:
build: phpdocker/php-fpm
working_dir: /application2
volumes:
- '.:/application2'
- './phpdocker/php-fpm/php-ini-overrides.ini:/etc/php/8.1/fpm/conf.d/99-overrides.ini'
networks:
default:
external:
name: nginx-proxy

nginx container proxy_pass to another docker container

nginx.conf:
user nginx;
worker_processes auto;
error_log /dev/null;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
multi_accept on;
use epoll;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
sendfile on;
log_format compression '$remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" "$gzip_ratio"';
access_log off;
error_log /dev/null;
log_not_found off;
server_tokens off;
server_names_hash_bucket_size 64;
server_names_hash_max_size 2048;
server_name_in_redirect off;
client_body_timeout 300s;
client_header_timeout 300s;
keepalive_timeout 0;
send_timeout 300s;
client_body_buffer_size 64m;
client_header_buffer_size 2m;
client_max_body_size 48m;
proxy_connect_timeout 70s;
proxy_send_timeout 90s;
proxy_read_timeout 90s;
large_client_header_buffers 4 8k;
##
# Gzip Settings
##
gzip on;
gzip_http_version 1.1;
gzip_disable "msie6";
gzip_static on;
gzip_vary on; #vary header
gzip_min_length 0; # compress though it's volume
gzip_proxied any;
gzip_comp_level 3; #low performance server: 2 and good server: 6
gzip_buffers 16 8k;
gzip_types text/plain text/css text/javascript text/xml application/javascript application/json application/x-javascript application/xml application/xml+rss image/svg+xml image/svg;
limit_conn_zone $binary_remote_addr zone=ddos_conn:10m;
limit_req_zone $binary_remote_addr zone=ddos_req:10m rate=4r/s;
limit_req_status 500;
server {
listen 8010;
server_name 0.0.0.0;
client_max_body_size 48m;
client_body_timeout 5s;
client_header_timeout 5s;
location / {
proxy_pass http://0.0.0.0:8002;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-NginX-Proxy true;
#proxy_ignore_client_abort on;
proxy_redirect off;
proxy_connect_timeout 70s;
proxy_send_timeout 90s;
proxy_read_timeout 90s;
keepalive_timeout 90;
limit_req zone=ddos_req burst=4 nodelay;
limit_conn ddos_conn 8;
}
}
server {
listen 8011;
location / {
return 200 'pong';
keepalive_timeout 90;
}
}
}
and commands:
for nginx container:
docker run --name nginx_con -d -p 0.0.0.0:8011:8011 -p 0.0.0.0:8010:8010 --restart always -v /Users/mac/docker/conf_files/nginx.conf:/etc/nginx/nginx.conf:ro -v /Users/mac/docker/conf_files/error_log:/var/log/nginx/error_log -v /Users/mac/dcoker/conf_files/access_log:/var/log/nginx/access_log nginx:1.15.8-alpine
for api container:
sudo docker run --name was_con -d -p 0.0.0.0:8002:8002 --net=host --restart always -e MODE='deploy' -v /Users/mac/docker/conf_files/uwsgi.ini:/uwsgi.ini apiaccount/apiproject:latest
When I go to url 0.0.0.0:8011, It works. (returns 'pong' well)
and I go to url 0.0.0.0:8002 It works well
but I go to url 0.0.0.0:8010 It not works.
return 502 bad gateway.
How to solve it?
I'm running it on mac OS..

nginx can't find 0.0.0.0:8002 in docker. You have to provide the ip address or dns name of the api container in docker.
so e.g. proxy_pass http://was_con:8002. The IP you can find with the docker inspect was_con command
"Networks": {
"name": {
IPAddress": "172.18.0.9"
But you're running the api on host network, then you need the host IP as seen from docker, default is 172.17.0.1

Nginx refuses connections to flask app, flask app without nginx works fine

I have 2 docker containers deployed using docker compose.
One is nginx and the other is my flask application. I am only using nginx as a static server for let's encrypt certification.
If I deploy my flask app without nginx, I can successfully curl / ping my server. However, the moment nginx is introduced, I am not able to connect.
What I want to do is at least access my server via numeric external ip e.g. xx.xx.xx.xx and then my domain which points to the same ip. (My domain is actually a subdomain e.g. api.domain.com)
My docker compose is:
services:
nginx:
build:
context: ./nginx
dockerfile: Dockerfile
args:
DOMAIN: ${DOMAIN}
FLASK: application
ports:
- 80:80
- 443:443
volumes:
- /etc/letsencrypt:/etc/letsencrypt
depends_on:
- application
application:
build:
context: ./flask_app
dockerfile: Dockerfile
ports:
- 5000:5000
nginx.conf
user nginx;
worker_processes auto;
worker_rlimit_nofile 8192;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
charset utf-8;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
server_tokens off;
log_not_found off;
types_hash_max_size 2048;
client_max_body_size 16M;
include mime.types;
default_type application/octet-stream;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ecdh_curve X25519:sect571r1:secp521r1:secp384r1;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_ciphers 'TLS13+AESGCM+AES128:TLS13+AESGCM+AES256:TLS13+CHACHA20:EECDH+AESGCM:EECDH+CHACHA20';
ssl_stapling on;
ssl_stapling_verify on;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
include conf.d/*.conf;
}
flask_app.conf
server {
listen 80;
listen [::]:80;
server_name www.${DOMAIN} ${DOMAIN};
location ^~ /.well-known/acme-challenge/ {
root /var/www/_letsencrypt;
}
location / {
return 301 https://${DOMAIN}${DOLLAR}request_uri;
}
}
server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
server_name www.${DOMAIN} ${DOMAIN};
ssl_certificate /etc/letsencrypt/live/${DOMAIN}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${DOMAIN}/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/${DOMAIN}/chain.pem;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
# You might want to change the CSP policy to fit your needs - see https://content-security-policy.com/
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';";
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header Allow "GET, POST, HEAD" always;
access_log /var/log/nginx/${DOMAIN}.access.log;
error_log /var/log/nginx/${DOMAIN}.error.log warn;
location / {
proxy_http_version 1.1;
proxy_cache_bypass ${DOLLAR}http_upgrade;
proxy_hide_header X-Powered-By;
proxy_hide_header Server;
proxy_hide_header X-AspNetMvc-Version;
proxy_hide_header X-AspNet-Version;
proxy_set_header Proxy "";
proxy_set_header Upgrade ${DOLLAR}http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host ${DOLLAR}host;
proxy_set_header X-Real-IP ${DOLLAR}remote_addr;
proxy_set_header X-Forwarded-For ${DOLLAR}proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto ${DOLLAR}scheme;
proxy_set_header X-Forwarded-Host ${DOLLAR}host;
proxy_set_header X-Forwarded-Port ${DOLLAR}server_port;
proxy_pass http://application:5000;
}
location ~* \.(?:css|cur|js|jpe?g|gif|htc|ico|png|html|xml|otf|ttf|eot|woff|woff2|svg)${DOLLAR} {
expires 7d;
add_header Pragma public;
add_header Cache-Control public;
proxy_pass http://application:5000;
}
if ( ${DOLLAR}request_method !~ ^(GET|POST|HEAD)${DOLLAR} ) {
return 405;
}
if (${DOLLAR}http_user_agent ~* LWP::Simple|BBBike|wget) {
return 403;
}
location ~ /\.(?!well-known) {
deny all;
}
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;
}

I'm not sure why your nginx config contains ${DOLLAR} in multiple places. I don't think this is valid syntax, and can't find any documentation relating to this. Lines like:
proxy_set_header Host ${DOLLAR}host;
Should actually be:
proxy_set_header Host $host;
As for using ${DOMAIN} in the nginx conf, I would avoid this and opt for a more simple configuration. Just specify the domain in the nginx config file:
server_name www.example.com example.com;
I'd familiarise yourself with the official nginx image docs under "Complex configuration" it shows you how to copy a working config out of a running container, then modify this to your needs.
Once you have this working, if you really want to specify the domain in your docker-compose file, and treat your nginx config as a template which is modified at container-start time, you could proceed to read the section "Using environment variables in nginx configuration" which shows a workaround to use envsubst to acehive this. This is probably not required for single site deployments however.

Nginx reverse SSL proxy docker-compose

I'm trying to set up nginx as a reverse proxy on my Ubuntu 18.04 server.
I've set up what I thought was correct below, but hitting http://web.service.com lands me on the default nginx welcome screen (whereas it should redirect to https:// and going to https://web.service.com I end up with a 404 error screen.
I've got the following docker-compose.yml configuration:
version: "3"
services:
web_service:
image: "test/webservice"
container_name: "webservice"
hostname: "webservice"
mysql:
image: "mysql:5.7"
container_name: "mysql"
hostname: "mysql"
nginx:
build:
context: .
dockerfile: "Dockerfile"
image: "nginx"
container_name: "nginx"
hostname: "nginx"
ports:
- "80:80"
- "443:443"
volumes:
- "/var/nginx/data/certs:/etc/nginx/certs"
Note: web_service hosts a web page on port 8080
And I've got my default nginx.conf
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
#gzip on;
include /etc/nginx/conf.d/*.conf;
}
And my custom web_service.conf which is build into the new nginx image.
server {
listen 80;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl default_server;
server_name www.web.server.com web.server.com;
ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_protocols SSLv3 TLSv1;
ssl_ciphers ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log info;
keepalive_timeout 75 75;
ssl_certificate /etc/nginx/certs/web_server.com.crt;
ssl_certificate_key /etc/nginx/certs/web_server.com.key;
ssl_session_timeout 5m;
add_header Strict-Transport-Security "max-age=7200";
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://webservice:8080;
proxy_read_timeout 90;
proxy_redirect http://webservice:8080 https://web.service.com;
}
}
Previously I just the web_service and mysql in the compose file and I exposed port 80:8080 for web_server.
Any thoughts as to the issue?

Managed to solve my issue using the following config:
upstream docker-webapp {
server webapp:8080;
}
server {
listen 80;
server_name _;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
server_name www.example.com example.com;
## Access and error logs.
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log info;
## Keep alive timeout set to a greater value for SSL/TLS.
keepalive_timeout 75s;
## Server certificate and key.
ssl_certificate /etc/ssl/certs/certificate.crt;
ssl_certificate_key /etc/ssl/certs/certificate.key;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
ssl_ecdh_curve secp384r1;
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
location / {
proxy_pass http://docker-webapp;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
}
}
as well as info found here: https://cipherli.st/
As a side note, the webapp I deployed needed to healthcheck itself, so I needed to install the public certificate into the webapp container's keystore. On top of that it also only supported up to TLSv1.2 hence why I added TLSv1.2 to the ssl_protocols line.

This doesn't directly answer your question, but you might give this Nginx container a try; it really makes automatically handling SSL a walk in the park.
https://hub.docker.com/r/linuxserver/letsencrypt

Due to in your image you're lacking of config of certificate, so you need to add ca-certificate to docker system certificates to use https (you can check it on the internet).
Another thing about security risk in your config file is SSLv3. You should remove it to avoid POODLE attack .

Unable to cache static contents with nginx for ruby on rails application

I am using Ruby On Rails application with Rails 4.1 in digitalocean droplet. I have installed nginx with passenger and my application working perfect over here.
Now I want to cache static content with nginx and I have did following configuration for nginx.conf file. I don't know what is wrong over here. Please give me suggestion for working the same.
My nginx.conf file:
user www-data;
worker_processes 4;
pid /run/nginx.pid;
events {
worker_connections 768;
# multi_accept on;
}
http {
log_format cache '***$time_local '
'$upstream_cache_status '
'Cache-Control: $upstream_http_cache_control '
'Expires: $upstream_http_expires '
'"$request" ($status) '
'"$http_user_agent" ';
access_log /var/log/nginx/cache.log cache;
proxy_cache_path /data/nginx/cache keys_zone=one:10m levels=1:2 loader_threshold=300 loader_files=200 max_size=200m;
proxy_temp_path /data/nginx/cache/tmp;
server {
listen 80;
proxy_cache one;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto http;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_pass http://api.xyz.com;
}
location ~ ^/(stylesheets|javascripts|images|system/avatars) {
expires 720h;
}
}
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# Logging Settings
##
# set client body size to 20M #
client_max_body_size 20M;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
gzip_disable "msie6";
# gzip_vary on;
gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
##
# nginx-naxsi config
##
# Uncomment it if you installed nginx-naxsi
##
# include /etc/nginx/naxsi_core.rules;
##
# Phusion Passenger config
##
# Uncomment it if you installed passenger or passenger-enterprise
##
passenger_root /usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini;
passenger_ruby /usr/local/bin/ruby;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
Please let me know if you need anything else for caches static content with nginx.

Since Rails 3.1, it use assets precompile in production environment. I use this for my rails app in nginx:
location ~ ^/assets/ {
expires 1y;
add_header Cache-Control public;
add_header ETag "";
break;
}
Read about it here: http://guides.rubyonrails.org/v4.1.8/asset_pipeline.html