I want to install a simple web service to browse a file directory tree on an internal server and to comply with company policy it needs to use TLS ("https://...").
First I tried several images including davralin/nginx-autoindex and mounted the directory I want this service to share. It worked like a charm, but it didn't use a TLS connection.
To get something to work with TLS, I started from scratch and created my own default.conf file for nginx:
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name localhost;
ssl_certificate /etc/ssl/certs/my-cert.crt;
ssl_certificate_key /etc/ssl/certs/server.key;
location / {
root /usr/share/nginx/html;
autoindex on;
}
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
}
Then I created the following Dockerfile:
FROM nginx:stable-alpine
MAINTAINER lsiden at gmail.com
COPY default.conf /etc/nginx/conf.d
COPY my-cert.crt /etc/ssl/certs/
COPY server.key /etc/ssl/certs/
Then I build it:
docker build -t lsiden/nginx-autoindex-tls .
Then I run it:
docker run -dt -v /var/www/data/files:/usr/share/nginx/html:ro -p 3453:80 lsiden/nginx-autoindex-tls
However, I can't reach it even from the host machine. I tried:
$ telnet localhost 3453
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Connection closed by foreign host.
I tried to read log messages:
docker logs <container-id>
Silence.
I've already confirmed that the docker proxy is listening to the port:
tcp6 0 0 :::3453 :::* LISTEN 14828/docker-proxy
The port shows up on tcp6 but not "tcp" (ipv4) but I read here that netstat will show only the ipv6 connection even if it is available on both. To be sure, I verified:
sudo sysctl net.ipv6.bindv6only
net.ipv6.bindv6only = 0
To be thorough, I already opened this port in iptables, although iptables can't be playing a role here if I can't even get to it from the same machine via localhost.
I'm hoping someone with good networking chops can tell me where to look next. I can't figure out what I missed.
In case the configuration you shared is complete, you are not listing on port 80 inside your container at all.
change your configuration to something like that in case you want to redirect incomming traffic on port 80 to 443:
server {
listen 80;
listen [::]:80;
location / {
return 301 https://$server_name$request_uri;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name localhost;
ssl_certificate /etc/ssl/certs/my-cert.crt;
ssl_certificate_key /etc/ssl/certs/server.key;
location / {
root /usr/share/nginx/html;
autoindex on;
}
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
}
If you don't want to do this, just change your docker run command:
docker run -dt -v /var/www/data/files:/usr/share/nginx/html:ro -p 3453:443 lsiden/nginx-autoindex-tls
Related
I have a Docker container on port 8081 running on Centos7, and a reverse proxy with Nginx.
My domain have a LetsEncrypt SSl installed and it works good when i access "https://my.example.com", it redirects me to my 8081 Docker.
But i when i access "http://my.example.com:8081", i still can reach my Docker application...i don't want to enable this...don't want to enable any http access.
I want to reach 8081 only through Nginx reverse proxy (that forces me to https)...i think it may be some configuration on my iptables, but i don't have experience with it.
Can someone help me?
Thanks!
This is my conf.d file in Nginx
server{
server_name my.example.com;
location / {
proxy_pass http://localhost:8081;}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/my.example.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/my.example.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server{
if ($host = my.example.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name my.example.com;
return 404; # managed by Certbot
}
iptables does not understand the difference between HTTP or HTTPS, it understands only ip; ports and mac levels, if you try to block port 8081 with iptables even your https connection will be dropped or rejected depending on your choice.
If your docker container is accessible from the outside without passing through the reverse proxy, it is a container configuration issue, or if your nginx reverse proxy lets through http packets, then it is an nginx configuration issue, I think we need more details from your side.
I have resolved this issue using the firewall application from my hosting provider(Vultr).
There, i left 8081 only for local access, so now it's not possible to access this without passing through Nginx reverse proxy!
I,m trying to deploy a nginx application in docker. After I have installed certificates with cerbot i have this nginx.conf:
server {
listen 80;
server_name web.com www.web.com;
location / {
return 301 https://$server_name$request_uri;
}
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
}
server {
listen 443 ssl default_server;
server_name web.com www.web.com;
location / {
proxy_pass https://www.web.com;
}
ssl_certificate /etc/letsencrypt/live/web.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/web.com/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}
When I try to access to my web url the browser show 500 Internal Server Error. nginx/1.15.12
I can`t see the logs so I don't know what I have to do.
The ssl certificate works fine becaouse the lock appear in the url bar
Can you check if the container is started or not?
If container is starting, you can connect to container and then check the nginx logs (must be available /var/log/nginx/error.log).
I'm trying to serve multiple containers with a static index.html file with a nginx reverse proxy
I've tried to follow the documentation here to create a default location
location / {
root /app;
index index.html;
try_files $uri $uri/ /index.html;
}
If I check my default.conf in my container with
$ docker-compose exec nginx-proxy cat /etc/nginx/conf.d/default.conf
I get this result:
server {
server_name _; # This is just an invalid value which will never trigger on a real hostname.
listen 80;
access_log /var/log/nginx/access.log vhost;
return 503;
}
# xx.example.services
upstream xx.example.services {
## Can be connected with "nginx-proxy" network
# examplecontainer1
server 172.18.0.4:80;
}
server {
server_name xx.example.services;
listen 80 ;
access_log /var/log/nginx/access.log vhost;
location / {
proxy_pass http://xx.example.services;
include /etc/nginx/vhost.d/default_location;
}
}
# yy.example.services
upstream yy.example.services {
## Can be connected with "nginx-proxy" network
# examplecontainer2
server 172.18.0.2:80;
}
server {
server_name yy.example.services;
listen 80 ;
access_log /var/log/nginx/access.log vhost;
location / {
proxy_pass http://yy.example.services;
include /etc/nginx/vhost.d/default_location;
}
}
If i check the content of /etc/nginx/vhost.d/default_location it is exactly what I typed in the beginning, so that's fine
However when i go to xx.example.services I get a 403 forbidden.
To my understanding this means that no index.html file was found, but if i exec into my container and cat app/index.html it does exist!
I've checked that all my containers are on the same network.
I'm running my container with this command
docker run -d --name examplecontainer1 --expose 80 --net nginx-proxy -e VIRTUAL_HOST=xx.example.services my-container-registry
Update
I checked the logs of my nginx-proxy container and found this error message:
[error] 29#29: *1 directory index of "/app/" is forbidden..
Tried removing $uri/ as per this SO post but this just left me with redirect cycles. Right now I'm trying to see if I can set the correct permissions, but I'm struggling
What am I missing?
My issue was a basic misunderstanding that the reverse proxy can reach into the filesystem of my containers as stated by jwilder himself here.
Therefor the default location on the reverse proxy is unnecessary in my case. Instead I can simply let it point to my container, and have the nginx config in my container determine the location of my app.
Hi its simple your containers is missing /app/index.html inside them
I have set up and deployed an application using Capistrano and set up the server and ngnix config file, however, I'm still seeing the Welcome to ngnix welcome screen.
Here is what I have in the /etc/nginx/sites-enabled/default file
server {
listen 80;
listen [::]:80 ipv6only=on;
server_name IP;
passenger_enabled on;
rails_env production;
root /home/poladmin/poetry-out-loud-v2/current/public/;
# redirect server error pages to the static page /50x.html
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}
But as I said when I go to the server IP all I see is
Since you edited /etc/nginx/sites-enabled/default file, try to reload nginx with nginx -s reload command (if you are using Linux, or similar depending on your operating system and nginx version).
As you have edited the nginx config file you can try to restart nginx by doing sudo /etc/init.d/nginx restartto make the config file take effort. Also do not forget to start the real ruby server and make sure it is listening to the same port you configured through nginx.(some times the ruby app may be running on a different port)
I have two docker containers:
One container runs my spring boot application which listens on port 8080:
This container exposes 8080 port to other docker containers.
Container ip in the docker network is 172.17.0.2.
The other container runs nginx which publishes port 80.
I can successfully put my spring boot app behind nginx with the following conf in my nginx container:
server {
server_name <my-ip>;
listen 80;
location / {
proxy_pass http://172.17.0.2:8080/;
}
}
Doing a GET request to my REST API (http://my-ip/context-url) works fine.
I am trying now to put my application behind nginx with https. My nginx conf is as follows:
server {
server_name <my-ip>;
listen 80;
return 301 https://$server_name$request_uri;
}
server {
server_name <my-ip>;
listen 443;
ssl on;
ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
location / {
proxy_pass http://172.17.0.2:8080/;
}
}
However I cannot access my application now either through http or https.
http redirects to https and result is ERR_CONNECTION_REFUSED
Problem was that I was not publishing 443 port when running nginx container but only port 80.The nginx configuration is right.