Roundcube & Dovecot inside Docker Containers - docker

I have a Docker stack for my mail server.
My docker-compose.yml contains
version: '3.7'
services:
  postfix:
    ...
  dovecot:
    ....
    ports:
      - "110:110"
      - "995:995"
      - "143:143"
      - "993:993"
    networks:
      - mail
    ....
  roundcube:
    image: roundcube/roundcubemail
    container_name: roundcube
    environment:
      - ROUNDCUBEMAIL_DEFAULT_HOST=dovecot
      # - ROUNDCUBEMAIL_DEFAULT_PORT=993
    networks:
      - proxy
      - mail
I also have an Nginx container running as a proxy for all my web applications. For roundcube I have
set $roundcube_upstream http://roundcube;
location /roundcube/ {
    rewrite ^/roundcube/(.*) /$1 break;
    proxy_http_version 1.1;
    proxy_set_header Connection "";
    proxy_set_header Host $host;
    proxy_pass $roundcube_upstream;
}
With that configuration it's working. I can go to https://www.mydomain.be/roundcube/ and I can log in. The default port is 143. So roundcube is connecting to dovecot with IMAP.
Now, I'd like to use port 993 and ssl/tls.
I tried uncommenting the ROUNDCUBEMAIL_DEFAULT_PORT=993, but also using ssl://dovecot or tls://dovecot or ssl://mail.mydomain.be, ... but nothing is working.
When I click on the connection button, after a while I receive an nginx error page. In my proxy logs I can see
2019/01/31 09:29:25 [error] 460#460: *82483 upstream timed out (110: Connection timed out) while reading response header from upstream, client: 194.197.210.75, server: www.mydomain.be, request: "POST /roundcube/?_task=login HTTP/1.1", upstream: "http://172.18.0.9:80/?_task=login", host: "www.mydomain.be", referrer: "https://www.mydomain.be/roundcube/"
And I don't understand where the http://172.18.0.9:80/?_task=login is coming from?
With Thunderbird client I can connect on that port.
What's the problem?
Edit
Using
- ROUNDCUBEMAIL_DEFAULT_HOST=ssl://dovecot
- ROUNDCUBEMAIL_DEFAULT_PORT=993
I now have a response: connection error to the storage server.
In my roundcube logs:
errors: <1db522a3> IMAP Error: Login failed for me#mydomain.be from 172.18.0.8(X-Real-IP: ...,X-Forwarded-For: ...). Could not connect to ssl://dovecot:993: Unknown reason in /var/www/html/program/lib/Roundcube/rcube_imap.php on line 196 (POST /?_task=login&_action=login)172.18.0.8 - - [31/Jan/2019:13:57:37 +0100] "POST /?_task=login HTTP/1.1" 200 3089 "https://www.mydomain.be/roundcube/?_task=login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0"
and in dovecot logs
2019-01-31T13:57:38.002653+01:00 536ff3507263 dovecot: auth: Debug: auth client connected (pid=35),
2019-01-31T13:57:38.010096+01:00 536ff3507263 dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.168.240.3, lip=192.168.240.2, TLS, session=<nVssksCAT7LAqPAD>
So dovecot is indeed contacted, but ... ? I don't know what the problem is.

Your issue is that roundcube requires TLS or SSL certificates to be verified by default. Either copy the certificate from the mail server, use letsencrypt to validate your certificate or turn off peer verification in your roundcube configuration.

Related

Nginx docker container not resolving custom domain name

I am new to nginx and trying to understand what is going on here. I have a docker compose file that starts up a nginx container like so:
proxy:
  image: nginx:alpine
  container_name: proxy
  restart: unless-stopped
  ports:
    - "80:80"
    - "443:443"
  volumes:
    - ./proxy/default.conf:/etc/nginx/conf.d/default.conf
Which copies my default.conf into the nginx container, which looks like this:
server {
    listen 80;
    listen [::]:80;
    server_name localhost testthis;
    return 301 https://www.google.com$request_uri;
}
So if I run curl -I http://localhost, I see google.com as expected
HTTP/1.1 301 Moved Permanently
Server: nginx/1.21.6
Date: Fri, 25 Feb 2022 06:39:39 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
Location: https://www.google.com/
But if I run curl -I http://testthis, I get this response:
curl: (6) Could not resolve host: testthis
Why is this happening if the server names are on the same server block? Eventually I want to set up a custom domain and subdomains to forward requests to specific localhost ports per app, but I don't understand how this works too well.
curl -I http://localhost works because localhost, by default, resolves to an IP from your machine (127.0.0.1), not because it's listed in your nginx's default.conf. And Docker configures your machine to forward traffic on port 80 and 443 (the ones used for HTTP and HTTPS) to that container.
The server_name directive in nginx's configuration makes it recognize requests with that DNS in the request's Host: header. It does not advertise that as a name for your network.
For that to work, you need to make your computer recognize testthis as a name for your computer. On Linux, edit /etc/hosts and add this line:
127.0.0.1 testthis
On Windows, I don't know, but you can certainly search for "windows hosts file" and get a similar method.
curl --connect-to testthis:80:127.0.0.1:80 http://google.com should do the trick

Ory Hydra 403 With Reverse Proxy

I am trying to get Ory Hydra working in Docker-Compose with Nginx. Due to my iterative approach, I already had a working system before adding Nginx. In other words, it was working, now it isn't.
The changes which I think might affect this process are: Nginx, Hydra's host name, oauth2 config in my demo application. Also, my setup is based on the Kratos-Hydra integration demo. Of course Kratos and the UI are now also accessed from Nginx, so that obviously has changed as well, but I don't think that's causing problems.
So here's what happens when I try to access a secured endpoint in my demo app:
Redirect to kratos-ui for login
Enter details and send request
Login succeeds
Hydra returns 403: You are not allowed to perform this action.
Nginx:
# kratos-selfservice-ui-node
server {
    server_name self.localhost;
    proxy_set_header Host self.localhost;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    location / {
        proxy_pass http://self:3000;
    }
}
# kratos
server {
    server_name login.localhost;
    #proxy_set_header Host ...;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    location / {
        proxy_pass http://kratos:4433;
    }
}
#hydra
server {
    server_name oidc.localhost;
    #proxy_set_header Host 127.0.0.1:4444;
    #proxy_set_header Host oidc.localhost;
    #proxy_set_header X-Real-IP $remote_addr;
    #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    location / {
        proxy_pass http://hydra:4444;
    }
}
Request:
GET /oauth2/auth?client_id=auth-code-client&login_verifier=8b5f6d3f964c4470ab2e42fac90ae1c2&nonce=XTr2FJETXFsr6kxw3SlZsbh7rbQ_RMw8SdK3MeMCAs0&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Flogin%2Foauth2%2Fcode%2Fhydra&response_type=code&scope=openid+profile&state=4OSX7C_A84-u-6MlUZOlzjAAXiBYIzbKGfGwcAp1n1M%3D HTTP/1.1
Host: hydra:4444
User-Agent: <stuff>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://self.localhost/
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache
Hydra entry in docker-compose:
# OIDC Server
# Configured to use Kratos for identities
hydra:
  image: oryd/hydra:v1.6.0-alpine
  container_name: hydra
  depends_on:
    - hydra-migrate
  #ports:
  #  - 4444:4444 # Public port
  #  - 4445:4445 # Admin port
  #  - 5555:5555 # Port for hydra token user
  command:
    serve all --dangerous-force-http
  volumes:
    - type: bind
      source: ./config/hydra
      target: /home/ory
  environment:
    - DSN=postgres://pguser:secret#postgres:5432/hydra?sslmode=disable
    - OIDC_SUBJECT_IDENTIFIERS_SUPPORTED_TYPES=public,pairwise
    - LOG_LEAK_SENSITIVE_VALUES=true
    ##- URLS_SELF_ISSUER=http://127.0.0.1:4444
    ##- URLS_SELF_PUBLIC=http://127.0.0.1:4444
    #- URLS_SELF_ISSUER=http://hydra:4444
    #- URLS_SELF_PUBLIC=http://hydra:4444
    - URLS_SELF_ISSUER=http://oidc.localhost
    - URLS_SELF_PUBLIC=http://oidc.localhost
    - URLS_CONSENT=http://self.localhost/auth/hydra/consent
    - URLS_LOGIN=http://self.localhost/auth/hydra/login
    - URLS_LOGOUT=http://self.localhost/logout
    - SECRETS_SYSTEM=youReallyNeedToChangeThis
    - OIDC_SUBJECT_IDENTIFIERS_PAIRWISE_SALT=youReallyNeedToChangeThis
    - OAUTH2_EXPOSE_INTERNAL_ERRORS=true;
    - OAUTH2_INCLUDE_LEGACY_ERROR_FIELDS=true
  restart: on-failure
  networks:
    - <ory>
Spring Boot App config:
spring:
  security:
    oauth2:
      client:
        registration:
          hydra:
            client-name: Demo OIDC Client with Spring Boot :D
            client-id: auth-code-client
            client-secret: secret
        provider:
          hydra:
            issuer-uri: http://oidc.localhost/
And here's the client that I created:
docker exec hydra \
hydra clients create \
--endpoint http://127.0.0.1:4445 \
--id auth-code-client \
--secret secret \
--grant-types authorization_code,refresh_token \
--response-types code,id_token \
--scope openid,profile \
--callbacks http://localhost:8080/login/oauth2/code/hydra
/etc/hosts stuff I added:
# Dev stuff
127.0.0.1 self.localhost
127.0.0.1 login.localhost
127.0.0.1 oidc.localhost
127.0.0.1 oidc-demo.localhost
127.0.0.1 hello.localhost
Hydra logs:
< THIS IS FROM THE INITIAL REQUEST TO THE KRATOS UI >
time=2022-01-24T12:49:00Z level=info msg=started handling request http_request=map[headers:map[accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 accept-encoding:gzip, deflate accept-language:en-US,en;q=0.5 cache-control:no-cache user-agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:96.0) Gecko/20100101 Firefox/96.0] host:127.0.0.1:4444 method:GET path:/oauth2/auth query:response_type=code&client_id=auth-code-client&state=-__end_skoEpW7KSAfzng1yZyOdJoF2-Cfzls-dccD4%3D&redirect_uri=http://localhost:8080/login/oauth2/code/hydra remote:192.168.16.11:43608 scheme:http]
time=2022-01-24T12:49:00Z level=info msg=access allowed audience=audit http_request=map[headers:map[accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 accept-encoding:gzip, deflate accept-language:en-US,en;q=0.5 cache-control:no-cache user-agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:96.0) Gecko/20100101 Firefox/96.0] host:127.0.0.1:4444 method:GET path:/oauth2/auth query:response_type=code&client_id=auth-code-client&state=-__end_skoEpW7KSAfzng1yZyOdJoF2-Cfzls-dccD4%3D&redirect_uri=http://localhost:8080/login/oauth2/code/hydra remote:192.168.16.11:43608 scheme:http] service_name=ORY Hydra service_version=v1.6.0
time=2022-01-24T12:49:00Z level=info msg=completed handling request http_request=map[headers:map[accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 accept-encoding:gzip, deflate accept-language:en-US,en;q=0.5 cache-control:no-cache user-agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:96.0) Gecko/20100101 Firefox/96.0] host:127.0.0.1:4444 method:GET path:/oauth2/auth query:response_type=code&client_id=auth-code-client&state=-__end_skoEpW7KSAfzng1yZyOdJoF2-Cfzls-dccD4%3D&redirect_uri=http://localhost:8080/login/oauth2/code/hydra remote:192.168.16.11:43608 scheme:http] http_response=map[status:302 text_status:Found took:15.9869ms]
time=2022-01-24T12:49:00Z level=info msg=started handling request http_request=map[headers:map[accept:application/json] host:hydra:4445 method:GET path:/oauth2/auth/requests/login query:login_challenge=3a6891edb669434f821a0d5413519bfe remote:192.168.16.2:54218 scheme:http]
time=2022-01-24T12:49:00Z level=info msg=completed handling request http_request=map[headers:map[accept:application/json] host:hydra:4445 method:GET path:/oauth2/auth/requests/login query:login_challenge=3a6891edb669434f821a0d5413519bfe remote:192.168.16.2:54218 scheme:http] http_response=map[status:200 text_status:OK took:3.034ms]
< THIS IS AFTER LOGIN >
time=2022-01-24T12:49:59Z level=info msg=started handling request http_request=map[headers:map[accept:application/json] host:hydra:4445 method:GET path:/oauth2/auth/requests/login query:login_challenge=3a6891edb669434f821a0d5413519bfe remote:192.168.16.2:54292 scheme:http]
time=2022-01-24T12:49:59Z level=info msg=completed handling request http_request=map[headers:map[accept:application/json] host:hydra:4445 method:GET path:/oauth2/auth/requests/login query:login_challenge=3a6891edb669434f821a0d5413519bfe remote:192.168.16.2:54292 scheme:http] http_response=map[status:200 text_status:OK took:3.7631ms]
time=2022-01-24T12:49:59Z level=info msg=started handling request http_request=map[headers:map[accept:application/json] host:hydra:4445 method:PUT path:/oauth2/auth/requests/login/accept query:login_challenge=3a6891edb669434f821a0d5413519bfe remote:192.168.16.2:54296 scheme:http]
time=2022-01-24T12:49:59Z level=info msg=completed handling request http_request=map[headers:map[accept:application/json] host:hydra:4445 method:PUT path:/oauth2/auth/requests/login/accept query:login_challenge=3a6891edb669434f821a0d5413519bfe remote:192.168.16.2:54296 scheme:http] http_response=map[status:200 text_status:OK took:8.8812ms]
time=2022-01-24T12:49:59Z level=info msg=started handling request http_request=map[headers:map[accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 accept-encoding:gzip, deflate accept-language:en-US,en;q=0.5 cache-control:no-cache referer:http://self.localhost/ user-agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:96.0) Gecko/20100101 Firefox/96.0] host:127.0.0.1:4444 method:GET path:/oauth2/auth query:client_id=auth-code-client&login_verifier=fedb596a040648b8b626e0f7e4f3f04a&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Flogin%2Foauth2%2Fcode%2Fhydra&response_type=code&state=-__end_skoEpW7KSAfzng1yZyOdJoF2-Cfzls-dccD4%3D remote:192.168.16.11:43694 scheme:http]
time=2022-01-24T12:49:59Z level=info msg=access denied audience=audit error=map[message:request_forbidden reason:You are not allowed to perform this action. status:Forbidden status_code:403] http_request=map[headers:map[accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 accept-encoding:gzip, deflate accept-language:en-US,en;q=0.5 cache-control:no-cache referer:http://self.localhost/ user-agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:96.0) Gecko/20100101 Firefox/96.0] host:127.0.0.1:4444 method:GET path:/oauth2/auth query:client_id=auth-code-client&login_verifier=fedb596a040648b8b626e0f7e4f3f04a&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Flogin%2Foauth2%2Fcode%2Fhydra&response_type=code&state=-__end_skoEpW7KSAfzng1yZyOdJoF2-Cfzls-dccD4%3D remote:192.168.16.11:43694 scheme:http] service_name=ORY Hydra service_version=v1.6.0
time=2022-01-24T12:49:59Z level=info msg=completed handling request http_request=map[headers:map[accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 accept-encoding:gzip, deflate accept-language:en-US,en;q=0.5 cache-control:no-cache referer:http://self.localhost/ user-agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:96.0) Gecko/20100101 Firefox/96.0] host:127.0.0.1:4444 method:GET path:/oauth2/auth query:client_id=auth-code-client&login_verifier=fedb596a040648b8b626e0f7e4f3f04a&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Flogin%2Foauth2%2Fcode%2Fhydra&response_type=code&state=-__end_skoEpW7KSAfzng1yZyOdJoF2-Cfzls-dccD4%3D remote:192.168.16.11:43694 scheme:http] http_response=map[status:302 text_status:Found took:8.6448ms]
Update
In the course of trying out everything before posting this question to stackoverflow.com, I went back to an older git commit which was working.
Bad news, it doesn't work anymore. I have the official kratos-hydra integration checked out and built ($ git status -> On branch hydra-integration \n Your branch is up to date with 'origin/hydra-integration'.), and I did the required steps, and now I get this:
$ docker exec hydra_hydra_1 \
hydra token user \
--client-id auth-code-client \
--client-secret secret \
--endpoint http://127.0.0.1:4444/ \
--port 5555 \
--scope openid,offline
Config file not found because "Config File ".hydra" Not Found in "[/home/ory]""
Setting up home route on http://127.0.0.1:5555/
Setting up callback listener on http://127.0.0.1:5555/callback
Press ctrl + c on Linux / Windows or cmd + c on OSX to end the process.
If your browser does not open automatically, navigate to:
http://127.0.0.1:5555/
< then I navigate to 127.0.0.1:5555, click on authorize application, I have to enter log in details, and then I get redirected to an error page >
Got error: The request is not allowed
http: Server closed
The browser doesn't add much info to that:
An error occurred
request_forbidden
The request is not allowed
You are not allowed to perform this action.
I've tried deleting all containers, images, volumes, and networks, browser cookies, using a different browser, restarting docker, restarting my computer. Same problem.
Something that seems odd is that the app always asks me to log in, even if I am logged in already when I go to the UI url manually. I remember that if I was already logged in, it wouldn't ask me to log in again?
Update
I was on the hydra-integration branch for some reason, instead of hydra-integration-2021, which is why going back to the basics didn't work. That's my mistake.
The actual project is not working, but after reevaluating the work required and benefits/drawbacks/requirements I decided to switch from Kratos to werther.
To bring some sanity to this I would first update to good internal and external URLs. The crux of the problem feels like you need to configure Ory Hydra (running inside the cluster) with an internet URL used in browsers etc, and this will be different to Ory Hydra's physical URL.
SIMILAR CURITY EXAMPLE
This feels like a similar setup to yours - it's worth taking a little time to understand resources:
Docker Compose
Tutorial Article
Authorization Server Configuration
Look at the base-url property at the top of the third link above, which is what internet clients such as browsers use to connect to the Authorization Server. There will be a property like this that you can set in Hydra.

nginx reverse proxy with Docker - Connection refused while connecting to upstream

Environment setup
I have an application which is composed by some services:
jenkins server
nginx server with angular
nginx server as a proxy
Those services are defined in the docker-compose file:
version: '3'
services:
  reverse:
    container_name: reverse-proxy
    build:
      context: /app/mywallet/MyWalletFe/reverse-proxy
    ports:
      - "80:80"
    networks:
      - net
  jenkins:
    container_name: jenkins
    image: jenkins/jenkins
    volumes:
      - "$PWD/jenkins_home:/var/jenkins_home"
      - "/var/run/docker.sock:/var/run/docker.sock"
    networks:
      - net
  angular:
    container_name: mywallet_fe
    build:
      context: /app/mywallet/MyWalletFe
    networks:
      - net
networks:
  net:
I defined the following configuration file for the reverse-proxy:
upstream client {
    # angular is the name of the service in docker-compose file
    server angular:4200;
}
upstream jenkins {
    server jenkins:8080;
}
server {
    listen 80;
    location / {
        proxy_pass http://client;
    }
    location /jenkins {
        proxy_pass http://jenkins;
    }
}
Finally, here is the Dockerfile for the reverse-proxy service, which copies the configuration file in the nginx container:
FROM nginx
# override default files if present
COPY ./default.conf /etc/nginx/conf.d/default.conf
Goal
My goal is to access Jenkins with SERVER_IP/jenkins
Output
When I run the whole application and try to access SERVER_IP/jenkins, I get the following error in the reverse-proxy logs:
2020/04/15 21:44:55 [error] 6#6: *10 connect() failed (111: Connection refused) while connecting to upstream, client: MY_CLIENT_IP, server: , request: "GET /login?from=%2Fjenkins HTTP/1.1", upstream: "http://172.18.0.5:4200/login?from=%2Fjenkins", host: "SERVER_IP", referrer: "http://SERVER_IP/jenkins"
MY_CLIENT_IP [15/Apr/2020:21:44:55 +0000] "GET /favicon.ico HTTP/1.1" 502 559 "http://SERVER_IP/login?from=%2Fjenkins" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36" "-"
2020/04/15 21:44:55 [error] 6#6: *10 connect() failed (111: Connection refused) while connecting to upstream, client: MY_CLIENT_IP, server: , request: "GET /favicon.ico HTTP/1.1", upstream: "http://172.18.0.5:4200/favicon.ico", host: "SERVER_IP", referrer: "http://SERVER_IP/login?from=%2Fjenkins"
where MY_CLIENT_IP is my laptop IP and SERVER_IP is the IP of the server where the application runs.
What's wrong in the configuration of the reverse proxy? If I expose the jenkins and angular services I can reach them, while through the proxy I can't.
Similar questions, which don't help me (or I don't understand how those would help me):
Docker nginx reverse proxy returns 502 bad gateway "connection refused while connecting to upstream"
Connection refused while connection to upstream - Docker
connect() failed (111: Connection refused) while connecting to upstream for nginx+php-fpm docker
docker nginx connection refused while connecting to upstream

I got problem while using Nginx to direct requests to services defined in docker-compose.yml

I'm setting up an app with multiple containers, and use nginx to redirect requests to correct container. However, I got stuck with the 502 Bad Gateway error.
Actually, the code is from a course on Udemy: Docker and Kubernetes.
I just copied and pasted the code; it ran on the instructor's machine, but not mine. I tried on my Windows machine and my MacBook, restarted docker, but still no hope. I looked for solutions in other stackoverflow posts and some other articles, but none of them tell me why it works on others' machines, but not mine.
Here is the repo of the code.
docker-compose.yml (full code):
version: "3"
services:
  postgres:
    ...
  redis:
    ...
  nginx:
    restart: always
    build:
      dockerfile: Dockerfile.dev
      context: ./nginx
    ports:
      - "3050:80"
  api:
    ...
  client:
    ...
  worker:
    ...
nginx/Dockerfile.dev
FROM nginx
COPY ./default.conf /etc/nginx/conf.d/default.conf
nginx/default.conf
upstream client {
    server client:3000;
}
upstream api {
    server api:5000;
}
server {
    listen 80;
    server_name localhost;
    location / {
        proxy_pass http://client;
    }
    location /api {
        rewrite /api/(.*) /$1 break;
        proxy_pass http://api;
    }
}
It runs just fine on the instructor's machine and other learners', but not on my machines. I got an error when connecting to http://localhost:3050 and http://localhost:3050/api:
nginx_1 | 2019/07/08 02:52:35 [error] 6#6: *1 connect() failed (111: Connection refused) while connecting to upstream, client: 172.25.0.1, server: , request: "GET / HTTP/1.1", upstream: "http://125.235.4.59:3000/", host: "localhost:3050"
nginx_1 | 172.25.0.1 - - [08/Jul/2019:02:52:35 +0000] "GET / HTTP/1.1" 502 559 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36" "-"
nginx_1 | 2019/07/08 02:52:57 [error] 6#6: *1 connect() failed (111: Connection refused) while connecting to upstream, client: 172.25.0.1, server: , request: "GET /favicon.ico HTTP/1.1", upstream: "http://125.235.4.59:3000/favicon.ico", host: "localhost:3050", referrer: "http://localhost:3050/"
nginx_1 | 172.25.0.1 - - [08/Jul/2019:02:52:57 +0000] "GET /favicon.ico HTTP/1.1" 502 559 "http://localhost:3050/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36" "-"
Any help is appreciated.
Needed to amend the docker-compose.yml:
the upstream services should expose their ports so that the nginx service can connect, i.e.:
api:
  expose:
    - '5000'
client:
  expose:
    - '3000'
the nginx service depends_on the upstream services:
nginx:
  depends_on:
    - 'client'
    - 'api'
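Added example, not code from any post on this page: a Python triage helper for the nginx upstream error lines quoted in this thread and in the Roundcube question at the top. It tells errno 110 (the upstream accepted the connection but never answered) from 111 (nothing listening on that address), and flags an upstream that resolved to a public address, as in the 125.235.4.59 line above, which means the service name was not answered by Docker's embedded DNS. The sample lines are constructed from the excerpts in the questions.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines, modelled on the nginx error-log excerpts quoted on
# this page: the "upstream timed out" line from the Roundcube question and the
# "Connection refused" lines from the docker-compose questions.
SAMPLE_LINES = [
    '2019/01/31 09:29:25 [error] 460#460: *82483 upstream timed out '
    '(110: Connection timed out) while reading response header from upstream, '
    'client: 194.197.210.75, server: www.mydomain.be, '
    'request: "POST /roundcube/?_task=login HTTP/1.1", '
    'upstream: "http://172.18.0.9:80/?_task=login", host: "www.mydomain.be"',
    '2019/07/08 02:52:35 [error] 6#6: *1 connect() failed (111: Connection refused) '
    'while connecting to upstream, client: 172.25.0.1, server: , request: "GET / HTTP/1.1", '
    'upstream: "http://125.235.4.59:3000/", host: "localhost:3050"',
    '2020/04/15 21:44:55 [error] 6#6: *10 connect() failed (111: Connection refused) '
    'while connecting to upstream, client: MY_CLIENT_IP, server: , '
    'request: "GET /login?from=%2Fjenkins HTTP/1.1", '
    'upstream: "http://172.18.0.5:4200/login?from=%2Fjenkins", host: "SERVER_IP"',
    '2020/04/15 21:44:55 [notice] 1#1: using the "epoll" event method',  # not an upstream error
]

# The errno nginx prints in parentheses, and the upstream URL it actually tried.
UPSTREAM_ERROR = re.compile(
    r'\[error\] .*?\((?P<errno>\d+): [^)]*\).*?'
    r'upstream: "(?P<scheme>https?)://(?P<ip>[^:/"]+)(?::(?P<port>\d+))?'
)


@dataclass
class UpstreamFailure:
    errno: int
    ip: str
    port: int
    external: bool   # True when the upstream address is neither private nor loopback
    verdict: str


def explain(errno: int, ip: str, port: int, external: bool) -> str:
    """Map the errno (and the address class) to the failure modes seen in these threads."""
    if external:
        # Docker's embedded DNS only answers for containers on a shared network; other
        # names are forwarded to the host's resolvers, so a public address here means
        # the service name was unknown inside the Docker network and traffic left it.
        return (f"{ip}:{port} is not a Docker network address: the upstream name did not "
                f"resolve via Docker DNS (service missing, not on the proxy's network, or "
                f"misspelled) and the request went to an outside host")
    if errno == 111:
        return (f"nothing is listening on {ip}:{port}: use the container-side port in the "
                f"upstream block, not the host-mapped one, and make sure the service is up")
    if errno == 110:
        return (f"{ip}:{port} accepted the connection but never answered: the upstream "
                f"itself is stuck (for example waiting on its own backend), not the proxy")
    return f"unclassified errno {errno} talking to {ip}:{port}"


def parse_line(line: str) -> Optional[UpstreamFailure]:
    """Return a classified failure for an nginx upstream error line, else None."""
    m = UPSTREAM_ERROR.search(line)
    if not m:
        return None
    errno = int(m.group("errno"))
    ip = m.group("ip")
    port = int(m.group("port") or (443 if m.group("scheme") == "https" else 80))
    try:
        addr = ipaddress.ip_address(ip)
        external = not (addr.is_private or addr.is_loopback)
    except ValueError:      # a hostname or placeholder rather than a literal address
        external = False
    return UpstreamFailure(errno, ip, port, external, explain(errno, ip, port, external))


def triage(lines: List[str]) -> List[UpstreamFailure]:
    """Classify every upstream error in an nginx error-log excerpt."""
    return [f for f in (parse_line(ln) for ln in lines) if f is not None]


if __name__ == "__main__":
    for failure in triage(SAMPLE_LINES):
        print(f"errno {failure.errno} -> {failure.verdict}")
```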

nginx reverse proxy upstream fails in docker-compose with connection refused message

I have a docker-compose.yaml similar to this (shortened for simplicity):
# ...
services:
  my-ui:
    # ...
    ports:
      - 5402:8080
    networks:
      - my-net
networks:
  my-net:
    external:
      name: my-net
and I'm trying to set up nginx as a reverse proxy with this configuration:
upstream client {
    server my-ui:5402;
}
server {
    listen 80;
    location / {
        proxy_pass http://client;
    }
}
and this is the docker-compose.yaml I have for nginx:
# ...
services:
  reverse-proxy:
    # ...
    ports:
      - 5500:80
    networks:
      - my-net
networks:
  my-net:
    external:
      name: my-net
What happens now is that when I run my-ui and reverse-proxy (each using its own docker-compose up), and I go to http://localhost:5500, I get a Bad Gateway message, and my nginx logs say this:
connect() failed (111: Connection refused) while connecting to
upstream, client: 172.19.0.1, server: , request: "GET / HTTP/1.1",
upstream: "http://172.19.0.5:5402/", host: "localhost:5500"
If I exec into my nginx container and use ping:
ping my-ui
ping 172.19.0.5
Both are successful, but if I want to, for example, curl:
curl -L http://my-ui
curl -L http://my-ui:5402
curl -L http://172.19.0.1
All of them fail with a connection refused message. What am I missing here?
PS: I'm not sure, but it might be useful to add that my-ui is a basic vuejs application, running on Webpack dev server.
PS2: I also tried passing host headers etc. but same result
The name of the container (my-ui) resolves to the IP of the container. Therefore you have to provide in upstream the port of the container and not the port you have mapped to the host.
upstream client {
    server my-ui:8080;
}
server {
    listen 80;
    location / {
        proxy_pass http://client;
    }
}
You could also configure your upstream with the name of your host machine and use the mapped port. (server <name of host>:5402) But this could get quite messy and you would lose the advantage of isolating services with docker networks.
Furthermore you could also remove the port mapping unless you need to access the webservice without reverse proxy:
# ...
services:
  reverse-proxy:
    # ...
    # ports:
    #   - 5500:80
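Added example, not code from any of the posts: a Python check that applies the rule from the answer above (point the upstream at the container-side port, never the host-mapped one) to compose service definitions and nginx upstream blocks. It also flags an upstream that shares no Docker network with the proxy, or that is not a compose service at all, which is the situation behind the jenkins/angular and client/api questions earlier on the page. The service definitions and nginx fragments are constructed, and the proxy's service name reverse-proxy is an assumption.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed compose services modelled on the last question: "5402:8080" maps host
# port 5402 to container port 8080, and only 8080 is reachable through the service
# name on the shared Docker network. "db" sits on another network on purpose.
SERVICES: Dict[str, dict] = {
    "reverse-proxy": {"ports": ["5500:80"], "networks": ["my-net"]},
    "my-ui": {"ports": ["5402:8080"], "networks": ["my-net"]},
    "api": {"expose": ["5000"], "networks": ["my-net"]},
    "db": {"expose": ["5432"], "networks": ["backend-net"]},
}

# Constructed nginx fragments: the first reproduces the mistakes discussed on this
# page, the second is the corrected upstream from the answer above.
NGINX_BROKEN = """
upstream client  { server my-ui:5402; }
upstream backend { server api:5000; }
upstream store   { server db:5432; }
upstream other   { server jenkins:8080; }
"""
NGINX_FIXED = "upstream client { server my-ui:8080; }"

# First "server host:port;" line of each upstream block (enough for compose setups).
UPSTREAM_SERVER = re.compile(r"upstream\s+([\w-]+)\s*\{[^}]*?server\s+([\w.-]+):(\d+)\s*;")


def split_mapping(mapping: str) -> Tuple[Optional[int], Optional[int]]:
    """Return (host_port, container_port) from a compose short-syntax port mapping.

    Accepts "8080", "5402:8080", "127.0.0.1:5402:8080" and a "/udp" suffix;
    port ranges are not needed here and yield None.
    """
    parts = mapping.split("/")[0].split(":")
    container = int(parts[-1]) if parts[-1].isdigit() else None
    host = int(parts[-2]) if len(parts) > 1 and parts[-2].isdigit() else None
    return host, container


def container_ports(svc: dict) -> Set[int]:
    """Ports the service listens on inside the network (mapped or exposed)."""
    ports = {split_mapping(str(m))[1] for m in svc.get("ports", [])}
    ports |= {int(p) for p in svc.get("expose", []) if str(p).isdigit()}
    return {p for p in ports if p is not None}


def host_ports(svc: dict) -> Set[int]:
    """Ports published on the Docker host; not reachable through the service name."""
    return {p for p in (split_mapping(str(m))[0] for m in svc.get("ports", [])) if p is not None}


def check_upstreams(nginx_conf: str, services: Dict[str, dict],
                    proxy: str = "reverse-proxy") -> List[str]:
    """Flag upstream entries that cannot work from inside the proxy container."""
    proxy_nets = set(services[proxy].get("networks", []))
    findings: List[str] = []
    for name, host, port_s in UPSTREAM_SERVER.findall(nginx_conf):
        port = int(port_s)
        svc = services.get(host)
        if svc is None:
            findings.append(f"upstream {name}: '{host}' is not a compose service, so the "
                            f"name falls through to external DNS instead of Docker DNS")
        elif not proxy_nets & set(svc.get("networks", [])):
            findings.append(f"upstream {name}: '{host}' shares no network with '{proxy}'")
        elif port in container_ports(svc):
            continue   # correct: container-side port on a shared network
        elif port in host_ports(svc):
            wanted = sorted(container_ports(svc))
            target = f"{host}:{wanted[0]}" if wanted else f"{host}:<container port>"
            findings.append(f"upstream {name}: {host}:{port} is the host-mapped port; "
                            f"inside the network use {target}")
        else:
            findings.append(f"upstream {name}: {host}:{port} is neither mapped nor exposed")
    return findings


if __name__ == "__main__":
    for finding in check_upstreams(NGINX_BROKEN, SERVICES):
        print(finding)
    print("fixed config:", check_upstreams(NGINX_FIXED, SERVICES) or "no findings")
```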
