I want using nginx make reverse proxy(docker container). However, there have been some exceptions.
issue context
Centos version: 7.4.1708
nginx version: 1.13.12
docker version: 1.13.1
Open firewall and exposed 80 port
nginx reproxy on docker container: failed (113: No route to host) while connecting to upstream
nginx reproxy on host: function normal
nginx configuration:
server
{
listen 80;
server_name web.pfneo.geo;
location / {
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://172.18.0.249:88;
}
access_log logs/web.tk_access.log;
}
close the firewall
nginx reproxy on docker container: function normal
nginx reproxy on host: function normal
Open firewall not expose port
nginx app service on docker container(88 port): function normal
It seems that this problem is caused by docker?
Docker can ignore the host firewall?
Related
I have a uwsgi (python flask app) running in a Docker exposed port 8080.
I have an nginx running in another Docker ports 80 and 443.
Here is a snippet from my config
upstream backend {
server my-uwsgi:8080;
}
server {
server_name api.my.app my.app;
listen 80;
listen [::]:80;
return 301 https://$host$request_uri;
}
server {
server_name api.my.app my.app;
...
location = /demo1/byAddress
{
include uwsgi_params;
uwsgi_param X-Real-IP $remote_addr;
uwsgi_param X-Forwarded-For $remote_addr;
uwsgi_param Host $host;
uwsgi_pass backend;
}
This does stand up, but is non functional.
In the nginx docker I can do telnet my-uwsgi:8080 so I know it can connect to the uwsgi Docker.
But in /var/log/nginx/error.log This is the first entry:
2022/01/10 00:04:49 [emerg] 9#9: host not found in upstream "my-uwsgi:8080" in `/etc/nginx/conf.d/my.conf:10`
I cannot figure out a combination that works, what is the magic that I am missing here?
Thanx
I'm trying to use nginx as a reverse proxy inside a container points to the different PHP application container.
My PHP container gets requests from external port 8080 and forwards it to internal 80. I want my nginx to get listen to port 80 and forward the request to the PHP container on port 8080 but have issues redirecting the request.
My nginx Dockerfile:
FROM nginx:latest
COPY default.conf /etc/nginx/conf.d/default.conf
My nginx default.conf:
server {
listen 80;
error_page 497 http://$host:80$request_uri;
client_max_body_size 32M;
underscores_in_headers on;
location / {
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_pass http://php-container:8080;
proxy_read_timeout 90;
proxy_http_version 1.1;
}
}
I've tried deploying it via docker-compose with the above yml file, but got the same error when CURL to the nginx.
When CURL to HTTP://localhost:8080 (PHP application) and also to HTTP://localhost:80 (nginx) there's a log output from the docker-compose log.
But when CURL to nginx, I got the above error:
You have a misconfiguration here.
nginx (host:80 -> container:8080)
php-app (host:8080 -> container:80)
Nginx can't reach of "localhost" of another container because it's a different container network.
I suggest you create a docker network --network and place both containers to the network. Then in Nginx config, you can refer php-app container by name.
proxy_read_timeout 90;
proxy_redirect http://localhost:80/ http://php-container:8080/;
Besides you can expose only the Nginx port and your backend will be safe.
I'm trying to enable gitlab registry running in docker behing nginx proxy on centos lxd container :)
Nginx's configuration on centos
server {
listen *:80;
server_name registry.site.name;
return 301 https://$server_name$request_uri;
access_log /var/log/nginx/gitlab_access.log;
error_log /var/log/nginx/gitlab_error.log;
}
server{
listen 443 ssl http2;
server_name registry.site.name;
server_tokens off;
ssl_certificate /etc/letsencrypt/live/site.name/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/site.name/privkey.pem;
ssl_session_timeout 1d;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security "max-age=63072000" always;
location /{
proxy_pass http://localhost:8085;
proxy_redirect off;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Url-Scheme $scheme;
}
}
Gitlab.rb configuration
registry_external_url 'https://registry.site.name'
gitlab_rails['registry_enabled'] = true
registry['enable'] = true
registry['registry_http_addr'] = "git.site.name:8085" # (it is the same as gitlab ip - 172.17.0.3:8085)
registry_nginx['enable'] = false
Docker-compose
version: '2.3'
services:
web:
image: 'gitlab/gitlab-ce:latest'
restart: always
container_name: 'git'
hostname: 'git.site.name'
ports:
- '22:22'
- '8081:8081'
- '8085:8085'
volumes:
- '/data/Projects/git/config:/etc/gitlab'
- '/var/log/git:/var/log/gitlab'
- '/data/Projects/git/data:/var/opt/gitlab'
network_mode: bridge
Looks good. If i make a request to registry.site.name, i see it in gitlab/registry/current log. Registry page also opens good in the project.
But, i can't use CLI
Every time i'm trying to docker login registry.site.name it fails with
Error response from daemon: Get https://registry.site.name/v2/: remote error: tls: protocol version not supported
And this request stopped before git docker container, my nginx proxy logs:
2020/08/05 10:42:21 [crit] 268168#0: *9 SSL_do_handshake() failed (SSL: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol) while SSL handshaking, client: 10.200.3.1, server: 0.0.0.0:443
The same error is triggered if i try to check tls1.2 connection with
curl -I -v -L --tlsv1.2 --tls-max 1.2 registry.site.name
So maybe docker login uses tls 1.2 but i don't understand why it is not working, because i set it up in nginx config.
I also tried nginx configuraton from that question gitlab docker registry with external nginx and omnibus
but still no luck
The mistake was that nginx config FOR git.site.conf didn't contain TLSv1.2
So be sure that both config (git®istry) have tls 1.2 support
I'm trying to host several websites on my droplet. I'm to do that, I'm using NGINX (not container) as reverse proxy to Dockerized apps. One such app I'm using is the dockerized Mediawiki set to run on 0.0.0.0:8081.
Mediawiki container is based on php7.2-apache.
Nginx configuration :
server {
listen 443 ssl;
index index.php;
server_name my.website.com;
ssl_stapling on;
ssl_stapling_verify on;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://0.0.0.0:8081;
}
ssl_certificate /etc/letsencrypt/live/my.website.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/my.website.com/privkey.pem; # managed by Certbot
}
I run the application on port 8081, as can be seen by through docker ps -a
CONTAINER IMAGE PORTS
e40c9815d6cc mediawiki 0.0.0.0:8081 -> 80/tcp
I can access my.website.com, but it shows the default Apache Ubuntu default page. Accessing other pages and resources (index.php, /folder/index.php, images/pic.jpg) returns 404.
Testing the container with similar setup on my machine local works. I think there maybe something up I didn't get with the NGINX config.
Help?
Hi I have a machine (server) and nginx(native) installed on this server.
My domain is hotels.com(for example)
And subdomain api.hotels.com
this is the conf file for subdomain on machine (native nginx):
server {
listen 80;
server_name api.hotels.com;
location / {
proxy_pass http://127.0.0.1:3000$request_uri;;
}
}
I build my app with microservices architecture, 2 services:
users-service:3030 , payment-service:3080
i want to expose api.hotels.com/users/ AND api.hotels.com/payment
so i choose to use nginx(docker container) as apiGateway on port:3000 and i want to proxy to specific service, so use this config
server {
listen 3000;
location /users/ {
proxy_pass http://users:3030/;
}
location /payment/ {
proxy_pass http://users:3080/;
}
}
in localhost it work fine for me but in server and with domain something wrong happen.
if i try to get http://api.hotels.com i get nginx from nginx(machine): Good
but if try to get http://api.hotels.com/users it rewrite the url in browser to http://127.0.0.1/users and then break.
*Note: i use docker-compose to up this 2 services and nginx container.
Questions:
1) how to fix this?
2) my flow is ok, or have any other flow for this app?
My purpose flow example:
1) Client http://api.hotels.com/users
2) Server all api.hotels.com ==> http://localhost:3000(api gateway)
3) Nginx Container(on port:3000) ==> proxy to spesific service by name (users in this example)
Your application looks good, the problem is only configuration.
you can try this configuration:
server {
server_name api.hotels.com;
listen 80;
location /users/ {
proxy_pass http://users:3030/;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $host
}
location /payment/ {
proxy_pass http://users:3080/;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $host
}
}
in this case your nginx container expose ports => INCOMING_PORT:80
then in your example it will look like this in docker-compose.yml
...
services:
api-gateway:
image: nginx:latest
ports:
- "3000:80"
...
in this way your api gateway is more dynamically. you can change the income port any time and nginx inside container will listen for port 80, and will proxy for spesific service by name.
good luck :)