I am trying to gather some information on the possible avenues to look at when nginx-reverseproxy is not forwarding requests to a docker container (let's call it app-core).
I am able to access app-core by doing a curl request from the nginx-reverseproxy container.
Both nginx-proxy and app-core are running. Both are on the same network.
I don't think there is anything of interest in /etc/nginx/conf.d/default.conf. Nevertheless, I have posted a snippet of it here:
    upstream app-core.com {
        # app-core for docker compose
        server app-core:80;
    }
    server {
        server_name app-core.com;
        listen 80 ;
        access_log /var/log/nginx/access.log vhost;
        return 301 https://$host$request_uri;
    }
    server {
        server_name app-core.com;
        proxy_connect_timeout 5m;
        proxy_send_timeout 5m;
        proxy_read_timeout 5m;
        send_timeout 5m;
        listen 443 ssl ;
        access_log /var/log/nginx/access.log vhost;
        # TLS 1.0 and 1.1 are deprecated (RFC 8996); only TLSv1.2 here is still acceptable
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
        ssl_prefer_server_ciphers on;
        ssl_session_timeout 5m;
        ssl_session_cache shared:SSL:50m;
        ssl_certificate /etc/nginx/certs/app-core.com.crt;
        ssl_certificate_key /etc/nginx/certs/app-core.com.key;
        add_header Strict-Transport-Security "max-age=31536000";
        location / {
            proxy_pass http://app-core.com;
        }
    }
May I know what could be the possible issue here?
Docker version 17.09.0-ce, build afdb6d4
Thanks
Related
I have installed Shopware 5 in a docker container and put it behind an nginx reverse proxy.
After the installation, the main page of the website works, but when I click on any of its tabs, it forwards to the container directly and changes the address in the URL to the address and port of the container. Therefore it shows that the website can't be reached.
I am wondering if this could be something related to nginx or to Shopware itself.
Any advice will be greatly appreciated.
This is the configuration of the proxy:
    server {
        listen 443 ssl http2;
        # listen 80 http2;
        server_name domainname.com;
        ssl_certificate /etc/nginx/certificates/domainname.crt;
        ssl_certificate_key /etc/nginx/certificates/domainname.key;
        ssl_session_timeout 10m;
        ssl_protocols TLSv1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
        ssl_ecdh_curve secp384r1;
        # root /var/www/html;
        error_log /var/log/nginx/domain-error.log;
        access_log /var/log/nginx/domain-access.log;
        add_header Access-Control-Allow-Origin *;
        location / {
            # no proxy_set_header Host here, so the backend receives Host: localhost:8081
            proxy_pass http://localhost:8081/;
        }
    }
I'm running a docker container together with nginx as a reverse proxy. With the container itself, there are no issues. After setting it up and running:
    sudo lsof -i -P -n | grep LISTEN
I get (amongst other lines) the following result:
    docker-pr 1063031 root 4u IPv4 1059993645 0t0 TCP 127.0.0.1:8001 (LISTEN)
My nginx configuration file for my domain (my.domain.de.conf) looks as follows:
    map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;
    }
    server {
        listen 80;
        server_name my.domain.de;
        return 301 https://$host$request_uri;
    }
    # SSL configuration
    server {
        listen 443 ssl;
        server_name my.domain.de;
        ssl_certificate /etc/letsencrypt/live/my.domain.de/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/my.domain.de/privkey.pem;
        # Improve HTTPS performance with session resumption
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 5m;
        # Enable server-side protection against BEAST attacks
        ssl_prefer_server_ciphers on;
        ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
        # Disable SSLv3
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        # Diffie-Hellman parameter for DHE ciphersuites
        ssl_dhparam /etc/ssl/certs/dhparam.pem;
        # Enable HSTS (https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security)
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
        # Enable OCSP stapling (http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox)
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /etc/letsencrypt/live/my.domain.de/fullchain.pem;
        resolver 8.8.8.8 8.8.4.4 valid=300s;
        resolver_timeout 5s;
        location / {
            proxy_pass http://127.0.0.1:8001;
            proxy_set_header Host $host;
            proxy_redirect http:// https://;
            proxy_http_version 1.1;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
        }
    }
If I try to access the (web) service, I get a 502 bad request error.
If something is missing to provide a valid answer, please let me know.
Thanks in advance!
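The first and third posts above end at the same place: the proxy process is up, the app is up, and requests still do not arrive (no response, or a 502). The script below is an added example, not code from either post or from the nginx-proxy project. It separates the layers that can fail (a shared Docker network, config syntax, name resolution inside the proxy, a TCP/HTTP round trip from inside the proxy, and the proxy's own error log) and maps the upstream messages nginx writes to its error log to their usual root causes. The container names, the service name app-core, port 80, and the presence of docker on the host and of curl and getent in the proxy image are assumptions, not facts from the posts.

```shell
#!/bin/sh
# Added example, not code from any of the posts above: isolate why an nginx
# reverse proxy in one container cannot reach an app in another.
# Assumptions (placeholders, not from the posts): the proxy container is
# "nginx-reverseproxy", the app container/service is "app-core" on port 80,
# "docker" is on PATH, and the proxy image contains curl and getent.

# Parse "server host:port;" entries out of every upstream {} block of an
# nginx config read on stdin (e.g. the output of `nginx -T`).
upstream_targets() {
    awk '
        /^[[:space:]]*upstream[[:space:]]/ { in_up = 1; next }
        in_up && /^[[:space:]]*server[[:space:]]/ { sub(/;.*/, "", $2); print $2 }
        in_up && /[}]/ { in_up = 0 }
    '
}

# Map the upstream-related messages nginx writes to its error log to the
# usual root cause. Output starts with a one-word tag before the colon.
classify_upstream_error() {
    case "$1" in
        *"could not be resolved"*|*"host not found in upstream"*)
            echo "dns: upstream name does not resolve inside the proxy container; the two containers share no Docker network, or the service name is wrong" ;;
        *"Connection refused"*)
            echo "refused: the address resolves but nothing listens on that port; the app binds another port, or only its own 127.0.0.1, or proxy_pass points at 127.0.0.1 which inside a container is the proxy itself" ;;
        *"upstream timed out"*)
            echo "timeout: connections are dropped rather than refused; wrong network, host firewall, or the app is hung" ;;
        *"no live upstreams"*)
            echo "down: nginx has marked every upstream failed after earlier errors; fix those, then reload" ;;
        *)
            echo "other: not an upstream connectivity message" ;;
    esac
}

# Constructed sample of a generated nginx-proxy config, used for offline checks.
sample_config() {
    cat <<'EOF'
upstream app-core.com {
    # app-core for docker compose
    server app-core:80;
}
server {
    server_name app-core.com;
    listen 80;
    location / {
        proxy_pass http://app-core.com;
    }
}
EOF
}

# Live checks, run on the Docker host. Each command tests one layer, so the
# first one that fails names the broken layer.
diagnose() {
    proxy="$1"; app="$2"; port="${3:-80}"
    echo "== networks each container is attached to (they must share one) =="
    for c in "$proxy" "$app"; do
        printf '%s: ' "$c"
        docker inspect -f '{{range $k, $v := .NetworkSettings.Networks}}{{$k}} {{end}}' "$c"
    done
    echo "== config syntax =="
    docker exec "$proxy" nginx -t
    echo "== upstream targets in the effective config =="
    docker exec "$proxy" nginx -T 2>/dev/null | upstream_targets
    echo "== name resolution and an HTTP round trip from inside the proxy =="
    docker exec "$proxy" getent hosts "$app"
    docker exec "$proxy" curl -sS -o /dev/null -w 'HTTP %{http_code}\n' "http://$app:$port/"
    echo "== recent upstream errors in the proxy log, classified =="
    docker logs --tail 200 "$proxy" 2>&1 | grep -E 'upstream|connect\(\)' |
    while IFS= read -r line; do
        printf '%s\n  -> %s\n' "$line" "$(classify_upstream_error "$line")"
    done
}

# Usage: sh diagnose.sh --live nginx-reverseproxy app-core 80
if [ "${1:-}" = "--live" ]; then
    shift
    diagnose "$@"
fi
```

The "refused" branch covers the third post's layout as well: a container port published on 127.0.0.1:8001 is reachable from the host's network namespace only, so a proxy_pass to 127.0.0.1:8001 works when nginx runs on the host and lands on the proxy container's own loopback when nginx runs in a container.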
My nginx proxy generates the following entry for my Nexus:
    # nexus.myhost.de
    upstream nexus.myhost.de {
        ## Can be connected with "frontproxy_default" network
        # nexus
        server 172.23.0.13:8081;
    }
    server {
        server_name nexus.myhost.de;
        listen 80 ;
        access_log /var/log/nginx/access.log vhost;
        # Do not HTTPS redirect Let'sEncrypt ACME challenge
        location ^~ /.well-known/acme-challenge/ {
            auth_basic off;
            auth_request off;
            allow all;
            root /usr/share/nginx/html;
            try_files $uri =404;
            break;
        }
        location / {
            return 301 https://$host$request_uri;
        }
    }
    server {
        server_name nexus.myhost.de;
        listen 443 ssl http2 ;
        access_log /var/log/nginx/access.log vhost;
        ssl_session_timeout 5m;
        ssl_session_cache shared:SSL:50m;
        ssl_session_tickets off;
        ssl_certificate /etc/nginx/certs/nexus.myhost.de.crt;
        ssl_certificate_key /etc/nginx/certs/nexus.myhost.de.key;
        ssl_dhparam /etc/nginx/certs/nexus.myhost.de.dhparam.pem;
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /etc/nginx/certs/nexus.myhost.de.chain.pem;
        add_header Strict-Transport-Security "max-age=31536000" always;
        include /etc/nginx/vhost.d/default;
        location / {
            proxy_pass http://nexus.myhost.de;
        }
    }
For this I am using these images:
    image: jwilder/nginx-proxy
    image: jrcs/letsencrypt-nginx-proxy-companion
From here
https://help.sonatype.com/repomanager3/planning-your-implementation/run-behind-a-reverse-proxy?_ga=2.13238647.112157402.1655493796-115056297.1650880144
I know that I need client_max_body_size in the configuration.
But the configuration file is regenerated all the time. So how can I keep the automatic updates from Let's Encrypt and add this parameter to this single configuration?
I'm trying to host an API on AWS EC2 running Ubuntu, and the communication needs to go through HTTPS.
I'm building the code in R and using Plumber to create an API and build a docker image.
First I build the image:
    docker build github.com/eaoestergaard/UNPIE -t eaoestergaard/unpie
And then run the image on port 8001:
    docker run -d -p 8001:8000 --name unpie1 eaoestergaard/unpie
Then I follow this (awesome) guide in order to set up nginx with Let's Encrypt and Certbot, but substitute my API for the production site.
My docker-compose.yml looks like this:
    version: '3.1'
    services:
      production-nginx-container:
        container_name: 'production-nginx-container'
        image: nginx:latest
        ports:
          - "80:80"
          - "443:443"
        volumes:
          - ./production.conf:/etc/nginx/conf.d/default.conf
          - ./production-site:/usr/share/nginx/html
          - ./dh-param/dhparam-2048.pem:/etc/ssl/certs/dhparam-2048.pem
          - /docker-volumes/etc/letsencrypt/live/example.com/fullchain.pem:/etc/letsencrypt/live/example.com/fullchain.pem
          - /docker-volumes/etc/letsencrypt/live/example.com/privkey.pem:/etc/letsencrypt/live/example.com/privkey.pem
        networks:
          - docker-network
        depends_on:
          - unpie1
      unpie1:
        image: eaoestergaard/unpie
        restart: always
        ports:
          - "7001:8000"
        # no networks: key here, so this service joins only the project's default network, not docker-network
    networks:
      docker-network:
        driver: bridge
And my nginx configuration file production.conf:
    server {
        listen 80;
        listen [::]:80;
        server_name example.com www.example.com;
        location ^~ /.well-known/acme-challenge {
            root /usr/share/nginx/html;
            default_type text/plain;
            allow all;
        }
        location / {
            rewrite ^ https://$host$request_uri? permanent;
        }
    }
    #https://example.com
    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name example.com;
        server_tokens off;
        ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
        ssl_buffer_size 8k;
        ssl_dhparam /etc/ssl/certs/dhparam-2048.pem;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        ssl_prefer_server_ciphers on;
        ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
        ssl_ecdh_curve secp384r1;
        ssl_session_tickets off;
        # OCSP stapling
        ssl_stapling on;
        ssl_stapling_verify on;
        resolver 8.8.8.8;
        location ^~ /.well-known/acme-challenge {
            root /usr/share/nginx/html;
            default_type text/plain;
            allow all;
        }
        location /unpie1/ {
            proxy_pass http://unpie1:8000/;
            proxy_set_header Host $host;
        }
        # a server-level return runs before location matching, so it also applies to /unpie1/
        return 301 https://www.example.com$request_uri;
    }
    #https://www.example.com
    server {
        server_name www.example.com;
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_tokens off;
        ssl on;
        ssl_buffer_size 8k;
        ssl_dhparam /etc/ssl/certs/dhparam-2048.pem;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        ssl_prefer_server_ciphers on;
        ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
        ssl_ecdh_curve secp384r1;
        ssl_session_tickets off;
        # OCSP stapling
        ssl_stapling on;
        ssl_stapling_verify on;
        resolver 8.8.8.8 8.8.4.4;
        ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
        location ^~ /.well-known/acme-challenge {
            root /usr/share/nginx/html;
            default_type text/plain;
            allow all;
        }
        location / {
            #security headers
            add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
            add_header X-XSS-Protection "1; mode=block" always;
            add_header X-Content-Type-Options "nosniff" always;
            add_header X-Frame-Options "DENY" always;
            #CSP
            add_header Content-Security-Policy "frame-src 'self'; default-src 'self'; script-src 'self' 'unsafe-inline' https://maxcdn.bootstrapcdn.com https://ajax.googleapis.com; img-src 'self'; style-src 'self' https://maxcdn.bootstrapcdn.com; font-src 'self' data: https://maxcdn.bootstrapcdn.com; form-action 'self'; upgrade-insecure-requests;" always;
            add_header Referrer-Policy "strict-origin-when-cross-origin" always;
        }
        root /usr/share/nginx/html;
        index index.html;
    }
Both were created with inspiration from the Plumber documentation, section 7.4.2.
Then I spin up the docker containers:
    cd /docker/letsencrypt-docker-nginx/src/production
    sudo docker-compose up -d
I can connect to the API over http (e.g. http://example.com:7001/fv.annuity), but unfortunately not over https. I suspect my configuration files are incomplete, but as I'm new to this it's not clear to me what I'm missing.
I have a staging Rails app running with Passenger on nginx. I want to secure the connections with SSL. I have read a lot of resources online but I have yet to make it run on SSL.
So far, my server block in nginx.conf is:
    server {
        listen 80;
        listen 443 default deferred;
        server_name example.com;
        root /home/deploy/app/public;
        passenger_enabled on;
        passenger_set_cgi_param HTTP_X_FORWARDED_PROTO https;
        ssl on;
        ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:RSA+3DES:!ADH:!AECDH:!MD5;
        ssl_prefer_server_ciphers on;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_certificate /etc/ssl/server.crt;
        ssl_certificate_key /etc/ssl/server.key;
    }
The site is running but not on HTTPS.
I've just made the decision to go with SSL myself and found an article on the DigitalOcean site on how to do this. It might be the listen 443 default deferred; which, according to that article, should be ssl, not deferred.
Here's the nginx block they use:
    server {
        listen 80 default_server;
        listen [::]:80 default_server ipv6only=on;
        listen 443 ssl;
        root /usr/share/nginx/html;
        index index.html index.htm;
        server_name your_domain.com;
        ssl_certificate /etc/nginx/ssl/nginx.crt;
        ssl_certificate_key /etc/nginx/ssl/nginx.key;
        location / {
            try_files $uri $uri/ =404;
        }
    }
UPDATE:
I now have my own site running on SSL. Along with the above, I just told Rails to force SSL. In your production environment config:
    # ./config/environments/production.rb
    config.force_ssl = true
Optionally, you can add these settings in the nginx.conf:
    http {
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;
        keepalive_timeout 70;
    }
UPDATE: 2015-09
Since I wrote this answer I've added a few extra things to my nginx config, which I believe everyone should also include. Add the following to your server block:
    server {
        ssl_prefer_server_ciphers On;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
        add_header X-Frame-Options DENY;
    }
The first three lines (ssl_prefer_server_ciphers, ssl_protocols, ssl_ciphers) are the most important, as they make sure you have good, strong SSL settings.
The X-Frame-Options header prevents your site from being included via <iframe> tags. I expect most people will benefit from including this setting.
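Most of what goes wrong in the server blocks on this page can be found by reading the config rather than by trial and error: the Shopware redirect to the container address (a proxy_pass with no proxy_set_header Host), the Nexus upload limit (no client_max_body_size, so nginx's 1m default applies), `ssl on;` and `listen 443 default deferred;` in the Rails question, and TLS 1.0/1.1 plus 3DES in most of the cipher lists. The script below is an added example, not code from any of the posts or from the projects they use; it reads a config (a file, or the output of `nginx -T`) on stdin and prints one FINDING line per issue. The directive names are real nginx directives; the two sample configs are constructed for this example and are not taken from the posts.

```shell
#!/bin/sh
# Added example, not code from any post above: a small audit for the
# recurring nginx reverse-proxy problems on this page. Reads a config on
# stdin, prints FINDING lines and a final TOTAL line.
audit_nginx_conf() {
    awk '
    function finding(msg) { n++; print "FINDING " n ": " msg }
    # A location that proxies but never sets Host hands the backend the
    # upstream address, and the backend builds its redirects from that.
    function end_location() {
        if (has_proxy_pass && !has_host_header)
            finding("location " loc_name " uses proxy_pass without proxy_set_header Host $host; the backend sees the upstream address and redirects clients to it")
        in_loc = 0
    }
    /^[[:space:]]*#/ { next }
    /^[[:space:]]*ssl_protocols[[:space:]]/ && /TLSv1([.]1)?([[:space:];])/ {
        finding("ssl_protocols enables TLS 1.0/1.1, deprecated by RFC 8996: " $0) }
    /^[[:space:]]*ssl_ciphers[[:space:]]/ && /3DES|DES-CBC3/ {
        finding("ssl_ciphers allows 3DES (64-bit block cipher, SWEET32)") }
    /^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;/ {
        finding("ssl on; is deprecated; use the ssl parameter of listen instead") }
    /^[[:space:]]*listen[[:space:]]+([^[:space:]]*:)?443([[:space:]]|;)/ && !/ssl/ {
        finding("listen on 443 without the ssl parameter serves plaintext HTTP on 443: " $0) }
    /^[[:space:]]*add_header[[:space:]]+Strict-Transport-Security/ && !/always/ {
        finding("HSTS add_header lacks always; nginx omits it on 4xx/5xx responses") }
    /^[[:space:]]*add_header[[:space:]]+Access-Control-Allow-Origin[[:space:]]+[*]/ {
        finding("wildcard Access-Control-Allow-Origin on a proxied application") }
    /^[[:space:]]*client_max_body_size[[:space:]]/ { has_body_size = 1 }
    /^[[:space:]]*location[[:space:]]/ {
        in_loc = 1; loc_depth = depth; has_proxy_pass = 0; has_host_header = 0
        loc_name = $0
        sub(/^[[:space:]]*location[[:space:]]+/, "", loc_name)
        sub(/[[:space:]]*[{].*/, "", loc_name) }
    in_loc && /(^|[[:space:];{])proxy_pass[[:space:]]/ { has_proxy_pass = 1; any_proxy = 1 }
    in_loc && /(^|[[:space:];{])proxy_set_header[[:space:]]+Host[[:space:]]/ { has_host_header = 1 }
    {   # track brace depth so the location check fires at its closing brace
        line = $0
        depth += gsub(/[{]/, "", line)
        closes = gsub(/[}]/, "", line)
        while (closes-- > 0) { depth--; if (in_loc && depth == loc_depth) end_location() }
    }
    END {
        if (any_proxy && !has_body_size)
            finding("no client_max_body_size; the default is 1m, so larger uploads to the proxied app fail with 413")
        print "TOTAL " n + 0
    }
    '
}

# Constructed sample that reproduces the patterns seen in the posts above.
sample_bad_conf() {
    cat <<'EOF'
server {
    listen 80;
    listen 443 default deferred;
    server_name example.com;
    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:RSA+3DES:!ADH:!AECDH:!MD5;
    ssl_certificate /etc/ssl/server.crt;
    ssl_certificate_key /etc/ssl/server.key;
    add_header Strict-Transport-Security "max-age=31536000";
    add_header Access-Control-Allow-Origin *;
    location / {
        proxy_pass http://localhost:8081/;
    }
}
EOF
}

# Constructed sample of the same block with each finding addressed.
sample_good_conf() {
    cat <<'EOF'
server {
    listen 443 ssl http2;
    server_name example.com;
    ssl_certificate /etc/ssl/server.crt;
    ssl_certificate_key /etc/ssl/server.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    client_max_body_size 1g;
    location / {
        proxy_pass http://app-core:80;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_redirect http:// https://;
    }
}
EOF
}

# Usage: audit_nginx_conf < /etc/nginx/conf.d/default.conf
#        docker exec nginx-proxy nginx -T 2>/dev/null | audit_nginx_conf
```

For a jwilder/nginx-proxy setup like the Nexus one, the generated default.conf is rewritten on every container event, so a directive such as client_max_body_size does not belong there; the generated server block includes a per-host file from /etc/nginx/vhost.d/ (falling back to /etc/nginx/vhost.d/default when no host-specific file exists), and mounting a file named after the VIRTUAL_HOST into that directory survives regeneration and the Let's Encrypt companion's certificate updates.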