The situation is: we have service with nginx, which also acts as docker server.
Also we have Java application in docker container, which listens at 8080.
The problem is permissions to connect from nginx to container's published port.
Nginx.error.log shows:
2017/11/23 13:44:12 [crit] 3599#0: *1 connect() to 127.0.0.1:8080 failed (13: Permission denied) while connecting to upstream,
2017/11/23 13:44:13 [error] 3599#0: *1 no live upstreams while connecting to upstream
Site config is:
server {
listen 80 default_server;
server_name _;
location / {
proxy_pass http://localhost:8080;
include proxy.conf;
}
}
Container config:
version: '3'
services:
app:
image: user/appX
restart: always
container_name: appX
ports:
- "8080:8080"
env_file:
- ./appX.env
extra_hosts:
- "host:172.101.0.1"
networks:
mynet:
ipv4_address: 172.101.0.2
networks:
mynet:
external:
name: mynet
Permission happens because nginx user is nginx and docker user is root.
How to fix this problem without moving nginx to container ?
Or maybe there is some work around exists ?
Problem was in SELinux configuration.
Solved by running:
setsebool -P httpd_can_network_connect 1
Related
I have a some issue when trying to deploy a simple FastAPI application with Nginx on Google Cloud Platform. In my case I should use SSH-terminal to run Docker container with Nginx and FastAPI. My nginx.conf configuration looks like:
access_log /var/log/nginx/app.log;
error_log /var/log/nginx/app.log;
server {
server_name example.com;
listen 80;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
server_name example.com;
ssl_certificate /root/ssl/cert.pem;
ssl_certificate_key /root/ssl/key.pem;
location / {
proxy_pass "http://example.com:8004/";
}
}
And my docker-compose.yml looks like:
version: '3.8'
services:
nginx-proxy:
image: nginx
container_name: nginx-proxy
ports:
- "80:80"
- "443:443"
volumes:
- /var/run/docker.sock:/tmp/docker.sock:ro
- ./nginx:/etc/nginx/conf.d
- ./ssl/cert1.pem:/root/ssl/cert.pem
- ./ssl/privkey1.pem:/root/ssl/key.pem
- ./ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem
web:
environment: [.env]
build: ./project
ports:
- 8004:8000
command: gunicorn main:app -k uvicorn.workers.UvicornWorker -w 2 -b 0.0.0.0:8000
volumes:
- ./project:/usr/src/app
networks:
default:
external:
name: nginx-proxy
Also, I have a Google Cloud VM instance with Firewall HTTP, HTTPS traffic On option, and additionally configured Firewall with rules allowed TCP connections over 443 and 80 ports (Domain name is provided by Google Cloud also, and redirects to VM's external IP address when I put it in my browser address field).
I run my docker-image from SSH-terminal with docker-compose up --build, then I get 502 Bad Gateway Nginx error in my browser (after going to example.com). I would like to know whether it is possible to run the docker image this way from inside SSH-terminal, as well as which steps did I miss to do it the right way?
I have searched StackOverflow for my problem but I always seem to be hitting the 502 Bad Gateway with my Nginx Docker configuration. I am trying to access pgadmin4 using my domain mydomain.com/pgadmin instead of mydomain.com:8060 where 8060 is the port exposed by it's docker container. My docker-compose.yml file looks like this:
version: '3.5'
services:
reverse-proxy:
image: nginx:1.19.6
restart: always
ports:
- "80:80"
- "443:443"
postgres:
image: postgres:12
ports:
- "5432:5432"
pgadmin:
image: dpage/pgadmin4
depends_on:
- postgres
ports:
- "8060:80"
networks:
default:
external:
name: defaultnetwork
The default.conf file of my nginx container looks like this:
upstream pgadmin {
server 127.0.0.1:8060;
}
server {
listen 80;
listen [::]:80;
server_name mydomain.com;
root /usr/share/nginx/html;
index index.html index.htm;
location /pgadmin {
proxy_pass http://pgadmin;
}
}
With this configuration, I keep getting the 502 Bad Gateway error. Could someone kindly point to me where I am going wrong. I would really appreciate it.
Thanks.
[EDIT]
This is from the docker logs:
2021/02/03 08:07:42 [error] 23#23: *2 connect() failed (111: Connection refused) while connecting to upstream, client: ***.***.***.***, server: mydomain.com, request: "GET /pgadmin HTTP/1.1", upstream: "http://127.0.0.1:8082/pgadmin", host: "mydomain.com"
The 502 problem comes from the loopback IP here:
upstream pgadmin {
server 127.0.0.1:8060;
}
127.0.0.1 or localhost for the NGINX container is the NGINX container itself. You should use the name of the service instead:
upstream pgadmin {
server pgadmin:8060;
}
Name of the service comes from the docker-compose.yml:
services:
pgadmin: # <- this
image: dpage/pgadmin4
If you hit 404 after these changes, this is because you have to change base path of the application. Try using this config:
location /pgadmin/ {
proxy_set_header X-Script-Name /pgadmin;
proxy_set_header Host $host;
proxy_pass http://pgadmin;
proxy_redirect off;
}
Since your containers are working in the same network, you should access the Pgadmin container via 80th port from your Nginx container.
You should replace this line server 127.0.0.1:8060 with server pgadmin:80 in your Nginx config.
I have tried this:
NGINX reverse proxy not working to other docker container
and this:
Docker nginx-proxy : proxy between containers
and followed nginx config from here:
nginx proxy_pass to a linked docker container
I am simply trying to tell nginx to proxy to a linked api service on port 4000. I do not want to expose 4000 to host machine because there will be multiple services running on this port.
This is my docker-compose.yml:
version: '3'
services:
api:
build: ./api
image: myapi:latest
container_nameE: api
api_nginx:
image: nginx:latest
container_name: api_nginx
depends_on:
- api
links:
- api
ports:
- "80:80"
environment:
- NGINX_SERVER_NAME:localhost
volumes:
- ./nginx:/etc/nginx/conf.d
...
...
and my nginx server is super minimal:
upstream backend {
server api;
}
server {
listen 80;
listen [::]:80;
server_name ${NGINX_SERVEE_NAME};
location / {
resolver 127.0.0.1;
proxy_pass http://backend/$1;
}
}
This is the error is throwing:
...[error] 20#20: *1 no resolver defined to resolve api, client: 172.23.0.1, server: ${nginx_server_name}....
and the page shows a 502 Bad Gateway
What is going on? I've followed other people's nginx configs and it's not working, I have no idea.
While experimenting with docker-compose, I'm running into some issues with NGINX and the dns. The error is the regular "connection refused while connecting to upstream" in NGINX. I think the problem arises due to the port numbers.
Examples online like this one run the NGINX on port 80, which doesn't cause the issue.
The docker-compose.yml:
version: '3'
services:
http-server:
networks:
- mynetwork
image: nginx_image
ports:
- 8080:8080
depends_on:
- frontend
- rest_api
frontend:
networks:
- mynetwork
image: frontend_image
ports:
- 8001:8001
rest_api:
networks:
- mynetwork
image: rest_api_image
ports:
- 8000:8000
networks:
mynetwork:
driver: bridge
nginx.conf for nginx_image has this block:
server {
listen 8080;
location /static/js/ {
proxy_pass http://frontend;
}
location /static/css/ {
proxy_pass http://frontend;
}
location /static/ {
proxy_pass http://rest_api;
}
location / {
proxy_pass http://frontend;
}
location /rest_api/ {
proxy_pass http://rest_api;
}
}
Now, both the frontend and api are called over port 80, while it should be 8001 and 8000.
What am I missing? I would expect docker-compose to make the port mapping automatically.
Thanks in advance!
Kind regards,
DA
EDIT1: here's the error (including the hostname suggestion)
EDIT2: updated the question
http-server_1 | 2018/06/04 14:47:50 [error] 14#14: *1 connect() failed (111: Connection refused) while connecting to upstream, client: 172.18.0.1, server: , request: "GET /rest_api/admin/ HTTP/1.1", upstream: "http://172.18.0.2:80/rest_api/admin/", host: "localhost:8080"
you have to specify hostnames:
frontend:
image: frontend_image
hostname: frontend
ports:
- 8001:8001
rest_api:
hostname: rest_api
I am trying to reverse proxy a request through an nginx container in a swarm to a standalone container which shares the same overlay network.
tldr; I receive the following error:
2018/03/15 19:00:35 [emerg] 1#1: invalid host in upstream "http://nginx" in /etc/nginx/nginx.conf:96
nginx: [emerg] invalid host in upstream "http://nginx" in /etc/nginx/nginx.conf:96
The standalone container contains an app which has another nginx frontend:
version: "3"
services:
nginx:
restart: always
container_name: my.nginx
build: ./nginx
networks:
- default
- my-overlay-network
depends_on:
- another-service
... other services
networks:
my-overlay-network:
external: true
I start this app with docker-compose up -d.
My swarm contains the reverse proxy:
version: "3"
services:
reverseproxy:
build: ./reverseproxy
image: reverse_proxy
networks:
- my-overlay-network
ports:
- "80:80"
- "443:443"
volumes:
- /etc/letsencrypt:/etc/letsencrypt
deploy:
replicas: 10
restart_policy:
condition: on-failure
networks:
my-overlay-network:
external: true
If I startup the nginx swarm without specifying a proxy_pass for the standalone app, I can successfully ping the other host like so:
ping http://nginx/
I can confirm the other host receives this request based on the nginx logs.
However, if I specify the docker standalone app in the reverse proxy:
upstream standalone {
server http://nginx/;
}
and
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
... other stuff ...
location / {
proxy_pass http://standalone/;
}
}
I get the following errors:
2018/03/15 19:00:35 [emerg] 1#1: invalid host in upstream "http://nginx" in /etc/nginx/nginx.conf:96
nginx: [emerg] invalid host in upstream "http://nginx" in /etc/nginx/nginx.conf:96
Try to add resolver before upstream:
resolver 127.0.0.11;
upstream standalone {
server http://nginx/;
}
127.0.0.11 is an address of embedded docker DNS server
The issue is that the syntax for upstream is incorrect: it takes a host and port, so it should be:
upstream standalone {
server nginx;
}