I'm using docker on osx via boot2docker.
I have 2 hosts: site1.loc.test.com and site2.loc.test.com pointed to ip address of docker host.
Both should be available via 80 and 443 ports.
So I'm using jwilder/nginx-proxy for reverse proxy purposes.
But in fact when I'm running all of them via docker-compose every time I try to open via 80 port I get redirect to 443 (301 Moved Permanently).
May be I've missed something in jwilder/nginx-proxy configuration?
docker-compose.yml
proxy:
image: jwilder/nginx-proxy
volumes:
- /var/run/docker.sock:/tmp/docker.sock:ro
- certs:/etc/nginx/certs
ports:
- "80:80"
- "443:443"
site1:
image: httpd:2.4
volumes:
- site1:/usr/local/apache2/htdocs
environment:
VIRTUAL_HOST: site1.loc.test.com
expose:
- "80"
site2:
image: httpd:2.4
volumes:
- site2:/usr/local/apache2/htdocs
environment:
VIRTUAL_HOST: site2.loc.test.com
expose:
- "80"
Just to keep this topic up to date, the jwilder/nginx-proxy meanwhile introduced a flag for that: HTTPS_METHOD=noredirect; To be set as environment variable.
Further reading on github
I think your configuration should be correct, but it seems that this is the intended behaviour of jwilder/nginx-proxy. See these lines in the file nginx.tmpl: https://github.com/jwilder/nginx-proxy/blob/master/nginx.tmpl#L89-L94
It seems that if a certificate is found, you will always be redirected to https.
EDIT: I found the confirmation in the documentation
The behavior for the proxy when port 80 and 443 are exposed is as
follows:
If a container has a usable cert, port 80 will redirect to 443 for that container so that HTTPS is always preferred when available.
You can still use a custom configuration. You could also try to override the file nginx.tmpl in a new Dockefile .
To serve traffic in both SSL and non-SSL modes without redirecting to SSL, you can include the environment variable HTTPS_METHOD=noredirect (the default is HTTPS_METHOD=redirect).
HTTPS_METHOD must be specified on each container for which you want to override the default behavior.
Here is an example Docker Compose file:
version: '3'
services:
nginx-proxy:
image: jwilder/nginx-proxy
ports:
- '80:80'
- '443:443'
volumes:
- /var/run/docker.sock:/tmp/docker.sock:ro
- ./config/certs:/etc/nginx/certs
environment:
DEFAULT_HOST: my.example.com
app:
build:
context: .
dockerfile: ./Dockerfile
environment:
HTTPS_METHOD: noredirect
VIRTUAL_HOST: my.example.com
Note: As in this example, environment variable HTTPS_METHOD must be set on the app container, not the nginx-proxy container.
Ref: How SSL Support Works section for the jwilder/nginx-proxy Docker image.
Related
I set up a Docker network with a db container, a nextcloud container, and a nginx container. I can access the nextcloud website with 'ip-adress':8080, but I want to access it without specifying port 8080. How can I do that?
This is my docker-compose.yml:
version: '2'
volumes:
nextcloud:
db:
services:
db:
image: mariadb
restart: always
command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
volumes:
- db:/var/lib/mysql
environment:
- MYSQL_ROOT_PASSWORD=
- MYSQL_PASSWORD=
- MYSQL_DATABASE=nextcloud
- MYSQL_USER=nextcloud
app:
image: nextcloud:fpm
restart: always
links:
- db
volumes:
- nextcloud:/var/www/html
environment:
- MYSQL_PASSWORD=
- MYSQL_DATABASE=nextcloud
- MYSQL_USER=nextcloud
- MYSQL_HOST=db
web:
image: nginx
restart: always
ports:
- 8080:80
links:
- app
volumes:
- ./nginx.conf:/etc/nginx/nginx.conf:ro
volumes_from:
- app
What you want is to avoid having to specify the port when you request a URI. One way to do that is to use the default port for the protocol you are using (80 for HTTP, 443 for https, 21 for FTP, etc). Then rely on your client to automatically fallback to the default port.
In a Docker Compose configuration file, the syntax for exposing a port is defined as such: <host_port>:<container_port> (see the documentation). That means 8080:80 exposes port 80 from the container on your docker host on port 8080.
In your case, the service is exposing an HTTP server, which means you have to change it to the default port 80 in order to omit it. Update web.services.ports[0] from 8080:80 to 80:80, and you will be able to access nextcloud from 'ip-adress'.
My problem is similar to this one, which is apparently unsolved to this day :/
I was following this tutorial to setup my Theia IDE, the IDE is working but I want my 8080 port to be open for testing out the node.js backend I host on the Theia IDE using the terminal.
Here are my docker-compose files I used for setting up the open ports and etc:
version: '2.2'
services:
eclipse-theia:
restart: always
image: theiaide/theia:latest
init: true
environment:
- VIRTUAL_HOST=mydomainhere.com
- LETSENCRYPT_HOST=mydomainhere.com
version: '2'
services:
nginx-proxy:
restart: always
image: jwilder/nginx-proxy
ports:
- "80:80"
- "443:443"
- "8080:8080"
volumes:
- "/etc/nginx/htpasswd:/etc/nginx/htpasswd"
- "/etc/nginx/vhost.d"
- "/usr/share/nginx/html"
- "/var/run/docker.sock:/tmp/docker.sock:ro"
- "/etc/nginx/certs"
letsencrypt-nginx-proxy-companion:
restart: always
image: jrcs/letsencrypt-nginx-proxy-companion
volumes:
- "/var/run/docker.sock:/var/run/docker.sock:ro"
volumes_from:
- "nginx-proxy"
If I add expose: - "8080" to the eclipse-theia docker-compose file I get a 502 error returned...
So that's not the way to go I guess. I also tried running netcat to check whether the port 8080 was open and it was.
UPDATE
I get the following error in the logs when I get the 502 error:
[error] 136#136: *21 no live upstreams while connecting to upstream
If I add ports: - "8080" instead I get a HSTS error..
UPDATE 2
I tried the following config following the advice from the answer below:
version: '2.2'
services:
eclipse-theia:
restart: always
image: theiaide/theia:latest
init: true
environment:
- VIRTUAL_HOST=mysubdomain1.domain.com,mysubdomain2.domain.com
- VIRTUAL_PORT=80,8080
- LETSENCRYPT_HOST=mysubdomain1.domain.com,mysubdomain2.domain.com
- LETSENCRYPT_EMAIL=mymail#domain.com
But this appears to not work either, Port 8080 seems to simply not work. I also tried specifying port 8080 on the nginx-proxy config, it does not work :/
do you use port 8080 on the proxy for something else?
I just use 80 and 443 on the proxy...
If you use 8080 just on your eclipse-theia, why not define
ports:
- "8080:8080"
on the docker compose of theia instead of the nginx-proxy?
The proxy has the sense, to use several domains/subdomains on ports 80 and 443 instead of using weird port mess.
I cant explain how to use it like you described, cause since it makes no sense to me to use it that way i wont dive into that further.
So what I had to do was set the config to:
version: '2.2'
services:
eclipse-theia:
restart: always
image: theiaide/theia:latest
init: true
environment:
- VIRTUAL_HOST=mysubdomain1.domain.com,mysubdomain2.domain.com
- LETSENCRYPT_HOST=mysubdomain1.domain.com,mysubdomain2.domain.com
- LETSENCRYPT_EMAIL=mymail#domain.com
and in the jwilder/nginx-proxy container there is apt installed so just execute apt install nano and then execute nano /etc/nginx/conf.d/default.conf and edit the second upstream port from 3000 to 8080 and voilá it works!
P.S. Don't add ports 8080 to the nginx-proxy config, that's completely unnecessary!
I have been attempting to configure nginx reverse proxy with php support in docker compose that runs an app service on port 3838. I want the app to run the nginx-proxy on port 80. I have combed through several tutorials online but none of them has helped me resolve the problem. I also tried to follow this https://github.com/dmitrym0/simple-lets-encrypt-docker-compose-sample/blob/master/docker-compose.yml but it didn't work. Here is my current docker compose file.
docker-compose.yml
version: '3'
services:
nginx-proxy:
image: jwilder/nginx-proxy
ports:
- "82:80"
- "444:443"
volumes:
- "/etc/nginx/vhost.d"
- "/usr/share/nginx/html"
- "/var/run/docker.sock:/tmp/docker.sock:ro"
- "/etc/nginx/certs"
app:
build:
context: .
dockerfile: ./app/Dockerfile
image: rocker/shiny
container_name: docker-app
restart: always
ports:
- 3838:3838
Am I missing something. Sometimes I see virtual_host environment variables include in the docker-compose file. Is that needed? Also do I have to manually configure nginx config files and attach them to the jwilder/nginx-proxy dockerfile? I a newbie at docker and and I really need some help.
Please refer to the Multiple Ports section of the nginx-proxy official docs. In your case, besides setting a mandatory VIRTUAL_HOST env variable (without this a container won't be reverse proxied by the nginx-proxy service), you have to set the VIRTUAL_PORT variable as the nginx-proxy will default to the service running on port 80, but your app service is bind to 3838 port.
Try this docker-compose.yml file to see if it works:
version: "3"
services:
nginx-proxy:
image: jwilder/nginx-proxy
ports:
- "80:80"
volumes:
- /var/run/docker.sock:/tmp/docker.sock:ro
app:
build:
context: .
dockerfile: ./app/Dockerfile
image: rocker/shiny
container_name: docker-app
restart: always
expose:
- 3838
environment:
- VIRTUAL_HOST=app.localhost
- VIRTUAL_PORT=3838
I am currently in the process of containerizing wordpress apps for development. And that has been going reasonably well so far :)
At the moment I am using one docker-compose.yml file (and some configs) per app. Each app consists of an nginx-webserver, a database and wordpress with fpm. (example docker-compose.yml below). Each app handles it's ssl on it's own and I have confirmed, that it works.
The next step in my masterplan is to use an nginx reverse proxy to have all app containers up at the same time without the need to use different ports on the host.
As I understand jwilder/nginx-proxy is the best tool for the job. So I was thinking - and please correct me if that is not best practice - that I could create a compose.yml file for the nginx-proxy that could run all the time and that would expose ports 80 and 443 to the host while automatically generating the nginx-configs for every container I' spin up afterwards.
version: '3.6'
services:
nginx-proxy:
image: jwilder/nginx-proxy
container_name: nginx_proxy
ports:
- '80:80'
- '443:443'
volumes:
- /var/run/docker.sock:/tmp/docker.sock:ro
networks:
default:
external:
name: nginx-proxy
I tried that with an nginx-proxy which exposed port 80 to the host and a wordpress app setup in its own docker-compose.yml file using the mariadb:latest and wordpress:latest images. That did indeed work simply by adding the expose: \ -80 and the VIRTUAL_HOST environment variable.
But I don't quite get how to use the reverse proxy in front of my aforementioned wordpress apps. The documentation states this:
SSL Backends
If you would like the reverse proxy to connect to your backend using HTTPS instead of HTTP, set VIRTUAL_PROTO=https on the backend container.
Note: If you use VIRTUAL_PROTO=https and your backend container exposes port 80 and 443, nginx-proxy will use HTTPS on port 80. This is almost certainly not what you want, so you should also include VIRTUAL_PORT=443.
so I tried adding these environment variables to the app's docker-compose.yml file. Specifically on the nginx service inside and added exposed ports 80 and 443.
version: '3.6'
services:
wordpress:
image: wordpress:4.7.2-php7.1-fpm
volumes:
- ../public:/var/www/html
environment:
- WORDPRESS_DB_NAME=${WORDPRESS_DB_NAME:-wordpress}
- WORDPRESS_TABLE_PREFIX=${WORDPRESS_TABLE_PREFIX:-wp_}
- WORDPRESS_DB_HOST=${WORDPRESS_DB_HOST:-mysql}
- WORDPRESS_DB_USER=${WORDPRESS_DB_USER:-root}
- WORDPRESS_DB_PASSWORD=${WORDPRESS_DB_PASSWORD:-password}
depends_on:
- db
restart: always
db:
image: mariadb:${MARIADB_VERSION:-latest}
volumes:
- tss-data:/var/lib/mysql
# - ./db:/docker-entrypoint-initdb.d/
environment:
- MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD:-password}
- MYSQL_USER=${MYSQL_USER:-root}
- MYSQL_PASSWORD=${MYSQL_PASSWORD:-password}
- MYSQL_DATABASE=${MYSQL_DATABASE:-wordpress}
restart: always
nginx:
image: nginx:${NGINX_VERSION:-latest}
container_name: nginx
volumes:
- ${NGINX_CONF_DIR:-./nginx}:/etc/nginx/conf.d
- ${NGINX_LOG_DIR:-./logs/nginx}:/var/log/nginx
- ${WORDPRESS_DATA_DIR:-./wordpress}:/var/www/html
- ${SSL_CERTS_DIR:-./certs}:/etc/letsencrypt
- ${SSL_CERTS_DATA_DIR:-./certs-data}:/data/letsencrypt
environment:
- VIRTUAL_HOST:local.my-app.com
- VIRTUAL_PROTO:https
- VIRTUAL_PORT:443
expose:
- 80
- 443
depends_on:
- wordpress
restart: always
volumes:
tss-data:
networks:
default:
external:
name: nginx-proxy
Alas, if I try to browse to local.my-app.com on port 80 I get
503 Service Temporarily Unavailable
If I try on port 443 the nginx reverse proxy does not respond at all. I feel like I am missing something fairly obvious but I can't seem to find it and I would really appreciate any thoughts on the matter.
In the end, I opted to not handle the SSL encryption in each individual app. But instead I changed the reverse proxy to
version: '3.6'
services:
nginx-proxy:
image: jwilder/nginx-proxy:alpine
container_name: nginx_proxy
ports:
- '80:80'
- '443:443'
volumes:
- ./certs:/etc/nginx/certs
- /var/run/docker.sock:/tmp/docker.sock:ro
restart: unless-stopped
networks:
default:
external:
name: nginx-proxy
So now I can reach each app on Port 80 until I add a cert for it in which case it becomes reachable on port 443.
I tried this in the docker-compose.yml file but can't get php working in the nginx server. What I try to do is simply have nginx with php working
web:
image: nginx:latest
ports:
- "8080:80"
volumes:
- ./docker-nginx-php/html:/usr/share/nginx/html
links:
- php
php:
image: php:7-fpm
volumes:
- ./docker-nginx-php/html:/usr/share/nginx/html
Hope someone knows how to get it working!
I have on my host system apache2 installed which serves some of my apps but I want to have nginx with php server another domain so port 80 is currently in use by apache2 listener that's why I use port 8080:80 instead in this example above
You also need to specify the environment variable VIRTUAL_HOST on the php container as well as opening the port within docker for connection with other containers, like:
php:
image: php:7-fpm
environment:
- VIRTUAL_HOST=domain.example.com
ports:
- 80
volumes:
- ./docker-nginx-php/html:/usr/share/nginx/html