Develop Reference

Use Docker and Nginx to deploy my Application with 2 Vue Frontends and one Spring Backend with SSL - keep getting SSL errors

Context
I have had my application running with a global Nginx as a reverse proxy on my private server without issues. However, for my project I need to deploy it on the servers of my university where I'll need to move all that into my Containers, but I cannot make it work.
General Project Setup
Short introduction to the setup: I have my frontend-ui, which is a simple PWA I built with vue that also uses Firebase Messaging for notifications. Notification tokens are stored via my notification manager - a spring application - in a database and it also performs all database queries such as removing the tokens upon deletion etc. My third ui ist the notification-ui that provides a simple (vue) frontend to send out notifications with firebase, for that it also interacts with the database to retrieve the tokens. All projects are located in one folder with a docker-compose.
I need both of my Frontends to serve https.
Nginx / Docker Setup
frontend-ui
My frontend-ui has the following Nginx configuration and the certificates are in the folder certificates:
server {
listen 80;
server_name SERVERNAME;
# Redirect all traffic to SSL
rewrite ^ https://$server_name$request_uri? permanent;
}
server {
listen 443 ssl;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA256:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EDH+aRSA+AESGCM:EDH+aRSA+SHA256:EDH+aRSA:EECDH:!aNULL:!eNULL:!MEDIUM:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED";
add_header Strict-Transport-Security "max-age=31536000";
server_name SERVERNAME;
## Access and error logs.
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log info;
## Server certificate and key.
ssl on;
ssl_certificate /etc/nginx/ssl/nginx.cert;
ssl_certificate_key /etc/nginx/ssl/nginx.key;
root /usr/share/nginx/html;
location / {
try_files $uri $uri/ =404;
}
location /api {
proxy_pass http://127.0.0.1:42372;
}
}
and this Dockerfile:
# build stage
FROM node:lts-alpine as build-stage
WORKDIR /app
COPY package*.json /app/
RUN npm install
COPY . .
RUN npm run build
#COPY default.conf /etc/nginx/conf.d/
#COPY certificates/nginx.cert /etc/ssl/
#COPY certificates/nginx.key /etc/ssl/
# production stage
FROM nginx:stable-alpine as production-stage
COPY certificates/nginx.cert /etc/nginx/ssl/
COPY certificates/nginx.key /etc/nginx/ssl/
COPY default.conf /etc/nginx/conf.d/
COPY --from=build-stage /app/dist /usr/share/nginx/html
CMD ["nginx", "-g", "daemon off;"]
notification-ui
My notification-ui has the following Nginx configuration and the certificates are in the folder certificates:
server {
listen 80;
server_name SERVERNAME;
# Redirect all traffic to SSL
rewrite ^ https://$server_name$request_uri? permanent;
}
server {
listen 443 ssl;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA256:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EDH+aRSA+AESGCM:EDH+aRSA+SHA256:EDH+aRSA:EECDH:!aNULL:!eNULL:!MEDIUM:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED";
add_header Strict-Transport-Security "max-age=31536000";
server_name SERVERNAME;
## Access and error logs.
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log info;
## Server certificate and key.
ssl on;
ssl_certificate /etc/nginx/ssl/nginx.cert;
ssl_certificate_key /etc/nginx/ssl/nginx.key;
root /usr/share/nginx/html;
location / {
try_files $uri $uri/ =404;
}
location /api {
proxy_pass http://127.0.0.1:42372;
}
}
and this Dockerfile:
# build stage
FROM node:lts-alpine as build-stage
WORKDIR /app
COPY package*.json /app/
RUN npm install
COPY . .
RUN npm run build
#COPY default.conf /etc/nginx/conf.d/
#COPY certificates/nginx.cert /etc/ssl/
#COPY certificates/nginx.key /etc/ssl/
# production stage
FROM nginx:stable-alpine as production-stage
COPY certificates/nginx.cert /etc/nginx/ssl/
COPY certificates/nginx.key /etc/nginx/ssl/
COPY default.conf /etc/nginx/conf.d/
COPY --from=build-stage /app/dist /usr/share/nginx/html
CMD ["nginx", "-g", "daemon off;"]
Notification-backend
My backend doesn't have an Nginx config, as it does not need it per se. The Dockerfile looks like this:
### BUILDER
FROM maven:3.6.3-jdk-11-slim as builder
RUN mkdir -p /build
WORKDIR /build
COPY pom.xml /build
#Download dependencies
#RUN mvn -B dependency:resolve dependency:resolve-plugins
#copy src-code
COPY src /build/src
#Build application
RUN mvn clean install
### RUNTIME
FROM openjdk:11-slim as runtime
ENV APP_HOME /
#Create folders for config and logging
RUN mkdir $APP_HOME/config
RUN mkdir $APP_HOME/log
VOLUME $APP_HOME/log
VOLUME $APP_HOME/config
WORKDIR $APP_HOME
#Copy jar from builder
COPY --from=builder /build/target/*.jar notificationmanager.jar
ENTRYPOINT ["java","-jar","notificationmanager.jar", "de.hsa.frontend.notificationmanager.NotificationmanagerApplication"]
Deployment
I deploy the network using a docker-compose:
version: '3.2'
services:
backend:
image: notificationmanager-be:1
build:
context: ./notificationmanager
dockerfile: ./Dockerfile
ports:
- "42372:8085"
networks:
- notificationmanager
restart: on-failure:5
notification-ui:
image: notificationmanager-ui:1
build:
context: ./notificationmanager-ui
dockerfile: ./Dockerfile
ports:
- "42373:80"
- "42376:443"
networks:
- notificationmanager
db:
image: postgres
ports:
- "42374:5432"
environment:
- POSTGRES_USER=USERNAME
- POSTGRES_PASSWORD=PASSWORD
- POSTGRES_DB=DATABASE
volumes:
- data:/var/lib/postgresql/data/
restart: on-failure:5
frontend-ui:
image: frontend-ui:1
build:
context: ./frontend-ui
dockerfile: ./Dockerfile
ports:
- "42375:80"
- "42377:443"
networks:
- notificationmanager
networks:
notificationmanager:
driver: bridge
volumes:
data:
driver: local
The mapping of port 443 I added as a last idea as to why it might not work so I can also take it out again. I cannot really see much of a difference from online-Tutorials I have viewed, but I still get a SSL-error (ERR_SSL_PROTOCOL_ERROR) when trying to open the webpages, the Dev-Tools don't show any errors, the logs from the frontend-ui look like this (others are similar):
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: Getting the checksum of /etc/nginx/conf.d/default.conf
10-listen-on-ipv6-by-default.sh: info: /etc/nginx/conf.d/default.conf differs from the packaged version
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
2021/03/29 11:55:04 [warn] 1#1: the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /etc/nginx/conf.d/default.conf:23
nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /etc/nginx/conf.d/default.conf:23
10.144.43.100 - - [29/Mar/2021:11:55:53 +0000] "\x16\x03\x01\x02\x00\x01\x00\x01\xFC\x03\x03\xB1\xC7" 400 157 "-" "-" "-"
10.144.43.100 - - [29/Mar/2021:11:55:53 +0000] "\x16\x03\x01\x02\x00\x01\x00\x01\xFC\x03\x03:X\xFB\x83\xAD\x18\x13n^\xF4\x06:\xED\x93~;\xB2%j\xD0\xAC\xDC\xFB#W\xCB)b\x16r\xC9\xCE \xFE\x1Fu\xA3Y;\xB2\xC0\xFB\x11 \x02\xDE\x91=$U" 400 157 "-" "-" "-"
10.144.43.100 - - [29/Mar/2021:11:55:54 +0000] "\x16\x03\x01\x02\x00\x01\x00\x01\xFC\x03\x03Bp\x91\xA8\xC6h)\x81\xA41\x12\xAAl\xF4\xD1q\xA8\xEA\xC6{\xC4\x0B\x83\xA9\xE1\xFCJ#1#\x1F\xB9 ?\xCFV\xA7\x0Fvx\x1C\xF5\xF5\xA4\x0B\xAF\xA2Z>\xB4\xCA\xC4!i;F6\xC0\x1F\xB5H\x94\xC4\xBC\x19\x00\x22::\x13\x01\x13\x02\x13\x03\xC0+\xC0/\xC0,\xC00\xCC\xA9\xCC\xA8\xC0\x13\xC0\x14\x00\x9C\x00\x9D\x00/\x005\x00" 400 157 "-" "-" "-"
10.144.43.100 - - [29/Mar/2021:11:55:54 +0000] "\x16\x03\x01\x02\x00\x01\x00\x01\xFC\x03\x03\x9D#Ju;j24\xC0\xF6\xEA\xDC\xBF\xFA\x0E;\xBDJ\x030\xD4\xF6\xE8V\x88I\xB8/'\xA6Vj \xA1B\x17\x5C$" 400 157 "-" "-" "-"
I did a bit of renaming to improve the readability and tried to remove all my (failed) attempts on possible issues so I apologize if I failed that somewhere. I had to remove some values (like login data for the database) so I just wrote placeholders there, of course the files are filled completely.
Can anyone point me to my error?

I don't see where you are exposing the ports in the dockerfiles. I think you'll want to add this to your nginx dockerfiles
EXPOSE 80 443
And this to your java dockerfile
EXPOSE 8085
Once you expose those ports, you'll probably run into a problem with the reverse proxy. Each container has it's own localhost, so in your nginx configs, this line won't work.
proxy_pass http://127.0.0.1:42372;
You can access the backend container "directly" without going through the docker host. Try changing that line to
proxy_pass http://backend:8085;
Similarly, I suspect you're trying to connect to your db using localhost:42374. You'll probably need to change that to db:5432.

nginx permission issue serving static file on centos 7

I have Nginx installed with PHP-FPM ( php 7.2) on a CentOS 7
I created a new account with name deploy
I added deploy to group deploy, added deploy to group Nginx
I created a folder in deploy's home web/public, then set permission 777 -R web/public/
then I changed user = deploy, group = deploy in /etc/opt/remi/php72/php-fpm.d/www.conf
SELinux disabled
My problem is:
- I can run php, but cannot access static file ( css, js... ) via browser
This is an error message:
- 19/04/27 22:51:22 [error] 4165#0: *1601 open() "/home/deploy/web/public/robots.txt" failed (13: Permission denied), client: 216.244.66.xxx, server: _, request: "GET /robots.txt HTTP/1.1", host: "domain.com"
This is Nginx setting
server {
listen 80;
server_name domain.con;
root /home/deploy/web/public;
index index.html index.php;
error_log /var/logs/nginx/error_log error;
location ~* \.(jpg|jpeg|gif|css|png|js|ico|html)$ {
root /home/deploy/web/public;
autoindex on;
access_log on;
expires max;
log_not_found on;
}
Please help me
Update, solution is:
chmod +x /home/deploy
chmod +x /home/deploy/public

Run commands:
chmod +x /home/deploy
chmod +x /home/deploy/public

Nginx resolving system in Docker container

I got strange situation with Nginx in the Docker.
I have 3 containers that run as a services in the Docker swarm.
Docker version is: 17.03.1-ce, build c6d412e.
Docker command to run swarm is: docker deploy -c docker-compose.yml synergy
Docker compose file is here: https://raw.githubusercontent.com/sodrian/synergy/master/docker-compose.yml
The strange thing is as follows:
If I use 80 port nginx server directives similar to this ones, everything is ok:
server {
listen 80;
server_name SOME_NAME.com;
location / {
uwsgi_pass synergy_uwsgi:8001;
include uwsgi_params;
}
}
If 443 directives are used I keep getting the error:
server {
listen 443 ssl;
server_name SOME_NAME.com;
ssl_certificate SOME_PATH;
ssl_certificate_key SOME_OTHER_PATH;
location / {
uwsgi_pass synergy_uwsgi:8001;
include uwsgi_params;
}
}
The Nginx error: host not found in upstream "synergy_uwsgi"
I had to write the script
https://raw.githubusercontent.com/sodrian/synergy/master/deploy/nginx/synergy_uwsgi_resolve.sh
and change CMD on nginx container to:
CMD sh /etc/nginx/synergy_uwsgi_resolve.sh && nginx -g "daemon off;"
to make it run.
So the question is: why can nslookup resolve synergy_uwsgi host, but nginx can't?

How to resolve Nginx "proxy_pass 502 Bad Gateway" error

I have trying to add proxy_set_header in my nginx.conf file. When I try to add proxy_pass and invoke the URL it throws 502 Bad Gateway nginx/1.11.1 error.
Not sure how to resolve this error:
upstream app-server {
# connect to this socket
server unix:///tmp/alpasso-wsgi.sock; # for a file socket
}
server {
server_name <name>;
listen 80 default_server;
# Redirect http to https
rewrite ^(.*) https://$host$1 permanent;
}
server {
server_name <name>;
listen 443 ssl default_server;
recursive_error_pages on;
location /azure{
proxy_pass http://app-server;
}
ssl on;
ssl_certificate /etc/nginx/server.crt;
ssl_certificate_key /etc/nginx/server.key;
ssl_client_certificate /etc/nginx/server.crt;
ssl_verify_client optional;
}

Had similar problem with proxy_pass, if your Linux server is using SELINUX then you may want to try this.
$ setsebool -P httpd_can_network_connect true
Refer to Warren's answer: https://unix.stackexchange.com/questions/196907/proxy-nginx-shows-a-bad-gateway-error

502 is sent when your upstream is not reachable.
Try to switch on error log and you might see failed to connect to upstream,
for this you need to check whether your upstream server is running or not, sudo service upstream status, and try to switch that on.

Nginx proxy with unix socket troubleshooting:
Check nginx conf:
nginx -t
Check socket:
netstat --protocol=unix -nlp | grep alpasso-wsgi.socket
Check is app working:
curl --unix-socket /tmp/alpasso-wsgi.sock http:/your-path-on-app
(Must be html code on screen output)
If not, check your app. If yes:
Check nginx error log
sudo tail -f /var/log/nginx/error.log
In case you get a nginx permissions error, check nginx user rights for socket:
Determine which username nginx use:
ps aux | grep nginx
And, for example, if nginx user is www-data, give to www-data user required rights. Add www-data user to required group:
sudo usermod -a -G your-socket-file-group www-data
and check permissions of a socket file,
or use ACL:
sudo setfacl -R -m u:www-data:rwX /path-to-your-unix-socket
sudo setfacl -Rd -m u:www-data:rwX /path-to-your-unix-socket
Im my opinion, ACL is better for security. Because you give rights to nginx only to one file, not for all files which belongs to group.

Nginx Not Port Listening when it runs as service

l'm configuring Nginx on my CentOS 7. l could run the nginx through the command but no through the service. l appreciate any help.
Run Nginx through command
When l start the nginx with
$ sudo nginx
l could see the port is listening, and l've connected to nginx with lynx successfully.
$ netstat -nap | grep 8000
(No info could be read for "-p": geteuid()=1000 but you should be root.)
tcp 0 0 0.0.0.0:8000 0.0.0.0:* LISTEN -
No issue with wget as well,
$ wget http://127.0.0.1:8000
--2016-04-05 13:33:01-- http://127.0.0.1:8000/
Connecting to 127.0.0.1:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘index.html.2’
[ <=> ] 11 --.-K/s in 0s
2016-04-05 13:33:01 (1.53 MB/s) - ‘index.html.2’ saved [11]
Run Nginx through Systemd
However, when l start the nginx through systemd
$ sudo systemctl start nginx
Nothing is listening on the port 8000.
$ netstat -nap | grep 8000
(No info could be read for "-p": geteuid()=1000 but you should be root.)
This is the result of wget
$ wget http://127.0.0.1:8000
--2016-04-05 13:34:52-- http://127.0.0.1:8000/
Connecting to 127.0.0.1:8000... failed: Connection refused.
l've checked the error log (/var/log/nginx/error.log),
Apr 5 12:57:24 localhost systemd: Starting The NGINX HTTP and reverse proxy server...
Apr 5 12:57:24 localhost nginx: nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
Apr 5 12:57:24 localhost nginx: nginx: configuration file /etc/nginx/nginx.conf test is successful
Apr 5 12:57:24 localhost systemd: Failed to read PID from file /var/run/nginx.pid: Invalid argument
Apr 5 12:57:24 localhost systemd: Started The NGINX HTTP and reverse proxy server.
The config file has passed the test
$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
This is the main config file /etc/nginx/nginx.conf
$ cat /etc/nginx/nginx.conf
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log debug;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
#gzip on;
include /etc/nginx/conf.d/*.conf;
}
This is the nginx config file /etc/nginx/conf.d/test_nginx.conf
# the upstream component nginx needs to connect to
upstream django {
server 0.0.0.0:8001;
}
# configuration of the server
server {
# the port your site will be served on
listen 8000;
# the domain name it will serve for
server_name 0.0.0.0; # substitute your machine's IP address or FQDN
charset utf-8;
# max upload size
client_max_body_size 75M; # adjust to taste
location /static {
alias /src/frontend/DjangoServer/static;
}
# Finally, send all non-media requests to the Django server.
location / {
uwsgi_pass django;
include /src/frontend/DjangoServer/uwsgi_params; # the uwsgi_params file you installed
}
}
This is the nginx systemd config file
$ cat /etc/systemd/system/nginx.service
[Unit]
Description=The NGINX HTTP and reverse proxy server
After=syslog.target network.target remote-fs.target nss-lookup.target
[Service]
Type=forking
PIDFile=/var/run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t
ExecStart=/usr/sbin/nginx
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s QUIT $MAINPID
PrivateTmp=true
[Install]
WantedBy=multi-user.target

Probably SELinux is not allowing nginx to read the configs under /etc/nginx/sites-enabled/, I had the same problem when copying the configuration from another site.
chcon -R -t httpd_config_t /etc/nginx
should fix it. If not check in /var/log/audit to see if there is any other problem related to SELinux

This answer is specific to Docker.
I experienced the same issue I could run the nginx through the command but no through the service. on Docker (Debian).
The cause is that daemon tools (init.d, service, systemd) don't work on Docker by default. In Linux, the init process has to have PID 1. However, Docker doesn't run them as PID 1. PID 1 is occupied by dumb-init -- sh -c ...... which executes the CMD statement in you Docker config file. That was why my nginx didn't start as a service.
You can either 'hack' Docker to use systemd, which I don't think is a recommended practice at least according to what I've read on SO, or you could include the nginx start command sorta via terminal as in:
CMD ["sh", "-c", "systemctl start nginx (or "service nginx start" etc.) && (your original command)"]