Connection refused: Nginx HTTPS reverse proxy in Docker container

I wanted to set up an HTTPS reverse proxy with nginx in a Docker container (either Ubuntu or CentOS). On the browser side, I am getting a connection refused error. Also, I cannot see anything under /var/log/nginx/access.log or /var/log/nginx/error.log.
I am able to set up an HTTP reverse proxy with nginx in a Docker container, and also an HTTPS reverse proxy with nginx on normal Ubuntu and CentOS virtual machines.
Can anyone help me understand why the HTTPS reverse proxy with nginx in Docker containers is failing to connect from the browser?
If any additional information is needed, I can provide it. Thanks in advance.
For reference, please check this sites-available/default file:
server {
    listen 80;
    server_name localhost;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name localhost;
    ssl_certificate /etc/nginx/ssl/cert.pem;
    ssl_certificate_key /etc/nginx/ssl/cert.key;
    ssl on;
    ssl_session_cache builtin:1000 shared:SSL:10m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;
    location ~* /rabbitmq/(.*) {
        rewrite ^\/rabbitmq\/(.*)$ /$1 break;
        proxy_pass http://127.0.0.1:15672;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-NginX-Proxy true;
        proxy_redirect http:// https://;
    }
    location ~* /api/(.*) {
        rewrite ^/api/(.*)$ /$1 break;
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-NginX-Proxy true;
        proxy_redirect http:// https://;
    }
}
Thanks,
Ganesh

It looks like I need to expose both the HTTP and HTTPS ports, since the nginx reverse proxy is configured to serve only HTTPS traffic.
docker run -d -p 80:80 -p 443:443 nginx-container
When I started exposing the HTTPS port, it worked.
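
The fix above comes down to every port that nginx listens on inside the container also being published by docker run. The following is an added example, not code from the original posts, that compares the two; the failing docker run line used with it is constructed, since the question does not show the original command.

```python
import re
import shlex

# Constructed sample: the two listen directives from the question's config.
NGINX_CONF = """
server {
    listen 80;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name localhost;
}
"""

def listen_ports(conf):
    """TCP ports named by uncommented nginx `listen` directives."""
    ports = set()
    for m in re.finditer(r"(?:^|[;{}])\s*listen\s+([^;]+);", conf, re.MULTILINE):
        addr = m.group(1).split()[0]           # "443", "10.0.0.1:443", "[::]:443"
        if addr.startswith("unix:"):
            continue                           # unix sockets are never published
        port = addr.rsplit(":", 1)[-1]
        ports.add(int(port) if port.isdigit() else 80)  # address only: port 80
    return ports

def published_ports(docker_cmd):
    """Container ports published with -p/--publish, and whether host networking is on."""
    args = shlex.split(docker_cmd)
    ports, host_net = set(), False
    for arg, nxt in zip(args, args[1:] + [""]):
        if arg in ("--net", "--network"):
            arg = arg + "=" + nxt
        if arg in ("--net=host", "--network=host"):
            host_net = True
        if arg in ("-p", "--publish"):
            arg = "--publish=" + nxt
        if arg.startswith("--publish="):
            # "[host_ip:][host_port:]container_port[-end][/proto]"
            container = arg.split("=", 1)[1].rsplit(":", 1)[-1].split("/")[0]
            lo, _, hi = container.partition("-")
            ports.update(range(int(lo), int(hi or lo) + 1))
    return ports, host_net

def unreachable_ports(conf, docker_cmd):
    """Listen ports that a client outside the container cannot reach."""
    ports, host_net = published_ports(docker_cmd)
    return [] if host_net else sorted(listen_ports(conf) - ports)
```

With host networking the function reports nothing because the container shares the host's network stack, which also removes the container's network isolation; publishing only the ports nginx listens on keeps that isolation.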

You're probably running your container in "bridge" network mode (it's the default), which means that your 127.0.0.1 is not what you think it is. It would use a virtualised network adapter for your container running nginx. To quickly fix it you can add
--net=host
parameter to your docker run command. There are other options, but I need to know more about your setup and requirements to suggest them.

Related

Nginx Reverse Proxy Subdomain & Port

I'm trying to get my subdomain to redirect to a different machine I have a wiki on.
So basically I've got one machine with Nginx and another machine with the Wiki. (Being Wiki.js)
I'm struggling a little with trying to get this setup honestly. The Nginx server has a different internal IP from the Wiki machine.
I've currently been trying this with little success:
server {
    listen 80;
    server_name wiki.testsite.co.uk;
    #ssl_certificate /etc/nginx/cert.crt;
    #ssl_certificate_key /etc/nginx/cert.key;
    #ssl on;
    #ssl_session_cache builtin:1000 shared:SSL:10m;
    #ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    #ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    #ssl_prefer_server_ciphers on;
    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://192.168.1.184:3000;
        proxy_read_timeout 90;
        proxy_redirect http://127.0.0.1 https://192.168.1.184:3000;
    }
}
This is also inside the available site file for the actual domain the normal website runs on. I've also tried this in a config file for reverse proxies.
As for the Cloudflare DNS, here you are:
Type: A
Name: wiki
Content: mypublicip
Proxy status: DNS only
TTL: Auto
Not sure what I'm doing wrong honestly but it's been fun messing around with this.
~Blood

Nginx Reverse Proxy - proxy_pass using "FQDNs"

We have been trying for days (we tested hundreds of setups) to make an Nginx Reverse Proxy successfully reverse proxy a web application that needs FQDNs (this is mandatory for this web application to work).
Using the configuration below for the Nginx Reverse Proxy together with a local DNS service (see resolver attribute) that knows the FQDN we can successfully make these http calls...
server {
    access_log /var/log/nginx/apps.mbr.domain.abc-access.log;
    error_log /var/log/nginx/apps.mbr.domain.abc-error.log;
    server_name *.apps.mbr.domain.abc;
    location / {
        proxy_pass https://$host$request_uri;
        resolver 127.0.0.1:53;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_ssl_server_name on;
    }
    listen 443;
    ssl_certificate /etc/letsencrypt/live/apps.mbr.domain.abc/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/apps.mbr.domain.abc/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}
... , however if I change the proxy_pass attribute to using an IP as shown here...
server {
    access_log /var/log/nginx/apps.mbr.domain.abc-access.log;
    error_log /var/log/nginx/apps.mbr.domain.abc-error.log;
    server_name *.apps.mbr.domain.abc;
    location / {
        proxy_pass https://10.2.0.18:443;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_ssl_server_name on;
    }
    listen 443;
    ssl_certificate /etc/letsencrypt/live/apps.mbr.domain.abc/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/apps.mbr.domain.abc/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}
... the web application reports not knowing the URL (error). In other words, clearly there is some parameter/data (we don't know what it is) that is added by the DNS service to the http call.
QUESTION: What is the local DNS service provided parameter/data that Nginx Reverse Proxy is not providing?
NOTE: We are asking this because we believe this is something that can be provided by the Nginx Reverse Proxy itself so that we will not need to use the local DNS service.
Thanks! =D

Running Apache OpenMeetings with Nginx Reverse Proxy?

I am trying to install Apache OpenMeetings. However, I want to use Nginx as the reverse proxy to run the application on port 443 using Let's Encrypt free SSL.
If I try to load the application on port 5080, I successfully get the interface, but when I try using the domain name on port 443 (HTTPS), it is not loading the resources.
Here's my nginx virtual host file.
upstream openmeetings {
    server 127.0.0.1:5080;
}
server {
    listen 80;
    server_name openmeetings.example.com;
    return 301 https://$host$request_uri;
}
server {
    listen 443;
    server_name openmeetings.example.com;
    ssl_certificate /etc/letsencrypt/live/openmeetings.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/openmeetings.example.com/privkey.pem;
    ssl on;
    ssl_session_cache builtin:1000 shared:SSL:10m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;
    access_log /var/log/nginx/openmeetings.access.log;
    location / {
        proxy_pass http://openmeetings;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_redirect off;
    }
}

I faced the same problem (with OpenMeetings 5.0.0-M4).
I found the following:
OpenMeetings uses AJAX over WebSocket.
Adding
map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}
to the http section
and
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
to the location
solves the status 400 problem.
Then I met a problem with Content Security Policy.
I feel like the connect-src policy is configured automatically on first connect to the server.
So after changing the domain used, I need to restart OpenMeetings.
Problem with media stream play:
On Check setup, recording produces a long browser console message ending with
onaddstream is deprecated! Use peerConnection.ontrack instead.
...
Remote ICE candidate received
Looks like it is an incompatibility with the old Firefox 54.0 on Linux.
On the latest Firefox 75.0 on Windows it works!
It is also necessary to rewrite server.xml, referring to
nginx managed SSL with Tomcat 7
<Valve className="org.apache.catalina.valves.RemoteIpValve"
       remoteIpHeader="x-forwarded-for"
       remoteIpProxiesHeader="x-forwarded-by"
       protocolHeader="x-forwarded-proto"
/>

Nginx Sub domain setup

I'm trying to set up Nginx so I can have sub domains like
www.MySite.com - Main website (Works correctly)
jenkins.MySite.com - sub domain for Jenkins
gitlab.MySite.com - sub domain for Gitlab
I've tried following various tutorials and I seem to have included everything required to make this work, but still to no avail.
I've followed this: https://www.digitalocean.com/community/tutorials/how-to-configure-nginx-with-ssl-as-a-reverse-proxy-for-jenkins
and various other sources online.
I've edited my nginx.conf file, I've created a new nginx/sites-available conf file for Jenkins and symlinked it to sites-enabled.
This is my default jenkins JENKINS_ARGS
JENKINS_ARGS="--webroot=/var/cache/jenkins/war --httpListenAddress=127.0.0.1 --httpPort=$HTTP_PORT -ajp13Port=$AJP_PORT"
This is an example of my jenkins server block in nginx
server
{
    listen 80;
    return 301 https://$host$request_uri;
}
server
{
    listen 443;
    server_name jenkins.MySite.com;
    #ssl_certificate /etc/nginx/cert.crt;
    #ssl_certificate_key /etc/nginx/cert.key;
    #ssl on;
    #ssl_session_cache builtin:1000 shared:SSL:10m;
    #ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    #ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    #ssl_prefer_server_ciphers on;
    access_log /var/log/nginx/jenkins/access.log;
    location /
    {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Fix the "It appears that your reverse proxy set up is broken" error.
        proxy_pass http://127.0.0.1:8080;
        proxy_read_timeout 90;
        proxy_redirect http://127.0.0.1:8080 https://jenkins.MySite.com;
    }
}
I've also created an A record in DigitalOcean - Network
and also a CNAME
Much help would be appreciated.
Thanks

All three of these setups need separate nginx config files and supervisor files, as you did for the main site. Make soft links of those files and put them in the respective etc/nginx/sites-avai and sites-enable, and also soft link the supervisor files to etc/supervisor/conf.d
To check whether the nginx file is properly configured, you need to test it:
sudo nginx -t

Artifactory pro server behind an nginx frontend

I am trying to set up ssl for our artifactory server. For this I wish to configure nginx as the reverse proxy. So far I have done the following
-- Installed artifactory pro using its docker image
docker run --name artifactory-registry -p 8081:8081 -v $ARTIFACTORY_HOME/data -v $ARTIFACTORY_HOME/logs -v $ARTIFACTORY_HOME/backup -v $ARTIFACTORY_HOME/etc jfrog-docker-reg2.bintray.io/jfrog/artifactory-pro:latest
-- Installed nginx using sudo apt-get install nginx
I have the webapp accessible at http://localhost:8081/artifactory/webapp/#/home
and the following config file under $ARTIFACTORY_HOME/tomcat/conf/server.xml
<Service name="Catalina">
    <Connector port="8081"/>
    <!-- This is the optional AJP connector -->
    <Connector port="8019" protocol="AJP/1.3"/>
    <Engine name="Catalina" defaultHost="localhost">
        <Host name="localhost" appBase="webapps"/>
    </Engine>
</Service>
From sources found online, the following configuration is needed for the nginx to act as a reverse proxy
server {
    listen 80;
    server_name yourdomain.com;
    root /etc/tomcat7/webapps/apple;
    proxy_cache one;
    location / {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://127.0.0.1:8080/;
    }
}
What should be the 'server_name' and 'root' in this path? Also how do I test the reverse proxiness of this setup?

Usually you will configure SSL on its default HTTPS port (443).
Take a look at this page for configuring nginx with SSL.
The server_name is the host from which you will connect to your nginx (from the browser for example). Usually you will have a DNS address from your company (like artifactory.mycompany.com) and you will use that, but if everything is local you can just put localhost instead.
Here is a working SSL configuration on port 443:
server {
    listen 443;
    server_name artifactory.mycompany.com;
    access_log /var/log/nginx/artifactory.access.log;
    error_log /var/log/nginx/artifactory.error.log;
    ssl on;
    ssl_certificate /etc/nginx/ssl/artifactory.crt;
    ssl_certificate_key /etc/nginx/ssl/artifactory.key;
    ssl_session_timeout 5m;
    ssl_protocols SSLv3 TLSv1;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
    ssl_prefer_server_ciphers on;
    location /artifactory {
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Ssl on;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://localhost:8081;
        proxy_pass_header Server;
        proxy_read_timeout 90;
    }
}
Simply put your SSL certificates at the configured locations and you are good to go.
Connecting to https://artifactory.mycompany.com from your browser should now work (or https://localhost if you used that for server_name).
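
The ssl_protocols and ssl_ciphers lines in the configurations on this page can be checked mechanically before they are deployed. The following is an added example, not part of the answer above: it flags protocol versions that have been deprecated and cipher-string tokens that enable weak suites. The keyword list and the HARDENED sample are assumptions of this example.

```python
import re

# SSLv2/SSLv3 are prohibited (RFC 6176, RFC 7568); TLS 1.0/1.1 are deprecated (RFC 8996).
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# OpenSSL cipher-string keywords that select weak or overly broad suite sets (assumed list).
WEAK_CIPHER_WORDS = {"ALL", "LOW", "EXP", "EXPORT", "EXPORT40", "EXPORT56",
                     "RC4", "DES", "3DES", "MD5", "NULL", "aNULL", "eNULL", "ADH"}

# TLS lines copied from the Artifactory answer and from the first question on this page.
ARTIFACTORY = """
ssl_protocols SSLv3 TLSv1;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
"""
FIRST_QUESTION = """
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
"""
# Constructed sample of a corrected setting (not from the page).
HARDENED = """
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
"""

def directive_args(conf, name):
    """Yield the argument string of each uncommented `name ...;` directive."""
    pattern = r"(?:^|[;{}])\s*" + re.escape(name) + r"\s+([^;]+);"
    for line in conf.splitlines():
        m = re.search(pattern, line.split("#", 1)[0])
        if m:
            yield m.group(1).strip()

def audit_tls(conf):
    """Return (directive, value) pairs that enable a weak protocol or cipher set."""
    findings = []
    for args in directive_args(conf, "ssl_protocols"):
        findings += [("ssl_protocols", p) for p in args.split() if p in WEAK_PROTOCOLS]
    for args in directive_args(conf, "ssl_ciphers"):
        for token in args.strip("'\"").split(":"):
            # '!' and '-' remove suites and '+' only reorders, so none of them adds any.
            if token[:1] in ("!", "-", "+", ""):
                continue
            if WEAK_CIPHER_WORDS & set(token.split("+")):
                findings.append(("ssl_ciphers", token))
    return findings
```

In the Artifactory cipher string the tokens `+LOW`, `+SSLv3` and `+EXP` only reorder suites; it is the leading `ALL` that enables them, which is why `ALL` is the token reported.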
