Docker Community Forums

Share and learn in the Docker community.

Can't get nginx to work over SSL


(Mylifelineio) #1

Hi guys,

Issue Type:

Nginx as reverse proxy over ssl:

My app succesfully are working when I browse using just http and the port but for the live of me I can’t get this working using nginx as a reverse proxy over ssl. I am using asp.net core.

OS build: Ubuntu 16.04
App version: ASP.Net Core 2.1.2

Steps to reproduce:

docker ps:

docker-compose.yml

version: '3.4'

services:
  mylifeline.monitor:
    image: mylifelineio/monitor
    container_name: mylifeline.monitor
    restart: always
    environment:
      DB_CONNECTION_STRING: "host=postgres_image;port=5432;database=user;username=user;password=mypassword"
    ports:
      - "5000:80"
      - "5001:443"
    depends_on:
      - postgres_image

  postgres_image:
    image: postgres:alpine
    restart: always
    volumes:
      - data:/var/lib/postgresql/data
      - ./postgres/init.sql:/docker-entrypoint-initdb.d/init.sql
    ports:
      - "5432"
    environment:
        POSTGRES_USER: "user"
        POSTGRES_PASSWORD: "mypassword"
        POSTGRES_DB: "user"
  proxy:
    image: nginx
    container_name: nginx
    restart: always
    ports:
      - "80:80"
      - "443:443"
    links:
      - mylifeline.monitor
    volumes: 
     - /etc/nginx-docker/:/etc/nginx/

volumes:
  data: {}

nginx.conf

worker_processes  4;  ## Default: 1

events {
  worker_connections  4096;  ## Default: 1024
}

http {
    limit_req_zone $binary_remote_addr zone=one:10m rate=5r/s;
    server_tokens off;

    sendfile on;
    keepalive_timeout 29; # Adjust to the lowest possible value that makes sense for your use case.
    client_body_timeout 10; client_header_timeout 10; send_timeout 10;

    upstream app_servers{
        server mylifeline.monitor:5001;
    }

    server {
        listen 80 default_server;
	listen [::]:80 default_server;
        add_header Strict-Transport-Security max-age=15768000;
        return 301 https://$host$request_uri;
    }

    server {
	listen 443 ssl http2;
	listen [::]:443 ssl http2;
        server_name     *.mylifeline.io;
        ssl_certificate		/etc/nginx/certs/ssl-bundle.crt;
	ssl_certificate_key	/etc/nginx/certs/mylifeline.key;
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
	ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        ssl_session_tickets off;
        ssl_stapling off; #ensure your cert is capable
        ssl_stapling_verify off; #ensure your cert is capable

        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
        add_header X-Frame-Options DENY;
        add_header X-Content-Type-Options nosniff;

        #Redirects all traffic
        location / {
            proxy_pass  http://app_servers;
            limit_req   zone=one burst=10 nodelay;
        }
    }
}

Browser error:
502 bad Gateway, certificate is however showing green

Logs

mylifeline.monitor    | Hosting environment: Development
mylifeline.monitor    | Content root path: /app
mylifeline.monitor    | Now listening on: http://[::]:80
mylifeline.monitor    | Application started. Press Ctrl+C to shut down.
nginx                 | 2018/08/16 11:54:20 [error] 8#8: *1 connect() failed (111: Connection refused) while connecting to upstream, client: 105.226.197.228, server: *.mylifeline.io, request: "GET / HTTP/2.0", upstream: "ht"test.mylifeline.io"
nginx                 | 105.226.197.228 - - [16/Aug/2018:11:54:20 +0000] "GET / HTTP/2.0" 502 568 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36"
nginx                 | 2018/08/16 11:54:20 [error] 8#8: *1 connect() failed (111: Connection refused) while connecting to upstream, client: 105.226.197.228, server: *.mylifeline.io, request: "GET /favicon.ico HTTP/2.0", up1/favicon.ico", host: "test.mylifeline.io", referrer: "https://test.mylifeline.io/"
nginx                 | 105.226.197.228 - - [16/Aug/2018:11:54:20 +0000] "GET /favicon.ico HTTP/2.0" 502 568 "https://test.mylifeline.io/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Ch36"
nginx                 | 51.68.227.88 - - [16/Aug/2018:11:55:07 +0000] "GET /xmlrpc.php HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6"
nginx                 | 2018/08/16 11:56:40 [error] 7#7: *6 connect() failed (111: Connection refused) while connecting to upstream, client: 67.21.36.3, server: *.mylifeline.io, request: "GET /robots.txt HTTP/1.1", upstream: "http://172.18.0.3:5001/robots.txt", host: "46.101.187.31"
nginx                 | 67.21.36.3 - - [16/Aug/2018:11:56:40 +0000] "GET /robots.txt HTTP/1.1" 502 166 "-" "Mozilla/5.0 zgrab/0.x"

(Mylifelineio) #2

Got this working:

In the Dockerfile you must have the following:

ENV ASPNETCORE_URLS http://+:5000
EXPOSE 5000

Leave the upstream to point to port 5000 in the nginx file

Make sure your docker-compose for the app dont use port but just expose 5000