Reputation: 2281
I am migrating an Apache configuration from plain host-based Ubuntu to container-based CoreOS. I have only one instance of CoreOS for exploratory purposes and personal use, so I don't really need a cloud infrastructure compatible solution for this task. Assume all containers are running on the same physical machine.
That Apache configuration was a virtual host ProxyPass with ProxyPreserveHost On. On Ubuntu with an Apache installed on the host machine and no Docker, all is well. The objective is to host multiple web services on the same machine, with each web service being on its own subdomain, on port 443.
For instance, I currently have on my CoreOS installation:
Each of these web services is running in a separate container, and their ports are NOT published (not accessible from the Internet). As for Apache, it's running in its own container, and its ports are exposed.
I am using container linking to achieve the virtual hosts to ProxyPass behavior: --link gitlab:gitlab \
and ProxyPass / https://gitlab:443/
I am now facing a problem: if I watch the Apache logs, I can see incoming connections are logged with the expected client IP address. However, the incoming connections seen by the target containers are recorded with a container's IP address, i.e. 172.17.0.1.
Due to the diversity of the target container web services (gitlab, python, java, php...), I am NOT able to tweak the implementation of these web services so that they pick the IP from another location, let's say X-Forwarded-For.
What would be a way to make it so the target containers see the desired IP address they would have seen if they weren't running in Docker? I am open to solutions that involve throwing away Apache HTTP as long as the desired use case is accomplished (port 443 exposed to Internet: one domain -> one webservice, client IP preserved).
Please note that I was not able to use --net=host on the Apache server, because this option is incompatible with container links.
Upvotes: 1
Views: 1265
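An added example, not part of the original question or its answers: Apache's mod_proxy appends the address it saw to X-Forwarded-For, so a backend that can be changed may recover the client address as below, trusting the header only when the connection itself comes from the proxy. The trusted range 172.17.0.0/16 (Docker's default bridge, matching the 172.17.0.1 above), the function names and the sample addresses are assumptions.

```python
import ipaddress

# Assumption: only peers on Docker's default bridge subnet are our proxy.
TRUSTED_PROXIES = [ipaddress.ip_network("172.17.0.0/16")]


def _is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer, headers):
    """Return the address a backend should log for one request.

    peer    -- source address of the TCP connection as the backend sees it
    headers -- request headers as a dict with lower-case keys
    """
    peer_addr = ipaddress.ip_address(peer)
    # A peer that is not the proxy could have written any header it likes.
    if not _is_trusted(peer_addr):
        return str(peer_addr)
    raw = headers.get("x-forwarded-for", "")
    hops = [h.strip() for h in raw.split(",") if h.strip()]
    # Each proxy appends the address it saw, so walk right to left and stop
    # at the first entry that is not one of our own proxies.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: fall back to the connection's peer
        if not _is_trusted(addr):
            return str(addr)
    return str(peer_addr)


# Constructed sample requests: (peer address, headers).
SAMPLES = [
    ("172.17.0.1", {"x-forwarded-for": "203.0.113.7"}),            # via Apache
    ("172.17.0.1", {"x-forwarded-for": "10.9.9.9, 203.0.113.7"}),  # client sent a fake entry
    ("198.51.100.9", {"x-forwarded-for": "127.0.0.1"}),            # direct, header ignored
    ("172.17.0.1", {}),                                            # proxy sent no header
]

if __name__ == "__main__":
    for peer, headers in SAMPLES:
        print(peer, headers, "->", client_ip(peer, headers))
```

Keeping the backend ports unpublished, as in the question, is what makes the trusted range meaningful: only containers on the bridge can reach the backends directly.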
Reputation: 1652
Links are legacy technology which is being phased out, but you are right, a container sharing the host network cannot be connected to any other network type.
# docker network connect bridge container
Error response from daemon: Container sharing network namespace with another container or host cannot be connected to any other network
Use pipework to connect your apache to the outside network. Put apache and all other containers in the bridge network to provide internal connectivity.
Keep an eye on the macvlan driver, which you should use instead of pipework once it comes out of the "experimental" build.
Upvotes: 1