mrbit01

Reputation: 201

Nginx load balancer upstream SSL and Docker

I'm trying to balance between different Docker containers. Each Docker container has an Nginx, and the web server has an SSL certificate.

$ docker ps

CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                   NAMES
b1364b46632c        web         "/usr/bin/supervisord"   22 minutes ago      Up 21 minutes       0.0.0.0:8001->443/tcp   webserver01
b1364b46632c        web         "/usr/bin/supervisord"   22 minutes ago      Up 21 minutes       0.0.0.0:8002->443/tcp   webserver02

And here is my Nginx load balancer configuration, /etc/nginx/conf.d/default.conf:

upstream pool_webservers {
    server localhost:8001;
    server localhost:8002;
}

server {
    listen 443;
    location / {
        proxy_pass https://pool_webservers;
    }
}

I can't make it work. If I run curl -vvv https://localhost:8001 or curl -vvv https://localhost:8002, the server responds fine with the SSL certificate, but if I run curl -vvv https://localhost:443, it returns:

$ curl -vvv https://localhost:443
* Rebuilt URL to: https://localhost:443/
*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS error -12263 (SSL_ERROR_RX_RECORD_TOO_LONG)
* SSL received a record that exceeded the maximum permissible length.
* Closing connection 0
curl: (35) SSL received a record that exceeded the maximum permissible length.

Thanks!

UPDATE 1: I was reading, and the best solution is to add the SSL certificate on the load balancer side and leave the Docker containers (Nginx web servers) without the certificate.

Like this:

$ docker ps

CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                           NAMES
ec14fa21ef3d    dignajar/bludit   "/usr/bin/supervisord"       2 hours ago         Up 2 hours          0.0.0.0:8001->80/tcp          webserver01
ac14fa21ef1a    dignajar/bludit   "/usr/bin/supervisord"       2 hours ago         Up 2 hours          0.0.0.0:8002->80/tcp          webserver02

Here is my virtual host for Nginx, with the SSL certificate of mydomain.

upstream pool_webservers {
    server localhost:8001;
    server localhost:8002;
}

server {
    listen 443 ssl;
    server_name mydomain.here.com;

    ssl_certificate         /etc/...;
    ssl_certificate_key     /etc/...;
    ....

    location / {
        proxy_pass http://pool_webservers;
    }
}

PS: having everything on the same server is not a good idea; it's just for this example.

Upvotes: 2

Views: 1851

Answers (1)

boyvinall

Reputation: 1907

Change the listen line to specify ssl?

listen 443 ssl;

Upvotes: 2
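An added example (not code from the question or the answer) that shows what is behind the SSL_ERROR_RX_RECORD_TOO_LONG message and gives a small probe for spotting a port that was meant to be TLS but is serving plaintext. With listen 443; and no ssl, nginx speaks plaintext HTTP on 443: the client's TLS ClientHello is read as a malformed request, nginx answers HTTP/1.1 400 Bad Request, and the client interprets those ASCII bytes as a TLS record header whose length field is above the protocol maximum. The local server thread, the probe record and the byte strings below are all constructed for the example; no host, port or certificate from the question is assumed.

```python
"""Why curl reports SSL_ERROR_RX_RECORD_TOO_LONG against a port that is
not speaking TLS, and how to detect such a port before clients do.

Added example, not code from the question or the answer.
"""
import socket
import struct
import threading

# Largest TLSCiphertext fragment the record layer accepts (RFC 5246 s6.2.3).
TLS_MAX_RECORD_LEN = 2**14 + 2048  # 18432


def parse_tls_record_header(data: bytes) -> dict:
    """Read the first five bytes of a reply as a TLS record header."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes for a TLS record header")
    content_type, version, length = struct.unpack("!BHH", data[:5])
    return {"content_type": content_type, "version": version, "length": length}


def classify_reply(data: bytes) -> str:
    """Tell a genuine TLS reply apart from plaintext HTTP served on a TLS port."""
    hdr = parse_tls_record_header(data)
    is_tls = (
        hdr["content_type"] in (0x15, 0x16)       # alert or handshake record
        and hdr["version"] >> 8 == 0x03           # SSLv3/TLS major version
        and hdr["length"] <= TLS_MAX_RECORD_LEN
    )
    if is_tls:
        return "tls"
    if data.startswith(b"HTTP/"):
        # "HTTP/" decodes as type 0x48, version 0x5454, length 0x502F = 20527:
        # exactly the "record that exceeded the maximum permissible length".
        return f"plaintext-http (record length {hdr['length']} > {TLS_MAX_RECORD_LEN})"
    return "unknown"


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    """Collect exactly n bytes (or fewer if the peer closes first)."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def probe(host: str, port: int, timeout: float = 2.0) -> str:
    """Send a minimal handshake record and classify the first five reply bytes."""
    # Constructed probe: TLS handshake record (0x16), record version 3.1, a
    # one-byte body.  It is not a complete ClientHello; it only needs to be
    # something a plaintext HTTP server will reject with an HTTP response.
    probe_record = b"\x16\x03\x01\x00\x01\x01"
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(probe_record)
        reply = _recv_exact(s, 5)
    return classify_reply(reply)


def _plaintext_http_on_tls_port(listener: socket.socket) -> None:
    """Stand-in for nginx with `listen 443;` and no `ssl`: answers any bytes with HTTP."""
    conn, _ = listener.accept()
    with conn:
        conn.recv(4096)
        conn.sendall(b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n")


def demo() -> str:
    """Reproduce the misconfiguration on an ephemeral local port and probe it."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    server = threading.Thread(
        target=_plaintext_http_on_tls_port, args=(listener,), daemon=True
    )
    server.start()
    try:
        return probe("127.0.0.1", port)
    finally:
        server.join(timeout=5)
        listener.close()


if __name__ == "__main__":
    print(demo())
```

Against a listener that has listen 443 ssl; the same probe comes back as "tls" (a ServerHello or an alert record), so the function doubles as a quick post-deploy check for every port that is supposed to terminate TLS. One caveat for the first configuration in the question, where the balancer keeps proxy_pass https://pool_webservers: nginx does not verify the upstream certificate unless proxy_ssl_verify on; and a proxy_ssl_trusted_certificate are set, so moving the certificate to the balancer (as in UPDATE 1) or enabling that verification is what actually makes the balancer-to-container hop trustworthy.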
