Richard Dakin

Reputation: 443

nginx config reverse proxy + docker + http to https redirect

Context

I have an nginx container in front of several other containers. One of them is running a Node.js front end that is presented on 10001:3000.

I've managed to piece together an nginx config that partially works, allowing SSL termination on 443 to the container on 10001.

However, I now need to redirect all traffic to HTTPS and ideally prevent port 10001 from working. Some sort of HTTP catch-all?

Here is my localhost config for this.

user  www-data;

error_log  /var/log/nginx/error.log warn;
pid        /run/nginx.pid;

worker_processes  2;


events {
    worker_connections  1024;
    multi_accept off;
}

stream {
    upstream stream_backend {
        server 172.17.0.1:10001;
        # server backend2.example.com:12345;
        # server backend3.example.com:12345;
    }

    server {
        listen                443 ssl;
        proxy_pass            stream_backend;

        ssl_certificate /etc/letsencrypt/live/localhost/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/localhost/fullchain.pem;
        ssl_protocols         SSLv3 TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers           HIGH:!aNULL:!MD5;
        ssl_session_cache     shared:SSL:20m;
        ssl_session_timeout   4h;
        ssl_handshake_timeout 30s;


        #...
    }
}

Beyond this, everything I try gives me a syntax error or some other error. Can anyone offer some plain advice?

Upvotes: 0

Views: 1043

Answers (1)

Ethan

Reputation: 53

If you are using docker-compose and adding your API and nginx to the same bridge network, you can expose the port to your API container and remove the ports directive. This will allow nginx to communicate with the API container, but there will be no open port to the API that is publicly available.

ports:
  - "8000:80"
expose:
  - "8000"

Above, the ports directive opens port 8000 to the public. Expose makes 8000 available only over the local subnet or bridge network. So, in this scenario, my suggestion is to remove the ports section. Expose also works with the run command but you will need to create a bridge network manually in that case.

I had the same issue recently. Actually, I had several issues, but this was one of them. See my question and answer here for more detail.

NGINX reverse proxy not working for .NET core webAPI running in Docker

Upvotes: 1
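
The redirect asked about in the question, combined with the answer's advice to drop the published port, as an added example that is not the asker's or the answerer's config. A stream server works at the TCP level and cannot issue an HTTP redirect, so this sketch uses the http context instead; the service name "frontend", the shared bridge network and the privkey.pem file name (the Let's Encrypt default) are assumptions.

```nginx
# Added example. Assumes the Node.js container is reachable as "frontend"
# on the same Docker bridge network as nginx and has no "ports:" mapping,
# so host port 10001 is no longer published.

events {
    worker_connections 1024;
}

http {
    # Container port 3000 is the right-hand side of the 10001:3000 mapping.
    upstream node_frontend {
        server frontend:3000;   # hypothetical compose service name
    }

    # Catch-all for plain HTTP: any host, any path is sent to HTTPS.
    server {
        listen 80 default_server;
        server_name _;
        return 301 https://$host$request_uri;
    }

    # TLS terminates here; traffic to the container stays on the bridge network.
    server {
        listen 443 ssl;
        server_name localhost;

        ssl_certificate     /etc/letsencrypt/live/localhost/fullchain.pem;
        # Assumed file name: the private key, not the certificate chain.
        ssl_certificate_key /etc/letsencrypt/live/localhost/privkey.pem;
        ssl_protocols       TLSv1.2 TLSv1.3;   # SSLv3, TLSv1 and TLSv1.1 left out
        ssl_ciphers         HIGH:!aNULL:!MD5;
        ssl_session_cache   shared:SSL:20m;
        ssl_session_timeout 4h;

        location / {
            proxy_pass http://node_frontend;
            # Let the Node.js app see the original host, client and scheme.
            proxy_set_header Host              $host;
            proxy_set_header X-Real-IP         $remote_addr;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
}
```

Running nginx -t against the file before reloading reports syntax errors without taking the proxy down.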
