Reputation: 41
Sadly my docker-compose setup with WordPress and Nginx and a custom SSL certificate for HTTPS does not work.
First I have to deactivate HSTS manually in the browser to accept my certificate, even though I added it in the certificates list and my local server as an exception.
It always shows me a 502 Bad Gateway error for https://localhost, but I am able to call the unencrypted HTTP loopback URL at http://127.0.0.1:8000. What is wrong with my setup?
Thanks in advance for every helpful answer.
My docker-compose.yml:
```yaml
version: '3.6'
services:
  db:
    image: mysql:5.7
    volumes:
      - data_db:/var/lib/mysql
    restart: unless-stopped
    environment:
      MYSQL_ROOT_PASSWORD: mypassword
      MYSQL_DATABASE: wordpress
      MYSQL_USER: wordpress
      MYSQL_PASSWORD: wordpress
    networks:
      - wpsite
  phpmyadmin:
    image: phpmyadmin/phpmyadmin:latest
    depends_on:
      - db
    restart: unless-stopped
    ports:
      - '9000:80'
    environment:
      PMA_HOST: db
      MYSQL_ROOT_PASSWORD: mypassword
    networks:
      - wpsite
  wordpress:
    image: wordpress:5.3.2
    container_name: wordpress
    depends_on:
      - db
    ports:
      - '8000:80'
    restart: unless-stopped
    environment:
      WORDPRESS_DB_HOST: db:3306
      WORDPRESS_DB_USER: wordpress
      WORDPRESS_DB_PASSWORD: wordpress
    volumes:
      - ./config/php.conf.uploads.ini:/usr/local/etc/php/conf.d/uploads.ini
      - ./wp-app:/var/www/html
    networks:
      - wpsite
  nginx:
    image: nginx:latest
    depends_on:
      - wordpress
    container_name: nginx
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf
      - ./certs:/etc/nginx/certs
    ports:
      - '80:80'
      - '443:443'
    networks:
      - wpsite
networks:
  wpsite:
volumes:
  data_db:
```
My nginx.conf:
```nginx
worker_processes 2;
pid /var/run/nginx.pid;
worker_rlimit_nofile 65535;

# [ debug | info | notice | warn | error | crit ]
error_log /var/log/nginx.error_log info;

events {
    worker_connections 2000;
    # use [ kqueue | epoll | /dev/poll | select | poll ];
    # use kqueue;
}

http {
    include mime.types;
    default_type application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] '
                    '"$request" $status $bytes_sent '
                    '"$http_referer" "$http_user_agent" '
                    '"$gzip_ratio"';

    log_format download '$remote_addr - $remote_user [$time_local] '
                        '"$request" $status $bytes_sent '
                        '"$http_referer" "$http_user_agent" '
                        '"$http_range" "$sent_http_content_range"';

    client_header_timeout 3m;
    client_body_timeout 3m;
    send_timeout 3m;

    client_header_buffer_size 1k;
    large_client_header_buffers 4 4k;

    gzip on;
    gzip_min_length 1100;
    gzip_buffers 4 8k;
    gzip_types text/plain;

    output_buffers 1 32k;
    postpone_output 1460;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    send_lowat 12000;

    keepalive_timeout 75 20;

    #lingering_time 30;
    #lingering_timeout 10;
    #reset_timedout_connection on;

    server {
        listen 80;
        listen 443 ssl;

        ssl_certificate /etc/nginx/certs/localhost/localhost.crt;
        ssl_certificate_key /etc/nginx/certs/localhost/localhost.key;

        client_max_body_size 500M;
        add_header Strict-Transport-Security max-age=31536000;

        location / {
            proxy_pass http://127.0.0.1:8000;
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Host $server_name;
            #proxy_set_header X-Forwarded-Proto https;
            #proxy_http_version 1.1;
            #proxy_set_header Upgrade $http_upgrade;
            #proxy_set_header Connection "upgrade";
            #proxy_read_timeout 86400;
        }
    }
}
```
My docker-compose output in bash:
```
sudo docker-compose up
Starting wordpress_db_1 ... done
Starting wordpress ... done
Starting wordpress_phpmyadmin_1 ... done
Starting nginx ... done
Attaching to wordpress_db_1, wordpress_phpmyadmin_1, wordpress, nginx
db_1 | 2020-12-11 12:16:32+00:00 [Note] [Entrypoint]: Entrypoint script for MySQL Server 5.7.32-1debian10 started.
nginx | /docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
nginx | /docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
wordpress | AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.18.0.3. Set the 'ServerName' directive globally to suppress this message
nginx | /docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
wordpress | AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.18.0.3. Set the 'ServerName' directive globally to suppress this message
db_1 | 2020-12-11 12:16:32+00:00 [Note] [Entrypoint]: Switching to dedicated user 'mysql'
phpmyadmin_1 | AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.18.0.4. Set the 'ServerName' directive globally to suppress this message
nginx | 10-listen-on-ipv6-by-default.sh: info: IPv6 listen already enabled
wordpress | [Fri Dec 11 12:16:34.004185 2020] [mpm_prefork:notice] [pid 1] AH00163: Apache/2.4.38 (Debian) PHP/7.3.16 configured -- resuming normal operations
wordpress | [Fri Dec 11 12:16:34.004235 2020] [core:notice] [pid 1] AH00094: Command line: 'apache2 -D FOREGROUND'
phpmyadmin_1 | AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.18.0.4. Set the 'ServerName' directive globally to suppress this message
nginx | /docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
phpmyadmin_1 | [Fri Dec 11 12:16:32.766144 2020] [mpm_prefork:notice] [pid 1] AH00163: Apache/2.4.38 (Debian) PHP/7.4.11 configured -- resuming normal operations
phpmyadmin_1 | [Fri Dec 11 12:16:32.766183 2020] [core:notice] [pid 1] AH00094: Command line: 'apache2 -D FOREGROUND'
db_1 | 2020-12-11 12:16:32+00:00 [Note] [Entrypoint]: Entrypoint script for MySQL Server 5.7.32-1debian10 started.
db_1 | 2020-12-11T12:16:32.625996Z 0 [Warning] TIMESTAMP with implicit DEFAULT value is deprecated. Please use --explicit_defaults_for_timestamp server option (see documentation for more details).
db_1 | 2020-12-11T12:16:32.627056Z 0 [Note] mysqld (mysqld 5.7.32) starting as process 1 ...
nginx | /docker-entrypoint.sh: Configuration complete; ready for start up
db_1 | 2020-12-11T12:16:32.629055Z 0 [Note] InnoDB: PUNCH HOLE support available
db_1 | 2020-12-11T12:16:32.629065Z 0 [Note] InnoDB: Mutexes and rw_locks use GCC atomic builtins
db_1 | 2020-12-11T12:16:32.629067Z 0 [Note] InnoDB: Uses event mutexes
db_1 | 2020-12-11T12:16:32.629069Z 0 [Note] InnoDB: GCC builtin __atomic_thread_fence() is used for memory barrier
db_1 | 2020-12-11T12:16:32.629070Z 0 [Note] InnoDB: Compressed tables use zlib 1.2.11
db_1 | 2020-12-11T12:16:32.629072Z 0 [Note] InnoDB: Using Linux native AIO
db_1 | 2020-12-11T12:16:32.629290Z 0 [Note] InnoDB: Number of pools: 1
db_1 | 2020-12-11T12:16:32.629357Z 0 [Note] InnoDB: Using CPU crc32 instructions
db_1 | 2020-12-11T12:16:32.630430Z 0 [Note] InnoDB: Initializing buffer pool, total size = 128M, instances = 1, chunk size = 128M
db_1 | 2020-12-11T12:16:32.635432Z 0 [Note] InnoDB: Completed initialization of buffer pool
db_1 | 2020-12-11T12:16:32.636946Z 0 [Note] InnoDB: If the mysqld execution user is authorized, page cleaner thread priority can be changed. See the man page of setpriority().
db_1 | 2020-12-11T12:16:32.648034Z 0 [Note] InnoDB: Highest supported file format is Barracuda.
db_1 | 2020-12-11T12:16:32.657250Z 0 [Note] InnoDB: Creating shared tablespace for temporary tables
db_1 | 2020-12-11T12:16:32.657322Z 0 [Note] InnoDB: Setting file './ibtmp1' size to 12 MB. Physically writing the file full; Please wait ...
db_1 | 2020-12-11T12:16:32.674418Z 0 [Note] InnoDB: File './ibtmp1' size is now 12 MB.
db_1 | 2020-12-11T12:16:32.675043Z 0 [Note] InnoDB: 96 redo rollback segment(s) found. 96 redo rollback segment(s) are active.
db_1 | 2020-12-11T12:16:32.675054Z 0 [Note] InnoDB: 32 non-redo rollback segment(s) are active.
db_1 | 2020-12-11T12:16:32.675323Z 0 [Note] InnoDB: 5.7.32 started; log sequence number 1169658257
db_1 | 2020-12-11T12:16:32.675397Z 0 [Note] InnoDB: Loading buffer pool(s) from /var/lib/mysql/ib_buffer_pool
db_1 | 2020-12-11T12:16:32.675519Z 0 [Note] Plugin 'FEDERATED' is disabled.
db_1 | 2020-12-11T12:16:32.677250Z 0 [Note] InnoDB: Buffer pool(s) load completed at 201211 12:16:32
db_1 | 2020-12-11T12:16:32.681616Z 0 [Note] Found ca.pem, server-cert.pem and server-key.pem in data directory. Trying to enable SSL support using them.
db_1 | 2020-12-11T12:16:32.681628Z 0 [Note] Skipping generation of SSL certificates as certificate files are present in data directory.
db_1 | 2020-12-11T12:16:32.682038Z 0 [Warning] CA certificate ca.pem is self signed.
db_1 | 2020-12-11T12:16:32.682062Z 0 [Note] Skipping generation of RSA key pair as key files are present in data directory.
db_1 | 2020-12-11T12:16:32.682406Z 0 [Note] Server hostname (bind-address): '*'; port: 3306
db_1 | 2020-12-11T12:16:32.682490Z 0 [Note] IPv6 is available.
db_1 | 2020-12-11T12:16:32.682501Z 0 [Note] - '::' resolves to '::';
db_1 | 2020-12-11T12:16:32.682513Z 0 [Note] Server socket created on IP: '::'.
db_1 | 2020-12-11T12:16:32.683847Z 0 [Warning] Insecure configuration for --pid-file: Location '/var/run/mysqld' in the path is accessible to all OS users. Consider choosing a different directory.
db_1 | 2020-12-11T12:16:32.690930Z 0 [Note] Event Scheduler: Loaded 0 events
db_1 | 2020-12-11T12:16:32.691172Z 0 [Note] mysqld: ready for connections.
db_1 | Version: '5.7.32' socket: '/var/run/mysqld/mysqld.sock' port: 3306 MySQL Community Server (GPL)
nginx | 2020/12/11 12:16:34 [warn] 1#1: "send_lowat" is not supported, ignored in /etc/nginx/nginx.conf:51
nginx | nginx: [warn] "send_lowat" is not supported, ignored in /etc/nginx/nginx.conf:51
```
Upvotes: 0
Views: 1262
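The 502 follows from the `proxy_pass` target in the question's nginx.conf: inside the nginx container, 127.0.0.1 is that container itself, not the Docker host where port 8000 is published. An added example (not part of the original post) of a replacement `server` block for the `http { }` context, assuming the `wordpress` service name, the `wpsite` network and the certificate paths from the question's files:

```nginx
# Added example: goes inside the existing http { } context in place of the
# question's server block. Names and paths are taken from the question's files.
server {
    listen 80;
    listen 443 ssl;

    ssl_certificate     /etc/nginx/certs/localhost/localhost.crt;
    ssl_certificate_key /etc/nginx/certs/localhost/localhost.key;

    client_max_body_size 500M;

    # Strict-Transport-Security is left out for this local, self-signed setup:
    # once a browser has stored an HSTS policy for a host, it no longer offers
    # a bypass for certificate warnings on that host.
    #add_header Strict-Transport-Security max-age=31536000;

    location / {
        # Before: proxy_pass http://127.0.0.1:8000;
        # Nothing listens on 127.0.0.1:8000 inside the nginx container, so the
        # upstream connection fails and nginx answers 502. The '8000:80' mapping
        # only publishes WordPress on the Docker host.
        #
        # After: address the backend by its compose service name. Docker's
        # embedded DNS resolves "wordpress" on the shared wpsite network, and
        # 80 is the port Apache listens on inside that container.
        proxy_pass http://wordpress:80;

        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $server_name;
        # Pass the original scheme so the backend can tell HTTPS requests
        # from plain HTTP ones behind the proxy.
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

WordPress stores its site URL in the database, so an installation first set up through http://127.0.0.1:8000 may keep redirecting there until that setting is changed.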
Reputation: 5128
I use Docker for all my local Docker WordPress projects, but I cannot find a way to run http://localhost over the https protocol.
The only workaround for https local Docker WordPress development is to tunnel the local environment through an SSH tunnelling provider.
I use ngrok, which is really easy to set up and cheap. Here are the docs for WordPress ngrok tunnelling.
This gives you https access to your local WP environment for endpoints etc.
Upvotes: 0