502 Bad Gateway when connecting to backend with VIRTUAL_PROTO=https #1465

devia1234 opened this issue Jul 5, 2020 · 3 comments

@devia1234 devia1234 commented Jul 5, 2020

My backend container is nginx that redirects http on port 80 to https on port 443. It uses a self-signed certificate.
When I try to run and access this container without nginx-proxy at all, it works as expected.

Now I want to run it with nginx-proxy in front of it, but despite my efforts I get error 502 Bad Gateway. I must be missing something. What I've done:

  1. I put VIRTUAL_HOST=mydomain.local, VIRTUAL_PROTO=https and VIRTUAL_PORT=443 in docker-compose.yml
  2. When I ran the nginx-proxy container, I gave it a volume with .crt and .key files named "mydomain.local.crt" and "mydomain.local.key"

Should I do something else? What could be causing the 502 Bad Gateway?
There are no errors in nginx's access/error logs (it's configured to "debug" level). So how can I debug this?

This is the nginx config file:

server {
    listen 80;
    return 301 https://$host$request_uri;
}

server {

    listen 443 ssl;
    listen [::]:443 ssl ipv6only=on;
    ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
    ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;

    error_log  /var/www/storage/logs/nginx-error.log debug;
    access_log /var/www/storage/logs/nginx-access.log;

    # Omitted the rest for simplicity...
}

This is docker-compose.yml

version: '3'

services:

  nginx:
    build:
      context: ../
      dockerfile: ./docker/nginx/Dockerfile

    environment:
      - VIRTUAL_HOST=mydomain.local
      - VIRTUAL_PROTO=https
      - VIRTUAL_PORT=443

    volumes:
      - ${BASE_PATH}/public:/var/www/public
      - ${BASE_PATH}/storage/logs/nginx-error.log:/var/www/storage/logs/nginx-error.log
      - ${BASE_PATH}/storage/logs/nginx-access.log:/var/www/storage/logs/nginx-access.log

This is the command I used to generate self-signed certificate:

RUN openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt -subj "/"

@tkw1536 tkw1536 commented Jul 7, 2020

Are nginx-proxy and your nginx container on the same docker network? It could be that this is not related to https at all but a generic connection issue.

@devia1234 devia1234 commented Jul 8, 2020

@tkw1536 I'm pretty sure they are on the same network:

  1. docker-compose.yml file is in a folder "mydomain", so when I do docker-compose up, it creates a network called mydomain_default.
  2. I verified it's there with docker-compose network ls. It truly listed mydomain_default
  3. Lastly, I ran docker inspect [id-of-my-nginx] and under "Networks" I see mydomain_default

Then I started nginx-proxy container with --net mydomain_default:

  1. docker run -d -p 80:80 -p 443:443 --name nginx-proxy --net mydomain_default -v /Users/myuser/code/nginx-proxy-certs:/etc/nginx/certs -v /var/run/docker.sock:/tmp/docker.sock:ro jwilder/nginx-proxy
  2. Again I used docker inspect nginx-proxy and under "Networks" it lists mydomain_default as expected.

@tkw1536 what additional steps could I take to verify they are on the same network?
Is it plausible that nginx-proxy drops the connection to my backend nginx because it uses a self-signed certificate, not a proper one from a trusted authority?

@tkw1536 tkw1536 commented Jul 12, 2020

To verify your containers you could do something like:

docker network inspect -f '{{range .Containers }}{{.Name}} {{end}}' mydomain_default

This will print the names of all containers on the mydomain_default network.

Furthermore, it might indeed be the self-signed certificate that is the problem.
This should be off by default according to the nginx docs; nonetheless, you could try to create a file /etc/nginx/vhost.d/mydomain.local_location with:

proxy_ssl_verify off;

to turn it off explicitly.

One other thought is that the HTTP 502 comes from the inner (https-serving) nginx. Did you ever try accessing that directly?

Can you provide a complete Dockerfile for the nginx container? Then I might be able to reproduce and debug this on my machine.
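
The per-vhost file mentioned in the last comment, shown with the verification-off setting next to a variant that keeps upstream verification on and trusts only the backend's self-signed certificate. This is an added example, not part of the thread or of nginx-proxy's own code. The mount path /etc/nginx/backend-trust/ is hypothetical, and the example assumes the backend certificate is reissued with a name, since the one generated above with -subj "/" has an empty subject and no subjectAltName.

```nginx
# /etc/nginx/vhost.d/mydomain.local_location  (inside the nginx-proxy container)
# nginx-proxy includes this file in the location block it generates for the
# VIRTUAL_HOST mydomain.local.

# --- Setting suggested in the thread, for diagnosis ---------------------
# With verification off, the proxy-to-backend hop is encrypted but the
# backend is not authenticated: any certificate presented on port 443 is
# accepted. This is also nginx's default when the directive is absent.
#
# proxy_ssl_verify off;

# --- Variant that authenticates the backend ------------------------------
# Trust exactly one certificate: the backend's own self-signed one, copied
# or mounted into the proxy container (hypothetical path).
proxy_ssl_verify              on;
proxy_ssl_trusted_certificate /etc/nginx/backend-trust/nginx-selfsigned.crt;

# Name the proxy expects in the backend certificate, and send it as SNI.
proxy_ssl_name                mydomain.local;
proxy_ssl_server_name         on;

# Assumption: the backend certificate carries that name. A certificate
# with an empty subject and no subjectAltName cannot pass the name check,
# so the command from the issue would need to become something like
# (OpenSSL 1.1.1 or later for -addext):
#
#   openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
#     -keyout /etc/ssl/private/nginx-selfsigned.key \
#     -out /etc/ssl/certs/nginx-selfsigned.crt \
#     -subj "/CN=mydomain.local" \
#     -addext "subjectAltName=DNS:mydomain.local"
#
# If verification fails, the proxy answers 502 and the reason (certificate
# verify error or name mismatch during the upstream SSL handshake) appears
# in the nginx-proxy container's error log, not in the backend's logs.
```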
