We Keep Coding

How to run docker and node together?

I want run docusaurus with docker which containing nginx and node.
My directories looking like this. Without docker docusaurus working correctly
application/
blog/
docs/
src/
static/
babel.config.js
default.conf
docker-compose.yml
docusaurus.config.js
nginx.dockerfile
nodejs.dockerfile
package.json
package-lock.json
sidebars.js
In the default.conf I have
server {
listen 80;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
Inside docker-compose.yml I have
version: '2'
services:
nodejs:
build:
context: .
dockerfile: nodejs.dockerfile
container_name: nodejs
ports:
- "1602:3000"
volumes:
- ./:/var/www/html
networks:
- application
nginx:
build:
context: .
dockerfile: nginx.dockerfile
container_name: nginx
ports:
- "1601:80"
volumes:
- ./:/var/www/html
depends_on:
- nodejs
networks:
- application
networks:
application:
driver: bridge
Inside nginx.dockerfile I have
FROM nginx
COPY ./default.conf /etc/nginx/conf.d/
Inside nodejs.dockerfile I have
FROM node:14
WORKDIR /var/www/html
COPY ./ /var/www/html
RUN npm install
RUN npm start
EXPOSE 1602

HTTPS not working in nginx reverse proxy (docker compose)

I have a rails app, a mysql db and I'm trying to configurate a reverse proxy server using nginx. HTTP connection goes well, but no matter what I try - the HTTPS connection won't go. The nginx server just won't listen on 443. I've tried many solutions (e.g 1, 2, 3) but neither worked.
I use our own certificates rather than letsencrypt or some similar possibilities.
docker-compose.yml:
version: "3"
services:
proxy:
image: jwilder/nginx-proxy
container_name: proxy
restart: always
ports:
- "80:80"
- "443:443"
volumes:
- /var/run/docker.sock:/tmp/docker.sock
- /home/ssl:/etc/nginx/certs
- /home/log/nginx:/var/log/nginx
environment:
- DEFAULT_HOST=app.test
db:
container_name: db
image: mysql:8.0
restart: always
.
.
.
ports:
- "3306:3306"
app:
container_name: app
.
.
.
environment:
- VIRTUAL_HOST=app.test
- VIRTUAL_PORTO=https
- HTTPS_METHOD=redirect
- CERT_NAME=app.test
running docker exec -it proxy ls -l /etc/nginx/certs shows certificates are mounted:
total 8
-rw-rw-r-- 1 1000 1000 1391 Nov 8 14:36 app.test.crt
-rw-rw-r-- 1 1000 1000 1751 Nov 8 14:29 app.test.key
running docker exec -it proxy cat /etc/nginx/conf.d/default.conf:
# If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
# scheme used to connect to this server
map $http_x_forwarded_proto $proxy_x_forwarded_proto {
default $http_x_forwarded_proto;
'' $scheme;
}
# If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
# server port the client connected to
map $http_x_forwarded_port $proxy_x_forwarded_port {
default $http_x_forwarded_port;
'' $server_port;
}
# If we receive Upgrade, set Connection to "upgrade"; otherwise, delete any
# Connection header that may have been passed to this server
map $http_upgrade $proxy_connection {
default upgrade;
'' close;
}
# Apply fix for very long server names
server_names_hash_bucket_size 128;
# Default dhparam
ssl_dhparam /etc/nginx/dhparam/dhparam.pem;
# Set appropriate X-Forwarded-Ssl header based on $proxy_x_forwarded_proto
map $proxy_x_forwarded_proto $proxy_x_forwarded_ssl {
default off;
https on;
}
gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
log_format vhost '$host $remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" '
'"$upstream_addr"';
access_log off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers off;
resolver 127.0.0.11;
# HTTP 1.1 support
proxy_http_version 1.1;
proxy_buffering off;
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $proxy_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
# Mitigate httpoxy attack (see README for details)
proxy_set_header Proxy "";
server {
server_name _; # This is just an invalid value which will never trigger on a real hostname.
server_tokens off;
listen 80;
access_log /var/log/nginx/access.log vhost;
return 503;
}
# app.test
upstream app.test {
## Can be connected with "test_default" network
# app
server 192.168.176.4:3000;
}
server {
server_name app.test;
listen 80 default_server;
access_log /var/log/nginx/access.log vhost;
location / {
proxy_pass http://app.test;
}
}
As you can see, no 443 clauses created. When trying to reach, I get ERR_CONNECTION_REFUSED message on chrome but nothing is recorded to neither access.log nor error.log.
Any ideas? I've spend the last three days trying to crack it.

The solution has appeared here, needed to add CERT_NAME to the proxy environment and mount the certificates directory to the app as well:
docker-compose.yml:
version: "3"
services:
proxy:
image: jwilder/nginx-proxy
container_name: proxy
restart: always
ports:
- "80:80"
- "443:443"
volumes:
- /var/run/docker.sock:/tmp/docker.sock
- /home/ssl:/etc/nginx/certs
- /home/log/nginx:/var/log/nginx
environment:
- DEFAULT_HOST=app.test
- CERT_NAME=app.test
db:
container_name: db
image: mysql:8.0
restart: always
.
.
.
ports:
- "3306:3306"
app:
container_name: app
.
.
.
volumes:
.
.
.
- /home/ssl:/etc/ssl/certs:ro
environment:
- VIRTUAL_HOST=app.test
- CERT_NAME=app.test

Docker-compose nginx with letsencrypt -> ln: failed to create symbolic link - Not supported

Setup: Docker on OpenSuse-Server on local Intel-NUC
Here is my docker.compose.yml
version: '3.5'
services:
proxy:
image: jwilder/nginx-proxy:alpine
labels:
- "com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy=true"
container_name: nextcloud-proxy
networks:
- nextcloud_network
dns:
- 192.168.178.15
ports:
- 443:443
- 80:80
volumes:
- ./proxy/conf.d:/etc/nginx/conf.d:rw
- ./proxy/vhost.d:/etc/nginx/vhost.d:ro
- ./proxy/html:/usr/share/nginx/html:rw
- ./proxy/certs:/etc/nginx/certs:rw
- /var/run/docker.sock:/tmp/docker.sock:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
restart: unless-stopped
letsencrypt:
image: jrcs/letsencrypt-nginx-proxy-companion
container_name: nextcloud-letsencrypt
depends_on:
- proxy
networks:
- nextcloud_network
dns:
- 192.168.178.15 #need for access the letdyencrypt API
volumes:
- ./proxy/acme:/etc/acme.sh
- ./proxy/certs:/etc/nginx/certs:rw
- ./proxy/vhost.d:/etc/nginx/vhost.d:rw
- ./proxy/html:/usr/share/nginx/html:rw
- /etc/localtime:/etc/localtime:rw
- /var/run/docker.sock:/tmp/docker.sock:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
NGINX_PROXY_CONTAINER: "nextcloud-proxy"
DEFAULT_EMAIL: "mymail#pm.me"
restart: unless-stopped
db:
image: mariadb
container_name: nextcloud-mariadb
networks:
- nextcloud_network
dns:
- 192.168.178.15
volumes:
- db-data2:/var/lib/mysql:rw
- /etc/localtime:/etc/localtime:ro
environment:
- MYSQL_ROOT_PASSWORD=Tstrong
- MYSQL_PASSWORD=Tstrong
- MYSQL_DATABASE=nextcloud
- MYSQL_USER=nextcloud
restart: unless-stopped
app:
image: nextcloud:latest
container_name: nextcloud-app
networks:
- nextcloud_network
depends_on:
- letsencrypt
- proxy
- db
dns:
- 192.168.178.15
# - 8.8.8.8
# ports:
# - 10000:80 -> makes the app available without nginx and ssl
volumes:
- nextcloud-stage:/var/www/html
- ./app/config:/var/www/html/config
- ./app/custom_apps:/var/www/html/custom_apps
- ./app/data:/var/www/html/data
- ./app/themes:/var/www/html/themes
- /etc/localtime:/etc/localtime:ro
environment:
- VIRTUAL_HOST=mydomain.chickenkiller.com
- LETSENCRYPT_HOST=mydomain.chickenkiller.com
- LETSENCRYPT_EMAIL=mymail#pm.me
- "ServerName=nextcloud"
restart: unless-stopped
volumes:
nextcloud-stage:
db-data2:
networks:
nextcloud_network:
# external:
driver: bridge
name: nginx-proxy
And then it throws this Warning/Info and the SSL does not work.
The application would only be available over port 80 if I open the port on this container - which is clearly wrong.
So is this warning actual a problem or do I miss something else?
nextcloud-letsencrypt | ln: failed to create symbolic link '/etc/nginx/certs/mydomain.chickenkiller.com.dhparam.pem': Not supported
I need to specify the DNS so letsencrypt container is able to communicate with the API, so I did point the Docker DNS to my local router 192.168.178.15. Do I need this setting also for the other services? Or is that the problem that breaks the symbolic link?
nextcloud-letsencrypt | [Wed Dec 23 10:47:19 CET 2020] Your cert is in /etc/acme.sh/mymail#pm.me/mydomain.chickenkiller.com/mydomain.chickenkiller.com.cer
nextcloud-letsencrypt | [Wed Dec 23 10:47:19 CET 2020] Your cert key is in /etc/acme.sh/mymail#pm.me/mydomain.chickenkiller.com/mydomain.chickenkiller.com.key
nextcloud-letsencrypt | [Wed Dec 23 10:47:19 CET 2020] The intermediate CA cert is in /etc/acme.sh/mymail#pm.me/mydomain.chickenkiller.com/ca.cer
nextcloud-letsencrypt | [Wed Dec 23 10:47:19 CET 2020] And the full chain certs is there: /etc/acme.sh/mymail#pm.me/mydomain.chickenkiller.com/fullchain.cer
nextcloud-letsencrypt | [Wed Dec 23 10:47:19 CET 2020] Installing cert to:/etc/nginx/certs/mydomain.chickenkiller.com/cert.pem
nextcloud-letsencrypt | [Wed Dec 23 10:47:19 CET 2020] Installing CA to:/etc/nginx/certs/mydomain.chickenkiller.com/chain.pem
nextcloud-letsencrypt | [Wed Dec 23 10:47:19 CET 2020] Installing key to:/etc/nginx/certs/mydomain.chickenkiller.com/key.pem
nextcloud-letsencrypt | [Wed Dec 23 10:47:20 CET 2020] Installing full chain to:/etc/nginx/certs/mydomain.chickenkiller.com/fullchain.pem
nextcloud-letsencrypt | ln: failed to create symbolic link '/etc/nginx/certs/mydomain.chickenkiller.com.crt': Not supported
nextcloud-letsencrypt | ln: failed to create symbolic link '/etc/nginx/certs/mydomain.chickenkiller.com.key': Not supported
nextcloud-letsencrypt | ln: failed to create symbolic link '/etc/nginx/certs/mydomain.chickenkiller.com.dhparam.pem': Not supported
nextcloud-letsencrypt | ln: failed to create symbolic link '/etc/nginx/certs/mydomain.chickenkiller.com.chain.pem': Not supported
nextcloud-letsencrypt | Reloading nginx proxy (ac49344ba0acb6026615358abf5568dc6a1df173a308a936b615fa00e413f767)...
nextcloud-letsencrypt | 2020/12/23 09:47:20 Contents of /etc/nginx/conf.d/default.conf did not change. Skipping notification ''
nextcloud-letsencrypt | 2020/12/23 09:47:20 [notice] 115#115: signal process started
nextcloud-letsencrypt | Sleep for 3600s
Nginx throws Error 503 when accessing the application from WAN using the IP (and not the DynDNS)
So local port forwarding should also be correct, right? Port 80 and 443 forwarded from Router to NUC
Using DynDNS to access the application from WAN leads to SSL-error (HSTS)
So I think it is just the connection (symbolic link) from the certificate folder to the application?
Let me know if I can provide more information/logs
Cheers
UDPATE:
Here is the NGINX config from /proxy/conf.d/default.conf
# If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
# scheme used to connect to this server
map $http_x_forwarded_proto $proxy_x_forwarded_proto {
default $http_x_forwarded_proto;
'' $scheme;
}
# If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
# server port the client connected to
map $http_x_forwarded_port $proxy_x_forwarded_port {
default $http_x_forwarded_port;
'' $server_port;
}
# If we receive Upgrade, set Connection to "upgrade"; otherwise, delete any
# Connection header that may have been passed to this server
map $http_upgrade $proxy_connection {
default upgrade;
'' close;
}
# Apply fix for very long server names
server_names_hash_bucket_size 128;
# Default dhparam
ssl_dhparam /etc/nginx/dhparam/dhparam.pem;
# Set appropriate X-Forwarded-Ssl header
map $scheme $proxy_x_forwarded_ssl {
default off;
https on;
}
gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
log_format vhost '$host $remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent"';
access_log off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers off;
resolver 127.0.0.11;
# HTTP 1.1 support
proxy_http_version 1.1;
proxy_buffering off;
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $proxy_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
# Mitigate httpoxy attack (see README for details)
proxy_set_header Proxy "";
server {
server_name _; # This is just an invalid value which will never trigger on a real hostname.
listen 80;
access_log /var/log/nginx/access.log vhost;
return 503;
}
server {
server_name _; # This is just an invalid value which will never trigger on a real hostname.
listen 443 ssl http2;
access_log /var/log/nginx/access.log vhost;
return 503;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_certificate /etc/nginx/certs/default.crt;
ssl_certificate_key /etc/nginx/certs/default.key;
}
# mydomain.chickenkiller.com
upstream mydomain.chickenkiller.com {
## Can be connected with "nginx-proxy" network
# nextcloud-app
server 172.23.0.5:80;
}
server {
server_name mydomain.chickenkiller.com;
listen 80 ;
access_log /var/log/nginx/access.log vhost;
include /etc/nginx/vhost.d/default;
location / {
proxy_pass http://mydomain.chickenkiller.com;
}
}
server {
server_name mydomain.chickenkiller.com;
listen 443 ssl http2 ;
access_log /var/log/nginx/access.log vhost;
return 500;
ssl_certificate /etc/nginx/certs/default.crt;
ssl_certificate_key /etc/nginx/certs/default.key;
}

I had this exact issue. For me, the volume the certificates were being save to was a mounted file share in Azure and those don't support symlinks out of the box.
See: https://learn.microsoft.com/en-us/azure/storage/files/storage-troubleshoot-linux-file-connection-problems.
I am using autofs but adding ",mfsymlinks" to the end of the "fstype" part worked fine once restarted.

Failing to debug Nginx load-balancer

I'm trying to set up a load balancer using Nginx for a perl Dancer2 app which runs inside docker containers.
And i have this problem i don't know how to debug:
If in my nginx.conf i set just one server in to the upstrem block it runs fine. But the second i add an other server it fails to execute login
My nginx.conf file looks like this:
worker_processes 2;
events { worker_connections 512; }
http {
upstream pb {
server pearlbee:5000 weight=10 max_fails=3 fail_timeout=30s;
server pearlbee2:5000 weight=10 max_fails=3 fail_timeout=30s;
}
server {
listen *:80;
location / {
proxy_pass http://pb;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
#proxy_redirect off;
#proxy_set_header Host $host;
#proxy_set_header X-Real-IP $remote_addr;
#proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#proxy_set_header X-Forwarded-Host $server_name;
}
}
}
My docker-compose file looks like this :
version: '2'
services:
web:
image: nginx
ports:
- "80:80"
volumes:
# here i pass my configuration to nginx
- ./nginx.conf:/etc/nginx/nginx.conf
links:
- pearlbee
volumes_from:
- pearlbee
pearlbee:
build: pearlbee
command: carton exec starman bin/app.psgi
#ports:
#- "5000:5000"
volumes:
- ./config.yml:/config.yml
environment:
- MYSQL_PASSWORD=secret
depends_on:
- mysql
pearlbee2:
build: pearlbee
command: carton exec starman bin/app.psgi
ports:
- "5000"
volumes:
- ./config.yml:/config.yml
environment:
- MYSQL_PASSWORD=secret
depends_on:
- mysql
mysql:
image: mysql
environment:
- MYSQL_ROOT_PASSWORD=secret
- MYSQL_USER=root

How to redirect URL with HAProxy

I need redirect www.foo.com and foo.com to www.bar.com in haproxy, this is my configuration:
frontend http-in
bind *:80
acl bar.com hdr(host) -i www.bar.com
...
use_backend bar.com_cluster if bar.com
...
redirect prefix http://foo.com code 301 if { hdr(host) -i www.bar.com }
redirect prefix http://www.foo.com code 301 if { hdr(host) -i www.bar.com }
...
backend bar.com_cluster
balance roundrobin
option httpclose
option forwardfor
server bar 10.0.0.1:80 check
I have tried with redirect prefix but don't work, any idea?

Change order of the hostname:
redirect prefix http://www.bar.com code 301 if { hdr(host) -i foo.com }
redirect prefix http://www.bar.com code 301 if { hdr(host) -i www.foo.com }
instead of
redirect prefix http://foo.com code 301 if { hdr(host) -i www.bar.com }
redirect prefix http://www.foo.com code 301 if { hdr(host) -i www.bar.com }