
I have a win10 box where I run docker and two containers with Windows as depicted by the diagram below where one is running Nginx and acts as a reverse proxy to the other container running IIS. It works fine for http but the redirection from nginx to IIS fails for https.

The individual containers accept https on their own so I know the certificates are installed correctly. I use self-signed certificates. I'm thinking that there might be a setting in nginx.conf that I am not aware of that is causing it.

I can do

+---------------------------+--------------------------+------+
| https://localhost         | points to nginx          | OK   |
+---------------------------+--------------------------+------+
| https://localhost:5003    | points to iis            | OK   |
+---------------------------+--------------------------+------+
| https://localhost/mysite  | points to iis via nginx  | FAIL |
+---------------------------+--------------------------+------+

[diagram of the setup]

And the error:

[screenshot of the error]

There are questions e.g. this and this but they refer to http only. There is a tutorial on DigitalOcean that describes how to set up nginx with https which I have largely followed but it still doesn't work.

Nginx - access.log:

"GET /mysite HTTP/1.1" 504 585 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36"

Nginx - error.log:

*5 upstream timed out (10060: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond) while connecting to upstream, client: 172.18.0.1, server: localhost, request: "GET /mysite HTTP/1.1", upstream: "https://172.18.0.2:5003/", host: "localhost"

IIS Logs:

C:\inetpub\logs is empty

Question

How can I make nginx forward https to the IIS container?


Setup

Setting up docker network: docker network create -d nat --subnet=172.18.0.0/16 nginx-proxy-network

Build commands:

cd nginx-proxy
docker build -t nginx-proxy .
cd ..\iis
docker build -t iis .

Starting nginx container: docker run -d -p 80:80 -p 443:443 --network nginx-proxy-network --ip 172.18.0.3 nginx-proxy

Starting iis container: docker run -d -p 5002:80 -p 5003:443 --network nginx-proxy-network --ip 172.18.0.2 iis

Nginx

Generate certificates for nginx: C:\openssl\openssl.exe genrsa -des3 -out localhost.key 2048

C:\openssl\openssl.exe req -new -key localhost.key -out localhost.csr -config C:\openssl\openssl.conf

C:\openssl\openssl.exe x509 -req -days 365 -in localhost.csr -signkey localhost.key -out localhost.crt

It asks for a password that I then store in a txt file.

Nginx.conf:

worker_processes 1;
events {
    worker_connections 1024;
}

http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;
    server {
        listen 80;
        server_name localhost ; 

        location /mysite {
            proxy_pass http://172.18.0.2/; 
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
        location / {
            root html;
            index index.html index.htm;
        }
# redirect server error pages to the static page /50x.html
#
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
}
# HTTPS server
    server {
        listen *:443 ssl;
        server_name localhost ;
        ssl on;
        ssl_password_file C:\cert\pwdcert.txt; 
        ssl_certificate C:\cert\localhost.crt; 
        ssl_certificate_key C:\cert\localhost.key;
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
        add_header X-Frame-Options DENY;
        add_header X-Content-Type-Options nosniff;
        add_header X-Frame-Options "SAMEORIGIN";

        location /mysite {
            proxy_pass https://172.18.0.2:5003/;
            # proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }

        location / {
            root html;
            index index.html index.htm;
        }
    }
}
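Two things in the configuration above are worth checking against the error log. The log names the upstream as https://172.18.0.2:5003/, but `docker run -p 5003:443` publishes the container's port 443 on the host as 5003; on nginx-proxy-network the IIS container listens only on 443, so a connect to 172.18.0.2:5003 never gets an answer and nginx reports WSAETIMEDOUT (10060) after `proxy_connect_timeout`, which the browser sees as a 504. Separately, `ssl_verify_client` governs client-certificate authentication on nginx's own listener; whether nginx verifies the certificate the upstream presents is controlled by `proxy_ssl_verify`, which is off by default. The HTTPS server block rewritten with those points is given here as an added example, not the asker's configuration. It assumes nginx 1.15.x on Windows, the same addresses as in the question, and that the IIS container's certificate has been exported in PEM form to C:\cert\iis.crt in the nginx image (that file name is an assumption); if you do not have that file, drop the three `proxy_ssl_*` verification lines and you are back to the default, unverified upstream TLS, which is the weaker setting.

```nginx
# Added example (not the original poster's nginx.conf): HTTPS server block that
# proxies /mysite to the IIS container over TLS and verifies the IIS certificate.
server {
    listen 443 ssl;                    # the listen flag replaces "ssl on;", deprecated in 1.15
    server_name localhost;

    # Forward slashes are the portable way to write Windows paths in nginx.conf.
    ssl_certificate     C:/cert/localhost.crt;
    ssl_certificate_key C:/cert/localhost.key;
    ssl_password_file   C:/cert/pwdcert.txt;   # passphrase for the -des3 encrypted key
    ssl_protocols TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;

    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    add_header X-Frame-Options SAMEORIGIN;     # one value; the original set both DENY and SAMEORIGIN
    add_header X-Content-Type-Options nosniff;

    # Trailing slash on both sides: /mysite/foo is sent to IIS as /foo, and a
    # request for /mysite without the slash gets a 301 to /mysite/.
    location /mysite/ {
        # Container port 443, not the host-published port 5003.
        proxy_pass https://172.18.0.2:443/;

        # Fail fast on a closed port instead of waiting the default 60s for a 504.
        proxy_connect_timeout 5s;

        # Verify the upstream certificate instead of accepting anything.
        # iis.crt is the PEM export of the self-signed cert created in the IIS
        # image (assumed path); proxy_ssl_name must match its DnsName.
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate C:/cert/iis.crt;
        proxy_ssl_name localhost;
        proxy_ssl_server_name on;              # send SNI = proxy_ssl_name to IIS
        proxy_ssl_protocols TLSv1.2;

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location / {
        root html;
        index index.html index.htm;
    }
}
```

After changing the file, `nginx -t` inside the container validates the syntax before `nginx -s reload`; a wrong `proxy_ssl_trusted_certificate` path is reported at that point rather than at request time.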

Nginx - Docker file:

FROM microsoft/windowsservercore
COPY nginx/ /nginx
RUN mkdir "C:\\cert" 
COPY *.crt /cert
COPY *.key /cert
COPY pwdcert.txt /cert
WORKDIR /nginx
CMD ["nginx"]

IIS

IIS Docker file:

FROM microsoft/aspnet
COPY iisscripts.ps1 /
RUN powershell -noexit "C:\iisscripts.ps1"
COPY mysite/ /inetpub/wwwroot/

iisscripts.ps1:

$cert = New-SelfSignedCertificate -DnsName "localhost" -CertStoreLocation cert:\LocalMachine\My
New-WebBinding -Name "Default Web Site" -IP "*" -Port 443 -Protocol https
New-Item -Path IIS:\SslBindings\0.0.0.0!443 -Value $cert
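The script above leaves the IIS certificate only in the container's LocalMachine\My store, so nothing outside the container can verify it. The following lines, an added example and not part of the asker's iisscripts.ps1, are meant to be appended to that script: they export the public half of the certificate as a PEM file that nginx can use with `proxy_ssl_trusted_certificate`. The output path C:\cert\iis.crt is an assumption; after the image is built, copy the file out with `docker cp <iis-container>:C:\cert\iis.crt .` and add it to the nginx image next to localhost.crt.

```powershell
# Added example (not from the original post): export the IIS self-signed
# certificate as PEM so the nginx container can pin it.
# Assumes $cert is the certificate created earlier in iisscripts.ps1; if the
# variable is not set (for example when run by hand), look it up by subject.
if (-not $cert) {
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq 'CN=localhost' } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
}

$OutFile = 'C:\cert\iis.crt'   # assumed destination
New-Item -ItemType Directory -Path (Split-Path $OutFile) -Force | Out-Null

# Export-Certificate writes DER; nginx expects PEM, so base64-wrap the DER
# bytes by hand in 64-character lines. Only the public certificate is written,
# never the private key.
$der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$b64 = [Convert]::ToBase64String($der)
$lines = for ($i = 0; $i -lt $b64.Length; $i += 64) {
    $b64.Substring($i, [Math]::Min(64, $b64.Length - $i))
}
$pem = @('-----BEGIN CERTIFICATE-----') + $lines + @('-----END CERTIFICATE-----')
Set-Content -Path $OutFile -Value $pem -Encoding Ascii

# Print what was exported so the thumbprint can be compared on the nginx side.
'Exported {0} (thumbprint {1}) to {2}' -f $cert.Subject, $cert.Thumbprint, $OutFile
```

Because the certificate is regenerated on every image build, the exported file must be refreshed whenever the IIS image is rebuilt, or nginx will reject the new certificate at the handshake.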
– kkuilla

2 Answers


Are you able to curl the IIS URL from the container running nginx?

exec into the nginx container using ssh then:

https://[my domain or IP address]

  • Running `curl https://localhost/mysite` from inside the nginx container gives the response `curl : The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.` What does that mean? – kkuilla Jan 31 '19 at 17:37
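In Windows PowerShell `curl` is an alias for `Invoke-WebRequest`, and the message quoted in the comment is .NET refusing a certificate it does not trust. The request went to https://localhost/mysite, i.e. to nginx's own self-signed certificate, so it says nothing about whether the IIS container is reachable. A check that separates the two questions (is there a listener on the port nginx dials, and what certificate does IIS present) is given here as an added example, not part of the answer; it is run inside the nginx container with `docker exec -it <nginx-container> powershell` and assumes the IIS container address 172.18.0.2 from the question.

```powershell
# Added example (not from the answer or the original post): reachability and
# TLS diagnostics from the nginx container towards the IIS container.
param(
    [string]$UpstreamIp = '172.18.0.2',   # IIS container on nginx-proxy-network
    [int[]]$Ports = @(443, 5003)          # container port vs host-published port
)

# 1. Which port answers inside the NAT network? "-p 5003:443" publishes the
#    container's 443 on the HOST as 5003; inside the network only 443 listens,
#    so the 5003 test is expected to fail here.
foreach ($p in $Ports) {
    $r = Test-NetConnection -ComputerName $UpstreamIp -Port $p -WarningAction SilentlyContinue
    '{0}:{1} TcpTestSucceeded={2}' -f $UpstreamIp, $p, $r.TcpTestSucceeded
}

# 2. Complete a TLS handshake on the port that answers and report the
#    certificate IIS presents. The validation callback returns $true for any
#    certificate so a self-signed one does not abort the handshake; that is
#    acceptable for a diagnostic, not for a production client.
function Get-UpstreamCertificate {
    param(
        [string]$HostName,
        [int]$Port,
        [string]$Sni = 'localhost'   # must match the DnsName used for the IIS cert
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $client.Connect($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream(
            $client.GetStream(), $false,
            [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
        $ssl.AuthenticateAsClient($Sni)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Protocol   = $ssl.SslProtocol
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
        }
        $ssl.Dispose()
    } finally {
        $client.Dispose()
    }
}

Get-UpstreamCertificate -HostName $UpstreamIp -Port 443
```

If step 1 shows 443 open and 5003 closed while nginx's error log still names port 5003 as the upstream, the 504 is a wrong `proxy_pass` port rather than a certificate problem; the thumbprint printed in step 2 is the one to compare against any certificate file you give nginx for upstream verification.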

Just as I thought. As the certificate you have installed in your IIS container is not trusted by the container running NGINX it will not proxy the connection. You either need to tell NGINX to not verify ssl by adding the following to your NGINX configuration.

ssl_verify_client off

Or use a trusted certificate.

  • I added `ssl_verify_client off;` to the server block i.e. `server { listen *:443 ssl ; server_name localhost ; ssl_verify_client off; [...] }` but it still reports `Could not establish trust relationship for the SSL/TLS secure channel`. Is there another setting I need to use to disable the trust relationship? – kkuilla Feb 04 '19 at 09:53
  • What happens if you now try to hit it via a browser? – Mike Bookham Feb 11 '19 at 12:04
  • I first get a "This site is not secure" which probably means that it is hitting nginx with https. Then I accept that the site is not secure and then I get an nginx `504 Gateway Time-out nginx/1.15.0`. Not sure what to do about that. – kkuilla Feb 12 '19 at 16:36