
I want to install a simple web service to browse a file directory tree on an internal server and to comply with company policy it needs to use TLS ("https://...").

First I tried several images including davralin/nginx-autoindex and mounted the directory I want this service to share. It worked like a charm, but it didn't use a TLS connection.

To get something to work with TLS, I started from scratch and created my own default.conf file for nginx:

server {
    listen      443 ssl;
    listen      [::]:443 ssl;
    server_name  localhost;

    ssl_certificate     /etc/ssl/certs/my-cert.crt;
    ssl_certificate_key /etc/ssl/certs/server.key;

    location / {
        root   /usr/share/nginx/html;
        autoindex on;
    }

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }
}

Then I created the following Dockerfile:

FROM nginx:stable-alpine
MAINTAINER lsiden at gmail.com
COPY default.conf /etc/nginx/conf.d
COPY my-cert.crt /etc/ssl/certs/
COPY server.key /etc/ssl/certs/

Then I build it:

docker build -t lsiden/nginx-autoindex-tls .

Then I run it:

docker run -dt -v /var/www/data/files:/usr/share/nginx/html:ro -p 3453:80 lsiden/nginx-autoindex-tls

However, I can't reach it even from the host machine. I tried:

$ telnet localhost 3453
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Connection closed by foreign host.

I tried to read log messages:

docker logs <container-id>

Silence.

I've already confirmed that the docker proxy is listening to the port:

tcp6       0      0 :::3453                 :::*                    LISTEN      14828/docker-proxy

The port shows up on tcp6 but not on "tcp" (ipv4), but I read here that netstat will show only the ipv6 connection even if it is available on both. To be sure, I verified:

sudo sysctl net.ipv6.bindv6only
net.ipv6.bindv6only = 0

To be thorough, I already opened this port in iptables, although iptables can't be playing a role here if I can't even get to it from the same machine via localhost.

I'm hoping someone with good networking chops can tell me where to look next. I can't figure out what I missed.

Lawrence I. Siden

1 Answer


In case the configuration you shared is complete, you are not listening on port 80 inside your container at all.

Change your configuration to something like this in case you want to redirect incoming traffic on port 80 to 443:

server {
    listen 80;
    listen [::]:80;

    location / {
        return         301 https://$server_name$request_uri;
    }
}

server {
    listen      443 ssl;
    listen      [::]:443 ssl;

    server_name  localhost;

    ssl_certificate     /etc/ssl/certs/my-cert.crt;
    ssl_certificate_key /etc/ssl/certs/server.key;

    location / {
        root   /usr/share/nginx/html;
        autoindex on;
    }

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }
}

If you don't want to do this, just change your docker run command:

docker run -dt -v /var/www/data/files:/usr/share/nginx/html:ro -p 3453:443 lsiden/nginx-autoindex-tls

Timo Stark
    I caught that shortly after I posted this while I was having dinner. I just forgot to change my docker run command which is in a script. I'm an idiot. I meant to thank you sooner, but I guess I got distracted again. – Lawrence I. Siden Mar 26 '20 at 17:36
  • No worries! Believe me - I was in similar situations like that at least 100 times :D so I am happy to help! Sometimes it's something like can't see the forest for the trees! – Timo Stark Apr 02 '20 at 19:42
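The mistake in the question and the fix in the answer come down to one cross-check: every container port published with -p must have something listening on it inside the container, and if that listener is ssl the client must speak https. The script below is an added example, not code from the question or the answer; it parses the listen directives out of an nginx config and the -p/--publish mappings out of a docker run command, and reports, per mapping, whether the container port has no listener (the question's -p 3453:80 case, where docker-proxy accepts the TCP connection and nginx is not there to take it, matching the telnet output above), a TLS listener, or a plaintext listener. The sample config and commands are the ones from this page, embedded inline as constructed input; in practice you would feed it the output of docker exec <container> nginx -T and of docker port <container>.

```python
import re

# Constructed sample input: the server block from the question and both docker
# run commands (the original -p 3453:80 and the answer's -p 3453:443).
NGINX_CONF = """
server {
    listen      443 ssl;
    listen      [::]:443 ssl;
    server_name  localhost;

    ssl_certificate     /etc/ssl/certs/my-cert.crt;
    ssl_certificate_key /etc/ssl/certs/server.key;

    location / {
        root   /usr/share/nginx/html;
        autoindex on;
    }
}
"""
DOCKER_RUN_BROKEN = ("docker run -dt -v /var/www/data/files:/usr/share/nginx/html:ro "
                     "-p 3453:80 lsiden/nginx-autoindex-tls")
DOCKER_RUN_FIXED = ("docker run -dt -v /var/www/data/files:/usr/share/nginx/html:ro "
                    "-p 3453:443 lsiden/nginx-autoindex-tls")

LISTEN_RE = re.compile(r"\blisten\s+([^;]+);")
# -p or --publish followed by a space or '=' and the port spec; the lookbehind
# keeps "-p" from matching inside other tokens such as image names.
PUBLISH_RE = re.compile(r"(?<!\S)(?:-p|--publish)[\s=]+(\S+)")


def nginx_listen_ports(conf):
    """Return {port: is_tls} for every listen directive in conf.

    Handles 'listen 80;', 'listen [::]:443 ssl;', 'listen 0.0.0.0:8080;'
    and 'listen 443 ssl http2;'. Comments are stripped first so a
    commented-out listen does not count as a listener.
    """
    ports = {}
    uncommented = "\n".join(line.split("#", 1)[0] for line in conf.splitlines())
    for m in LISTEN_RE.finditer(uncommented):
        parts = m.group(1).split()
        addr = parts[0]
        # The port is whatever follows the last ':' ([::]:443, 1.2.3.4:80),
        # or the whole token when no address is given (443).
        port_str = addr.rsplit(":", 1)[-1] if ":" in addr else addr
        if not port_str.isdigit():
            continue  # unix: sockets and the like are not TCP listeners
        port = int(port_str)
        ports[port] = ports.get(port, False) or ("ssl" in parts[1:])
    return ports


def docker_published_ports(cmd):
    """Return [(host_port, container_port)] from -p/--publish flags.

    Accepts HOST:CONTAINER, IP:HOST:CONTAINER and an optional /tcp or /udp
    suffix. A bare CONTAINER spec (random host port) yields host_port None.
    """
    pairs = []
    for spec in PUBLISH_RE.findall(cmd):
        fields = spec.split("/", 1)[0].split(":")
        container_port = int(fields[-1])
        host_port = int(fields[-2]) if len(fields) > 1 else None
        pairs.append((host_port, container_port))
    return pairs


def check_mapping(conf, cmd):
    """Cross-check each published port against nginx's listeners.

    Returns [(host_port, container_port, status)] with status one of
    'no-listener', 'tls' or 'plain'.
    """
    listeners = nginx_listen_ports(conf)
    results = []
    for host_port, container_port in docker_published_ports(cmd):
        if container_port not in listeners:
            status = "no-listener"
        elif listeners[container_port]:
            status = "tls"
        else:
            status = "plain"
        results.append((host_port, container_port, status))
    return results


if __name__ == "__main__":
    advice = {
        "no-listener": "nothing listens on that container port; docker-proxy will "
                       "accept the connection and close it immediately",
        "tls": "TLS listener; connect with https://localhost:{host}/",
        "plain": "plaintext listener; connect with http://localhost:{host}/",
    }
    for label, cmd in (("broken", DOCKER_RUN_BROKEN), ("fixed", DOCKER_RUN_FIXED)):
        for host, container, status in check_mapping(NGINX_CONF, cmd):
            print(f"[{label}] host {host} -> container {container}: "
                  f"{advice[status].format(host=host)}")
```

One caveat if you take the answer's first option (a port-80 server that returns 301 to https://$server_name$request_uri): $server_name is just "localhost" with no port, so the redirect sends the browser to https://localhost/ on port 443, which is not published by a lone -p 3453:80 mapping. Either publish 443 as well or map the host port to 443 directly, as the answer's second option does.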