I have a rails app, a mysql db and I'm trying to configurate a reverse proxy server using nginx. HTTP connection goes well, but no matter what I try - the HTTPS connection won't go. The nginx server just won't listen on 443. I've tried many solutions (e.g 1, 2, 3) but neither worked.
I use our own certificates rather than letsencrypt or some similar possibilities.
docker-compose.yml:
version: "3"
services:
proxy:
image: jwilder/nginx-proxy
container_name: proxy
restart: always
ports:
- "80:80"
- "443:443"
volumes:
- /var/run/docker.sock:/tmp/docker.sock
- /home/ssl:/etc/nginx/certs
- /home/log/nginx:/var/log/nginx
environment:
- DEFAULT_HOST=app.test
db:
container_name: db
image: mysql:8.0
restart: always
.
.
.
ports:
- "3306:3306"
app:
container_name: app
.
.
.
environment:
- VIRTUAL_HOST=app.test
- VIRTUAL_PORTO=https
- HTTPS_METHOD=redirect
- CERT_NAME=app.test
running docker exec -it proxy ls -l /etc/nginx/certs shows certificates are mounted:
total 8
-rw-rw-r-- 1 1000 1000 1391 Nov 8 14:36 app.test.crt
-rw-rw-r-- 1 1000 1000 1751 Nov 8 14:29 app.test.key
running docker exec -it proxy cat /etc/nginx/conf.d/default.conf:
# If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
# scheme used to connect to this server
map $http_x_forwarded_proto $proxy_x_forwarded_proto {
default $http_x_forwarded_proto;
'' $scheme;
}
# If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
# server port the client connected to
map $http_x_forwarded_port $proxy_x_forwarded_port {
default $http_x_forwarded_port;
'' $server_port;
}
# If we receive Upgrade, set Connection to "upgrade"; otherwise, delete any
# Connection header that may have been passed to this server
map $http_upgrade $proxy_connection {
default upgrade;
'' close;
}
# Apply fix for very long server names
server_names_hash_bucket_size 128;
# Default dhparam
ssl_dhparam /etc/nginx/dhparam/dhparam.pem;
# Set appropriate X-Forwarded-Ssl header based on $proxy_x_forwarded_proto
map $proxy_x_forwarded_proto $proxy_x_forwarded_ssl {
default off;
https on;
}
gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
log_format vhost '$host $remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" '
'"$upstream_addr"';
access_log off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers off;
resolver 127.0.0.11;
# HTTP 1.1 support
proxy_http_version 1.1;
proxy_buffering off;
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $proxy_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
# Mitigate httpoxy attack (see README for details)
proxy_set_header Proxy "";
server {
server_name _; # This is just an invalid value which will never trigger on a real hostname.
server_tokens off;
listen 80;
access_log /var/log/nginx/access.log vhost;
return 503;
}
# app.test
upstream app.test {
## Can be connected with "test_default" network
# app
server 192.168.176.4:3000;
}
server {
server_name app.test;
listen 80 default_server;
access_log /var/log/nginx/access.log vhost;
location / {
proxy_pass http://app.test;
}
}
As you can see, no 443 clauses created. When trying to reach, I get ERR_CONNECTION_REFUSED message on chrome but nothing is recorded to neither access.log nor error.log.
Any ideas? I've spend the last three days trying to crack it.
