I'm trying to use Nginx reverse proxy to expose Ombi publicly. Both Nginx and Ombi are running in containers on an Ubuntu 22 host. Opening http://hostname:3579 (3579 is the port it's using) works fine, and if I open up 3579 in my router then http://MYDOMAIN.dev:3579 works. However, using the config below just returns a 502 Bad Gateway if I try to connect to https://ombi.MYDOMAIN.dev.

Docker-compose.yaml:

services:
  ombi:
    image: lscr.io/linuxserver/ombi:latest
    container_name: ombi
    environment:
      - PUID=1004
      - PGID=1004
      - TZ=America/Los_Angeles
      # - BASE_URL=/ombi #optional
    volumes:
      - /mnt/vault/data/ombi/config:/config
    ports:
      - 3579:3579
    restart: unless-stopped
  nginx:
    image: lscr.io/linuxserver/nginx:latest
    container_name: nginx
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=America/Los_Angeles
    volumes:
      - /mnt/vault/data/nginx:/config
      - /mnt/vault/data/nginx/certbot/www:/var/www/certbot/:ro
    ports:
      - 80:80
      - 443:443
    restart: unless-stopped

Nginx-base.conf

server {
 listen 443 ssl http2; 
 listen [::]:443 ssl http2;

 server_name ombi.MYDOMAIN.dev;

 location / { 
  proxy_pass http://localhost:3579; 
  proxy_http_version 1.1; 
  proxy_set_header Upgrade $http_upgrade; 
  proxy_set_header Connection "upgrade";

  # Added the below per the advice of the following Stack Overflow
  # https://stackoverflow.com/questions/47091356/docker-nginx-reverse-proxy-gives-502-bad-gateway
  proxy_buffering off; 
  proxy_buffer_size 16k; 
  proxy_busy_buffers_size 24k; 
  proxy_buffers 64 4k; 
 }
 
 # This allows access to the actual api
 location /api { 
  proxy_pass http://localhost:3579; 
 }
 
 # This allows access to the documentation for the api
 location /swagger { 
  proxy_pass http://localhost:3579; 
 } 
}

SSL.conf

Note: /config/keys/ is an obfuscation but Nginx can find the keys and I have registered the appropriate domain through certbot.

ssl_certificate /config/keys/fullchain.pem;
ssl_certificate_key /config/keys/privkey.pem; 
ssl_session_timeout 1d; 
ssl_session_cache shared:MozSSL:10m; 

ssl_dhparam /config/dhparams.pem;

ssl_protocols TLSv1.2 TLSv1.3; 
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; 
ssl_prefer_server_ciphers off;

# OCSP stapling
ssl_stapling on; 
ssl_stapling_verify on;

Perhaps most confusingly, I don't see anything in the logs. When I run docker logs nginx I just get the system startup logs, and when I check the logs in the Ombi UI it doesn't mention anything about failed connections. I'm at a loss as to how to troubleshoot this.

I've tried a bunch of variations here, including (a) turning Ombi's base_url on/off and (b) setting up the reverse proxy as a URI path, i.e. https://MYDOMAIN.dev/ombi. Anyone who can help me figure this out will earn my undying gratitude.

1 Answer

Well, I figured it out just a few minutes after posting here. I believe the problem is that localhost means something different to the containers than it does to the host server. I fixed this by replacing localhost with the IP address of the host machine and everything started working.

I also streamlined things by specifying an upstream source. The conf file looks like this now:

upstream ombiserver {
    server 192.168.4.119:3579;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name ombi.jsmg.dev;

    location / {
        proxy_pass http://ombiserver;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        proxy_buffering off; # for a single server setup (SSL termination of Varnish), where no caching is done in NGINX itself
        proxy_buffer_size 16k; # should be enough for most PHP websites, or adjust as above
        proxy_busy_buffers_size 24k; # essentially, proxy_buffer_size + 2 small buffers of 4k
        proxy_buffers 64 4k; # should be enough for most PHP websites, adjust as above to get an accurate value
    }
    # This allows access to the actual api
    location /api {
        proxy_pass http://ombiserver;
    }
    # This allows access to the documentation for the api
    location /swagger {
        proxy_pass http://ombiserver;
    }
}
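
An alternative to hard-coding the host's LAN IP, as an added example that is not part of the original answer: point the upstream at the Compose service name and stop publishing Ombi's port, so the only path to Ombi is through the TLS proxy. It assumes both services stay in the same docker-compose.yaml shown in the question (and therefore share the project's default network) and that the TLS directives are still included from SSL.conf.

```nginx
# Added example, not the poster's config.
#
# Compose-side change (assumption, shown as comments):
#   ombi:
#     # ports:            <- remove the published port; nginx reaches the
#     #   - 3579:3579        container over the compose network instead
#     expose:
#       - "3579"          # documentation only, nothing is bound on the host

upstream ombiserver {
    # Service name instead of localhost or a LAN IP. Inside the nginx
    # container, localhost is the nginx container itself, which is why
    # the config in the question returned 502.
    server ombi:3579;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name ombi.MYDOMAIN.dev;   # placeholder taken from the question

    # A single prefix location covers /api and /swagger as well, since
    # all three blocks proxied to the same upstream.
    location / {
        proxy_pass http://ombiserver;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

nginx resolves the upstream name when it loads the configuration, so if the ombi container is not up yet nginx exits with `host not found in upstream`; adding `depends_on: [ombi]` to the nginx service orders the startup. With the port no longer published, http://hostname:3579 stops answering on the LAN and the router forward for 3579 can be removed.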