Docker container cannot reach other container via reverse-proxy

Question

I'm using docker-compose.yml for a couple services behind an nginx proxy on a Ubuntu VPS.

I'm having the issue where my Docker containers cannot reach each other using their publicly available proxy URLs. They can only reach each other using their Docker service names.

The easiest way to demonstrate is as follows. I can connect to my PostgreSQL instance from anywhere with the following:

psql -Atx postgres://username:pw@postgres.mysite.com/database

But if I enter one of my running containers:

docker compose exec backend sh

Then try to connect using the same connection string, it just hangs... There aren't any logs, even on the proxy side. But, I can make it work by using the Docker service name instead:

psql -Atx postgres://username:pw@postgres:5432/database

I should be able to use postgres.mysite.com from anywhere, outside or inside the container. But for some reason, I can only use it outside the container. Here's the nginx configuration section for this:

   upstream docker-postgres {
      server postgres:5432;
   }

   server {
      listen 443 ssl;
      server_name postgres.mysite.com;

      location / {
         proxy_pass http://docker-postgres;
      }
   }

But this is not related to PostgreSQL. This appears to be happening regardless of the service. Whenever container A (the app code) tries to connect to container B (the service) by using the publicly available URL of the proxy running in container C.

For example, for my MinIO service, uploads hang when uploading to https://assets.mysite.com, but not when uploading to http://minio:9001.

Partial docker-compose.yml file:

proxy:
    image: nginx:alpine
    ports:
      - '80:80'
      - '443:443'
    networks:
      - myNetwork
backend:
    ports:
      - '3000:3000'
    volumes:
      - ./:/app
      - /app/node_modules
    networks:
      - myNetwork
postgres:
    image: postgres:10.4
    ports:
      - "5432:5432"
    networks:
      - myNetwork
minio:
    image: minio/minio
    command: server --console-address ":9090" --address ":9001" ./minio_data
    ports:
      - '9090:9090'
      - '9001:9001'
    networks:
      - myNetwork

networks:
  myNetwork:
    external: true

Additional Information

I set up a /test endpoint in the proxy under the assets.mysite.com server_name.

location /test { return 200 'success!!'; }

I can hit this endpoint from the server (outside a Docker container):

curl https://assets.mysite.com/test → Success

However, I can't hit it from inside any container:

docker compose exec backend curl https://assets.mysite.com/test → Hangs!

Despite that, I can ping assets.mysite.com successfully, even from the containers:

docker compose exec backend ping assets.mysite.com

Here's nearly my whole nginx configuration as requested (just SSL certificates omitted)

http {
   server {
      listen 80 default_server;
      listen [::]:80 default_server;
      server_name _;

      location / {
         return 301 https://$host$request_uri;
      }
   }

   upstream docker-backend {
      server backend:9000;
      keepalive 100;
   }

   upstream docker-postgres {
      server postgres:5432;
   }

   upstream docker-redis {
      server redis:6379;
   }

   upstream docker-minio-assets {
      server minio:9001;
   }

   server {
      listen 443 ssl;
      server_name mysite.com;
      root /var/www/frontend;
      index index.html;

      location /test {
         return 200 'success!!';
      }

      location /backend {
         rewrite ^/backend(/.*)$ $1 break;
         proxy_pass http://docker-backend;
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header X-Forwarded-Proto $scheme;
         proxy_pass_request_headers on;
         client_max_body_size 3m;
      }

      location / {
         include /etc/nginx/mime.types;
         try_files $uri $uri/ /index.html =404;
      }
   }

   server {
      listen 443 ssl;
      server_name shopadmin.mysite.com;
      root /var/www/admin;
      index index.html;

      location /a/ {
         try_files $uri /index.html;
      }

      location / {
         include /etc/nginx/mime.types;
         try_files $uri /index.html =404;
      }
   }

   server {
      listen 443 ssl;
      server_name assets.mysite.com;
      client_max_body_size 20m; # Allow bigger file uploads.

      location /test {
         return 200 'success!!';
      }

      location / {
         proxy_pass http://docker-minio-assets;
      }
   }

   server {
      listen 443 ssl;
      server_name redis.mysite.com;

      location / {
         proxy_pass http://docker-redis;
      }
   }

   server {
      listen 443 ssl;
      server_name postgres.mysite.com;

      location / {
         proxy_pass http://docker-postgres;
      }
   }
}

Answer 1

To resolve the issue of container A being redirected to the host instead of directly finding container B when resolving "b.domain.com", you can add an alias in the Docker Compose file for container B. Modify your Docker Compose file to include the following:

networks:
  my-net:
    aliases:
      - b.domain.com

By specifying the alias "b.domain.com" for container B within the "my-net" network, container A will be able to locate container B directly when resolving the hostname.

However, please note that if your containers are not part of the same network, Docker will install a UFW (Uncomplicated Firewall) rule that might block the connection between container A and container B. Therefore, ensure that both containers are within the same network or take appropriate measures to allow communication between them if they are on different networks.

Answer 2

I've had similar scenarios in the past, and there is one in particular that reminds me of your scenario, since you are having problems with subdomains, which was also the case for me. Please ignore my answer if it does not work for you, but I'll leave this here in case it helps anyone else, and avoids wasted time for them.

MY SCENARIO

I was running a Kubernetes (KIND) deployment, which uses a docker network, the same as in a docker compose setup. I needed to connect to AWS endpoints from containers and these were the external domain names:

• authsamples.com (AWS Cloudfront)
• login.authsamples.com (AWS Cognito)
• web.authsamples.com (AWS Cloudfront)
• api.authsamples.com (AWS API Gateway)

From within deployed containers I could make curl requests to the base domain of https://authsamples.com and also to general internet URLs such as https://google.com, but I received hangs when calling AWS subdomains such as https://login.authsamples.com. All URLs were resolvable from the host computer.

RESOLUTION

I tried quite a few updates to DNS and resolv.conf settings on both KIND worker nodes and containers. The strange behavior was that general internet access from containers was fine, and that the problem was specific to my subdomain based URLs.

There was nothing special about my setup, such as firewalls. The problem turned out to be at the host networking level. What worked for me was to ensure that Google's 2 main name servers were used on the host computer, against the TCP/IP connection, rather than using the automatic option.

OPERATING SYSTEMS

I have only experienced this type of issue on Windows and macOS, though I run Ubuntu as my main desktop these days. Without these DNS nameservers I have also sometimes experienced mobile development problems, eg Android WiFi network on simulators not working. To date I've not read anything that explains the behavior I was receiving.

THINGS TO TRY

When struggling with such issues, I would try quick actions like these, to see if any of this helps in your case.

• Do you get the same problem calling from the NGINX container to the subdomain, eg https://assets.example.com? If so then NGINX is not the issue.

• Can you make a curl request from services behind NGINX to the subdomain, eg https://assets.example.com (NO currently)?

• Can you make a curl request from services behind NGINX to general internet URLs?

• Can you make a curl request from services behind NGINX to the base domain, eg https://example.com?

• Does changing the host networking to explicitly use Google nameservers change the behavior?

Answer 3

Update the DNS configuration of your Docker containers to use a DNS resolver which should resolve the domain names correctly. Then specify the DNS resolver in the docker-compose.yml file for each service by adding the dns option under the service definition.