nginx-proxy's Introduction

nginx-proxy sets up a container running nginx and docker-gen. docker-gen generates reverse proxy configs for nginx and reloads nginx when containers are started and stopped.

See Automated Nginx Reverse Proxy for Docker for why you might want to use this.

Usage

To run it:

docker run --detach \
    --name nginx-proxy \
    --publish 80:80 \
    --volume /var/run/docker.sock:/tmp/docker.sock:ro \
    nginxproxy/nginx-proxy:1.5

Then start any containers (here an nginx container) you want proxied with the environment variable VIRTUAL_HOST=subdomain.yourdomain.com set:

docker run --detach \
    --name your-proxied-app \
    --env VIRTUAL_HOST=foo.bar.com \
    nginx

Provided your DNS is set up to resolve foo.bar.com to the host running nginx-proxy, a request to http://foo.bar.com will then be routed to a container with the VIRTUAL_HOST env var set to foo.bar.com (in this case, the your-proxied-app container).

The containers being proxied must:

  • expose the port to be proxied, either by using the EXPOSE directive in their Dockerfile or by using the --expose flag to docker run or docker create.
  • share at least one Docker network with the nginx-proxy container: by default, if you don't pass the --net flag when your nginx-proxy container is created, it will only be attached to the default bridge network. This means that it will not be able to connect to containers on networks other than bridge.

Note: providing a port number in VIRTUAL_HOST isn't supported. Please see virtual ports or custom external HTTP/HTTPS ports, depending on what you want to achieve.
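A check of these requirements against docker inspect output, as an added example (not part of the nginx-proxy project). The container names, network names and JSON sample are constructed, and comma-separated VIRTUAL_HOST values are split the way the templates quoted further down this page do with groupByMulti.

```python
import json
import re

# Constructed `docker inspect` output, trimmed to the fields the checks read.
SAMPLE_INSPECT = json.loads("""
[
  {"Name": "/nginx-proxy",
   "Config": {"Env": ["PATH=/usr/bin"], "ExposedPorts": {"80/tcp": {}}},
   "NetworkSettings": {"Networks": {"bridge": {}}}},
  {"Name": "/your-proxied-app",
   "Config": {"Env": ["VIRTUAL_HOST=foo.bar.com"], "ExposedPorts": {"80/tcp": {}}},
   "NetworkSettings": {"Networks": {"bridge": {}}}},
  {"Name": "/api",
   "Config": {"Env": ["VIRTUAL_HOST=api.example.test:8080"], "ExposedPorts": null},
   "NetworkSettings": {"Networks": {"backend": {}}}},
  {"Name": "/db",
   "Config": {"Env": ["POSTGRES_DB=app"], "ExposedPorts": {"5432/tcp": {}}},
   "NetworkSettings": {"Networks": {"backend": {}}}}
]
""")

# A trailing ":<digits>" on a VIRTUAL_HOST entry is a port number.
PORT_SUFFIX = re.compile(r":\d+$")


def name_of(container):
    """docker inspect prefixes container names with a slash."""
    return container["Name"].lstrip("/")


def env_of(container):
    """Turn the inspect 'Env' list (KEY=VALUE strings) into a dict."""
    pairs = (item.split("=", 1) for item in container["Config"].get("Env") or [])
    return {p[0]: p[1] for p in pairs if len(p) == 2}


def networks_of(container):
    """Names of the Docker networks the container is attached to."""
    return set((container["NetworkSettings"].get("Networks") or {}).keys())


def check_proxied(container, proxy):
    """Return the unmet requirements, or None if VIRTUAL_HOST is not set."""
    vhost = env_of(container).get("VIRTUAL_HOST")
    if not vhost:
        return None
    problems = []
    for host in (h.strip() for h in vhost.split(",")):
        if PORT_SUFFIX.search(host):
            problems.append(f"VIRTUAL_HOST entry '{host}' carries a port number")
    if not (container["Config"].get("ExposedPorts") or {}):
        problems.append("no exposed port (EXPOSE or --expose)")
    if not networks_of(container) & networks_of(proxy):
        problems.append("shares no Docker network with the proxy")
    return problems


def audit(containers, proxy_name="nginx-proxy"):
    """Map each container that sets VIRTUAL_HOST to its list of problems."""
    proxy = next(c for c in containers if name_of(c) == proxy_name)
    report = {}
    for container in containers:
        if container is proxy:
            continue
        problems = check_proxied(container, proxy)
        if problems is not None:
            report[name_of(container)] = problems
    return report


if __name__ == "__main__":
    for name, problems in audit(SAMPLE_INSPECT).items():
        print(name, "OK" if not problems else problems)
```

On a live host the same functions can be fed the parsed output of docker inspect for all running containers instead of the embedded sample.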

Image variants

The nginx-proxy images are available in two flavors.

Debian based version

This image is based on the nginx:mainline image, itself based on the debian slim image.

docker pull nginxproxy/nginx-proxy:1.5

Alpine based version (-alpine suffix)

This image is based on the nginx:alpine image.

docker pull nginxproxy/nginx-proxy:1.5-alpine

⚠️ a note on latest and alpine:

It is not recommended to use the latest (nginxproxy/nginx-proxy, nginxproxy/nginx-proxy:latest) or alpine (nginxproxy/nginx-proxy:alpine) tag for production setups.

Those tags point to the latest commit in the main branch. They do not carry any promise of stability, and using them will probably put your nginx-proxy setup at risk of experiencing uncontrolled updates to non-backward-compatible versions (or versions with breaking changes). You should always specify the version you want to use explicitly to ensure your setup doesn't break when the image is updated.

Additional documentation

Please check the docs section.

nginx-proxy's Issues

Support multiple VIRTUAL_PORT alongside VIRTUAL_HOST

Maybe this is being addressed in some of the other open issues or perhaps I missed something when trying this but would be great if a virtual host was mapped to the corresponding port in a list of virtual ports.

I.e.
-e VIRTUAL_HOST=one.dev,two.dev -e VIRTUAL_PORT=80,81

would get the proxy to send traffic for one.dev to port 80, two.dev to port 81.

Maybe better if I just hack on the template?

Doesn't work with docker machine

I created a docker 'machine' on Digital Ocean. nginx-proxy is unable to access the host docker daemon.

This is how I ran nginx-proxy:

docker run -d -p 80:80 -v /var/run/docker.sock:/tmp/docker.sock jwilder/nginx-proxy

This is what I see in the logs (after running a site container with the usual VIRTUAL_HOST set):

dockergen.1 | 2015/01/16 01:57:17 Unable to ping docker daemaon: dial unix /tmp/docker.sock: connection refused
dockergen.1 | 2015/01/16 01:57:27 Unable to ping docker daemaon: dial unix /tmp/docker.sock: connection refused
dockergen.1 | 2015/01/16 01:57:37 Unable to ping docker daemaon: dial unix /tmp/docker.sock: connection refused

Allow to set the value for client_max_body_size

I'm trying to get ownCloud working, and everything works great until I try to upload a file of more than 3 Mb.

It seems that the instruction client_max_body_size is missing.

It would be nice to add another variable to manipulate the client_max_body_size value.

Issues with multiple ports exposed on the containers

I tried this with a generic Lamp container

d6aede2b0268 stdlamp:latest /run.sh About a minute ago Up About a minute 0.0.0.0:49191->3306/tcp, 0.0.0.0:49192->80/tcp

When we have the 2 exposed ports.. the Nginx always routes to the Mysql instead of the 80.

I'm trying to fix this, however I have NO expertise in Go / templates :)

multiple host entries on one container

Hi,

great idea and works like a charm. Thanks a lot!

But one thing: would it be possible to have a list of host names in the env-variable? For example www.test.com and test.com should be proxied to the same container, so I would like to use
VIRTUAL_HOSTS=www.test.com,test.com
or something alike.

Would be a handy feature imho.

Greetings
Joachim

Another template for VIRTUAL_PATHs instead of VIRTUAL_HOSTs

What about offering other templates for different needs?

I am using the template below to generate several "location" entries for each server. This results on a single domain with a context root for each container (more like port redirection). Serves me well for my single-server Digital Ocean droplet.

You can have several templates available in this project, it is just a matter of mounting the chosen template into "/app/nginx.tmpl" when running the proxy.


server {
    listen 80 default_server;
    server_name _; # This is just an invalid value which will never trigger on a real hostname.
    error_log /proc/self/fd/2;
    access_log /proc/self/fd/1;
    return 503;
}

{{ range $host, $containers := groupByMulti $ "Env.VIRTUAL_HOST" "," }}

server {
    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

    server_name {{ $host }};
    proxy_buffering off;
    error_log /proc/self/fd/2;
    access_log /proc/self/fd/1;

{{ range $index, $value := $containers }}
{{ $location := $value.Env.VIRTUAL_PATH }}
{{ $address := index $value.Addresses 0 }}
# {{$location}}

    location /{{$location}} {
            proxy_pass http://{{ $address.IP }}:{{ $address.Port }};
            include /etc/nginx/proxy_params;

            # HTTP 1.1 support
            proxy_http_version 1.1;
            proxy_set_header Connection "";
    }
{{ end }}

}

{{ end }}

Do not make 443 required when a SSL key is available

Hi! Is it possible not to make a rewrite for 443 when SSL is available? I would like to make it available on certain pages or when I use https on a link... How could I change this behavior?

Thanks in advance!

Tito

Bad endpoint: stat /tmp/docker.sock: permission denied

docker run -d -p 80:80 -v /var/run/docker.sock:/tmp/docker.sock jwilder/nginx-proxy

yields the following error (from docker logs)

forego     | starting nginx.1 on port 5000
forego     | starting dockergen.1 on port 5100
dockergen.1 | 2014/10/03 20:34:10 Bad endpoint: stat /tmp/docker.sock: permission denied
forego     | starting dockergen.1 on port 5100
forego     | sending SIGTERM to dockerge

Error: no servers are inside upstream

Following the readme instructions, I did this:

docker run -d -p 80:80 -v /var/run/docker.sock:/tmp/docker.sock --name proxy jwilder/nginx-proxy
docker run -d -e VIRTUAL_HOST=rss.mydomain.com -p 8082:8082 -v /mnt/main/docker/container-data/commafeed:/home/commafeed/data --name rss kstenerud/commafeed

But when it detects the change, nginx fails with an error:

# docker logs proxy
forego     | starting nginx.1 on port 5000
forego     | starting dockergen.1 on port 5100
dockergen.1 | 2014/12/09 22:27:37 Generated '/etc/nginx/conf.d/default.conf' from 6 containers
dockergen.1 | 2014/12/09 22:27:37 Running 'nginx -s reload'
dockergen.1 | 2014/12/09 22:27:37 Watching docker events
dockergen.1 | 2014/12/09 22:27:43 Received event start for container b94646429342
dockergen.1 | 2014/12/09 22:27:43 Generated '/etc/nginx/conf.d/default.conf' from 7 containers
dockergen.1 | 2014/12/09 22:27:43 Running 'nginx -s reload'
dockergen.1 | 2014/12/09 22:27:43 Error running notify command: nginx -s reload, exit status 1
dockergen.1 | 2014/12/09 22:27:43 2014/12/09 22:27:43 [emerg] 34#0: no servers are inside upstream in /etc/nginx/conf.d/default.conf:54
dockergen.1 | nginx: [emerg] no servers are inside upstream in /etc/nginx/conf.d/default.conf:54

Permission error when sending files across the proxy

I'm having an issue where nginx-proxy is rejecting file uploads to my app container:

Using docker-bash, I found the following in /var/log/nginx/error.log:

2014/11/26 23:44:16 [crit] 42#0: *1740 open() "/var/lib/nginx/body/0000000014" failed (13: Permission denied), client: X.X.X.X, server: app.container.dev, request: "POST /people/1 HTTP/1.1", host: "app.container.dev", referrer: "http://app.container.dev/people/1/edit"

I've tried doing chmod 777 all the way up the /var/lib/nginx/body/ path, with no success. Any suggestions here?

Per VIRTUAL_HOST custom includes

How hard would it be to add support for a custom include file per host? Much like the htpasswd where if the file exists for a virthost it gets included in the config?

I'm thinking along the lines of custom rewrite rules per container as well as other custom includes.

I'm playing with the configs now, but am not savvy with nginx or the template language. Any pointers would be appreciated!

Add Basic Authentication support

Hi, I've forked you and I'm working on adding Basic Authentication support.
My idea is to use the /etc/nginx/htpasswd/ dir as a place to put files named after the VIRTUAL_HOST. If one is present, enable auth_basic on the virtual host.

It's easy, and I'm nearly done, but I'm having problems with the build process.

$ docker build .
Sending build context to Docker daemon 107.5 kB
Sending build context to Docker daemon
Step 0 : FROM nginx:1.7.8
---> e46b3488b010
Step 1 : MAINTAINER Jason Wilder [email protected]
---> Using cache
---> 6f27863813de
Step 2 : RUN apt-get update && apt-get install -y -q --no-install-recommends ca-certificates wget && apt-get clean && rm -r /var/lib/apt/lists/*
---> Running in 8a9d7ed77827
Err http://security.debian.org wheezy/updates Release.gpg
Could not resolve 'security.debian.org'
Err http://http.debian.net wheezy Release.gpg
Could not resolve 'http.debian.net'
Err http://nginx.org wheezy Release.gpg
Could not resolve 'nginx.org'
Err http://http.debian.net wheezy-updates Release.gpg
Could not resolve 'http.debian.net'
Reading package lists...
W: Failed to fetch http://http.debian.net/debian/dists/wheezy/Release.gpg Could not resolve 'http.debian.net'

W: Failed to fetch http://http.debian.net/debian/dists/wheezy-updates/Release.gpg Could not resolve 'http.debian.net'

W: Failed to fetch http://security.debian.org/dists/wheezy/updates/Release.gpg Could not resolve 'security.debian.org'

W: Failed to fetch http://nginx.org/packages/mainline/debian/dists/wheezy/Release.gpg Could not resolve 'nginx.org'

W: Some index files failed to download. They have been ignored, or old ones used instead.
Reading package lists...
Building dependency tree...
Reading state information...
E: Unable to locate package ca-certificates
E: Unable to locate package wget
2014/12/16 20:52:36 The command [/bin/sh -c apt-get update && apt-get install -y -q --no-install-recommends ca-certificates wget && apt-get clean && rm -r /var/lib/apt/lists/*] returned a non-zero code: 100

For sure I'm doing something wrong, but unable to find it.

Sorry for my unknowledge.

proxy truncates responses at 32k

Saw some weird behavior - proxy responses > 32k are truncated.

From googling, I suspect "proxy_max_temp_file_size 0;" will help, but trying it locally makes nginx just die. I am guessing it needs to be within the proxy context in the config
and not globally, which suggests a change in docker-gen, not an easy fix in this Dockerfile.

But that's all speculation - my nginx-fu is weak. Anyway - thought I'd pass this along. Good on you for sharing a trusted index - thank you.

coreos cluster support?

Hello, I am trying to run a coreos cluster using fleet to deploy several wordpress lamp stacks across a number of servers. Each wordpress stack has a different domain name.

does your script support this? As far as I can tell it only works if nginx-proxy is on the same host as the wordpress containers.

license missing

@jwilder Hi! Just ran across this, and it looks like a very elegant and simple solution to proxy ports. I'm liking it. Do you have a license picked yet? Would be great to see an Apache 2 or MIT license on this work.

[QUESTION] Use nginx-proxy with Shipyard

Thanks for the reverse proxy, works great.

Wondering if anyone has tried using this with shipyard. Shipyard is a little different because it uses a deploy image which boots up several other containers.

issue with gitlab

Hi, I got an issue when using your reverse proxy with GitLab. Is there a way to change the upload limit in nginx without having to docker exec every time I relaunch?
Basically I cannot push a big repository; this works fine if I bypass the reverse proxy.

passing in env options

when you start nginx proxy with docker, you can use -e VIRTUAL_HOST=foo.bar.tz

I would like to use something similar (e.g for the location of a public folder) so, I tried to add

-e PUBLIC_FOLDER=foo

can I reference this using $container.Env.PUBLIC_FOLDER ? all my attempts come to naught :( I don't know if this is a bug or a problem with my understanding

If, I may be cheeky, this option isn't passed, can I default a variable to a value ?

something along the lines of set $pubDir = ($container.Env.PUBLIC_FOLDER) ? $container.Env.PUBLIC_FOLDER : "mypubDir"

nginx config is .. so .. confusing .. ;)

thanks

[SSL]VIRTUAL_HOST + (+.crt/.key) does not work for me

  • my VIRTUAL_HOST is mysite.dev.
    -> So my files are mysite.dev.crt and mysite.dev.key.

But the nginx response in the log is:

no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking

Which means it found something. \o/ ;-)

When I rename the files to default(.crt/.key) then it works.

What is wrong here?

support for wildcard virtual-hosts

We're using xip.io to name and access our vHosts, which works very nice so far.

The only downside is, that we have to add several possible options to our VIRTUAL_HOST env variable, if we'd like to access it on different environments or from other clients on the network.

So our config looks like this:

VIRTUAL_HOST: kitchen-sink.127.0.0.1.xip.io,kitchen-sink.192.168.59.103.xip.io,kitchen-sink.192.168.77.10.xip.io

but it would be much nicer if we could use:

VIRTUAL_HOST: kitchen-sink.(.*).xip.io

Is this even possible with nginx?

PS: Thanks for this wonderful code, it saves so much time and makes things really easy to setup.

Security Issue?

Looking through my server logs, there appear to be attempts by unknown IPs at using my nginx reverse proxy to hack things? Gibberish like:

(IP & date) "POST /cgi-bin/php-cgi.bin?..... (followed by some hacky unreadable thing I don't want to repeat) .... HTTP/1.1" 503 212 "-" "Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0"

It's being hosted through a cloud provider and not used in a production site, so there shouldn't be much exposure to the outside world (unless they're taking generic IPs from my cloud provider). I assume these are 'bot' attempts at a hack (most logs don't even come from browsers). Is it a known risk that by running a reverse-proxy you'll be targeted / people will attempt to proxy themselves around the net? Can reverse-proxies be used by malicious 3rd parties to mask their behavior? Is this something that happens to all servers running on the net, and can it be prevented?

FastCGI proxy

What are your thoughts on adding the ability to proxy to FastCGI servers in a similar automated fashion?

At first glance there would be a need to control per-application settings as different servers use FastCGI in a wide variety of ways. I'm not sure if environment variables could work to control everything.

Headers set in app container are stripped

Hi, I have a django application composed of several containers: nginx, django+gunicorn, redis, postgres. The nginx container exposes port 80 and sets some headers, for example Cache-Control.

The reason I'm using this tool is because I want to deploy the same thing twice, one for QA and one for Production. It is working as expected, nginx-proxy correctly routes the requests based on the domain.

Though the problem I'm facing is that with nginx-proxy in front, the Cache-Control header never gets out. FYI, I do get the header if deployed only once without nginx-proxy and sending requests directly to my own nginx container.

Maybe I'm doing something wrong, but I would expect nginx-proxy to forward any headers set by the upstream. Is this not the case?

Added VIRTUAL_ALLOW to limit access to container

I did a change to nginx.tmpl to provide a VIRTUAL_ALLOW environment variable to limit access to containers. Adding -e VIRTUAL_ALLOW=10.1.1.0/24,10.1.3.55 will result in:

allow 10.1.1.0/24;
allow 10.1.3.55;
deny all;
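An added example (not the poster's template change, and not nginx-proxy code) of validating a VIRTUAL_ALLOW value before it is rendered into allow/deny directives, so that a container's environment variable can only ever contribute IP addresses or CIDR ranges to the proxy configuration. The function names are hypothetical, and rejecting /0 prefixes and falling back to deny all are design choices of this sketch.

```python
import ipaddress


def render_allow_rules(virtual_allow):
    """Validate a VIRTUAL_ALLOW value and return the nginx access rules for it.

    Every comma-separated entry must parse as an IPv4/IPv6 address or CIDR
    range; anything else (stray semicolons, braces, extra directives) raises
    ValueError instead of reaching the generated configuration.
    """
    entries = [e.strip() for e in virtual_allow.split(",") if e.strip()]
    if not entries:
        raise ValueError("VIRTUAL_ALLOW is empty")
    rules = []
    for entry in entries:
        try:
            if "/" in entry:
                # strict=False normalises host bits: 10.1.1.77/24 -> 10.1.1.0/24
                net = ipaddress.ip_network(entry, strict=False)
                if net.prefixlen == 0:
                    raise ValueError("prefix /0 would allow every client")
                rendered = str(net)
            else:
                rendered = str(ipaddress.ip_address(entry))
        except ValueError as exc:
            raise ValueError(f"rejected VIRTUAL_ALLOW entry {entry!r}: {exc}") from None
        rules.append(f"allow {rendered};")
    rules.append("deny all;")
    return "\n".join(rules)


def rules_or_fail_closed(virtual_allow):
    """Render the rules, or lock the host down if the value is not valid."""
    try:
        return render_allow_rules(virtual_allow)
    except ValueError:
        return "deny all;"


if __name__ == "__main__":
    # The value from the post above, then a constructed malformed value.
    print(rules_or_fail_closed("10.1.1.0/24,10.1.3.55"))
    print(rules_or_fail_closed("10.1.1.0/24,0.0.0.0/0; allow all"))
```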

jwilder/forego vs ddollar/forego

Could you explain the choice of using jwilder/forego over ddollar/forego.
Was that for convenience or are there any functional changes in jwilder/forego ?

Separated containers for nginx and docker-gen

It kinda creeps me out having a docker.sock mount specially on the nginx node.

It could be a better approach to have nginx and docker-gen on different containers but sharing the "/etc/nginx/sites-enabled" mount (actually the "official" nginx image exposes this volume).

This way only the docker-gen image needs to mount docker.sock.

I prefer, at this moment, using "fig" to define multi-container deployments.

Allow virtual hosts to expose multiple ports

I'm probably doing something wrong, but I can't figure out a way to proxy multiple ports from the same container. At the moment, the nginx-proxy only seems to accept connections on port 80.

Example use case: a virtual host mapped to the www subdomain needs to handle external traffic on ports 80 and 443.

Is there any way the nginx.tmpl can be modified to allow the proxy to automatically hook up all the ports exposed by the virtual host containers? Maybe by creating multiple server definitions per container, one for each port?

virtualhost = domaine.com/alias

Hi,
First thank you for nginx-proxy.

how can I do a virtualhost type:
domaine.com/test/....

instead of a subdomain:
test.domaine.com/....

when I start a new container?

ex:
docker run -e VIRTUAL_HOST=domaine.com/test ...

Using multiple path

Hello,

I have modified your nginx template a bit so that I can use different docker containers for different paths of the same domain.

For example:
www.mysite.com with / ---> web-main container
www.mysite.com with /auth ---> web-auth container

But I am not sure how I can control the order in which these values are registered in the sites-enabled nginx config file.

Currently, the config block for "/" gets defined before the "/auth" block and so all of my requests end up going to the "web-main" docker container.

Basically, it would need to sort the collection of the "path" in descending order before looping over it to generate the config file.

I would appreciate if anyone can point me into the right direction here.

Here is the modified nginx template:

server {
    listen 80 default_server;
    server_name _; # This is just an invalid value which will never trigger on a real hostname.
    error_log /proc/self/fd/2;
    access_log /proc/self/fd/1;
    return 503;
}

{{ range $host, $containers := groupByMulti $ "Env.VIRTUAL_HOST" "," }}
{{ range $path, $containers := groupByMulti $ "Env.VIRTUAL_PATH" "," }}
{{ range $index, $value := $containers }}

upstream {{ $value.Name }} {
    {{ $addrLen := len $value.Addresses }}
    {{/* If only 1 port exposed, use that */}}
    {{ if eq $addrLen 1 }}
        {{ with $address := index $value.Addresses 0 }}
           server {{ $address.IP }}:{{ $address.Port }};
        {{ end }}

    {{/* If more than one port exposed, use the one matching VIRTUAL_PORT env var */}}
    {{ else if $value.Env.VIRTUAL_PORT }}
        {{ range $i, $address := $value.Addresses }}
           {{ if eq $address.Port $value.Env.VIRTUAL_PORT }}
           server {{ $address.IP }}:{{ $address.Port }};
           {{ end }}
        {{ end }}

    {{/* Else default to standard web port 80 */}}
    {{ else }}
        {{ range $i, $address := $value.Addresses }}
            {{ if eq $address.Port "80" }}
            server {{ $address.IP }}:{{ $address.Port }};
            {{ end }}
        {{ end }}
    {{ end }}
}

server {
    listen 443 ssl;

    ssl_certificate /etc/nginx/certs/nginx.crt;
    ssl_certificate_key /etc/nginx/certs/nginx.key;

    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

    server_name {{ $host }};
    proxy_buffering off;
    error_log /proc/self/fd/2;
    access_log /proc/self/fd/1;

    location {{ $path }} {
        proxy_pass http://{{ $value.Name }};
        include /etc/nginx/proxy_params;

        # HTTP 1.1 support
        proxy_http_version 1.1;
        proxy_set_header Connection "";
    }
}

{{ end }}
{{ end }}
{{ end }}

Multi-host support using etcd

I'm using docker-discover and docker-register on CoreOS (on digital ocean) with great success for my backend services, and just started to tackle having multiple front-end services. I've run into the issue where the only services that can be accessed are those that coincidentally share the same host as the nginx-proxy. I could force all frontend services to that host using fleet configs, but I feel that would be inelegant.

Based on my understanding of docker-discover/docker-register, I had an idea for how nginx-proxy could handle this, but implementing it is something I haven't started yet. I wanted to put the idea out there for others to provide feedback on in the meantime.

My thought is to have a nginx-proxy pass all VIRTUAL_HOST registrations through etcd. When a container starts, its id/port/VIRTUAL_HOST is registered. And nginx-proxy watches etcd for new registrations and sets up configs from them. In theory, this would allow all nginx-proxy containers to all have configs for all services, and if the services use discrete ports and docker-discover/docker-registry for inter-host forwarding, the request will go through an arbitrary host on port 80, to the service port, then back to that port on the host with that container.

Feedback welcome!

https - route transparently, do not terminate ssl?

Hi,

I have an Apache website container...
Would it be possible to forward port 443/ssl in the same way as 80, but allow the target container to terminate SSL, i.e. certificates and so on would be installed in the container?

Or is that a limitation in reverse https proxying?

Also it would be nice if requests on port 80 were forwarded to port 80, not automatically forwarded to 443. Otherwise one has pages with mixed http/s, which causes browser issues.
As maybe not all pages need https (performance)

Add Websockets support

The current nginx template does not allow upgrading websocket connections.

I added a few lines and an environment variable to allow this. Details in pull request #37.

Allow http & https?

First of all I'm a big fan of this project! Thanks!

This is my first time working w/ docker-gen. I'm assuming there is some simple way to modify the template such that I can allow http and https instead of redirecting.

If I set an env VIRTUAL_REDIR=false, I'm assuming there is some way to not include the redirection code? I'm not familiar w/ the go templating language at all. I gave it a shot below, but I don't think $container is in scope. Getting an error (as expected?) 2015/02/03 18:04:08 unable to parse template: template: nginx.tmpl:54: undefined variable "$container".

Any quick help would be much appreciated!

{{ if ne "false" $container.Env.VIRTUAL_REDIR }}
server {
    server_name {{ $host }};
    rewrite ^(.*) https://{{ $host }}$1 permanent;
}
{{ else }}
server {
        server_name {{ $host }};
        location / {
                proxy_pass http://{{ $host }};
                {{ if (exists (printf "/etc/nginx/htpasswd/%s" $host)) }}
                auth_basic      "Restricted {{ $host }}";
                auth_basic_user_file    {{ (printf "/etc/nginx/htpasswd/%s" $host) }};
                {{ end }}
        }
}
{{ end }}

Unknown host

Just tried with tutum/lamp but I still don't get it to work. I did everything right, as described in the "usage" section. The command I used to start my sample lamp container (tested and running on the port docker ps gives me): sudo docker run -e VIRTUAL_HOST=test.foo -d -P tutum/lamp When I ping or curl for the virtual host then I get:

curl: (6) Could not resolve host: test.foo

Do I have to set up anything else too? I tried to set a wildcard tld in my /etc/hosts file with both the IP address of docker0 and/or wlan0. =)

Custom Templates

Would it be possible to add support for using custom templates for a subdomain?

After enabling SSL, default nginx page

I have nginx-proxy working with http requests with the following:

docker run -d -p 80:80 -p 443:443 -v /volumes/certs/project/certs:/etc/nginx/certs -v /var/run/docker.sock:/tmp/docker.sock jwilder/nginx-proxy

However, HTTPS fails, with a "the connection was reset" error. I used nsenter to enter the container and access the error logs, which were empty.

Once the https connection has been terminated by the nginx-proxy, does it proxy the connection to the backend container as plain http?

load balancing

is it possible to load balance as well with nginx-proxy ?

For example, I want to fire up 2 docker containers, and use them as a round-robin

-e VIRTUAL_HOST=foo.myapp.com:[1|2|..n]

which means that I have 2 foo.myapp.com hosts (1 & 2)

would it be possible for nginx to then create the appropriate round-robin / load balancing config files ?

Multiple Virtual Hosts Per Container

Hello!
First of all, this is awesome work and I cannot wait to try this out!
I was curious if it's at all possible to add support for multiple virtual hosts for containers, for example VIRTUAL_HOST=a.com,b.com (maybe optional support for comma separated hostnames?)

Thanks, Max.

[crit] 39#0 *11 open() "/etc/nginx/htpasswd/mydomain.com" failed (13: Permission Denied)

Hi,

First I'd like to say thank you for a great container. I am having one issue with it though. I have been able to get SSL to work and everything runs smoothly. I am hosting a REST API which works fine without basic authentication, however when I add basic authentication via:

docker run -d -p 80:80 -p 443:443 -v /path/to/certs:/etc/nginx/certs -v /path/to/htpasswdfile:/etc/nginx/htpasswd -v /var/run/docker.sock:/tmp/docker.sock jwilder/nginx-proxy

Everything runs fine. I'm only using basic auth on one container (the rest have built in authentication methods). So when I attempt to access my rest api via firefox (or curl) I get a 500 error. The nginx container log shows the error from the subject line:

[crit] 39#0 *11 open() "/etc/nginx/htpasswd/mydomain.com" failed (13: Permission Denied)

default "no matching host" page

If no virtualhost matches the url, the first one (or last?) in the list is displayed, which is pretty random. This can be confusing. I'd prefer a default page to be returned if there are no matches.

Mounting docker socket, security concern ?

Hi,

docker-gen is great and nginx-proxy sounds promising.
But for the latter I've some questions about the security impact of mounting docker socket into the reverse proxy containers.

AFAIU, it means that if the reverse proxy container gets compromised I would give an attacker whole access to the docker daemon (creating, deleting containers, etc). As the reverse proxy is the most exposed part of the infrastructure, it's the most likely to be attacked.

There is maybe an alternative to have a 3rd party container that would run docker-gen and generate configuration for the reverse proxy and have only the notify & reload stuff (maybe linked together with --volumes-from). What do you think ?
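An added example (not from the issue's author or the nginx-proxy project) that audits docker inspect output for the concern raised in this issue and in "Separated containers for nginx and docker-gen" above: a container that both publishes ports and mounts the Docker socket. The two inspect samples, the container names nginx and docker-gen and the volume name nginx_conf are constructed.

```python
import json

# Constructed, trimmed `docker inspect` output: the single-container layout.
COMBINED = json.loads("""
[{"Name": "/nginx-proxy",
  "HostConfig": {"PortBindings": {"80/tcp": [{"HostIp": "", "HostPort": "80"}]}},
  "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
              "Destination": "/tmp/docker.sock", "RW": true}]}]
""")

# Constructed: nginx and docker-gen split, sharing only a config volume.
SPLIT = json.loads("""
[{"Name": "/nginx",
  "HostConfig": {"PortBindings": {"80/tcp": [{"HostIp": "", "HostPort": "80"}]}},
  "Mounts": [{"Type": "volume", "Name": "nginx_conf",
              "Destination": "/etc/nginx/conf.d", "RW": true}]},
 {"Name": "/docker-gen",
  "HostConfig": {"PortBindings": {}},
  "Mounts": [{"Type": "volume", "Name": "nginx_conf",
              "Destination": "/etc/nginx/conf.d", "RW": true},
             {"Type": "bind", "Source": "/var/run/docker.sock",
              "Destination": "/tmp/docker.sock", "RW": false}]}]
""")

SOCKET_PATHS = {"/var/run/docker.sock", "/run/docker.sock"}


def socket_mounts(container):
    """Bind mounts whose host side is the Docker daemon socket."""
    return [m for m in container.get("Mounts") or []
            if m.get("Type") == "bind" and m.get("Source") in SOCKET_PATHS]


def published_ports(container):
    """Container ports that are published on the host."""
    host_config = container.get("HostConfig") or {}
    bindings = host_config.get("PortBindings") or {}
    ports = sorted(port for port, hosts in bindings.items() if hosts)
    if host_config.get("PublishAllPorts"):
        ports.append("all exposed ports (-P)")
    return ports


def audit_socket_exposure(containers):
    """Return (container, severity, message) for every socket-mounting container."""
    findings = []
    for container in containers:
        mounts = socket_mounts(container)
        if not mounts:
            continue
        name = container["Name"].lstrip("/")
        ports = published_ports(container)
        if ports:
            findings.append((name, "HIGH",
                             f"publishes {', '.join(ports)} and mounts the Docker socket"))
        else:
            findings.append((name, "INFO",
                             "mounts the Docker socket but publishes no ports"))
        # A read-only bind mount protects the socket file itself; it does not
        # filter the API requests sent over the socket.
        if any(m.get("RW") for m in mounts):
            findings.append((name, "WARN", "socket bind mount is read-write"))
    return findings


if __name__ == "__main__":
    for label, sample in (("combined", COMBINED), ("split", SPLIT)):
        for finding in audit_socket_exposure(sample):
            print(label, *finding)
```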
