-1

I have two services, both neatly dockerized, each with their own docker-compose.yml.

Each services has its own domain name.

Both services uses HTTPS and have Lets Encrypt certificates.

Both services are completely self contained and listen on 80 and 443.

.--[http]-[https]--.    .--[http]-[https]--.
|                  |    |                  |
|    Service A     |    |    Service B     |
|                  |    |                  |
'------------------'    '------------------'

How do I set up a reverse proxy so that I can launch both services on the same host?

.--------------[http]-[https]--------------.
|                                          |
|              REVERSE PROXY               |
|                                          |
'---+--------+---------------+--------+----'
    |        |               |        |
   http     https           http     https
   req.     req.            req.     req.
   domainA  domainA         domainB  domainB
     |        |              |        |
     V        V              V        V
.--[http]-[https]--.    .--[http]-[https]--.
|                  |    |                  |
|    Service A     |    |    Service B     |
|                  |    |                  |
'------------------'    '------------------'

I would like to keep the services self contained. I.e. I would like to avoid extracting the certificates from the service containers.

From my experiments, it seems like nginx can't forward HTTPS requests without the certs, although it seems like it should be possible to achieve this. Perhaps with some other reverse proxy software?

I have control over both services docker-compose.yml. I can change ports and so on if needed.

Ideally I would like to find a simple daemon that accepts a config that looks something like

[service a]
domain: domainA.tld
localPort: 8080

[service b]
domain: domainB.tld
localPort: 8081

I've searched like crazy but haven't found any such tool.

aioobe
  • 371
  • 1
  • 4
  • 16
  • "Both services are completely self contained and listen on 80 and 443." Not possible you'll need SNI – Jacob Evans Sep 03 '18 at 23:39
  • Ok. I read up on SNI. I realize why this is required. Thank you. [It seems like this should be fine](https://caniuse.com/#feat=sni). – aioobe Sep 04 '18 at 05:38
  • you aren't getting it, SNI is an application layer abstraction, you are implementing network layer abstraction (tcp ports), you cannot do SNI between two separate systems. You MUST share nginx/ssl termination if you want to share IP addresses, data will be decrypted and optionally re-encrypted (if you use backend ssl) on the nginx container. – Jacob Evans Sep 04 '18 at 15:21
  • @JacobEvans, actually, I think you're the one "not getting it" :-) Since I posted the question I've done some more research, and in the TLS protocol, the client indicates what server it wishes to communicate with in the handshaking process (i.e. before the encrypted communication begins). So in this case it's absolutely possible to do network layer proxying based on application layer data. See [this question](https://serverfault.com/q/625362/42849) for instance. – aioobe Sep 05 '18 at 12:52
  • HAProxy can do this trick where it extracts the SNI and uses that information to forward HTTPS to a certain host as a TCP Proxy. nginx does not support this feature. – Tero Kilkanen Sep 06 '18 at 06:32
  • @TeroKilkanen, are you sure? See [this](https://serverfault.com/q/778350/42849) question. – aioobe Sep 06 '18 at 08:00
  • I was wrong, I made an assumption without checking the facts. Did you try the approach in that answer? – Tero Kilkanen Sep 07 '18 at 06:42
  • Haven't had time. I will this weekend. (Might go with [sniproxy](https://github.com/dlundquist/sniproxy) though.) – aioobe Sep 07 '18 at 07:15

1 Answers1

0

You could use the jwilder/nginx-proxy, which offers automate reverse-proxy functionality and it comes with an easy docker-compose integration (you only need to specify a couple of environment variables: the ports where the service is running and the domain where the service will be available).

You can also automate the Let's Encrypt certificate generation with jrcs/letsencrypt-nginx-proxy-companion.

Polpetta
  • 101
  • 2
  • Yeah, I stumbled across that. However, as I wrote in my question "I would like to keep the services self contained. I.e. I would like to avoid extracting the certificates from the service containers." – aioobe Sep 04 '18 at 09:18