I'm trying to run SSL for Docker using a domain. I'm using the following docker-compose.yml for my project:

```yaml
web:
  build: /Users/marcin/docker/definitions/php-nginx/php-7.1-ubuntu
  volumes:
    - /c/Users/marcin/docker/projects/newdocker.app/html/:/usr/share/nginx/html/
    - /c/Users/marcin/docker/projects/newdocker.app/nginx/conf.d/:/etc/nginx/conf.d/
    - /c/Users/marcin/docker/projects/newdocker.app/nginx/log/:/var/log/nginx/
    - /c/Users/marcin/docker/projects/newdocker.app/php/config/:/usr/local/etc/php/
    - /c/Users/marcin/docker/projects/newdocker.app/supervisor/conf.d/:/etc/supervisor/conf.d/
    - /c/Users/marcin/docker/projects/newdocker.app/supervisor/log/:/var/log/supervisor/
    - /c/Users/marcin/docker/local_share/:/root/.local_share/
  working_dir: /usr/share/nginx/html/
  links:
    - db
  container_name: newdocker.php
  hostname: newdocker.app
  ports:
    - "280:22"
    - "8300:80"
    - "18300:443"
  environment:
    - VIRTUAL_HOST=newdocker.app
    - VIRTUAL_PORT=443
    - VIRTUAL_PROTO=https
db:
  build: /Users/marcin/docker/definitions/mysql/5.7
  environment:
     - MYSQL_ROOT_PASSWORD=pass
     - MYSQL_DATABASE=
     - MYSQL_USER=
     - MYSQL_PASSWORD=
  expose:
     - 3306
  volumes:
    - /c/Users/marcin/docker/projects/newdocker.app/mysql/data/:/var/lib/mysql/
    - /c/Users/marcin/docker/projects/newdocker.app/mysql/conf.d/:/etc/mysql/conf.d/source
    - /c/Users/marcin/docker/projects/newdocker.app/mysql/log/:/var/log/mysql/
  ports:
    - "33200:3306"
  container_name: newdocker.db
  hostname: newdocker.app
```

I'm also using jwilder/nginx-proxy with the following docker-compose.yml file:

```yaml
proxy:
   image: jwilder/nginx-proxy
   restart: always
   volumes:
     - /var/run/docker.sock:/tmp/docker.sock:ro
     - ./nginx/conf.d/proxy.conf:/etc/nginx/conf.d/proxy.conf:ro
     - ./certs/default.crt:/etc/nginx/certs/default.crt:ro
     - ./certs/default.key:/etc/nginx/certs/default.key:ro
   ports:
     - "80:80"
     - "443:443"
   container_name: proxy
```

And the problem is like this:

http://192.168.99.100:8300/ - is working fine
https://192.168.99.100:18300/ - is working fine
https://192.168.99.100/ - I'm getting 503 (this is probably fine - this port is not used for this container)
http://newdocker.app/ - is working fine
https://newdocker.app:18300/ - is working fine
https://newdocker.app/ - I'm getting 500

My nginx config file looks like this:

```nginx
server {
    listen       80;
    listen       443  default ssl;
    server_name  localhost;

    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
    ssl_certificate     /etc/ssl/certs/ssl-cert-snakeoil.pem;
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers         HIGH:!aNULL:!MD5;

    # set maximum request size to 20M
    client_max_body_size 20M;

    root /usr/share/nginx/html/public/;

    location / {
        root   /usr/share/nginx/html/public/;
        index  index.php index.html index.htm;
        try_files $uri $uri/ /index.php?$args;
    }

    sendfile off;

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html/public/;
    }

    location ~ \.php$ {
        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;
        fastcgi_param  SERVER_NAME $host;
    }
}
```

How can I set this up to make it work with https://newdocker.app/, i.e. without a port?

Marcin Nabiałek
  • typically in nginx config server block you separate out port 80 from port 443 if you wish to have it send incoming http over to your https seamlessly ... if you want this behaviour create the server block for 80 to simply send the connection to 443 ... then the bulk of your logic resides in server block for port 443 ... or not ? let us know ... I can post a concrete example ... further to your question yes the url never contains any port numbers yet the config does which routes traffic to your underlying server and its port based on url path given – Scott Stensland Sep 29 '17 at 15:15
  • @ScottStensland Thank you for your comment. I would like to use same scheme for all types of sites, so I would like to have working http and https without any redirections. – Marcin Nabiałek Sep 29 '17 at 15:16
  • In your nginx config have you tried redirecting everything to https/443? – Sergiu Sep 29 '17 at 15:16
  • @Sergiu No, but I would like to have working both http and https and not only https – Marcin Nabiałek Sep 29 '17 at 15:17
  • so if you want both 80 and 443 then give each its own server block with same basic logic in each (those lines can go into one file referenced by each block) except no mention of ssl in your 80 server block – Scott Stensland Sep 29 '17 at 15:18
  • cut yourself free TLS certs using letsencrypt however requires refreshes every 90 days which can get automated – Scott Stensland Sep 29 '17 at 15:38
  • @ScottStensland I believe there's no problem with certs because they are working well if I use ip or domain with port. But the thing is I would like to get rid of this 18300 port after domain – Marcin Nabiałek Sep 29 '17 at 19:46
  • You need to have separate `server` blocks for :80 and :443 like @ScottStensland mentioned. You could also try the `docker-letsencrypt-nginx-proxy-companion` linked in the docs for `nginx-proxy`, the template in that image generates a correct config file for you. – wmorrell Sep 29 '17 at 21:15

1 Answer

After investigation, my nginx config file was fine, but I had to update my docker-compose.yaml like this:

```yaml
web:
  build: /Users/marcin/docker/definitions/php-nginx/php-7.1-ubuntu
  volumes:
    - /c/Users/marcin/docker/projects/newdocker.app/html/:/usr/share/nginx/html/
    - /c/Users/marcin/docker/projects/newdocker.app/nginx/conf.d/:/etc/nginx/conf.d/
    - /c/Users/marcin/docker/projects/newdocker.app/nginx/log/:/var/log/nginx/
    - /c/Users/marcin/docker/projects/newdocker.app/php/config/:/usr/local/etc/php/
    - /c/Users/marcin/docker/projects/newdocker.app/supervisor/conf.d/:/etc/supervisor/conf.d/
    - /c/Users/marcin/docker/projects/newdocker.app/supervisor/log/:/var/log/supervisor/
    - /c/Users/marcin/docker/local_share/:/root/.local_share/
  working_dir: /usr/share/nginx/html/
  links:
    - db
  container_name: newdocker.php
  hostname: newdocker.app
  ports:
    - "280:22"
    - "8300:80"
    - "18300:443"
  environment:
    - VIRTUAL_HOST=newdocker.app
    - CERT_NAME=default
    - HTTPS_METHOD=noredirect

db:
  build: /Users/marcin/docker/definitions/mysql/5.7
  environment:
     - MYSQL_ROOT_PASSWORD=pass
     - MYSQL_DATABASE=
     - MYSQL_USER=
     - MYSQL_PASSWORD=
  expose:
     - 3306
  volumes:
    - /c/Users/marcin/docker/projects/newdocker.app/mysql/data/:/var/lib/mysql/
    - /c/Users/marcin/docker/projects/newdocker.app/mysql/conf.d/:/etc/mysql/conf.d/source
    - /c/Users/marcin/docker/projects/newdocker.app/mysql/log/:/var/log/mysql/
  ports:
    - "33200:3306"
  container_name: newdocker.db
  hostname: newdocker.app
```

The most important thing was adding `- CERT_NAME=default` here to make it work (my certificates shared with jwilder/nginx-proxy are named default.crt and default.key, as you can see in the 2nd docker-compose.yaml in the question), and because I wanted to have both http and https working, I had to add `- HTTPS_METHOD=noredirect` too.

After restarting nginx, I can now use https://newdocker.app without any port added, and http://newdocker.app is working too.

Marcin Nabiałek
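A simplified model of the certificate selection behind this fix, as an added example that is not part of the original answer and not nginx-proxy's own code. It assumes the proxy uses `CERT_NAME` when set, otherwise a `.crt`/`.key` pair named after `VIRTUAL_HOST`, and answers 500 on port 443 when only the default pair is mounted; the function names and result strings are made up for illustration.

```python
# Simplified model (an assumption, not nginx-proxy's code) of what the proxy
# serves for one VIRTUAL_HOST, given the files mounted in /etc/nginx/certs.

# Constructed inputs taken from the compose files in the question and answer.
MOUNTED_CERTS = {"default.crt", "default.key"}
QUESTION_ENV = {"VIRTUAL_HOST": "newdocker.app",
                "VIRTUAL_PORT": "443", "VIRTUAL_PROTO": "https"}
ANSWER_ENV = {"VIRTUAL_HOST": "newdocker.app",
              "CERT_NAME": "default", "HTTPS_METHOD": "noredirect"}


def has_pair(name, cert_files):
    """True when both <name>.crt and <name>.key are present."""
    return f"{name}.crt" in cert_files and f"{name}.key" in cert_files


def pick_cert(env, cert_files):
    """Return the certificate base name used for this vhost, or None."""
    # CERT_NAME wins; otherwise the pair must be named after the host itself.
    name = env.get("CERT_NAME") or env.get("VIRTUAL_HOST", "")
    return name if has_pair(name, cert_files) else None


def https_result(env, cert_files):
    """What a client sees on https://VIRTUAL_HOST/ (proxy port 443)."""
    cert = pick_cert(env, cert_files)
    if cert:
        return f"proxied with {cert}.crt"
    if has_pair("default", cert_files):
        # TLS handshake works with the default pair, but no vhost is routed.
        return "500"
    return "no TLS vhost"


def http_result(env, cert_files):
    """What a client sees on http://VIRTUAL_HOST/ (proxy port 80)."""
    redirecting = env.get("HTTPS_METHOD", "redirect") == "redirect"
    if pick_cert(env, cert_files) and redirecting:
        return "redirect to https"
    return "proxied"


if __name__ == "__main__":
    for label, env in (("question", QUESTION_ENV), ("answer", ANSWER_ENV)):
        print(label, "| https:", https_result(env, MOUNTED_CERTS),
              "| http:", http_result(env, MOUNTED_CERTS))
```

Under this model, renaming the mounted pair to `newdocker.app.crt` and `newdocker.app.key` would also select a certificate without `CERT_NAME`.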