
I'm trying to run and use docker behind nginx as a reverse proxy. Everything works fine except when docker responds with a raw stream "application/vnd.docker.raw-stream" instead of a normal HTTP response. This is happening with endpoints /start, /attach, etc. documented here: https://docs.docker.com/engine/api/v1.21/#operation/ExecStart

This is when my nginx configuration doesn't forward the docker response to the client. I tried searching it up and there's just one blog article suggesting a patch to the actual nginx C file: https://blog.yadutaf.fr/2014/12/12/how-to-run-docker-behind-an-nginx-reverse-proxy/

I followed the blog above completely, however, setting r->upstream->upgrade = 1; seems to have no effect on the /start HTTP endpoint in docker. Nginx simply doesn't respond. Is there any way around this? This is my nginx.conf file at the moment:

daemon off;
error_log /dev/stdout info;
# error_log logs/error.log debug;

events {
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                               '$status $body_bytes_sent "$http_referer" '
                               '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /dev/stdout main;
    # include       mime.types;
    # default_type  application/octet-stream;
    # sendfile        on;
    # keepalive_timeout  65;

    upstream dockerpool {
        # session_sticky cookie=sessionid fallback=off mode=insert option=indirect;
        # backup server
        # server nginx_dev_test:80;
        server socat:2376;
    }

    server {
        listen 80;

        location / {
            # The upstream here must be a nginx variable
            set $ups dockerpool;
            proxy_buffering off;
            proxy_pass http://$ups;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "Upgrade";
        }
    }

}
mehulmpt
  • Anyone who can reach the Docker API can pretty much trivially root the system. Why do you want to publish it out through an nginx instance? – David Maze Feb 13 '20 at 01:40
  • I have a custom need for the software, don't worry about the security part, everything is happening in a controlled environment. Help me with the technical part if possible @DavidMaze – mehulmpt Feb 13 '20 at 01:48

1 Answer

For anyone struggling with the same problem, I did extensive research on the internet and there's no sane method to get what I wanted to work with Nginx, and even if you solve this, you'll blow your heads off autoscaling/load-balancing this architecture.

Today, I moved to HAProxy using stick tables, works like a charm. Nginx is not suitable for this use case.

Update: STUPID ME. This COULD work with nginx and/or HAProxy, just make sure you upgrade (downgrade?) your HTTP connection to TCP connection when running docker commands, etc.

mehulmpt
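
The upgrade mentioned in the answer's update, sketched as an added example (not code from the post): the client sends `Connection: Upgrade` / `Upgrade: tcp`, the daemon answers `101 UPGRADED`, and the rest of the connection carries `application/vnd.docker.raw-stream` frames that the client demultiplexes. The exec id, host name and response bytes below are constructed placeholders, and the frame layout shown is the non-TTY one.

```python
import struct

def build_exec_start_request(exec_id, host):
    """POST /exec/{id}/start that asks for the connection to be hijacked to raw TCP."""
    body = b'{"Detach": false, "Tty": false}'
    head = (f"POST /exec/{exec_id}/start HTTP/1.1\r\nHost: {host}\r\n"
            "Content-Type: application/json\r\n"
            f"Content-Length: {len(body)}\r\n"
            "Connection: Upgrade\r\nUpgrade: tcp\r\n\r\n")
    return head.encode("ascii") + body

def split_response(raw):
    """Return (status_code, lower-cased headers, bytes that follow the header block)."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (line.partition(":") for line in lines[1:])}
    return status, headers, rest

def demux_raw_stream(data):
    """Split non-TTY raw-stream bytes into (stream, payload) frames plus leftover bytes.
    Frame header: 1 byte stream type, 3 zero bytes, 4-byte big-endian payload length."""
    names = {0: "stdin", 1: "stdout", 2: "stderr"}
    frames, off = [], 0
    while off + 8 <= len(data):
        stream_type, size = struct.unpack_from(">BxxxI", data, off)
        payload = data[off + 8:off + 8 + size]
        if len(payload) < size:
            break  # truncated frame: keep it as leftover until more bytes arrive
        frames.append((names.get(stream_type, "unknown"), payload))
        off += 8 + size
    return frames, data[off:]

# Constructed sample of what arrives after the upgrade: two whole frames, one cut short.
SAMPLE = (b"HTTP/1.1 101 UPGRADED\r\n"
          b"Content-Type: application/vnd.docker.raw-stream\r\n"
          b"Connection: Upgrade\r\nUpgrade: tcp\r\n\r\n"
          b"\x01\x00\x00\x00\x00\x00\x00\x03hi\n"
          b"\x02\x00\x00\x00\x00\x00\x00\x04oops"
          b"\x01\x00\x00\x00\x00\x00\x00\x09par")

# Placeholder exec id and proxy host name (assumptions, not values from the post).
REQUEST = build_exec_start_request("EXEC_ID_PLACEHOLDER", "docker-proxy.example")

if __name__ == "__main__":
    status, headers, rest = split_response(SAMPLE)
    print(status, headers.get("upgrade"), demux_raw_stream(rest))
```

A reverse proxy only tunnels this exchange if it forwards the `Upgrade` and `Connection` request headers and stops buffering once it sees the 101 response.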