Docker-compose conflict with nginx in :80 and :443 port #163

Closed
soverxxx opened this issue Feb 3, 2023 · 5 comments
Labels
bug Something isn't working

Comments

soverxxx commented Feb 3, 2023

When I install the new version from Docker, with Kradyz's guide, I have this problem with compose.


nutomic told me to create this issue :)

nutomic
There was an nginx service added to the docker-compose; I missed that at the time. It should either be reverted or be included in the upgrade notes.

@soverxxx soverxxx added the bug Something isn't working label Feb 3, 2023
dessalines (Member) commented Feb 5, 2023

Ever since @sam365724 correctly created a sandboxed version of our dev and prod dockerfiles, we have yet to add a simple nginx reverse proxy that works with it. It's really as simple as:

server {
    server_name your_domain;

    location / {
        proxy_pass http://localhost:LEMMY_PORT;
        include proxy_params;
    }
}

ahribellah commented Apr 5, 2023

@dessalines I'm having this same issue. Can I get a bit more clear of an answer about how to fix it? I'm using this config and cannot seem to get it to work. Turning off nginx during docker-compose doesn't fix it either, as I just end up with a 502 gateway error.

dessalines (Member) commented
@ahribellah How did you install lemmy? Post the rest of your config files.

ahribellah commented Apr 5, 2023

@dessalines

@ahribellah How did you install lemmy? Post the rest of your config files.

I installed through Docker. I'm having issues now because Docker is doing this (apparently common) thing where it's binding nginx.conf as a folder and erroring out when building the container. My attempts to fix that are resulting in empty files and I don't have a lot of experience with Docker, so I'm not 100% sure whether it will actually work afterwards. It's probably my fault, as I tried stripping out the proxy manually and then rebuilt normally afterwards, but clearing the cache hasn't helped. Either way, I got around it by using the command touch nginx.conf.

I deliberately used my.domain.com because it's being hosted on a subdomain.

Anyways, here are my actual configs with sensitive info stripped out.

docker-compose.yml:

version: "3.3"

networks:
  # communication to web and clients
  lemmyexternalproxy:
  # communication between lemmy services
  lemmyinternal:
    driver: bridge
    internal: true

services:
  proxy:
    image: nginx:1-alpine
    networks:
      - lemmyinternal
      - lemmyexternalproxy
    ports:
      # only ports facing any connection from outside
      - 80:80 
      - 443:443
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf:ro
      # setup your certbot and letsencrypt config 
      - ./certbot:/var/www/certbot
      - ./letsencrypt:/etc/letsencrypt/live
    restart: always
    depends_on:
      - pictrs
      - lemmy-ui

  lemmy:
    image: dessalines/lemmy:0.17.2
    hostname: lemmy
    networks:
      - lemmyinternal
    restart: always
    environment:
      - RUST_LOG="warn,lemmy_server=info,lemmy_api=info,lemmy_api_common=info,lemmy_api_crud=info,lemmy_apub=info,lemmy_db_schema=info,lemmy_db_views=info,lemmy_db_views_actor=info,lemmy_db_views_moderator=info,lemmy_routes=info,lemmy_utils=info,lemmy_websocket=info"
    volumes:
      - ./lemmy.hjson:/config/config.hjson
    depends_on:
      - postgres
      - pictrs

  lemmy-ui:
    image: dessalines/lemmy-ui:0.17.2
    networks:
      - lemmyinternal
    environment:
      # this needs to match the hostname defined in the lemmy service
      - LEMMY_UI_LEMMY_INTERNAL_HOST=lemmy:8536
      # set the outside hostname here
      - LEMMY_UI_LEMMY_EXTERNAL_HOST=my.domain.com
      - LEMMY_UI_HTTPS=true
      - LEMMY_HTTPS=true
    depends_on:
      - lemmy
    restart: always

  pictrs:
    image: asonix/pictrs:0.3.1
    # this needs to match the pictrs url in lemmy.hjson
    hostname: pictrs
    # we can set options to pictrs like this, here we set max. image size and forced format for conversion
    # entrypoint: /sbin/tini -- /usr/local/bin/pict-rs -p /mnt -m 4 --image-format webp
    networks:
      - lemmyinternal
    environment:
      - PICTRS__API_KEY=API_KEY
    user: 991:991
    volumes:
      - ./volumes/pictrs:/mnt
    restart: always

  postgres:
    image: postgres:15-alpine
    # this needs to match the database host in lemmy.hson
    hostname: postgres
    networks:
      - lemmyinternal
    environment:
      - POSTGRES_USER=lemmy
      - POSTGRES_PASSWORD=password
      - POSTGRES_DB=lemmy
    volumes:
      - ./volumes/postgres:/var/lib/postgresql/data
    restart: always

lemmy.hjson (I don't remember where I saw to add :1235 to hostname, but I've tried without the port explicitly added, as well, and had no luck - still a 502 bad gateway error):

{
  # for more info about the config, check out the documentation
  # https://join-lemmy.org/docs/en/administration/configuration.html

  # This is a minimal lemmy config for the dev / main branch. Do not use for a 
  # release / stable version.

  setup: {
    admin_username: "admin"
    admin_password: "password"
    site_name: "Lemmy"
    admin_email: "myemail@domain.com"
  }
  database: {
    user: "lemmy"
    password: "password"
    host: postgres
    port: 5432
    database: "lemmy"
    pool_size: 5
  }

  hostname: "my.domain.com:1235"
  bind: "0.0.0.0"
  port: 8536
  tls_enabled: true

  federation: {
    enabled: true
  }

  pictrs: {
    url: "http://localhost:8080/"
    api_key: "api_key"
  }

  #opentelemetry_url: "http://otel:4137"
}

lemmy.conf (under /etc/nginx/sites-enabled):

limit_req_zone $binary_remote_addr zone=my.domain.com_ratelimit:10m rate=1r/s;

server {
    if ($host = my.domain.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen 80;
    listen [::]:80;
    server_name my.domain.com;
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }
    return 301 https://$host$request_uri;


}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name my.domain.com;
    ssl_certificate /etc/letsencrypt/live/my.domain.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/my.domain.com/privkey.pem; # managed by Certbot

    # Various TLS hardening settings
    # https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
    ssl_session_timeout  10m;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets on;
    ssl_stapling on;
    ssl_stapling_verify on;

    # Hide nginx version
    server_tokens off;

    # Enable compression for JS/CSS/HTML bundle, for improved client load times.
    # It might be nice to compress JSON, but leaving that out to protect against potential
    # compression+encryption information leak attacks like BREACH.
    gzip on;
    gzip_types text/css application/javascript image/svg+xml;
    gzip_vary on;

    # Only connect to this site via HTTPS for the two years
    add_header Strict-Transport-Security "max-age=63072000";

    # Various content security headers
    add_header Referrer-Policy "same-origin";
    add_header X-Content-Type-Options "nosniff";
    add_header X-Frame-Options "DENY";
    add_header X-XSS-Protection "1; mode=block";

    # Upload limit for pictrs
    client_max_body_size 20M;

    # frontend
    location / {
      # The default ports:
      # lemmy_ui_port: 1235
      # lemmy_port: 8536

      set $proxpass "http://0.0.0.0:1235";
      if ($http_accept ~ "^application/.*$") {
        set $proxpass "http://0.0.0.0:8536";
      }
      if ($request_method = POST) {
        set $proxpass "http://0.0.0.0:8536";
      }
      proxy_pass $proxpass;
      include proxy_params;

      rewrite ^(.+)/+$ $1 permanent;

      # Send actual client IP upstream
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header Host $host;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # backend
    location ~ ^/(api|pictrs|feeds|nodeinfo|.well-known) {
      proxy_pass http://0.0.0.0:8536;
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";

      # Rate limit
      limit_req zone=my.domain.com_ratelimit burst=30 nodelay;

      # Add IP forwarding headers
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header Host $host;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }


    # Redirect pictshare images to pictrs
    location ~ /pictshare/(.*)$ {
      return 301 /pictrs/image/$1;
    }


}

# Anonymize IP addresses
# https://www.supertechcrew.com/anonymizing-logs-nginx-apache/
map $remote_addr $remote_addr_anon {
  ~(?P<ip>\d+\.\d+\.\d+)\.    $ip.0;
  ~(?P<ip>[^:]+:[^:]+):       $ip::;
  127.0.0.1                   $remote_addr;
  ::1                         $remote_addr;
  default                     0.0.0.0;
}
access_log /var/log/nginx/access.log combined;

EDIT: Ah, right, this one error shows when I run docker-compose logs:

lemmy_1     | thread 'main' panicked at 'Error connecting to postgres://lemmy:password@postgres:5432/lemmy', crates/db_schema/src/utils.rs:157:56
lemmy_1     | note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
lemmy_1     | thread 'main' panicked at 'Error connecting to postgres://lemmy:password@postgres:5432/lemmy', crates/db_schema/src/utils.rs:157:56
lemmy_1     | note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
lemmy_1     | thread 'main' panicked at 'Error connecting to postgres://lemmy:password@postgres:5432/lemmy', crates/db_schema/src/utils.rs:157:56
lemmy_1     | note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

However, it's then followed by successful PostgreSQL init and startup, so I've attributed that to the database not being initialized and online when it attempts to connect, as it ends with the following line:

postgres_1  | 2023-04-05 22:32:02.924 UTC [1] LOG:  database system is ready to accept connections
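
As an added example (not code from this thread or from the Lemmy project), here is a small Python checker for the two failure modes this issue describes: the bundled compose `proxy` publishing 80/443 on a host where nginx already holds those ports, and a host-level `proxy_pass` pointing at a loopback port that no service publishes, which is what yields the 502. The sample compose file and nginx site are constructed, trimmed versions of the ones posted above; the compose scanner is a deliberately minimal line-based one rather than a YAML parser, and the host listener map stands in for what `ss -ltnp` would report.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample, trimmed from the compose file posted above: the bundled `proxy`
# publishes 80/443 on the host, while lemmy and lemmy-ui publish nothing at all.
SAMPLE_COMPOSE = """\
services:
  proxy:
    image: nginx:1-alpine
    ports:
      # only ports facing any connection from outside
      - 80:80
      - 443:443
  lemmy:
    image: dessalines/lemmy:0.17.2
  lemmy-ui:
    image: dessalines/lemmy-ui:0.17.2
"""

# Constructed sample, trimmed from the host-level lemmy.conf posted above.
SAMPLE_HOST_NGINX = """\
server {
    listen 443 ssl http2;
    server_name my.domain.com;
    location / {
      set $proxpass "http://0.0.0.0:1235";
      proxy_pass $proxpass;
    }
    location ~ ^/(api|pictrs|feeds|nodeinfo|.well-known) {
      proxy_pass http://0.0.0.0:8536;
    }
}
"""

PortEntry = Tuple[Optional[str], Optional[int], int]  # (host_ip, host_port, container_port)
HOST_LOCAL = {"localhost", "127.0.0.1", "0.0.0.0"}    # names a host nginx resolves to itself
UPSTREAM_RE = re.compile(r"https?://([\w.\-]+):(\d+)")  # IPv6 literals are not handled

def parse_port_spec(spec: str) -> PortEntry:
    """Compose short syntax CONTAINER, HOST:CONTAINER or IP:HOST:CONTAINER, optional
    /tcp|/udp suffix, no ranges. A missing IP means Docker binds on 0.0.0.0."""
    parts = spec.strip().strip("\"'").split("/", 1)[0].split(":")
    if len(parts) == 1:
        return (None, None, int(parts[0]))          # host port chosen by Docker
    if len(parts) == 2:
        return (None, int(parts[0]), int(parts[1]))
    return (parts[0], int(parts[1]), int(parts[2]))

def scan_compose(text: str) -> Dict[str, List[PortEntry]]:
    """Map each service to its published ports with a small line-based scanner (no YAML
    library) that understands the 2-space indentation style of the file above."""
    services: Dict[str, List[PortEntry]] = {}
    in_services, service, in_ports = False, "", False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()         # drop comments and trailing space
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:
            in_services, service, in_ports = line == "services:", "", False
        elif in_services and indent == 2 and line.endswith(":"):   # a new service
            service, in_ports = line.strip()[:-1], False
            services[service] = []
        elif in_services and indent == 4:                           # a key inside that service
            in_ports = line.strip() == "ports:"
        elif in_ports and service and line.strip().startswith("- "):
            services[service].append(parse_port_spec(line.strip()[2:]))
    return services

def port_conflicts(compose: str, host_listeners: Dict[int, str]) -> List[Tuple[str, int, str]]:
    """(service, host_port, owner) for every published host port a host process already
    holds ('address already in use'); `host_listeners` is the port -> process map off `ss -ltnp`."""
    return [
        (svc, hport, host_listeners[hport])
        for svc, ports in scan_compose(compose).items()
        for _ip, hport, _cport in ports
        if hport is not None and hport in host_listeners
    ]

def upstreams(nginx_conf: str) -> Set[Tuple[str, int]]:
    """Every http(s)://host:port literal, whether in `proxy_pass` or in a `set $var`."""
    return {(host, int(port)) for host, port in UPSTREAM_RE.findall(nginx_conf)}

def unreachable_upstreams(nginx_conf: str, compose: str) -> List[Tuple[str, int]]:
    """Upstreams a host-level nginx cannot reach (it answers 502 for them): a loopback
    or wildcard target needs a service that publishes that host port, and any other
    name (e.g. the service name `lemmy`) only resolves inside the compose network."""
    published = {hp for ports in scan_compose(compose).values() for _ip, hp, _cp in ports if hp}
    return sorted(
        (host, port) for host, port in upstreams(nginx_conf)
        if host not in HOST_LOCAL or port not in published
    )

if __name__ == "__main__":  # constructed `ss -ltnp` view: a host nginx owns 80 and 443
    for svc, port, owner in port_conflicts(SAMPLE_COMPOSE, {80: "nginx", 443: "nginx"}):
        print(f"conflict: service '{svc}' publishes :{port}, already bound by {owner}")
    for host, port in unreachable_upstreams(SAMPLE_HOST_NGINX, SAMPLE_COMPOSE):
        print(f"502 risk: proxy_pass -> {host}:{port} is not published by any service")
```

Run it as a script to print both reports for the samples, or read your own two files into the strings. On the posted setup it flags the compose `proxy` for 80 and 443 and flags 0.0.0.0:1235 and 0.0.0.0:8536 as unpublished, since lemmy and lemmy-ui only sit on the internal network and the compose proxy is the sole service that publishes anything; that is the situation dessalines' answer addresses, where the host nginx should only proxy to the one port the compose stack exposes.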

dessalines (Member) commented
Your server nginx only needs to be the one referenced in this comment

I apologize our docs aren't updated to account for this.

@dessalines dessalines transferred this issue from LemmyNet/lemmy Apr 13, 2023
dessalines added a commit that referenced this issue Apr 13, 2023