SSL Reverse Proxy #200

Closed
gajeevan opened this Issue Jul 20, 2015 · 8 comments


gajeevan commented Jul 20, 2015

Hi Jason,

First off I would like to thank you for this great product you have created. This has made my life very easy. I have a little issue getting the SSL working and was wondering if you can give me some hints as to where I have gone wrong.

My Setup

  1. jwilder/nginx-proxy => 80:80 & 443:443 traffic
  2. container 1 w/ 3 sites => :80 & :443 traffic, mysqld, httpd, postfix
  3. container 2 w/ 4 sites => :80 traffic, mysqld, httpd, postfix
  4. postfix => 25:25 traffic

NGINX SCRIPT
docker run -d -it \
  --name nginx \
  -h nginx \
  -p 80:80 \
  -p 443:443 \
  -v $HOME/nginx/certs:/etc/nginx/certs:ro \
  -v $HOME/nginx/vhost.d:/etc/nginx/vhost.d:ro \
  -v $HOME/nginx/passwords:/etc/nginx/passwords:ro \
  -v $HOME/nginx/log:/var/log/nginx \
  -v /var/run/docker.sock:/tmp/docker.sock:ro \
  jwilder/nginx-proxy

I am able to get traffic on 80 working perfectly. I expose the env $VIRTUAL_HOST and everything works as expected. The trouble I am faced with is making my https:// sites work within container 1.

Questions

  1. Is there an env variable I have to expose for ssl to work?
  2. My certificates are in the form of .cer but nginx requires .crt to work. I have googled and found how to convert to .pem but not to .crt. Can you kindly advise?
  3. Do I need to specify a vhost.d value?
Owner

jwilder commented Jul 20, 2015

.crt is usually PEM encoded and just named w/ .crt.

I'd suggest running docker logs nginx and seeing what errors you get, as well as examining the client errors you get from connecting to nginx-proxy via SSL. It's hard to say if your nginx-proxy can't find certs, if they are in the wrong format, or some other issue without actual error messages indicating what the problem might be.
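The point above, that a .crt is normally just PEM data under another name, as an added example (not code from this thread or from nginx-proxy): classify a certificate file by its leading bytes instead of its extension and normalise DER to PEM, which is what `openssl x509 -inform DER -in site.cer -out site.crt` does on the command line. The sample bytes are constructed and are not a real certificate.

```python
import base64
import textwrap

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"
PEM_FOOTER = b"-----END CERTIFICATE-----"


def cert_format(data: bytes) -> str:
    """Classify certificate bytes as 'pem', 'der' or 'unknown'.

    The extension (.cer/.crt/.pem) is not reliable. PEM is base64 text in
    BEGIN/END armour; DER is raw ASN.1 and a certificate always opens with
    a SEQUENCE tag (0x30). The DER check is a heuristic on that first byte.
    """
    head = data.lstrip()
    if head.startswith(PEM_HEADER):
        return "pem"
    if head[:1] == b"\x30":
        return "der"
    return "unknown"


def to_pem(data: bytes) -> bytes:
    """Return the certificate PEM-encoded, converting from DER when needed."""
    kind = cert_format(data)
    if kind == "pem":
        return data
    if kind != "der":
        raise ValueError("not a PEM or DER certificate")
    body = base64.b64encode(data).decode("ascii")
    armoured = "\n".join(textwrap.wrap(body, 64)).encode("ascii")
    return PEM_HEADER + b"\n" + armoured + b"\n" + PEM_FOOTER + b"\n"


def pem_to_der(data: bytes) -> bytes:
    """Strip the PEM armour and base64-decode the body."""
    inner = [ln.strip() for ln in data.splitlines()
             if ln.strip() and not ln.strip().startswith(b"-----")]
    return base64.b64decode(b"".join(inner))


# Constructed stand-in for a DER file: a SEQUENCE tag with a tiny body.
# It is not a real certificate; only the framing matters here.
FAKE_DER = b"\x30\x03\x02\x01\x05"

if __name__ == "__main__":
    pem = to_pem(FAKE_DER)
    print(pem.decode("ascii"))
    print(cert_format(pem), pem_to_der(pem) == FAKE_DER)
```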


gajeevan commented Jul 20, 2015

I was unable to get SSL working. I was playing around and renamed my .cer file to .crt and touched a file in $HOME/nginx/vhost.d. The file created was . This is how I got the SSL working. I feel it is just by luck that everything worked. I read something that .cer and .crt are one and the same DER certs?

The problem I have with troubleshooting within the nginx container is that all the logs and requests are live. What I mean is that the minute I "docker attach nginx" the screen will show the live log constantly. Is there a way to suppress it? I apologize for my novice request as I am only 2 months into docker and really excited.


gajeevan commented Jul 23, 2015

Hi Jason,

I managed to get the SSL working but now I have a different issue. Initially I tested it on port 80 to make sure everything is working (it did). Then after moving everything over to 443 I have a redirect loop error message. My settings are as follows:

<VirtualHost *:80>
ServerName domain name
# unconditional: every request that arrives on :80 is sent to https
Redirect permanent / https://domain name/
</VirtualHost>

<VirtualHost *:443>
ServerName domain name:443
ServerAlias www.domain name
ErrorLog /var/log/httpd/domain name-error-log
DocumentRoot /home/domain name/public_html/
SSLEngine on

SSLProtocol all -SSLv2
# cipher list as posted; note it still allows RC4 and LOW-strength suites
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/httpd/conf/certificates/domain name.cer
SSLCertificateKeyFile /etc/httpd/conf/certificates/domain name.key
SSLCACertificateFile /etc/httpd/conf/certificates/domain nameIntermediate.cer
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>

# legacy MSIE workaround carried over from the stock ssl.conf
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

I read that if there is a reverse proxy in front of the containers then there is a possibility that it might go into an infinite loop. I would like to do something with the headers. Can you kindly provide some expertise?


gajeevan commented Jul 24, 2015

Error Message:

This web page has a redirect loop

ERR_TOO_MANY_REDIRECTS

@gajeevan gajeevan closed this Jul 25, 2015


pavelsr commented May 31, 2017

@gajeevan, how did you solve the problem of ERR_TOO_MANY_REDIRECTS? I have a similar problem now.


juanluisbaptiste commented Jun 2, 2017

Me too !


pavelsr commented Oct 17, 2017

@juanluisbaptiste, it seems I now understand what the problem was.

I disabled HTTP proxy in DNS server settings on my CloudFlare account and now nginx-proxy is working fine!

Image of Cloudflare DNS settings

@jwilder and anyone who participated in this issue, please confirm that enabling the Cloudflare CDN affects the normal operation of nginx-proxy.

More details: https://support.cloudflare.com/hc/en-us/articles/115000219871-Why-does-Flexible-SSL-cause-a-redirect-loop-


juanluisbaptiste commented Oct 17, 2017

@pavelsr thanks, I also fixed it with the answer found here. Basically it says to add the following options to the nginx config:

In your main config (i.e. my_proxy.conf):
fastcgi_param HTTPS on; -> to prevent errors when loading assets via HTTP while you establish an HTTPS connection

In the virtual host config file in vhost.d:
proxy_set_header X-Forwarded-Proto https; -> for SSL endpoint termination

These options fixed the redirect for me.
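The loop gajeevan hit earlier (Apache redirecting every request it sees as plain HTTP while nginx-proxy, or Cloudflare in Flexible SSL mode, terminates TLS and talks plain HTTP to the backend) and the X-Forwarded-Proto fix in the comment above, modelled as an added example; this is not code from nginx-proxy, Apache or anyone in this thread. The host name and the redirect cap are constructed assumptions.

```python
from dataclasses import dataclass, field

MAX_REDIRECTS = 20  # roughly a browser's limit before ERR_TOO_MANY_REDIRECTS


@dataclass
class Request:
    scheme: str          # scheme the sender used: "http" or "https"
    host: str
    headers: dict = field(default_factory=dict)


def proxy(req: Request, set_forwarded_proto: bool) -> Request:
    """TLS-terminating reverse proxy: the hop to the backend is always plain http.
    Client-supplied X-Forwarded-Proto is dropped so the backend only ever sees a
    value the proxy itself set; otherwise a direct client could spoof it."""
    headers = {k: v for k, v in req.headers.items()
               if k.lower() != "x-forwarded-proto"}
    if set_forwarded_proto:
        headers["X-Forwarded-Proto"] = req.scheme
    return Request("http", req.host, headers)


def backend(req: Request, honour_forwarded_proto: bool):
    """Backend vhost: redirect to https unless the request is already secure.
    honour_forwarded_proto=False is the thread's unconditional
    'Redirect permanent / https://...'; True guards the redirect the way
    'RewriteCond %{HTTP:X-Forwarded-Proto} !https' would in Apache."""
    effective = req.scheme
    if honour_forwarded_proto:
        effective = req.headers.get("X-Forwarded-Proto", req.scheme)
    if effective != "https":
        return 301, "https://" + req.host + "/"
    return 200, None


def browse(start_scheme, host, set_forwarded_proto, honour_forwarded_proto):
    """Follow redirects like a browser; return (final status, redirects taken)."""
    scheme, hops = start_scheme, 0
    while True:
        upstream = proxy(Request(scheme, host), set_forwarded_proto)
        status, location = backend(upstream, honour_forwarded_proto)
        if status != 301:
            return status, hops
        hops += 1
        if hops > MAX_REDIRECTS:
            return "ERR_TOO_MANY_REDIRECTS", hops
        scheme = location.split("://", 1)[0]
```

Only the combination where the proxy sets the header and the backend honours it ends in a 200; setting it without honouring it, or the other way round, still loops.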
