Can't proxy to containers running in host network mode #1059
I can run my nginx in bridge mode and have proxy a container in host mode. However, I've had to alter the template as I describe here: I reported it quite a while ago, but I haven't heard anything yet on a native solution. |
I have the same issue. |
+1 for me |
Same issue...having trouble getting this to work with Home-Assistant (which needs network_mode host to do some UPnP discovery) |
This issue seems to have gotten stale, but I am running into this as well trying to get home assistant working properly. Without host networking mode, Hass can't find things like my Plex server or Google homes. |
+1 for me |
Same here. I have an OpenHAB container which has to be on the host network, but still I want to have a proxy for authentication. |
I'm going to chime in as yet another person trying to use Home Assistant with this container. Some services (HomeKit, in my case) don't work unless the Home Assistant container is running in host networking mode -- but doing that completely breaks the reverse proxy. |
I also got stuck here. I think it is a serious problem for a lot of security, proxying, authentication, statistics services. |
+1 |
Not sure if this helps but this: docker network connect my-other-network my-nginx-proxy Did it for me. Although I'm not doing anything fancy but ran into the same issue. |
I also am having the same issue. @rickw2001 would you mind giving a little more insight into what you did? I'm using a docker-compose file and tried to connect to the bridge and host but unsuccessful. |
Hey @SimplySynced. I create my nginx proxy container manually with docker run. I have a compose file which starts my app containers and creates another network for my app. When I have created / started the nginx-proxy container and my app I run the above command on the CLI (I'm on OS X). Really was that simple for my configuration. Not sure how it would translate to docker compose. Basically:
did it for me. |
Yep same problem here with Home Assistant. Broke my brain to fix it all morning :) |
@neographikal |
Nope...sorry. |
Inside of a container, you are able to reach your local network by host.docker.internal:someport domain. I don't know how the things are going in the Home Assistant but use this tip |
On the host (running docker - not the containers themselves) it should just
be a case of connecting the two networks with 'docker-network connect net1
net2' ... As I mentioned initially my use case is (was) totally different
but it's the same issue.
…On Tue, 17 Dec 2019 at 20:46, Dağhan Günay ***@***.***> wrote:
Yep same problem here with Home Assistant. Broke my brain to fix it all
morning :)
@neographikal <https://github.com/neographikal>
Were you able to find a solution for the Home Assistant?
Inside of a container, you are able to reach your local network by
host.docker.internal:someport domain. I don't know how the things are going
in the Home Assistant but use this tip
|
I had a similar issue and fixed it using this configuration: nginx-proxy/docker-compose.yml:
wp1.local/docker-compose.yml
Note the network name. I didn't create it manually, it is based on the nginx-proxy default network.
|
OP was asking about running the container in host networking, this is different from creating an isolated network inside Docker. AFAIK |
Had the same issue with Home Assistant running on network_mode host and getting the upstream variable to the correct IP and port. I ended up creating a configuration file in /etc/nginx/conf.d/your.domain.com.conf specific to the host (your.domain.com:8123). Inside my docker-compose file, I did not include Virtual_Host. Mounted the /conf.d volume outside the container as well. version: '3' /etc/nginx/conf.d/your.domain.com.conf your.domain.comupstream your.domain.com { |
@YouDontGitMe I don't think this will work correctly due to how included config files are handled in nginx (I also tested a similar approach / workaround first). This will only work if you have a single vhost served by nginx (aka If you have multiple vhosts, nginx will serve certificate for By default,
upstream sub.domain.com {
    # Cannot connect to network of this container
    server 127.0.0.1 down;
}
But we want something like this:
upstream sub.domain.com {
    # home_assistant
    # Keep in mind that this needs to be the internal server IP of your server
    # where the containers are running
    server <internal server ip>:8123;
    # Cannot connect to network of this container
    server 127.0.0.1 down;
}
Right now, my work around includes a custom This approach is definitely on the hacky side and there are nicer workarounds possible (e.g. just add some if statements to the template file itself or just add support for environment variables for managing more complex setups), but it works. Here is my
FROM jwilder/nginx-proxy:alpine
# Copy over custom config
COPY nginx.conf /etc/nginx/nginx.conf
COPY uploadsize.conf /etc/nginx/conf.d/uploadsize.conf
COPY fix-ha-vhost.sh /app/fix-ha-vhost.sh
COPY Procfile /app/Procfile
RUN chmod +x /app/fix-ha-vhost.sh
dockergen: docker-gen -watch -notify "/app/fix-ha-vhost.sh ; nginx -s reload" /app/nginx.tmpl /etc/nginx/conf.d/default.conf
nginx: nginx
#!/usr/bin/env bash
# Errors should not be fatal
set +e
grep '<internal ip>:8123' /etc/nginx/conf.d/default.conf || sed -i 's#upstream sub.domain.com {#upstream sub.domain.com {\n\t\t\t\tserver <internal ip>:8123;#g' /etc/nginx/conf.d/default.conf EDIT: For completeness sake, here is also a slightly nicer hack which only relies on small change to upstream diff --git a/nginx.tmpl b/nginx.tmpl
index 07e2b50..5284aa9 100644
--- a/nginx.tmpl
+++ b/nginx.tmpl
@@ -196,6 +196,10 @@ upstream {{ $upstream_name }} {
{{ template "upstream" (dict "Container" $container "Address" $address "Network" $containerNetwork) }}
{{ end }}
{{ else }}
+ {{ if eq $host "sub.domain.com" }}
+ # Hack
+ server 10.0.0.1:8123;
+ {{ end }}
# Cannot connect to network of this container
server 127.0.0.1 down;
{{ end }} |
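Review bot: the added `{{ if eq $host "sub.domain.com" }}` branch hard-codes both the vhost name and the backend `10.0.0.1:8123` in nginx.tmpl, so every further host-mode backend means another template edit and image rebuild. Consider reading the address from a variable set on the proxied container rather than a literal, and replace the `# Hack` comment with one that says the line is a fallback for the case named in the existing comment below it ("Cannot connect to network of this container"), since the new `server` line is only emitted in that `{{ else }}` branch.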
Thanks @Kami, your suggested solution was excellent. I had the same use-case as others; wanting to run Home Assistant with I found diff --git a/nginx.tmpl b/nginx.tmpl
index 07e2b50..4c9c851 100644
--- a/nginx.tmpl
+++ b/nginx.tmpl
@@ -196,8 +196,12 @@ upstream {{ $upstream_name }} {
{{ template "upstream" (dict "Container" $container "Address" $address "Network" $containerNetwork) }}
{{ end }}
{{ else }}
- # Cannot connect to network of this container
- server 127.0.0.1 down;
+ {{ if eq $host "sub.domain.com" }}
+ server <docker internal ip>:8123;
+ {{ else }}
+ # Cannot connect to network of this container
+ server 127.0.0.1 down;
+ {{ end }}
{{ end }}
{{ end }}
{{ end }} The I had difficulty rebuilding the reverse proxy image from source as well as using the FROM jwilder/nginx-proxy:alpine
# COPY nginx.tmpl nginx.tmpl # Alternative if you don't want to mess with patches
RUN apk --update add git
COPY hass_fix.patch hass_fix.patch
RUN git apply hass_fix.patch where The process was then:
|
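Review bot: `server <docker internal ip>:8123;` in the new `{{ if eq $host "sub.domain.com" }}` branch is a literal placeholder, and a template applied as written would generate an upstream line that nginx cannot parse; state in the patch description that it must be substituted, or read the address from a variable. With `server 127.0.0.1 down;` moved into the `{{ else }}`, the matched host's upstream contains exactly one server, so the hard-coded host name and address are the only path to that backend and deserve a comment explaining them.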
@Lif3line You are welcome. Glad to hear you got it working and thanks for the additional details :) |
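The post-processing workaround discussed in the comments above (editing the generated default.conf after each docker-gen run) is only safe if it touches the one intended upstream block and nothing else. The following is an added example, not code from the thread or from nginx-proxy: a POSIX shell filter that swaps the `server 127.0.0.1 down;` placeholder for a given backend inside one named upstream and refuses values that could inject extra nginx directives. The function names and the sample config are constructed for illustration; `sub.domain.com` and `10.0.0.1:8123` are the values used in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Constructed sample of the upstream
# blocks the nginx-proxy template emits for containers it cannot reach.
sample_conf() {
cat <<'EOF'
upstream sub.domain.com {
    # Cannot connect to network of this container
    server 127.0.0.1 down;
}
upstream other.domain.com {
    # Cannot connect to network of this container
    server 127.0.0.1 down;
}
EOF
}

# rewrite_upstream HOST ADDR: reads a config on stdin, writes the result to
# stdout. Only the placeholder inside the upstream block named HOST changes.
rewrite_upstream() {
    # HOST and ADDR end up inside nginx config, so accept only hostname
    # characters and exactly one host:port separator (no ';', spaces, newlines).
    case $1 in ''|*[!A-Za-z0-9._-]*) return 2 ;; esac
    case $2 in
        *[!A-Za-z0-9.:-]*|*:*:*|:*|*:) return 2 ;;
        *:*) ;;
        *) return 2 ;;
    esac
    awk -v host="$1" -v addr="$2" '
        $1 == "upstream" && $2 == host && $3 == "{" { in_blk = 1 }
        in_blk && $1 == "}" { in_blk = 0 }
        in_blk && /^[ \t]*server[ \t]+127\.0\.0\.1[ \t]+down;/ {
            sub(/server[ \t]+127\.0\.0\.1[ \t]+down;/, "server " addr ";")
        }
        { print }
    '
}

# patch_conf FILE HOST ADDR: rewrite FILE in place, only when the content
# actually changes, so repeated runs after a reload are no-ops.
patch_conf() {
    pc_tmp=$(mktemp) || return 1
    rewrite_upstream "$2" "$3" < "$1" > "$pc_tmp" || { rm -f "$pc_tmp"; return 1; }
    cmp -s "$1" "$pc_tmp" || cat "$pc_tmp" > "$1"
    rm -f "$pc_tmp"
}
```

Running `nginx -t` after `patch_conf` and before `nginx -s reload` catches a bad address before it takes the proxy down.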
Thanks @Lif3line and @Kami for the first revision. This works like a charm for OpenHAB also. I've modified nginx.tmpl as you commented
In my case:
The docker-compose.yml for openhab is:
That's all. Maybe this can help other Openhab users. |
I'm currently skirting around this "bug"/"limitation" by using socat, since I was previously using socat to handle redirection to a raspberry pi with homeassistant on it, but since I have been consolidating a few things I decided to move hass to a container. Similar to the above openhab cases, it's beneficial to use host mode networking. Anyway, the short version of my solution is to use the following in one of my
hass-socat:
  image: alpine/socat:latest
  container_name: hass-socat
  entrypoint: "socat tcp-listen:8122,fork,reuseaddr tcp-connect:192.168.1.110:8123"
  depends_on:
    - nginx-proxy
  environment:
    - LETSENCRYPT_HOST=home.example.com
    - LETSENCRYPT_EMAIL=email@example.com
    - VIRTUAL_PORT=8122
    - VIRTUAL_HOST=home.example.com
  network_mode: bridge
  ports:
    - 8122:8122
  restart: always
Where homeassistant is listening on the host in another stack on 8123. The socat container here handles the nginx/letsencrypt binding with this project (more or less how I had it working when it was external; however, now it points to the host IP of the docker instance and just uses a different port for its nginx virtual host). Works like a charm. |
@kariudo, that sounds like an excellent drop-in solution. Definitely easier to maintain/manage than the |
@kariudo This is exactly what I was looking for thank you. nginx docker-compose.yml:
socat and ha docker-compose.yml:
|
@anLizard Try using |
@Lif3line It would end up writing the traffic from one socket to another, and be a little redundant, yes. I haven't done any testing to see if there's some minuscule load impact to that; however, even with the countless things I have running through HomeAssistant it doesn't seem to produce any noticeable impact, even with everything just running on my qnap NAS. Socat is incredibly efficient in what it does in my experience with this and other applications. |
Tried this as well. I can't connect to nginx anymore at all in bridged mode.
|
@anLizard, Rather than clogging up this issue, here is a more complete example of a https://gist.github.com/kariudo/0e2531ef8165a6f8650cc81df56083a7 I can't attest to other environments, but I can confirm this works for me quite well. |
hi, I had to use the host mode, otherwise nc aio sub-containers (such as the video conferencing service) wouldn't work. I've restarted .. I've tried the bridge mode, but that won't fit my situation .. Could one say why nmp doesn't get an IP anymore ? |
Thanks @kariudo for the example.
|
To add to the others' answers, since I had to adapt them a bit, here's how I managed to get my nginx proxy working with netdata (which uses
|
When using nginx-proxy to try to proxy to a container running in host networking mode, I assume I also have to run nginx-proxy in host network mode as well (although I've tried both ways without success) but I can't get it to work. Here's a sample compose file using the "web" image used in the test suite:
after running this with
docker-compose -f test_network_mode_host.yml up -d
I try to curl each: I can, however, get to web2 using localhost
The problem seems to be in the upstream section for web2, which just has
server 127.0.0.1 down;
Here's the full /etc/nginx/conf.d/default.conf:
Am I missing something in setting this up or is it just not working like it's supposed to?