Description
(tried to use the google groups link in the readme, doesn't work. says group doesn't exist)
Struggling with this. New to docker, nginx, etc. Read all the comments here and on the other PRs, but still confused.
I initially put this as a comment in a related open issue, but none of the solutions I could find seem to work, and I think my setup might be sufficiently unique to warrant a new issue maybe?
I followed the tutorial here exactly: https://medium.com/@francoisromain/set-a-local-web-development-environment-with-custom-urls-and-https-3fbe91d2eaf0
The app works fine when I use the port directly (if I export it via ports in my docker-compose, although this just means the nginx container isn't working i'm guessing), but gives the nginx 502 error page when I try to just use the alias defined in VIRTUAL_HOST
I tried looking at the access log, and the error log, in the var/log/nginx folder and both were empty
I am using docker for mac locally
I don't know much about nginx, but a few things stand out to me?
- the ssl key and crt files are correct
- i don't know where this `172.28.0.4` ip comes from in the upstream consensus.local block
- resolver being `127.0.0.11` seems weird to me but when i changed it to 127.0.0.1 it didn't help
- when i try to access `172.28.0.4` or `172.28.0.4:3001` my connection just times out
- when i try to access consensus.local I DO get redirected to https, and then I get the 502
- i am not running apache and my local nginx file is the default
My hosts file:
127.0.0.1 consensus.local
Nginx error message when I run nginx-proxy not in detached mode:
nginx-proxy_1 | nginx.1 | 2019/11/09 00:27:17 [error] 51#51: *1 upstream prematurely closed connection while reading response header from upstream, client: 172.30.0.1, server: consensus.local, request: "GET / HTTP/2.0", upstream: "http://172.30.0.5:3001/", host: "consensus.local"
nginx-proxy_1 | nginx.1 | consensus.local 172.30.0.1 - - [09/Nov/2019:00:27:17 +0000] "GET / HTTP/2.0" 502 157 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:70.0) Gecko/20100101 Firefox/70.0"
My nginx compose file:
# Reverse-proxy stack. The proxy container reads the Docker API through the
# mounted socket and serves the containers attached to the shared network.
version: "3.1"

services:
  nginx-proxy:
    image: jwilder/nginx-proxy:alpine
    # Both ports are published on every host interface. For a laptop-only
    # setup, a loopback binding such as "127.0.0.1:80:80" keeps the proxy
    # unreachable from the local network.
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # Holds the per-host certificate and its private key
      # (<VIRTUAL_HOST>.crt / <VIRTUAL_HOST>.key).
      - ./certs:/etc/nginx/certs
      # `:ro` protects only the socket file, not the API behind it: a
      # process in this container can still send any request to the Docker
      # daemon. Treat a compromise of the proxy as a compromise of the host.
      - /var/run/docker.sock:/tmp/docker.sock:ro
    restart: unless-stopped

# Use the pre-created "nginx-proxy" network as this project's default, so
# that other compose projects can attach to the same network.
networks:
  default:
    external:
      name: nginx-proxy
my main compose file:
# Local development stack: app container, Postgres and Redis.
version: '3'

services:
  dev:
    container_name: dev
    command: 'npx concurrently "webpack --watch --config webpack/" "npx pm2-dev pm2.config.js --no-daemon"'
    depends_on:
      - db
    # Keep .env out of version control and out of pasted bug reports if it
    # carries credentials.
    env_file:
      - .env
    environment:
      - DB=development
      - DEBUG=false
      - NODE_ENV=development
      # Read by the reverse proxy to build the vhost and upstream
      - VIRTUAL_HOST=consensus.local
      - VIRTUAL_PORT=3001
    # `expose` makes these ports reachable from other containers on the same
    # network without publishing them on the host.
    # NOTE(review): 9229 is presumably the Node.js inspector. Every container
    # on the shared proxy network can reach it; confirm that is intended.
    expose:
      - 3001
      - 9229
    image: node:12.3.0-alpine
    # If these are re-enabled, prefer loopback bindings
    # ("127.0.0.1:3001:3001") so the app and debugger stay off the LAN.
    # ports:
    # - "3001:3001"
    # - "9229:9229"
    working_dir: /app
    volumes:
      - nodemodules:/app/node_modules
      - .:/app

  db:
    container_name: db
    image: postgres:11.2-alpine
    # Published on all host interfaces, and no password variable is set on
    # this service in the listing. Bind to 127.0.0.1 for local-only use and
    # verify how the image authenticates connections.
    ports:
      - "54320:5432"
    volumes:
      - "db_data:/var/lib/postgresql/data"

  redis:
    container_name: redis
    image: redis:alpine
    sysctls:
      # silences the Redis startup warning seen on the minimal alpine image
      net.core.somaxconn: '511'

# Attach this project to the reverse proxy's network. Because it is the
# default network, db and redis join it as well and become reachable from
# any other project attached to "nginx-proxy".
networks:
  default:
    external:
      name: nginx-proxy

# Named volumes created outside this project; they persist database data and
# node_modules across container rebuilds.
volumes:
  db_data:
    external: true
  nodemodules:
    external: true
Docker ps showing all the containers running:
nginx default.conf in the running container:
# If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
# scheme used to connect to this server
# NOTE(review): a client-supplied X-Forwarded-Proto is passed through
# unchanged. When this proxy is the first hop, the backend must not base
# security decisions (secure cookies, HTTPS-only checks) on that header.
map $http_x_forwarded_proto $proxy_x_forwarded_proto {
default $http_x_forwarded_proto;
'' $scheme;
}
# If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
# server port the client connected to
# NOTE(review): same trust caveat as X-Forwarded-Proto above.
map $http_x_forwarded_port $proxy_x_forwarded_port {
default $http_x_forwarded_port;
'' $server_port;
}
# If we receive Upgrade, set Connection to "upgrade"; otherwise, delete any
# Connection header that may have been passed to this server
map $http_upgrade $proxy_connection {
default upgrade;
'' close;
}
# Apply fix for very long server names
server_names_hash_bucket_size 128;
# Default dhparam
ssl_dhparam /etc/nginx/dhparam/dhparam.pem;
# Set appropriate X-Forwarded-Ssl header
# Derived from the scheme of the connection to this server, not from a
# request header.
map $scheme $proxy_x_forwarded_ssl {
default off;
https on;
}
gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
# "vhost" log format: the requested host is prepended to each access-log line.
log_format vhost '$host $remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent"';
# Access logging is off at this level; each server block below turns it back
# on with the vhost format.
access_log off;
# Only TLS 1.2 and 1.3 are offered.
ssl_protocols TLSv1.2 TLSv1.3;
# NOTE(review): the cipher list is cut off in this paste (trailing "->"), so
# the directive is incomplete as shown. Check the file inside the container
# for the full value.
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA->
ssl_prefer_server_ciphers off;
# NOTE(review): 127.0.0.11 is the address of Docker's embedded DNS server on
# user-defined networks, so this value is expected inside a container.
resolver 127.0.0.11;
# HTTP 1.1 support
proxy_http_version 1.1;
proxy_buffering off;
# The Host header is forwarded exactly as the client sent it.
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $proxy_connection;
proxy_set_header X-Real-IP $remote_addr;
# $proxy_add_x_forwarded_for appends the client address to any
# X-Forwarded-For value the client already sent. Earlier entries in the list
# are therefore client-controlled.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
# Mitigate httpoxy attack (see README for details)
# The client's Proxy header is replaced with an empty value before the request
# reaches the backend.
proxy_set_header Proxy "";
# Catch-all for port 80: answers 503 for requests that match no other
# server_name on this port.
# NOTE(review): no equivalent catch-all for port 443 appears in this paste.
server {
server_name _; # This is just an invalid value which will never trigger on a real hostname.
listen 80;
access_log /var/log/nginx/access.log vhost;
return 503;
}
# consensus.local
# Upstream group that the HTTPS server below proxies to.
upstream consensus.local {
## Can be connected with "nginx-proxy" network
# dev
# NOTE(review): only a port is shown here, while the post refers to a
# container IP in this block. The address appears to have been lost from the
# paste; compare with the file inside the container.
server 3001;
}
# Plain-HTTP vhost for consensus.local: every request is answered with a
# permanent redirect to the same host and URI over HTTPS.
server {
server_name consensus.local;
listen 80 ;
access_log /var/log/nginx/access.log vhost;
return 301 https://$host$request_uri;
}
# HTTPS vhost for consensus.local: TLS ends here and requests are forwarded
# to the upstream group of the same name.
server {
server_name consensus.local;
listen 443 ssl http2 ;
access_log /var/log/nginx/access.log vhost;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
# Certificate and private key come from the mounted certs directory; keep the
# .key file readable only by the proxy.
ssl_certificate /etc/nginx/certs/consensus.local.crt;
ssl_certificate_key /etc/nginx/certs/consensus.local.key;
# HSTS for one year (31536000 s), sent on every response because of "always".
# NOTE(review): a browser that trusts this certificate will then refuse plain
# HTTP for consensus.local until the entry expires. Confirm that is wanted on
# a development hostname.
add_header Strict-Transport-Security "max-age=31536000" always;
location / {
# The hop from the proxy to the app is plain HTTP.
proxy_pass http://consensus.local;
}
}