
Bad Gateway --net=host #1537

Closed
Hamsterman opened this issue Dec 1, 2020 · 11 comments · Fixed by #2222

@Hamsterman

I am trying to use the reverseproxy in "-net host" mode but it seems like I keep getting a "Bad gateway".
Is this a bug, or what am I doing wrong?

I first reported it at homebridge, but they suggested it was a ReverseProxy issue.
homebridge/homebridge#2731

@Hamsterman
Author

I have now tried this with another container - the exact same issue.

docker run -d --name ReverseProxy -p 80:80 -p 443:443 --net=host -v //etc/DockerStorage/ReverseProxy:/etc/nginx/certs -v /var/run/docker.sock:/tmp/docker.sock:ro --restart=unless-stopped jwilder/nginx-proxy

docker run -d --name HomeAssistant -e VIRTUAL_HOST=DOMAIN.COM -e VIRTUAL_PORT=8123 --net=host --expose=8123 -v "//etc/DockerStorage/HomeAssistant:/config" -v /etc/localtime:/etc/localtime:ro --restart=unless-stopped homeassistant/home-assistant:stable

@Hamsterman Hamsterman changed the title Bad Gateway Bad Gateway --net=host Jan 4, 2021
@Hamsterman
Author

Anyone?

@pmow

pmow commented Mar 4, 2021

Same. Hosts are marked as being offline unless in bridge mode.

@DatAres37

docker run -d --name HomeAssistant -e VIRTUAL_HOST=DOMAIN.COM -e VIRTUAL_PORT=8123 --net=host --expose=8123 -v "//etc/DockerStorage/HomeAssistant:/config" -v /etc/localtime:/etc/localtime:ro --restart=unless-stopped homeassistant/home-assistant:stable

I'm not a docker expert, but I don't think putting both containers on the host network works, since the expose option probably doesn't work on the host (same as publishing ports).

@Typepluto

Typepluto commented Dec 15, 2021

docker run -d --name HomeAssistant -e VIRTUAL_HOST=DOMAIN.COM -e VIRTUAL_PORT=8123 --net=host --expose=8123 -v "//etc/DockerStorage/HomeAssistant:/config" -v /etc/localtime:/etc/localtime:ro --restart=unless-stopped homeassistant/home-assistant:stable

In this case, maybe you should try port forwarding.
Remove "--net=host --expose=8123" and add "-p 8123:8123".
For example:
docker run -d --name HomeAssistant -p 8123:8123 -e VIRTUAL_HOST=DOMAIN.COM -e VIRTUAL_PORT=8123 -v "//etc/DockerStorage/HomeAssistant:/config" -v /etc/localtime:/etc/localtime:ro --restart=unless-stopped homeassistant/home-assistant:stable

@spitfire

I believe home assistant may need --net host to function properly and be able to contact/detect all accessories.

@buchdag
Member

buchdag commented Dec 15, 2021

To anyone affected by this, could you:

  • pull and use a recent version of the container, let's say nginxproxy/nginx-proxy:0.9.3
  • run it in --net=host mode with the environment variable DEBUG set to true
  • run your other --net=host proxied containers
  • give the result of docker exec run nginxproxy nginx -T (replace nginxproxy with the name of your nginx-proxy container)

@PeterNerlich

Have the same problem, trying to run Pi-hole together with other services. Found the tip to look at the config before stumbling over this issue.

It looks to my uninformed eyes as if nginx-proxy gets confused because it expects to be able to ask docker for an internal IP, but running the containers in host net mode there is none and nginx is unable to create an entry. So nginx-proxy should probably be changed to detect running with --net=host and use the system IP (or 0.0.0.0, idk) for that.

$ docker exec run nginx-proxy nginx -T
Error: No such container: run
$ docker exec nginx-proxy nginx -T
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:

user  nginx;
worker_processes  auto;

error_log  /var/log/nginx/error.log notice;
pid        /var/run/nginx.pid;


events {
    worker_connections  10240;
}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;

    include /etc/nginx/conf.d/*.conf;
}
daemon off;

# configuration file /etc/nginx/mime.types:

types {
    text/html                                        html htm shtml;
    text/css                                         css;
    text/xml                                         xml;
    image/gif                                        gif;
    image/jpeg                                       jpeg jpg;
    application/javascript                           js;
    application/atom+xml                             atom;
    application/rss+xml                              rss;

    text/mathml                                      mml;
    text/plain                                       txt;
    text/vnd.sun.j2me.app-descriptor                 jad;
    text/vnd.wap.wml                                 wml;
    text/x-component                                 htc;

    image/avif                                       avif;
    image/png                                        png;
    image/svg+xml                                    svg svgz;
    image/tiff                                       tif tiff;
    image/vnd.wap.wbmp                               wbmp;
    image/webp                                       webp;
    image/x-icon                                     ico;
    image/x-jng                                      jng;
    image/x-ms-bmp                                   bmp;

    font/woff                                        woff;
    font/woff2                                       woff2;

    application/java-archive                         jar war ear;
    application/json                                 json;
    application/mac-binhex40                         hqx;
    application/msword                               doc;
    application/pdf                                  pdf;
    application/postscript                           ps eps ai;
    application/rtf                                  rtf;
    application/vnd.apple.mpegurl                    m3u8;
    application/vnd.google-earth.kml+xml             kml;
    application/vnd.google-earth.kmz                 kmz;
    application/vnd.ms-excel                         xls;
    application/vnd.ms-fontobject                    eot;
    application/vnd.ms-powerpoint                    ppt;
    application/vnd.oasis.opendocument.graphics      odg;
    application/vnd.oasis.opendocument.presentation  odp;
    application/vnd.oasis.opendocument.spreadsheet   ods;
    application/vnd.oasis.opendocument.text          odt;
    application/vnd.openxmlformats-officedocument.presentationml.presentation
                                                     pptx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
                                                     xlsx;
    application/vnd.openxmlformats-officedocument.wordprocessingml.document
                                                     docx;
    application/vnd.wap.wmlc                         wmlc;
    application/wasm                                 wasm;
    application/x-7z-compressed                      7z;
    application/x-cocoa                              cco;
    application/x-java-archive-diff                  jardiff;
    application/x-java-jnlp-file                     jnlp;
    application/x-makeself                           run;
    application/x-perl                               pl pm;
    application/x-pilot                              prc pdb;
    application/x-rar-compressed                     rar;
    application/x-redhat-package-manager             rpm;
    application/x-sea                                sea;
    application/x-shockwave-flash                    swf;
    application/x-stuffit                            sit;
    application/x-tcl                                tcl tk;
    application/x-x509-ca-cert                       der pem crt;
    application/x-xpinstall                          xpi;
    application/xhtml+xml                            xhtml;
    application/xspf+xml                             xspf;
    application/zip                                  zip;

    application/octet-stream                         bin exe dll;
    application/octet-stream                         deb;
    application/octet-stream                         dmg;
    application/octet-stream                         iso img;
    application/octet-stream                         msi msp msm;

    audio/midi                                       mid midi kar;
    audio/mpeg                                       mp3;
    audio/ogg                                        ogg;
    audio/x-m4a                                      m4a;
    audio/x-realaudio                                ra;

    video/3gpp                                       3gpp 3gp;
    video/mp2t                                       ts;
    video/mp4                                        mp4;
    video/mpeg                                       mpeg mpg;
    video/quicktime                                  mov;
    video/webm                                       webm;
    video/x-flv                                      flv;
    video/x-m4v                                      m4v;
    video/x-mng                                      mng;
    video/x-ms-asf                                   asx asf;
    video/x-ms-wmv                                   wmv;
    video/x-msvideo                                  avi;
}

# configuration file /etc/nginx/conf.d/default.conf:
# nginx-proxy version : 1.0.1-6-gc4ad18f
# If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
# scheme used to connect to this server
map $http_x_forwarded_proto $proxy_x_forwarded_proto {
  default $http_x_forwarded_proto;
  ''      $scheme;
}
# If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
# server port the client connected to
map $http_x_forwarded_port $proxy_x_forwarded_port {
  default $http_x_forwarded_port;
  ''      $server_port;
}
# If we receive Upgrade, set Connection to "upgrade"; otherwise, delete any
# Connection header that may have been passed to this server
map $http_upgrade $proxy_connection {
  default upgrade;
  '' close;
}
# Apply fix for very long server names
server_names_hash_bucket_size 128;
# Default dhparam
ssl_dhparam /etc/nginx/dhparam/dhparam.pem;
# Set appropriate X-Forwarded-Ssl header based on $proxy_x_forwarded_proto
map $proxy_x_forwarded_proto $proxy_x_forwarded_ssl {
  default off;
  https on;
}
gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
log_format vhost '$host $remote_addr - $remote_user [$time_local] '
                 '"$request" $status $body_bytes_sent '
                 '"$http_referer" "$http_user_agent" '
                 '"$upstream_addr"';
access_log off;
		ssl_protocols TLSv1.2 TLSv1.3;
		ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
		ssl_prefer_server_ciphers off;
error_log /dev/stderr;
resolver 1.1.1.1 [fd00::e228:6dff:fef4:5a37];
# HTTP 1.1 support
proxy_http_version 1.1;
proxy_buffering off;
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $proxy_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
proxy_set_header X-Original-URI $request_uri;
# Mitigate httpoxy attack (see README for details)
proxy_set_header Proxy "";
server {
	server_name _; # This is just an invalid value which will never trigger on a real hostname.
	server_tokens off;
	listen 80;
	listen [::]:80;
	access_log /var/log/nginx/access.log vhost;
	return 503;
}
	# pi.hole
upstream pi.hole {
        # Exposed ports: []
        # Default virtual port: 80
        # VIRTUAL_PORT: 8080
        # /!\ Virtual port not exposed
        ## Can be connected with "host" network
        # pihole
        # /!\ No IP for this network!
        # Fallback entry
        server 127.0.0.1 down;
}
server {
	server_name pi.hole;
	listen 80 default_server;
	listen [::]:80 default_server;
	access_log /var/log/nginx/access.log vhost;
	location / {
		proxy_pass http://pi.hole;
}
}

@PeterNerlich

Found the relevant lines in the template:

nginx-proxy/nginx.tmpl

Lines 125 to 130 in c4ad18f

{{ if $containerNetwork.IP }}
{{ $server_found = "true" }}
server {{ $containerNetwork.IP }}:{{ $port }};
{{ else }}
# /!\ No IP for this network!
{{ end }}

@buchdag
Member

buchdag commented Jan 23, 2023

Your issue might be similar to #2144

rot169 added a commit to rot169/nginx-proxy that referenced this issue Apr 19, 2023
Detect if a target container is running host networking, and if so, use the IP address of the bridge net gateway.
@rot169
Contributor

rot169 commented Apr 19, 2023

It looks to my uninformed eyes as if nginx-proxy gets confused because it expects to be able to ask docker for an internal IP, but running the containers in host net mode there is none and nginx is unable to create an entry. So nginx-proxy should probably be changed to detect running with --net=host and use the system IP (or 0.0.0.0, idk) for that.

Just submitted a PR that implements this. It detects containers running host networking and uses the gateway of the proxy bridge network as the upstream IP. This means it'll work for any target containers that listen on either this specific host interface, or more commonly listening on all host interfaces.
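The upstream-selection logic that the template excerpt above and this comment describe, as an added illustration that is not nginx-proxy's or docker-gen's own code: a container that has an IP on a network shared with the proxy gets that IP; a host-networked container has no IP of its own, so the first bridge gateway (the host as seen from the proxy's bridge) is used instead; when neither exists, the block degrades to the marked-down `server 127.0.0.1 down;` fallback seen in the nginx -T output above. The `Container` and `Network` types, the sample addresses (172.17.0.1, 172.17.0.5) and the `renderUpstream` helper are constructed for this example and are simplified stand-ins for what docker-gen actually hands the template.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Container is a constructed, simplified stand-in for the per-container data
// docker-gen exposes to the nginx-proxy template. It is not docker-gen's type.
type Container struct {
	Name        string
	NetworkMode string            // HostConfig.NetworkMode: "host", "bridge", or a user-defined network
	Networks    map[string]string // network name -> IP docker assigned in that network ("" if none)
	VirtualPort int               // VIRTUAL_PORT, or the image's default port
}

// Network is the proxy's own view of a network it is attached to (constructed type).
type Network struct {
	Name    string
	Gateway string // the bridge gateway, i.e. the host's address on that bridge
}

// upstreamServer picks the address nginx should proxy to for one container.
// ok is false when no usable address exists, which is the "No IP for this
// network" situation from the thread. Networks are visited in name order so
// the choice of "first" gateway is deterministic.
func upstreamServer(c Container, proxyNets []Network) (addr string, ok bool) {
	sorted := append([]Network(nil), proxyNets...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Name < sorted[j].Name })

	if c.NetworkMode == "host" {
		// A host-networked container has no IP of its own; the PR discussed
		// here uses the first bridge gateway instead, so nginx reaches the
		// host-bound listener through the bridge.
		for _, n := range sorted {
			if n.Gateway != "" {
				return fmt.Sprintf("%s:%d", n.Gateway, c.VirtualPort), true
			}
		}
		return "", false
	}
	// Normal case: use the container's IP on a network it shares with the proxy.
	for _, n := range sorted {
		if ip := c.Networks[n.Name]; ip != "" {
			return fmt.Sprintf("%s:%d", ip, c.VirtualPort), true
		}
	}
	return "", false
}

// renderUpstream writes an upstream block in the same shape as the
// nginx -T output quoted earlier in the thread, including the fallback entry
// that keeps nginx's config valid (and the vhost answering 503) when no
// address could be found.
func renderUpstream(host string, c Container, proxyNets []Network) string {
	var b strings.Builder
	fmt.Fprintf(&b, "upstream %s {\n", host)
	fmt.Fprintf(&b, "\t# %s\n", c.Name)
	if addr, ok := upstreamServer(c, proxyNets); ok {
		fmt.Fprintf(&b, "\tserver %s;\n", addr)
	} else {
		b.WriteString("\t# /!\\ No IP for this network!\n")
		b.WriteString("\t# Fallback entry\n")
		b.WriteString("\tserver 127.0.0.1 down;\n")
	}
	b.WriteString("}\n")
	return b.String()
}

func main() {
	// Constructed sample data: the proxy sits on the default bridge.
	proxyNets := []Network{{Name: "bridge", Gateway: "172.17.0.1"}}
	bridged := Container{Name: "homeassistant", NetworkMode: "bridge",
		Networks: map[string]string{"bridge": "172.17.0.5"}, VirtualPort: 8123}
	hostNet := Container{Name: "pihole", NetworkMode: "host",
		Networks: map[string]string{"host": ""}, VirtualPort: 8080}

	fmt.Print(renderUpstream("homeassistant.example", bridged, proxyNets))
	fmt.Print(renderUpstream("pi.hole", hostNet, proxyNets))
	// With no bridge gateway available the host-networked container gets the fallback entry.
	fmt.Print(renderUpstream("pi.hole", hostNet, nil))
}
```

The gateway route only works when the target service actually listens on the bridge interface or on all host interfaces, as the comment notes; a service bound to 127.0.0.1 on the host is still unreachable and will keep producing the fallback-style 502/503, which is the safer failure mode than guessing an address.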

rot169 added a commit to rot169/nginx-proxy that referenced this issue Apr 23, 2023
Detect if a target container is running host networking, and if so, use the IP address of the first bridge net gateway.
@buchdag buchdag linked a pull request Apr 28, 2023 that will close this issue
buchdag added a commit that referenced this issue Jun 7, 2023