-
Notifications
You must be signed in to change notification settings - Fork 3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[bug] Using certificates missing apps redirect to wrong apps #268
Comments
Any ideas on how to solve this? |
This issue is very problematic for our use case as it's serving the wrong app. Imagine getting Facebook when you browse to Google... Do you have any tips on where to look, maybe I can help solve this issue. |
That's odd. When you access the app, are you doing it over HTTP and then getting redirected to HTTPS? Also, how are your certs named on disk? Are they named after each virtual host or are they sharing a single wildcard |
Accessing all the apps through HTTPS. The certs are named the same as the domains, so |
I wonder whether a lack of SNI support in the browser could be to blame. What browser/OS combo are you seeing these problems with @davidsyoung and @rokcarl? |
@md5 thanks for getting back to me so soon. I was using Chrome on OS X. I have two docker containers with two different VIRTUAL_HOST's set. One is a staging server on a sub domain and one is the production on the root domain. VIRTUAL_HOST settings are like following: staging: VIRTUAL_HOST: staging.example.io I have a SSL wildcard domain under example.io.crt and example.io.key. Everything works perfectly when both docker containers are running between the subdomain and root domain (staging.example.io & example.io/www.example.io). I also have a DNS A record on blog.example.io which is currently down. This routes to the staging.example.io container (url stays blog.example.io). If I then stop the production container (example.io/www.example.io) it will route to the staging.example.io container (url stays example.io/www.example.io). If I start it back up, no issues again. I just tried in Safari because you suggested that it was a browser issue. I can confirm that the issues do not happen in Safari. |
@md5 upon restarting chrome and clearing settings blog.example.io still redirects to staging.example.io but www.example.io does not and shows a 503. |
@davidsyoung The last time I remember anything being done that would affect the hostname used in redirects was in #108, which was merged in February 2015. The redirect should always use the What you're describing with |
Looking closer, it seems like if there isn't a match for the |
@davidsyoung When you say "redirects", do you mean an actual HTTP redirect or do you mean that the wrong backend container serves the request? |
I'm hosting the app on Amazon with an Ubuntu image, accessing the app through Chrome on a Mac. I tried it with Safari as well and it's even worse: no warning, I get served the wrong app. |
@md5 that makes sense actually. When I say redirects, I mean the wrong backend container servers the request. How would I go about fixing this with an ssl config? It doesn't happen on http with no ssl configuration. |
Ok, I found the problem. The basic problem is that if the upstream server is down the nginx does not return the 503. Instead the default route is called. Currently the default route is not configured for SSL, so another server section is picked. If you want to configure a server section with SSL on, you need cetificates. So the browser can do the SSL handshake, after that you can drop the connection (or return 503). The problem is that you don't know which certificate and key pair to offer. So this workaround can only work if you have a wildcard certificate and only one domain.
|
Nice work @brodul! That definitely seems like the issue. A fallback certificate can be provided with the current template by naming it I'm not sure what the best way to handle this would be in the absence of |
I wonder why does't the |
Hi, very sorry to bump such an old issue, but I believe I am experiencing this same problem and lack the knowledge to fix it. I'd very much appreciate a nudge in the right direction. |
I'm also facing the same problem. When the server container is stopped and request from browser using HTTP is not a problem (it correctly shows temporarily unavailable), but when using HTTPS it opens some other container which also uses HTTPS.
|
Same problem overhere |
Same here, please bump this. @md5 @jwilder We have 5 containers with different domains pointing to them. Lets say the non https container has the domain test.com and when you try to access the https://test.com it redirect the traffic first container in the list that have HTTPS. And to be clear, Its not a redirect in the browser more a redirect of traffic with in the proxy, so the domain stays "intact" in the browser but showing content of the first container in the list that have HTTPS.
|
The solution is to implement a self-signed certificate in the proxy cert folder Etc: Then you get a 500 server error instead of another site. |
@dempa266 solution works perfectly. Just to be clarify: after creating the dummy cert&key and putting them in certs directory, during startup the letsencrypt-nginx-proxy-companion (i think so) reads them and creates a 'server' entry in nginx config configured with those certs. After that, requesting a site whose backend is down, causes ' The certificate is not trusted because it is self-signed.' error instead of redirecting to wrong vhost with another cert. |
I believe I'm getting the same thing with wildcard certificates.... |
Also happening here, no workarounds?? |
For wildcard certificates, see #176 (comment). |
This was fixed in #2186 |
All seems to work as intended until I start using certificates.
Short description
I do:
Long description
This is how I run nginx-proxy and both apps (app1 and app2).
I kill app2 with
docker kill app2.app.com
.Visit app2.app.com, but the certificate I get is from app1 and the contents as well. If I also kill app1, then I get the server not found, which is of course correct. If I then run app1 again, app2 again redirects to the wrong app.
The text was updated successfully, but these errors were encountered: