BaGet with Apache2 Reverse Proxy on Docker Compose not working - apache

I'm trying to set up BaGet in Docker with Docker Compose behind an Apache2 reverse proxy, where Apache2 is also running in Docker from Docker Compose.
I've done this successfully with Jenkins and Sonar, but with BaGet (http://localhost:8000/baget) I get "Service Unavailable" even though it's available directly on its own port, e.g.: http://localhost:5555/.
My Docker Compose file looks like this:
version: "3"
services:
  smtp:
    container_name: smtp
    image: namshi/smtp
  jenkins:
    container_name: jenkins
    build: ./jenkins/
    environment:
      - JENKINS_OPTS="--prefix=/jenkins"
  sonar:
    container_name: sonar
    image: sonarqube:latest
    environment:
      - SONAR_WEB_CONTEXT=/sonar
  baget:
    container_name: baget
    image: loicsharma/baget:latest
    ports:
      - "5555:80"
    environment:
      - PathBase=/baget
  apache:
    container_name: apache
    build: ./apache/
    ports:
      - "8000:80"
My Apache2 Docker File looks like this:
FROM debian:stretch
RUN apt-get update
RUN apt-get install -y apache2 && apt-get clean
RUN a2enmod proxy
RUN a2enmod proxy_http
RUN a2dissite 000-default.conf
COPY devenv.conf /etc/apache2/sites-available/devenv.conf
RUN a2ensite devenv
EXPOSE 80
CMD apachectl -D FOREGROUND
And my Apache2 config file like this:
<VirtualHost *:80>
ServerAdmin ...
ServerName ...
ServerAlias devenv
ProxyRequests Off
AllowEncodedSlashes NoDecode
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPreserveHost on
ProxyPass /jenkins http://jenkins:8080/jenkins nocanon
ProxyPassReverse /jenkins http://jenkins:8080/jenkins nocanon
ProxyPass /sonar http://sonar:9000/sonar nocanon
ProxyPassReverse /sonar http://sonar:9000/sonar nocanon
ProxyPass /baget http://baget:5555/baget nocanon
ProxyPassReverse /baget http://baget:5555/baget nocanon
</VirtualHost>
I've tried various different combinations of ProxyPass URLs, I've tried using localhost instead of the internal Docker Compose service names, I've tried different ports and I've tried running BaGet without the PathBase environment variable and nothing works!
I'm hoping it's something obvious with my configuration and not something odd going on with BaGet.

So, I was using the wrong port:
ProxyPass /baget http://baget:5555/baget nocanon
ProxyPassReverse /baget http://baget:5555/baget nocanon
should have been:
ProxyPass /baget http://baget/baget nocanon
ProxyPassReverse /baget http://baget/baget nocanon
Docker containers in Docker Compose speak to each other on the internally mapped port, not the external one. Which, now I know, makes perfect sense!
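The mistake described above can be caught mechanically. The following is an added example, not part of the original post: it compares the backend URLs in ProxyPass lines against the short-syntax "ports" entries of a Compose file and reports any backend that uses a host-published port. The function names are hypothetical, and the Compose data is entered as a dict by hand rather than parsed from YAML.

```python
import re
from urllib.parse import urlsplit

# "ports" entries per service, copied from the compose file in the question.
COMPOSE_PORTS = {"baget": ["5555:80"], "apache": ["8000:80"]}

# ProxyPass lines from the question's virtual host.
APACHE_CONF = """\
ProxyPass /jenkins http://jenkins:8080/jenkins nocanon
ProxyPass /sonar http://sonar:9000/sonar nocanon
ProxyPass /baget http://baget:5555/baget nocanon
"""

# Matches ProxyPass only (not ProxyPassReverse), with or without quotes.
PROXYPASS = re.compile(r'\s*ProxyPass\s+"?([^\s"]+)"?\s+"?([^\s"]+)"?')


def published_ports(entries):
    """Map host port -> container port for short-syntax "ports" entries."""
    mapping = {}
    for entry in entries:
        parts = entry.split("/")[0].split(":")  # drop "/tcp"; allow "ip:host:container"
        if len(parts) >= 2 and parts[-2].isdigit() and parts[-1].isdigit():
            mapping[int(parts[-2])] = int(parts[-1])
    return mapping


def host_port_targets(conf, compose_ports):
    """Return (line, service, port_used, container_port) for each ProxyPass
    whose backend URL uses a service's host-published port."""
    findings = []
    for lineno, line in enumerate(conf.splitlines(), 1):
        match = PROXYPASS.match(line)
        if not match:
            continue
        url = urlsplit(match.group(2))
        used = url.port or {"http": 80, "https": 443}.get(url.scheme)
        mapping = published_ports(compose_ports.get(url.hostname, []))
        if used in mapping and mapping[used] != used:
            findings.append((lineno, url.hostname, used, mapping[used]))
    return findings


if __name__ == "__main__":
    for lineno, service, used, inner in host_port_targets(APACHE_CONF, COMPOSE_PORTS):
        print(f"line {lineno}: {service}:{used} is the host-side port; "
              f"inside the Compose network use {service}:{inner}")
```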

Related

Docker Reverse Proxy

I have a collection of web applications, with each running inside its own Docker Containers. I can access them locally via http://localhost:9001, for example. I want to access them remotely via https://site.example.com, instead. I have a wildcard Let's Encrypt certificate for example.com.
I understand I need Apache to direct traffic from FQDN to Port. So I have set up a VirtualHost (below). Normal web activity seems to work fine. I can navigate the website normally.
However, when I try to login using OAuth (e.g. BitBucket), I get a URI redirect mismatch error. This does not happen when I run this outside of a container. I think there is something wrong with my Proxy setup. Is anyone able to advise how to rectify?
<VirtualHost *:443>
ServerAdmin admin@example.com
ServerName site.example.com
ServerSignature Off
ProxyRequests Off
ProxyPreserveHost On
ProxyPass / http://127.0.0.1:9001/
ProxyPassReverse / http://127.0.0.1:9001/
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
</IfModule>
SSLEngine On
SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/example.com/fullchain.pem
AllowEncodedSlashes NoDecode
</VirtualHost>
For such a use case, Traefik is a well-suited tool. Coupled with docker-compose, you can set up multiple docker containers on the same host, each one having its own endpoint. To access them remotely, you then just have to bind the remote host's IP address to all your endpoints (or use a public DNS that does it for you).
Here is a docker-compose.yml example using Traefik.
version: "3"
services:
  traefik:
    image: traefik:latest
    command: --api --docker --logLevel=DEBUG
    ports:
      - "80:80"
      - "443:443"
      - "8082:8080"
    volumes:
      # So that Traefik can listen to the Docker events
      - /var/run/docker.sock:/var/run/docker.sock
    labels:
      - "traefik.enable=false"
  your_first_container:
    image: <YOUR_IMAGE>
    labels:
      - "traefik.frontend.rule=Host:site.example.com"
      - "traefik.port=9001"

Configure apache2 and host to pass traffic to a docker container with nginx

I'm currently running an Ubuntu webserver with apache2, hosting multiple sites and subdomains. I would like to host bitwarden on my own webserver, which is only shipped in a docker container with nginx.
I would like to use a subdomain e.g. bitwarden.domain.com to access bitwarden. But I have no idea how to configure apache2 / host to pass through traffic going to bitwarden.domain.com to the docker container running bitwarden (without affecting the other domains).
My question: How to configure apache2/docker to achieve this? Is there any documentation/tutorial for this?
After starting the docker container, grab the container ip, port:
local_docker_ip, local_docker_port
And you have a couple of options:
Use apache2 Virtual host with a redirect:
<VirtualHost *:80>
ServerName bitwarden.domain.com
Redirect permanent / http://{local_docker_ip}:{local_docker_port}/
</VirtualHost>
Or use the apache2 proxy module. First, enable proxy modules by running the commands:
a2enmod proxy
a2enmod proxy_http
Then, add the following virtual host:
<VirtualHost *:80>
ProxyPreserveHost On
ProxyRequests Off
ServerName bitwarden.domain.com
ProxyPass / http://{local_docker_ip}:{local_docker_port}/
ProxyPassReverse / http://{local_docker_ip}:{local_docker_port}/
</VirtualHost>
I hope it helps

Jenkins - 403 Forbidden

I just installed Jenkins on an Ubuntu 16.04-server via:
wget -q -O - https://pkg.jenkins.io/debian-stable/jenkins.io.key | sudo apt-key add -
echo "deb https://pkg.jenkins.io/debian-stable binary/" >> /etc/apt/sources.list
apt update
apt install jenkins
Afterwards I changed the port in /etc/default/jenkins to HTTP_PORT=8000 and added --httpPort=$HTTP_PORT --prefix=$PREFIX to the /etc/default/jenkins file and finally since I am running lots of stuff via apache already anyway I added a proxy there with:
ProxyErrorOverride On
ProxyPass "/jenkins" "http://127.0.0.1:8000/jenkins/"
ProxyPassReverse "/jenkins" "http://127.0.0.1/jenkins/"
But when I try to access https://MY_URL/jenkins I get an
Forbidden
You don't have permission to access /jenkins on this server.
But when I do curl localhost:8000 on the server I do seem to get the page. So it seems to be running on that port at least, I just cannot access it via the apache (Other Proxies like /gitlab do work though the same way).
Does anyone have an idea what might be the problem here?
Edit: When I disable ProxyErrorOverride On I finally see the page where I can enter the admin password but doing so redirects me to the same page again:
https://my_url/jenkins/login?from=%2Fjenkins%2F -> https://my_url/jenkins/login?from=%2Fjenkins%2F%2Fj_acegi_security_check.
So the current config for apache looks like this:
## Proxy Settings
ProxyRequests Off
ProxyPreserveHost On
AllowEncodedSlashes NoDecode
SetEnv proxy-nokeepalive 1
ProxyPass "/gitlab" "http://127.0.0.1:8001/gitlab/"
ProxyPassReverse "/gitlab" "http://127.0.0.1:8001/gitlab/"
ProxyPass "/jenkins" "http://127.0.0.1:8000/jenkins/" nocanon
ProxyPassReverse "/jenkins" "http://127.0.0.1:8000/jenkins/"
ProxyPassReverse "/jenkins" "http://my_url/jenkins/"
RequestHeader set X-Forwarded-Proto "https"
RequestHeader set X-Forwarded-Port "443"
Alright I finally found the error:
First ProxyErrorOverride On had to be removed and second I had to remove the trailing slash in the ProxyPass like this:
ProxyPass "/jenkins" "http://127.0.0.1:8000/jenkins" nocanon
ProxyPassReverse "/jenkins" "http://127.0.0.1:8000/jenkins"
ProxyPassReverse "/jenkins" "http://my_url/jenkins"
Interestingly gitlab did require it to work properly and jenkins does not work if the "/" are there.
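The effect of the trailing slash can be reproduced by modelling ProxyPass as a plain prefix substitution. This is an added example, not part of the original post: it uses the ProxyPass pairs shown above, and the function names and the sample request path are assumptions. With "/jenkins" mapped to a target ending in "/", the remainder of the request path is appended after that slash, which yields the doubled slash visible in the redirect URL in the question.

```python
from urllib.parse import urlsplit

# (prefix, target) pairs from the ProxyPass lines in the question and the answer.
BEFORE = ("/jenkins", "http://127.0.0.1:8000/jenkins/")
AFTER = ("/jenkins", "http://127.0.0.1:8000/jenkins")


def backend_url(request_path, prefix, target):
    """Apply ProxyPass prefix substitution: strip the matched prefix from the
    request path and append the remainder, unchanged, to the target URL.
    Returns None when the prefix does not match on a path-segment boundary."""
    if request_path != prefix and not request_path.startswith(prefix.rstrip("/") + "/"):
        return None
    return target + request_path[len(prefix):]


def slash_mismatch(prefix, target):
    """True when only one of the two ProxyPass arguments ends in '/'."""
    return prefix.endswith("/") != urlsplit(target).path.endswith("/")


def audit(pairs, sample="/login"):
    """For each pair, report the mismatch flag and where prefix+sample lands."""
    return [(prefix, target, slash_mismatch(prefix, target),
             backend_url(prefix.rstrip("/") + sample, prefix, target))
            for prefix, target in pairs]


if __name__ == "__main__":
    for prefix, target, bad, url in audit([BEFORE, AFTER]):
        print(f"{prefix} -> {target}: mismatch={bad}, /login maps to {url}")
```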
Maybe, the firewall blocks Jenkins
For me, simply run this command to resolve this issue
/etc/init.d/iptables.sh stop

Unable to get Jupyter working with Apache Reverse Proxy for my Domain

I have the following entry in "/etc/apache2/sites-enabled" on my Ubuntu 15.10
<VirtualHost *:80>
ServerName "jupyter.xxxxxxxxxxxx.com"
ProxyPass / http://192.168.254.23:8888/
ProxyPassReverse / http://192.168.254.23:8888/
Header edit Origin "jupyter.xxxxxxxxxxxx.com" 192.168.254.23:8888
RequestHeader edit Origin "jupyter.xxxxxxxxxxxx.com" 192.168.254.23:8888
Header edit Referer "jupyter.xxxxxxxxxxxx.com" 192.168.254.23:8888
RequestHeader edit Referer "jupyter.xxxxxxxxxxxx.com" 192.168.254.23:8888
<Location ~ "/(user/[^/]*)/(api/kernels/[^/]+/channels|terminals/websocket)/?">
ProxyPass ws://192.168.254.23:8888/
ProxyPassReverse ws://192.168.254.23:8888/
</Location>
</VirtualHost>
After making the above entry I restarted apache: "sudo service apache2 restart"
When I attempt to run my script the Kernel is unable to connect.
Console Logs:
The same works when I specify the IP Address though:
Here's more info on my setup:
Apache is running on Server A (Ubuntu 15.4, IP: 192.168.254.201)
Jupyter installed on Server B (Centos 7, IP 192.168.254.23) as a Docker Image (https://www.dataquest.io/blog/data-science-quickstart-with-docker/)
And, I'm testing this from inside my home network, so no need to worry about proxy or ISP. I have the following entry in /etc/hosts
192.168.254.201 jupyter.xxxxxxxxxxxx.com

Apache httpd not behaving properly when running docker image

Environment :
- Docker version 1.6.2, build ba1f6c3/1.6.2
- Centos 7
- apache httpd 2.4.6
I have created the docker image of apache httpd. There is a simple shell script inside that starts the httpd server.
My start-httpd.sh
httpd -k start
#to keep process running
tail -f /dev/null
Now the configuration I copy to the docker image is similar to the one I run on my main host machine.
Sample config of load balancer:
<VirtualHost localhost:8000>
ServerName localhost
ProxyRequests off
ProxyPreserveHost on
ErrorLog logs/error_domain.log
SetHandler balancer-manager
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
<Location /balancer-manager>
SetHandler balancer-manager
Order allow,deny
Allow from all
</Location>
<Proxy balancer://idp>
BalancerMember http://punvm-core05.sigmasys.net:9091
BalancerMember http://punvm-core06.sigmasys.net:8091 status=+H
#ProxySet lbmethod=byrequests
ProxySet lbmethod=bytraffic
</Proxy>
ProxyPass /homepage balancer://idp
ProxyPassReverse /homepage balancer://idp
ProxyPass /assets balancer://idp/assets
ProxyPassReverse /assets balancer://idp/assets
ProxyPass /saml-idp balancer://idp/saml-idp
ProxyPassReverse /saml-idp balancer://idp/saml-idp
</VirtualHost>
Now this is how I run the docker image:
docker run -d -p 10000:8000 auth/loadbalancer /home/start-httpd.sh
I am able to access http://localhost:10000, but the page is different from what I expect.
Attaching snapshot of expected and unexpected httpd server page
Expected image, this is from my host machine:
Unexpected image when accessing apache mapped to port inside docker as mentioned in the docker command above:
Also, when I log in to the container and run a curl command, I can see the load balancer page in the response, but from outside the container I see the response of the unexpected image.
Please suggest why this is happening; am I missing something?
I am able to resolve this.
I had to run the command like this:
docker run -d --net=host auth/loadbalancer /home/start-httpd.sh
So I don't need any port mapping here; all the translation internal to the container is done automatically when using this.