I have a collection of web applications, with each running inside its own Docker Containers. I can access them locally via http://localhost:9001, for example. I want to access them remotely via https://site.example.com, instead. I have a wildcard Let's Encrypt certificate for example.com.
I understand I need Apache to do direct traffic from FQDN to Port. So I have setup a VirtualHost (below). Normal web activity seems to work fine. I can navigate the website normally.
However, when I try to login using OAuth (e.g. BitBucket), I get a URI redirect mismatch error. This does not happen when I run this outside of a container. I think there is something wrong with my Proxy setup. Is anyone able to advise how to rectify?
<VirtualHost *:443>
ServerAdmin admin#example.com
ServerName site.example.com
ServerSignature Off
ProxyRequests Off
ProxyPreserveHost On
ProxyPass / http://127.0.0.1:9001/
ProxyPassReverse / http://127.0.0.1:9001/
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
</IfModule>
SSLEngine On
SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/example.com/fullchain.pem
AllowEncodedSlashes NoDecode
</VirtualHost>
For such use case, Traefik is a very adapted tool. Coupled with docker-compose, you can setup multiple docker containers on the same host, each one having its own endpoint. To access them remotely, you just have then to bind remote host's IP address to all your endpoints (or use a public DNS that does it for you).
Here is a docker-compose.yml example using Traefik.
version: "3"
services:
traefik:
image: traefik:latest
command: --api --docker --logLevel=DEBUG
ports:
- "80:80"
- "443:443"
- "8082:8080"
volumes:
# So that Traefik can listen to the Docker events
- /var/run/docker.sock:/var/run/docker.sock
labels:
- "traefik.enable=false"
your_first_container:
image: <YOUR_IMAGE>
labels:
- "traefik.frontend.rule=Host:site.example.com"
- "traefik.port=9001"
Related
I'm trying to setup BaGet in Docker with Docker Compose behind an Apache2 reverse proxy, where Apache2 is also running in Docker from Docker Compose.
I've done this successful with Jenkins and Sonar, but with BaGet (http://localhost:8000/baget) I get "Service Unavailable" even though it's available directly on its own port, e.g.: http://localhost:5555/.
My Docker Compose file looks like this:
version: "3"
services:
smtp:
container_name: smtp
image: namshi/smtp
jenkins:
container_name: jenkins
build: ./jenkins/
environment:
- JENKINS_OPTS="--prefix=/jenkins"
sonar:
container_name: sonar
image: sonarqube:latest
environment:
- SONAR_WEB_CONTEXT=/sonar
baget:
container_name: baget
image: loicsharma/baget:latest
ports:
- "5555:80"
environment:
- PathBase=/baget
apache:
container_name: apache
build: ./apache/
ports:
- "8000:80"
My Apache2 Docker File looks like this:
FROM debian:stretch
RUN apt-get update
RUN apt-get install -y apache2 && apt-get clean
RUN a2enmod proxy
RUN a2enmod proxy_http
RUN a2dissite 000-default.conf
COPY devenv.conf /etc/apache2/sites-available/devenv.conf
RUN a2ensite devenv
EXPOSE 80
CMD apachectl -D FOREGROUND
And my Apache2 config file like this:
<VirtualHost *:80>
ServerAdmin ...
ServerName ...
ServerAlias devenv
ProxyRequests Off
AllowEncodedSlashes NoDecode
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPreserveHost on
ProxyPass /jenkins http://jenkins:8080/jenkins nocanon
ProxyPassReverse /jenkins http://jenkins:8080/jenkins nocanon
ProxyPass /sonar http://sonar:9000/sonar nocanon
ProxyPassReverse /sonar http://sonar:9000/sonar nocanon
ProxyPass /baget http://baget:5555/baget nocanon
ProxyPassReverse /baget http://baget:5555/baget nocanon
</VirtualHost>
I've tried various different compinations of ProxyPass URLs, I've tried using localhost instead of the internal Docker Compose serivces names, I've tried different ports and I've tried running BaGet without the PathBase environment variable and nothing works!
I'm hoping it's something obvious with my configuration and not something odd goign on with BaGet.
So, I was using the wrong port:
ProxyPass /baget http://baget:5555/baget nocanon
ProxyPassReverse /baget http://baget:5555/baget nocanon
should have been:
ProxyPass /baget http://baget/baget nocanon
ProxyPassReverse /baget http://baget/baget nocanon
Docker containers in Docker Compose speak to each other on the internally mapped port, not the external one. Which, now I know, makes perfect sense!
I have problems figuring out how to properly set up a web server with https which contains multiple Docker containers.
I have a main container running apache by using the "httpd" docker-image.
For simplicity lets call this website "main.com". SSL works perfectly here. I have set up the httpd.conf configuration file to redirect all calls to port 80 to port 443 and loaded SSL and proxy modules. (Port 80 and 443 are both exposed).
I have another Docker container which runs an API to serve geodata to "main.com". We can call this container for "side-container". In the Dockerfile for "side-container" I expose port 8080 from this. Then I can call "main.com:8080" to make a query to my "side-container" which runs the API.
Problem --> At least I could until I changed "main.com" to only use https.
I am stuck trying to get "side-container" to work again. When trying to connect to "main.com:8080" I get a timeout error.
My "docker ps" looks like this:
IMAGE COMMAND PORTS NAMES
main-container "httpd-foreground" 0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp, 0.0.0.0:9010->9010/tcp main
side-container:latest "/docker-entrypoint.…" 0.0.0.0:8080->8080/tcp side-container
I use docker-compose to control the containers, so perhaps I need to set something there?
I have made an attempt to get it working by using a reverse proxy setting in apache (see http.conf below), by using port 9010 on the "main" container to point to port 8080 on the "side-container".
I can get it to reply with an "internal server error" due to a failed SSL handshake, but no more than that.
My background is in pure physics and not software and webservers so maybe I am missing something obvious. Any hint is greatly appreciated.
From httpd.conf:
<IfModule mod_ssl.c>
Listen 443
Listen 8080
Listen 0.0.0.0:9010 https
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
SSLProtocol all -SSLv3
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect file:/dev/urandom 512
SSLSessionCache shmcb:/dev/ssl_gcache_data(512000)
</IfModule>
<Virtualhost *:443>
ServerName main.com
SSLEngine on
#Primary Certificate file
SSLCertificateFile /usr/local/apache2/conf/certificate.crt
#Private Key
SSLCertificateKeyFile /usr/local/apache2/conf/private.key
#Chain bundle file
SSLCertificateChainFile /usr/local/apache2/conf/ca_bundle.crt
</VirtualHost>
<Virtualhost 0.0.0.0:9010>
ServerName main.com
SSLEngine on
SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
SSLCertificateFile /usr/local/apache2/conf/certificate.crt
SSLCertificateKeyFile /usr/local/apache2/conf/private.key
SSLCertificateChainFile /usr/local/apache2/conf/ca_bundle.crt
ProxyPass /apptest http://0.0.0.0:8080/
ProxyPassReverse /apptest https://0.0.0.0:8080/
</VirtualHost>
docker-compose.yml:
version: '3'
services:
main-container:
build:
context: .
dockerfile: Dockerfile
container_name: "main"
restart: "always"
ports:
- "80:80"
- "443:443"
- "9010:9010"
links:
- side-container
networks:
- fu
side-container:
image: side-container:latest
container_name: "side-container"
ports:
- "8080:8080"
volumes:
- ${HOME}/data:/data
restart: "always"
networks:
- fu
networks:
fu:
driver: bridge
When linking docker containers within the same network with docker compose you need to reference them by the docker service name, thus instead of 0.0.0.0 use side-container:
ProxyPass /apptest http://side-container:8080/
ProxyPassReverse /apptest https://side-container:8080/
NOTE: the server running in the side container must be listening into 0.0.0.0:8080 in its httpd configuration.
Now you can remove from the docker compose file the ports declaration altogether, because both containers are in the same docker network, therefore you don't need to expose any ports. Exposing ports are only necessary if you want to reach the side-container from localhost in the host machine or from the internet.
So from the side container remove:
ports:
- "8080:8080"
Also in the docker compose file you should replace links with the new syntax depends_on:
depends_on:
- side-container
Ports declaration
For educational purpose.
Please bear in mind that when specifying the port like 8080:8080 is the same as 0.0.0.0:8080:8080 and 0.0.0.0 listens in all requests from the internet, thus to restrict them to localhost 127.0.0.1 of the machine running docker you would do 127.0.0.1:8080:8080.
I know, I know, Apache is not the best tool to use as HTTP proxy, however I need it on my server.
Here's my virtual host configuration:
<VirtualHost *:*>
RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
</VirtualHost>
<VirtualHost *:80>
ServerName my.public.domain
Redirect / https://my.public.domain/
</VirtualHost>
<VirtualHost *:443>
ProxyPreserveHost On
ProxyPass / http://127.0.0.1:50001/
ProxyPassReverse / http://127.0.0.1:50001/
ServerName my.public.domain
ErrorLog ${APACHE_LOG_DIR}my-app-error.log
CustomLog ${APACHE_LOG_DIR}my-app-access.log common
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/my-cert/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/my-cert/privkey.pem
</VirtualHost>
In UseUrls method i have http://localhost:50001 configured as main URL, and this is redirected by Apache to HTTPS #443.
It works as charm, however I see this in logs:
warn: Microsoft.AspNetCore.HttpsPolicy.HttpsRedirectionMiddleware[3]
Failed to determine the https port for redirect.
In my configuration Apache handles https traffic, BTW, I can't communicate my app with Apache locally over HTTPS, it just doesn't work. I also think it's pointless to encrypt local internal traffic.
Unfortunately my solution requires some hacking to work 100% properly - I need to provide my public site URL in my app configuration - otherwise the app doesn't know what it's external address is. I mean - I build some links manually, because this is the core of my question - I don't know where the framework would keep such information. For example NavigationManager thinks my site URL is "http://localhost:50001", so if I need absolute URL in my app I can't use NavigationManager directly, I need to "manually" create the URL in app.
Links generated by Identity have "http" instead of "https", but it works because apache redirects everything to https.
Is there a way (and HOW) to do it more properly - a mean to officially tell the AspNET.Core it has specific external URL?
Where you have ServerName my.public.domain, use the following:
For port 80:
ServerName http://my.public.domain:80
For port 443:
ServerName https://my.public.domain:443
I decided to post about my situation after many days of troubleshooting. I recently installed NextCloud as snap on Ubuntu 18.04 and everything worked fine. I did the port forwarding and used Let’s Encrypt (from snap commands) to create the certificates for NC.
Then I decided to install Collabora server on the same machine to use the office functionality. I used the official Collaboration guides for installation mentioned here. However, in this guide, it is assumed that NC is installed manually (not snap). According to guides, I had to install Apache (or any other proxy/web server) to proxy the traffic to whether NC or Collabora.
I think there is a problem with my proxy configuration or something wrong with SSL certificates. When both Apache and snap are running, I can get to Apache page and Collabora should be running, but cannot get to NC page.
I can go to (port 443) link below and get to the page (meaning Collabora is responding?)
https://collabora.domain.com/loleaflet/dist/admin/admin.html
But when accessing the NC domain, the browser says “Did Not Connect: Potential Security Issue” and complain that the certificates are not for that NC domain I am trying to connect but the certificate is for Collabora domain. If I stop the Apache and let Snap running, I can access the NC domain with no issues (except I need to set the ports to 443 and 80 again! Is this problematic?)
My Apache proxy config file (located under /etc/apache2/sites-available/) is as follows:
<VirtualHost *:444>
ServerName nextcloud.domain.com:444
ProxyPreserveHost On
ProxyPass / https://192.168.1.50/
ProxyPassReverse / https://192.168.1.50/
SSLProxyEngine on
SSLCertificateFile /etc/letsencrypt/live/nextcloud.domain.com/cert.pem
SSLCertificateChainFile /etc/letsencrypt/live/nextcloud.domain.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/nextcloud.domain.com/privkey.pem
</VirtualHost>
<VirtualHost *:443>
ServerName collabora.domain.com:443
# SSL configuration, you may want to take the easy route instead and use Lets Encrypt!
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/collabora.domain.com/cert.pem
SSLCertificateChainFile /etc/letsencrypt/live/collabora.domain.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/collabora.domain.com/privkey.pem
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-$
SSLHonorCipherOrder on
# Encoded slashes need to be allowed
AllowEncodedSlashes NoDecode
# Container uses a unique non-signed certificate
SSLProxyEngine On
SSLProxyVerify None
SSLProxyCheckPeerCN Off
SSLProxyCheckPeerName Off
# keep the host
ProxyPreserveHost On
# static html, js, images, etc. served from loolwsd
# loleaflet is the client part of LibreOffice Online
ProxyPass /loleaflet https://127.0.0.1:9980/loleaflet retry=0
ProxyPassReverse /loleaflet https://127.0.0.1:9980/loleaflet
# WOPI discovery URL
ProxyPass /hosting/discovery https://127.0.0.1:9980/hosting/discovery$
ProxyPassReverse /hosting/discovery https://127.0.0.1:9980/hosting/discovery
# Main websocket
ProxyPassMatch "/lool/(.*)/ws$" wss://127.0.0.1:9980/lool/$1/ws nocanon
# Admin Console websocket
ProxyPass /lool/adminws wss://127.0.0.1:9980/lool/adminws
# Download as, Fullscreen presentation and Image upload operations
ProxyPass /lool https://127.0.0.1:9980/lool
ProxyPassReverse /lool https://127.0.0.1:9980/lool
# Endpoint with information about availability of various features
ProxyPass /hosting/capabilities https://127.0.0.1:9980/hosting/capabilities retry=0
ProxyPassReverse /hosting/capabilities https://127.0.0.1:9980/hosting/capabilities
</VirtualHost>
To be honest, this is first time I am setting up proxy server that do not know how it works. Most of my config file is copied and think that is the issue :) If someone can have a look at it and guide me to the right direction, that would save me lots of headache and time.
I went through the same pain for a similar amount of time and eventaully got a simple solution.
The online instructions for docker here are correct except that they omit enabling proxy for websockets.
a2enmod proxy
a2enmod proxy_wstunnel
a2enmod proxy_http
a2enmod ssl
The only other change I had to make were to add --cap-add MKNOD to the docker start.
In Nextcloud I then only needed to add https://collab.example.com to the WAPI server address configuration after creating LetsEncrypt certs for my domain (obviously example.com is not my real domain).
I´m trying to overcome the ingress-gce limitation of redirect traffic from HTTP to HTTPS.
So, the easiest configuration whould be a Reverse Proxy with Apache2 but isn't working for me, this apache is in another VM apart from my kubernetes cluster, I just want to "proxy" the traffic so I can manipulate the request, redirect to https, etc
I´m need this specific solution to work as I can´t configure a nginx ingress at this point, it has to be done with this GCE ingress
My ingress yaml configuration is:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: my-ingress
annotations:
kubernetes.io/ingress.global-static-ip-name: my-reserved-address
kubernetes.io/ingress.allow-http: "false"
spec:
tls:
- hosts:
- mycustom.domain.com
secretName: mydomain-com-certificate
rules:
- host: mycustom.domain.com
http:
paths:
- path: /*
backend:
serviceName: tomcat-service
servicePort: 80
- path: /app/*
backend:
serviceName: spring-boot-app-service
servicePort: 80
My apache virtualhost configuration is:
<VirtualHost *:80>
ServerName myother.domain.com
Redirect permanent / https://myother.domain.com/
</VirtualHost>
<VirtualHost *:443>
ServerName myother.domain.com
ProxyPreserveHost On
ProxyRequests On
ProxyPass / https://mycustom.domain.com/
ProxyPassReverse / https://mycustom.domain.com/
SSLEngine on
SSLProxyEngine on
SSLProtocol All -SSLv2 -SSLv3
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!RC4:+HIGH:+MEDIUM
SSLCertificateKeyFile /etc/ssl/domain.com/domain.com-privatekey-nopass.pem
SSLCertificateFile /etc/ssl/domain.com/domain.com.crt
SSLCACertificateFile /etc/ssl/domain.com/IntermediateCA.crt
</VirtualHost>
Every piece of the puzzle is working independent as expected, I mean, if I go to any of the following
A) https://mycustom.domain.com/tomcat_context
B) https://mycustom.domain.com/app/hello
I get the desired results, A) I get my web page and B) I get a simple response from my app
However, when I use the proxy http://myother.domain.com/tomcat_context I can see how it transform to but I always get a TEXT response from the cluster, always is
default backend - 404
I´m also checking the Apache2 logs and I can see how the correct invocation is being made internally by apache
[Wed May 22 18:39:40.757619 2019] [proxy:debug] [pid 14196:tid 140335314564864] proxy_util.c(2213): [client xxx.xxx.xxx.xxx:52636] AH00944: connecting https://mycustom.domain.com/tomcat_context to mycustom.domain.com:443
I can´t find an explanation why this is happening if all the pieces are working properly, at the end of the day my ingress-gce is like an external service to my apache proxy, it should be working already.
Also both configurations, the ingress and the apache have SSL configured and its the same exact certificate as both are running on the same domain
Any help will be appreciated
The ingress controller doesn't have a handler for myother.domain.com so produces a 404.
You either need to setup an additional Ingress host for myother.domain.com or turn ProxyPreserveHost Off so the proxy sends the mycustom.domain.com host name from the ProxyPass config.
How the tomcat application make use of the Host header is usually the decider for which way you need to map the header through the proxy.