I'm using docker-compose to config my app with a meteor
app container and an nginx
container, here's my docker-compose
file:
version: '2'
services:
webapp:
image: webapp.image.uri:latest
ports:
- "3000:3000"
environment:
- ROOT_URL=https://my.app.url
nginx:
image: nginx.image.uri:latest
volumes:
- certs:/etc/letsencrypt
- certs-data:/data/letsencrypt
ports:
- "80:80"
- "443:443"
I'm using nginx
for handling HTTPS requests. What I want to do is to configure nginx
so that, when user access my.app.url
I can get the meteor
app (port 3000) working on port 443
.
By the way, here's the nginx
config that I'm using:
server {
listen 80;
listen [::]:80;
server_name my.app.url;
location / {
rewrite ^ https://$host$request_uri? permanent;
}
location ^~ /.well-known {
allow all;
root /data/letsencrypt/;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name my.app.url;
ssl on;
add_header Strict-Transport-Security "max-age=31536000" always;
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!ADH:!AECDH:!MD5;";
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4;
ssl_certificate /etc/letsencrypt/live/my.app.url/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/my.app.url/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/my.app.url/chain.pem;
access_log /dev/stdout;
error_log /dev/stderr info;
# other configs
}
Thanks so much in advanced !
What I want to do is to configure nginx so that, when user access my.app.url I can get the meteor app working on port 443
You can use the nginx_http_rewrite_module to redirect http to https permanently. Change your first server block to this:
server {
listen 80;
listen [::]:80;
server_name my.app.url;
return 301 https://my.app.url$request_uri;
}
more of nginx_http_rewrite_module you can refer this http://nginx.org/en/docs/http/ngx_http_rewrite_module.html#return
About port forward, imagine your app server listen the port 3000, you can add an upstream block to the http block.
upstream app {
server 127.0.0.1:3000; #image the nginx is in same machine with your app server
}
AND add this line to your second server block :
proxy_pass https://app;
And now all connections from outside will be https and you app listened at port 3000 could also handle request from 443.
I got it working. This is how I modified my docker-compose.yml
file:
version: '2'
services:
webapp:
image: webapp.image.uri:latest
ports:
- "3000:3000"
environment:
- ROOT_URL=https://my.app.url
nginx:
image: nginx.image.uri:latest
volumes:
- certs:/etc/letsencrypt
- certs-data:/data/letsencrypt
ports:
- "80:80"
- "443:443"
links: # new
- webapp
volumes_from:
- webapp
And this is the nginx
config file:
server {
listen 80;
listen [::]:80;
server_name my.app.url;
location / {
rewrite ^ https://$host$request_uri? permanent;
}
location ^~ /.well-known {
allow all;
root /data/letsencrypt/;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name my.app.url;
ssl on;
add_header Strict-Transport-Security "max-age=31536000" always;
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!ADH:!AECDH:!MD5;";
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4;
ssl_certificate /etc/letsencrypt/live/my.app.url/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/my.app.url/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/my.app.url/chain.pem;
access_log /dev/stdout;
error_log /dev/stderr info;
# other configs
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_redirect off;
proxy_pass http://webapp:3000;
}
}
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.