Nginx reverse SSL proxy docker-compose

Question

I'm trying to set up nginx as a reverse proxy on my Ubuntu 18.04 server.

I've set up what I thought was correct below, but hitting http://web.service.com lands me on the default nginx welcome screen (whereas it should redirect to https:// and going to https://web.service.com I end up with a 404 error screen.

I've got the following docker-compose.yml configuration:

version: "3"
services:
    web_service:
        image: "test/webservice"
        container_name: "webservice"
        hostname: "webservice"

    mysql:
        image: "mysql:5.7"
        container_name: "mysql"
        hostname: "mysql"

    nginx:
        build:
            context: .
            dockerfile: "Dockerfile"
        image: "nginx"
        container_name: "nginx"
        hostname: "nginx"
        ports:
            - "80:80"
            - "443:443"
        volumes:
            - "/var/nginx/data/certs:/etc/nginx/certs"

Note: web_service hosts a web page on port 8080

And I've got my default nginx.conf

user  nginx;
worker_processes  1;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;

    include /etc/nginx/conf.d/*.conf;
}

And my custom web_service.conf which is build into the new nginx image.

server {
    listen 80;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl default_server;

    server_name www.web.server.com web.server.com;

    ssl_session_cache  builtin:1000  shared:SSL:10m;
    ssl_protocols  SSLv3 TLSv1;
    ssl_ciphers ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM;

    access_log /var/log/nginx/access.log;
    error_log  /var/log/nginx/error.log info;

    keepalive_timeout 75 75;

    ssl_certificate /etc/nginx/certs/web_server.com.crt;
    ssl_certificate_key /etc/nginx/certs/web_server.com.key;
    ssl_session_timeout 5m;

    add_header Strict-Transport-Security "max-age=7200";

    location / {

      proxy_set_header        Host $host;
      proxy_set_header        X-Real-IP $remote_addr;
      proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header        X-Forwarded-Proto $scheme;

      proxy_pass          http://webservice:8080;
      proxy_read_timeout  90;
      proxy_redirect      http://webservice:8080 https://web.service.com;
    }
}

Previously I just the web_service and mysql in the compose file and I exposed port 80:8080 for web_server .

Any thoughts as to the issue?

Answer 1

Managed to solve my issue using the following config:

upstream docker-webapp {
    server webapp:8080;
}

server {
    listen 80;

    server_name _;

    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;    

    server_name www.example.com example.com;

    ## Access and error logs.
    access_log /var/log/nginx/access.log;
    error_log  /var/log/nginx/error.log info;

    ## Keep alive timeout set to a greater value for SSL/TLS.
    keepalive_timeout 75s;

    ## Server certificate and key.
    ssl_certificate         /etc/ssl/certs/certificate.crt;
    ssl_certificate_key     /etc/ssl/certs/certificate.key;
    ssl_dhparam             /etc/ssl/certs/dhparam.pem; 

    ssl_protocols TLSv1.2 TLSv1.3;               
    ssl_prefer_server_ciphers on; 
    ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
    ssl_ecdh_curve secp384r1;               
    ssl_session_timeout  10m;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;                
    ssl_stapling on;                        
    ssl_stapling_verify on;                  
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";

    location / {
        proxy_pass         http://docker-webapp;
        proxy_redirect     off;
        proxy_set_header   Host $host;
        proxy_set_header   X-Real-IP $remote_addr;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Host $server_name;
    }
}

as well as info found here: https://cipherli.st/

As a side note, the webapp I deployed needed to healthcheck itself, so I needed to install the public certificate into the webapp container's keystore. On top of that it also only supported up to TLSv1.2 hence why I added TLSv1.2 to the ssl_protocols line.

Answer 2

This doesn't directly answer your question, but you might give this Nginx container a try; it really makes automatically handling SSL a walk in the park.

https://hub.docker.com/r/linuxserver/letsencrypt

Answer 3

Due to in your image you're lacking of config of certificate, so you need to add ca-certificate to docker system certificates to use https (you can check it on the internet). Another thing about security risk in your config file is SSLv3. You should remove it to avoid POODLE attack .