How to set up reverse proxy with nginx, docker & cloudflare?

Time:10-30

I have recently switched my Fedora 36 server to use Docker. I tried to set up Trilium and my file hosting behind a reverse proxy. I am kind of lost with my basic knowledge of Docker networking and nginx reverse proxying. I set up hostnames for each container and verified that the containers can ping each other by hostname and that the host system can't. I configured the reverse proxy to also address the containers by hostname.

I can reach the containers with http://host-system-ip:port, but I can't access them through the reverse proxy or Cloudflare's IP. Not when using the hostnames and also not when using IPs in nginx.conf. Cloudflare just gives me: "Web server is down, Error code 521".

I already checked whether Fedora's SELinux policy may be the problem, did a lot of research online regarding these topics and tried a lot of different approaches. Relevant configs are listed below; I'd be very happy if someone could help me find a solution! (Anything marked with ??? is blanked out for privacy reasons. ???? is used to distinguish the second domain.)

docker-compose.yml

version: "3.9"

services:
  reverse-proxy:
    image: "nginx:stable-alpine"
    container_name: "reverse-proxy"
    networks:
      - frontend
      - backend
    hostname: "reverse-proxy"
    depends_on:
      - "filehost"
      - "trilium"
    volumes:
      - "~/dock/reverse-proxy/certs:/etc/nginx/certs:ro"
      - "~/dock/reverse-proxy/conf.d:/etc/nginx/conf.d:ro"
      - "~/dock/reverse-proxy/nginx.conf:/etc/nginx/nginx.conf:ro"
    ports:
      - "80:80"
      - "443:443"
    restart: "always"
  filehost:
    image: "nginx:stable-alpine"
    container_name: "filehost"
    networks:
      - backend
    hostname: "filehost"
    volumes:
      - "~/dock/filehost-data/html:/usr/share/nginx/html:ro"
      - "~/dock/filehost/conf.d:/etc/nginx/conf.d:ro"
      - "~/dock/filehost/nginx.conf:/etc/nginx/nginx.conf:ro"
    restart: "always"
  trilium:
    image: "zadam/trilium:latest"
    container_name: "trilium"
    networks:
      - backend
    hostname: "trilium"
    volumes:
      - "~/dock/trilium-data:/home/node/trilium-data"
    restart: "always"
    environment:
      USER_UID: "???"
      USER_GID: "???"

networks:
  frontend:
    internal: false
  backend:
    internal: true

nginx.conf (nginx - reverse-proxy & filehost)

# http://nginx.org/en/docs/ngx_core_module.html#worker_processes
worker_processes auto;
# http://nginx.org/en/docs/ngx_core_module.html#error_log
error_log /var/log/nginx/error.log;
# http://nginx.org/en/docs/ngx_core_module.html#pid
pid /run/nginx.pid;
# http://nginx.org/en/docs/ngx_core_module.html#include
include /usr/share/nginx/modules/*.conf;

# https://nginx.org/en/docs/ngx_core_module.html#events
events {
    # http://nginx.org/en/docs/ngx_core_module.html#worker_connections
    worker_connections 1024;
}

# http://nginx.org/en/docs/http/ngx_http_core_module.html#http
http {
    # http://nginx.org/en/docs/http/ngx_http_log_module.html#access_log
    access_log /var/log/nginx/access.log combined;
    # http://nginx.org/en/docs/ngx_core_module.html#include
    include /etc/nginx/mime.types;
    # https://nginx.org/en/docs/http/ngx_http_core_module.html#default_type
    default_type application/octet-stream;
    # http://nginx.org/en/docs/ngx_core_module.html#include
    include /etc/nginx/conf.d/sites-enabled/*.conf;
}

reverse-proxy.conf (nginx - reverse-proxy)

# http://nginx.org/en/docs/http/ngx_http_core_module.html#server
server {
    # http://nginx.org/en/docs/http/ngx_http_core_module.html#listen
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    # http://nginx.org/en/docs/ngx_core_module.html#include
    include /etc/nginx/conf.d/ssl.conf;
    # http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate
    ssl_certificate /etc/nginx/certs/???.pem;
    # http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate_key
    ssl_certificate_key /etc/nginx/certs/???.key;
    # http://nginx.org/en/docs/http/ngx_http_core_module.html#server_name
    server_name ??? www.???;
    # https://nginx.org/en/docs/http/ngx_http_core_module.html#location
    location / {
        # http://nginx.org/en/docs/ngx_core_module.html#include
        include /etc/nginx/conf.d/common-location.conf;
        # http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass
        proxy_pass http://filehost:???/;
        # https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_redirect
        proxy_redirect http://filehost:??? https://???;
    }
    # http://nginx.org/en/docs/ngx_core_module.html#include
    include /etc/nginx/conf.d/common.conf;
}

# http://nginx.org/en/docs/http/ngx_http_core_module.html#server
server {
    # http://nginx.org/en/docs/http/ngx_http_core_module.html#listen
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    # http://nginx.org/en/docs/ngx_core_module.html#include
    include /etc/nginx/conf.d/ssl.conf;
    # http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate
    ssl_certificate /etc/nginx/certs/????.pem;
    # http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate_key
    ssl_certificate_key /etc/nginx/certs/????.key;
    # http://nginx.org/en/docs/http/ngx_http_core_module.html#server_name
    server_name ???? www.????;
    # https://nginx.org/en/docs/http/ngx_http_core_module.html#location
    location / {
        # http://nginx.org/en/docs/ngx_core_module.html#include
        include /etc/nginx/conf.d/common-location.conf;
        # http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass
        proxy_pass http://trilium:???/;
        # https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_redirect
        proxy_redirect http://trilium:??? https://????;
    }
    # http://nginx.org/en/docs/ngx_core_module.html#include
    include /etc/nginx/conf.d/common.conf;
}

# http://nginx.org/en/docs/ngx_core_module.html#include
include /etc/nginx/conf.d/redirect.conf;

/etc/nginx/conf.d/ssl.conf (nginx - reverse-proxy)

# http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols
ssl_protocols TLSv1.3;
# http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ciphers
# Note: with ssl_protocols restricted to TLSv1.3 this list (and ssl_dhparam below)
# only matters for older protocols; TLS 1.3 cipher suites are not selected by ssl_ciphers.
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM';
# http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ecdh_curve
ssl_ecdh_curve secp384r1;
# http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_prefer_server_ciphers
ssl_prefer_server_ciphers on;
# http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam
ssl_dhparam /etc/nginx/certs/dhparam.pem;
# http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache
ssl_session_cache shared:SSL:10m;
# http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_timeout
ssl_session_timeout 10m;
# http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_tickets
ssl_session_tickets off;
# http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
ssl_stapling on;
# http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling_verify
ssl_stapling_verify on;
# http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_verify_client
# Cloudflare Authenticated Origin Pulls: only clients presenting a certificate
# signed by the CA below (Cloudflare's edge) can complete the TLS handshake.
# A direct test against the host with curl/browser will be answered with a 400
# unless it presents such a client certificate; that is expected, not a 521.
ssl_verify_client on;
# http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_client_certificate
ssl_client_certificate /etc/nginx/certs/authenticated_origin_pull_ca.pem;
# http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_trusted_certificate
ssl_trusted_certificate /etc/nginx/certs/origin_ca_ecc_root.pem;

/etc/nginx/conf.d/common-location.conf (nginx - reverse-proxy)

# https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_http_version
proxy_http_version 1.1;
# https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cache_bypass
proxy_cache_bypass $http_upgrade;
# http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_read_timeout
proxy_read_timeout 90;
# https://docs.oracle.com/en-us/iaas/Content/Balance/Reference/httpheaders.htm
proxy_set_header X-Real-IP $remote_addr;
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto
proxy_set_header X-Forwarded-Proto $scheme;
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Host
proxy_set_header Host $host;
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host
proxy_set_header X-Forwarded-Host $host;
# https://docs.oracle.com/en-us/iaas/Content/Balance/Reference/httpheaders.htm
proxy_set_header X-Forwarded-Port $server_port;
# http://nginx.org/en/docs/http/websocket.html
# Note: this sends "Connection: upgrade" to the backend on every request, not only
# on WebSocket upgrades. The nginx docs recommend a map on $http_upgrade in the
# http context so that plain requests keep "Connection: close"/keep-alive.
## https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Upgrade
proxy_set_header Upgrade $http_upgrade;
## https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Connection
proxy_set_header Connection 'upgrade';

/etc/nginx/conf.d/common.conf (nginx - reverse-proxy)

# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
add_header Strict-Transport-Security "max-age=15780000; includeSubDomains; preload" always;
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
add_header X-Frame-Options SAMEORIGIN;
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
add_header X-XSS-Protection "1; mode=block";
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
add_header X-Content-Type-Options nosniff;
# http://nginx.org/en/docs/http/ngx_http_core_module.html#server_tokens
server_tokens off;
# http://nginx.org/en/docs/http/ngx_http_gzip_module.html#gzip
gzip off;
# http://nginx.org/en/docs/http/ngx_http_core_module.html#sendfile
sendfile on;
# http://nginx.org/en/docs/http/ngx_http_core_module.html#tcp_nopush
tcp_nopush on;
# http://nginx.org/en/docs/http/ngx_http_core_module.html#tcp_nodelay
tcp_nodelay on;
# http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout
keepalive_timeout 65;
# http://nginx.org/en/docs/http/ngx_http_core_module.html#types_hash_max_size
types_hash_max_size 4096;
# http://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size
# 0 disables the request-body size limit entirely; fine for trusted uploads,
# but consider a concrete ceiling if the proxy is reachable by anonymous clients.
client_max_body_size 0;

/etc/nginx/conf.d/redirect.conf (nginx - reverse-proxy)

# http://nginx.org/en/docs/http/ngx_http_core_module.html#server
server {
    # http://nginx.org/en/docs/http/ngx_http_core_module.html#listen
    listen 80;
    listen [::]:80;
    # http://nginx.org/en/docs/http/ngx_http_core_module.html#server_name
    server_name _;
    # http://nginx.org/en/docs/http/ngx_http_rewrite_module.html#return
    return 301 https://$host$request_uri;
}

???.conf (nginx - filehost)

# http://nginx.org/en/docs/http/ngx_http_core_module.html#server
server {
    # http://nginx.org/en/docs/http/ngx_http_core_module.html#listen
    listen 80 default_server;
    listen [::]:80 default_server;
    # http://nginx.org/en/docs/http/ngx_http_core_module.html#server_name
    server_name ??? www.???;
    # https://nginx.org/en/docs/http/ngx_http_core_module.html#location
    location / {
        # http://nginx.org/en/docs/http/ngx_http_autoindex_module.html#autoindex
        autoindex on;
        # http://nginx.org/en/docs/http/ngx_http_autoindex_module.html#autoindex_exact_size
        autoindex_exact_size off;
        # http://nginx.org/en/docs/http/ngx_http_autoindex_module.html#autoindex_format
        autoindex_format html;
        # http://nginx.org/en/docs/http/ngx_http_autoindex_module.html#autoindex_localtime
        autoindex_localtime off;
    }
    # http://nginx.org/en/docs/http/ngx_http_core_module.html#root
    root /usr/share/nginx/html;
}

CodePudding user response:

The missing ; was the problem. The answer is in the question now since I just added 2 missing ;.
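
nginx refuses to start on a config it cannot parse, so the container exits and Cloudflare sees a closed port, which it reports as error 521. The small linter below is an added example (not code from the question or the answer): it tokenizes nginx.conf syntax and reports directives that are not terminated by ';', including the case nginx itself only notices late, when the next directive is silently glued on as extra arguments. The sample config is constructed, modelled on the ssl.conf above with two semicolons removed.

```python
import re
# Per-line nginx.conf tokenizer: quoted strings, ; { }, comments, bare words.
# Assumes no quoted value spans lines (true for the configs in the question).
_TOK = re.compile(r"""'(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*"|[;{}]|#.*|[^\s;{}#"']+""")

def tokenize(text):
    """Yield (token, line_no) pairs with comments dropped."""
    for n, line in enumerate(text.splitlines(), 1):
        for tok in _TOK.findall(line):
            if not tok.startswith("#"):
                yield tok, n
def lint(text):
    """Report directives not terminated by ';'. nginx itself only notices a missing
    ';' at '}' or EOF; otherwise the next directive is glued on as extra arguments,
    so a directive whose ';' lands on a later line is flagged too (heuristic)."""
    problems, stack, cur, start = [], [], [], None
    for tok, n in tokenize(text):
        if tok in (";", "{"):
            if not cur:
                problems.append(f"line {n}: unexpected '{tok}'")
            elif n != start:
                problems.append(f"line {start}: '{cur[0]}' ends on line {n}; missing ';'?")
            if tok == "{":
                stack.append(cur[0] if cur else "?")
            cur, start = [], None
        elif tok == "}":
            if cur:
                problems.append(f"line {start}: '{cur[0]}' is not terminated by ';'")
                cur, start = [], None
            if stack:
                stack.pop()
            else:
                problems.append(f"line {n}: unexpected '}}'")
        else:
            start = n if not cur else start
            cur.append(tok)
    if cur:
        problems.append(f"line {start}: '{cur[0]}' is not terminated by ';'")
    if stack:
        problems.append(f"block '{stack[-1]}' is never closed")
    return problems

# Constructed sample modelled on the question's ssl.conf, with two ';' removed.
SAMPLE = """ssl_protocols TLSv1.3
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM';
server {
    listen 443 ssl http2;
    ssl_verify_client on
}
"""
```

`nginx -t` (for this setup `docker compose exec reverse-proxy nginx -t`) remains the authoritative check; the script only catches the error before the container is restarted.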
