jwilder/nginx-proxy: Not able to integrate ssl with Nginx

We are working on setting up multiple website hosting on a single port with jwilder/nginx-proxy via SSL. We are able to deploy the solution without SSL and it is working fine, but when we try to put it behind SSL it fails on the HTTPS call. Our docker-compose file is as below:

docker-compose.yml

site1:
  build: site1
  environment:
    VIRTUAL_HOST: site1.domainlocal.com
    VIRTUAL_PROTO: https
  restart: always

site2:
  build: site2
  environment:
    VIRTUAL_HOST: site2.domainlocal.com
    VIRTUAL_PROTO: https
  restart: always

site3:
  build: site3
  environment:
    VIRTUAL_HOST: site3.domainlocal.com
    VIRTUAL_PROTO: https
  restart: always

nginx-proxy:
  image: jwilder/nginx-proxy:alpine
  ports:
    - "80:80"
    - "443:443"
  volumes:
    - /var/run/docker.sock:/tmp/docker.sock:ro
    - certs:/etc/nginx/certs:ro

  restart: always
  privileged: true

PS: the "certs" folder is kept in the same folder as the docker-compose file.

Using a self-signed certificate generated with openssl.

Folder structure is like:

Main_folder-|
            |- docker-compose.yml
            |
            |- certs/.csr and .key files
            |
            |- site1/Dockerfile + Nodejs
            |- site2/Dockerfile + Nodejs
            |- site3/Dockerfile + Nodejs

Please suggest the possible cause of the issue and a solution for it.

Output of docker ps:

CONTAINER ID        IMAGE                 COMMAND                  CREATED             STATUS              PORTS                                      NAMES
c71b52c3e6bd        compose_site3   "/bin/sh -c 'node ..."   3 days ago          Up 3 days           80/tcp                                     compose_site3_1
41ffb9ec3983        jwilder/nginx-proxy   "/app/docker-entry..."   3 days ago          Up 3 days           0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp   compose_nginx-proxy_1
a154257c62ec        compose_site1   "/bin/sh -c 'node ..."   3 days ago          Up 3 days           80/tcp                                     compose_site1_1
3ed556e9287e        compose_site2   "/bin/sh -c 'node ..."   3 days ago          Up 3 days           80/tcp                                     compose_site2_1
Rothermere answered 27/9, 2017 at 8:52 Comment(11)
Please correct your docker-compose.yml formatting. – Unipod
This code was copied from a Linux machine, so it is appearing this way. Its indentation is perfectly fine on the actual machine, and it is also working perfectly fine without HTTPS. – Rothermere
Formatting has been updated. – Rothermere
What is the error that you get when using https? – Unipod
While trying to open the URL using https it shows "site1.domainlocal.com refused to connect. ERR_CONNECTION_REFUSED". – Rothermere
This is in your browser? Or in some logs? – Unipod
On a curl command I'm getting: curl: (35) Unknown SSL protocol error in connection to site1.domainlocal.com:443 – Rothermere
I just tried to connect to it right now; http works for me but https has a connection refused. – Unipod
It's happening with me as well: http is working without any issue but https is failing. – Rothermere
Add the output of docker ps to your question. – Unipod
@TarunLalwani I have added the output of docker ps to the question. – Rothermere

So after spending so much time on it, I am finally able to solve the issue. For SSL integration with jwilder/nginx-proxy there is no mandate to name the certificate and key after the domain; instead they can have any name, you just need to mention the certificate name in the docker-compose file (I found this approach just by trial and error). So your docker-compose file should look like:

site1:
  build: site1
  environment:
    VIRTUAL_HOST: site1.domainlocal.com
    CERT_NAME: mycertificate
  volumes:
    - /etc/ssl/certs:/etc/ssl/certs:ro
  restart: always

site2:
  build: site2
  environment:
    VIRTUAL_HOST: site2.domainlocal.com
    CERT_NAME: mycertificate
  volumes:
    - /etc/ssl/certs:/etc/ssl/certs:ro
  restart: always

site3:
  build: site3
  environment:
    VIRTUAL_HOST: site3.domainlocal.com
    CERT_NAME: mycertificate
  volumes:
    - /etc/ssl/certs:/etc/ssl/certs:ro
  restart: always

nginx-proxy:
  image: jwilder/nginx-proxy:alpine
  ports:
    - "80:80"
    - "443:443"
  environment:
    DEFAULT_HOST: domainlocal.com #default host
    CERT_NAME: mycertificate # Wildcard Certificate name without extension
  volumes:
    - /var/run/docker.sock:/tmp/docker.sock:ro
    - /etc/ssl/certs:/etc/nginx/certs  #certificate path in docker container

  restart: always
  privileged: true

and just build and run the compose using "docker-compose up --build", and congrats, now you are on a secured layer.

Rothermere answered 6/10, 2017 at 11:28 Comment(3)
Hi, I am still new. Could you explain how to get CERT_NAME? Is that the name of the file mycertificate? If I'm using it on localhost, must I change domainlocal.com to localhost? – Dogoodism
You can use any name (e.g. the default name) of your certificate. – Rothermere
"Contents of /etc/nginx/conf.d/default.conf did not change. Skipping notification 'nginx -s reload'" – I got this error.. :( – Dogoodism

Your certificate should end with a '.crt' extension, not '.csr'. Also make sure it is named appropriately for the domain, matching the VIRTUAL_HOST variable. According to the documentation:

The certificate and keys should be named after the virtual host with a .crt and .key extension. For example, a container with VIRTUAL_HOST=foo.bar.com should have a foo.bar.com.crt and foo.bar.com.key file in the certs directory.

Bloodcurdling answered 4/10, 2017 at 0:37 Comment(1)
We have got the solution for it, which we will post here very soon. The conclusion is that there is no mandate to name the certificate after the domain name; it can have any name, and yes, they should have .crt and .key extensions, as the jwilder proxy recognizes only .crt and .key files. Will update the final solution soon. – Rothermere
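Both answers above come down to what nginx-proxy finds in its certs directory: the accepted answer relies on CERT_NAME, the other on .crt/.key files named after VIRTUAL_HOST. The script below is an added example, not code from the thread or from nginx-proxy, that audits a certs listing against each service's VIRTUAL_HOST/CERT_NAME and explains why the question's layout (a .csr plus a .key, no .crt) yields no usable certificate. The lookup order it assumes (CERT_NAME, then the exact host name, then the parent domain for a wildcard cert) is taken from the nginx-proxy README rather than from this page, and all file names are constructed.

```python
"""Audit an nginx-proxy certs directory against the VIRTUAL_HOST / CERT_NAME
settings of the proxied services.  Added example, not code from the thread."""

# Lookup order assumed from the nginx-proxy README (not stated in this thread):
#   1. <CERT_NAME>.crt / .key      if CERT_NAME is set on the service
#   2. <VIRTUAL_HOST>.crt / .key
#   3. <parent domain>.crt / .key  (wildcard cert, e.g. domainlocal.com.crt)
def candidate_names(virtual_host, cert_name=None):
    names = [cert_name] if cert_name else []
    names.append(virtual_host)
    parent = virtual_host.split(".", 1)[1] if "." in virtual_host else ""
    if "." in parent:  # "domainlocal.com" qualifies, a bare TLD does not
        names.append(parent)
    return names


def resolve_cert(files, virtual_host, cert_name=None):
    """files: names present in the certs dir.  Returns (basename, problems):
    basename is the .crt/.key pair nginx-proxy would load, or None."""
    files = set(files)
    problems = []
    for name in candidate_names(virtual_host, cert_name):
        has_crt, has_key = f"{name}.crt" in files, f"{name}.key" in files
        if has_crt and has_key:
            return name, problems
        if has_crt != has_key:
            problems.append(f"{name}: incomplete pair (crt={has_crt}, key={has_key})")
        if f"{name}.csr" in files and not has_crt:
            problems.append(f"{name}.csr is a signing request, not a certificate; "
                            "only .crt/.key files are loaded")
    problems.append(f"{virtual_host}: no usable certificate, HTTPS on 443 will fail")
    return None, problems


def audit(files, services):
    """services: list of {'VIRTUAL_HOST': ..., 'CERT_NAME': ...} env dicts."""
    return {s["VIRTUAL_HOST"]: resolve_cert(files, s["VIRTUAL_HOST"], s.get("CERT_NAME"))
            for s in services}


if __name__ == "__main__":
    hosts = ["site1.domainlocal.com", "site2.domainlocal.com", "site3.domainlocal.com"]
    # Constructed listing matching the question: a CSR and a key, no .crt
    broken = {"site1.domainlocal.com.csr", "site1.domainlocal.com.key"}
    # Constructed listing matching the accepted answer: one pair selected via CERT_NAME
    fixed = {"mycertificate.crt", "mycertificate.key"}
    for label, files, cert_name in [("question", broken, None), ("answer", fixed, "mycertificate")]:
        report = audit(files, [{"VIRTUAL_HOST": h, "CERT_NAME": cert_name} for h in hosts])
        for host, (name, problems) in report.items():
            print(f"[{label}] {host}: {name or 'NONE'} {problems}")
```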
