Nginx-proxy: SSL/https running problem using docker image of reverse nginx-proxy

Created on 12 Jul 2016 · 3 Comments · Source: nginx-proxy/nginx-proxy

Hi, I am cross-posting here a message I posted in the rocket.chat application issues, because I don't know if it comes from the nginx-proxy or rocket.chat docker images.

https://github.com/RocketChat/Rocket.Chat/issues/3757


I'm using the latest version of rocket chat.

I use the great Automated Nginx Reverse Proxy for Docker: nginx-proxy, made by @jwilder https://github.com/jwilder/nginx-proxy

sudo docker run --name nginx -d -p 80:80 -p 443:443 -v /var/run/docker.sock:/tmp/docker.sock:ro -v /etc/ssl/certs:/etc/nginx/certs jwilder/nginx-proxy

As you can see here, the certificate is accessible without too many problems from outside, so nginx gets the correct team.comnmodel.org.cert and team.comnmodel.org.key from /etc/ssl/certs.

You can see more information here on ssllabs. I see there that the server supports weak Diffie-Hellman (DH) key exchange parameters; do I need to change the cert / key names?

But when I check the logs with docker logs nginx I see this error:

nginx.1    | 2016/07/12 16:25:59 [error] 36#36: *39 peer closed connection in SSL handshake while SSL handshaking to upstream, client: 193.52.161.53, server: team.comnmodel.org, request: "GET /favicon.ico HTTP/1.1", upstream: "https://172.17.0.4:3000/favicon.ico", host: "team.comnmodel.org", referrer: "https://team.comnmodel.org/"
nginx.1    | team.comnmodel.org 193.52.161.53 - - [12/Jul/2016:16:25:59 +0000] "GET /favicon.ico HTTP/1.1" 502 575 "https://team.comnmodel.org/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/51.0.2704.79 Chrome/51.0.2704.79 Safari/537.36"

The generated conf in /etc/nginx/conf.d/default.conf is:

root@6b38363acc86:/etc/nginx/conf.d# ls
default.conf
root@6b38363acc86:/etc/nginx/conf.d# cat default.conf  
# If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
# scheme used to connect to this server
map $http_x_forwarded_proto $proxy_x_forwarded_proto {
  default $http_x_forwarded_proto;
  ''      $scheme;
}
# If we receive Upgrade, set Connection to "upgrade"; otherwise, delete any
# Connection header that may have been passed to this server
map $http_upgrade $proxy_connection {
  default upgrade;
  '' close;
}
gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
log_format vhost '$host $remote_addr - $remote_user [$time_local] '
                 '"$request" $status $body_bytes_sent '
                 '"$http_referer" "$http_user_agent"';
access_log off;
# HTTP 1.1 support
proxy_http_version 1.1;
proxy_buffering off;
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $proxy_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;

server {  
        server_name _; # This is just an invalid value which will never trigger on a real hostname.
        listen 80;  
        access_log /var/log/nginx/access.log vhost;
        return 503;  
}
upstream team.comnmodel.org {
                                ## Can be connect with "bridge" network
                        # rocketchat
                        server 172.17.0.4:3000;
}
server {
        server_name team.comnmodel.org;
        listen 443 ssl http2 ;
        access_log /var/log/nginx/access.log vhost;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
        ssl_prefer_server_ciphers on;
        ssl_session_timeout 5m;
        ssl_session_cache shared:SSL:50m;
        ssl_certificate /etc/nginx/certs/team.comnmodel.org.crt;
        ssl_certificate_key /etc/nginx/certs/team.comnmodel.org.key;
        location / {
                proxy_pass https://team.comnmodel.org;
        }
}
server {
        server_name team.comnmodel.org;
        listen 80 ;
        access_log /var/log/nginx/access.log vhost;
        location / {
                proxy_pass https://team.comnmodel.org;
        }
}

I run rocketchat with this configuration, using the environment variables provided by https://github.com/jwilder/nginx-proxy:

sudo docker-compose up -d mongo
sudo docker-compose run -d --name rocketchat -e VIRTUAL_HOST="team.comnmodel.org" -e VIRTUAL_PROTO="https" -e VIRTUAL_PORT="3000" -e HTTPS_METHOD="noredirect" rocketchat
d401a4407ec1        rocketchat/rocket.chat:latest   "node main.js"           27 minutes ago      Up 27 minutes       3000/tcp                                   rocketchat
6b38363acc86        jwilder/nginx-proxy             "/app/docker-entrypoi"   30 minutes ago      Up 30 minutes       0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp   nginx
80a0879219c0        osixia/openldap                 "/container/tool/run"    3 hours ago         Up 3 hours          0.0.0.0:389->389/tcp, 636/tcp              openLdap
6d24fc1be9bf        mongo                           "/entrypoint.sh mongo"   4 days ago          Up 4 days           27017/tcp                                  rocketchat_mongo_1

My docker-compose is a copy/paste of the docker-compose given in the rocket.chat documentation.

But https://team.comnmodel.org/ or http://team.comnmodel.org/ continue to return a 502 Bad Gateway error :-1:

When I use rocket chat with nginx-proxy SSL / 443:443 disabled, it works perfectly.

I don't know if it's a problem with nginx-proxy, or a problem with the rocket.chat ssl configuration.

All 3 comments

Hi, try removing VIRTUAL_PROTO="https"; that tells nginx-proxy to talk https with the rocket chat container, which does not seem to be the case, it probably wants plain http.

Thanks @wader, it works now :) :+1:

This helped me debug the nginx config from here. I needed to change the https in proxy_pass to http.
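As an added diagnostic (not part of this issue or of nginx-proxy itself), the check below parses the "SSL handshaking to upstream" error line and the generated default.conf quoted in the issue and flags the mismatch wader and the last comment describe: nginx proxying with https:// to a container that only answers plain HTTP because VIRTUAL_PROTO="https" was set. The log line and config are constructed from the issue and trimmed; the function names are my own.

```python
import re

# Constructed sample input: the error line and the relevant part of default.conf above.
ERROR_LOG = [
    'nginx.1    | 2016/07/12 16:25:59 [error] 36#36: *39 peer closed connection in SSL '
    'handshake while SSL handshaking to upstream, client: 193.52.161.53, '
    'server: team.comnmodel.org, request: "GET /favicon.ico HTTP/1.1", '
    'upstream: "https://172.17.0.4:3000/favicon.ico", host: "team.comnmodel.org"',
]
CONFIG = """
upstream team.comnmodel.org {
        server 172.17.0.4:3000;
}
server {
        location / {
                proxy_pass https://team.comnmodel.org;
        }
}
"""

ERR_RE = re.compile(
    r'\[error\] \d+#\d+: \*\d+ (?P<msg>.*?), client: (?P<client>\S+), '
    r'server: (?P<server>\S+), request: "[^"]*", upstream: "(?P<upstream>[^"]*)"'
)

def parse_error(line):
    """Return the fields of an nginx [error] line, or None if it is not one."""
    m = ERR_RE.search(line)
    return m.groupdict() if m else None

def https_upstreams(conf):
    """Map each upstream name that is proxied with https:// to its server address."""
    servers = {}
    for name, body in re.findall(r'upstream\s+(\S+)\s*\{([^}]*)\}', conf):
        addr = re.search(r'server\s+([\w.:-]+);', body)
        if addr:
            servers[name] = addr.group(1)
    names = re.findall(r'proxy_pass\s+https://([^;/\s]+)', conf)
    return {n: servers.get(n) for n in names}

def diagnose(lines, conf):
    """List (vhost, upstream address) pairs where nginx failed a TLS handshake to an
    upstream the config proxies with https://, i.e. VIRTUAL_PROTO=https on a plain-HTTP container."""
    tls_targets = https_upstreams(conf)
    found = []
    for line in lines:
        err = parse_error(line)
        if not err or 'SSL handshaking to upstream' not in err['msg']:
            continue
        addr = re.sub(r'^https://([^/]+).*$', r'\1', err['upstream'])  # strip scheme and path
        if addr in tls_targets.values():
            found.append((err['server'], addr))
    return found
```

With VIRTUAL_PROTO dropped, nginx-proxy regenerates the location with proxy_pass http://, and the same log lines no longer produce a finding.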
