fsouza / docker-ssl-proxy

Builds a docker image that proxies SSL calls to another docker container (fork of bombbomb/docker-ssl-proxy)

doesn't work without proxy_redirect #71

Open d9k opened 2 years ago

d9k commented 2 years ago

See https://stackoverflow.com/a/24521632/1760643.

I have an issue where HTTP redirects issued by the upstream point at `http://TARGET_HOST` (the internal container name) instead of `https://DOMAIN`, so the browser is sent straight to the unencrypted upstream and bypasses the proxy.

Solved it:

> docker exec -it {NGINX_SSL_PROXY_CONTAINER_NAME} sh
# vi /etc/nginx/nginx.conf

inside the

location / {
}

block I added

proxy_redirect http://{TARGET_HOST} https://{DOMAIN}:{SSL_PORT};

(you need to replace {TARGET_HOST} etc with your values)

Then

# nginx -s reload

d9k commented 2 years ago

BTW, there is also an undocumented SERVER_NAME env variable... Please fix the docs; it's unclear when SERVER_NAME should be used versus DOMAIN. :sweat_smile:

d9k commented 2 years ago

I suggest adding

proxy_redirect http://${TARGET_HOST} https://${SERVER_NAME}:${SSL_PORT};

into nginx.conf.template

Right now I replace the bundled template by bind-mounting my own: `-v nginx.conf.template:/nginx.conf.template`

bedla commented 6 months ago

I have the same issue exposing Keycloak behind local SSL. Thanks @d9k for the hint about the custom `.template` file and the `proxy_redirect` directive.

For test case, my docker-compose.yaml looks like this:

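version: "3.9"
services:
  keycloak:
    image: "quay.io/keycloak/keycloak:24.0.3"
    environment:
      # Test-only bootstrap credentials. Never reuse them outside a local
      # reproduction; create a real admin and remove this one after first login.
      KEYCLOAK_ADMIN: "admin"
      KEYCLOAK_ADMIN_PASSWORD: "admin"
    # Deliberately no host `ports:` here. Keycloak is started with
    # --http-enabled=true (plain HTTP) and must only be reachable through
    # ingress-proxy on the shared network; publishing 8080 on the host would
    # open an unencrypted path that bypasses the TLS proxy entirely.
    networks:
      - my-network
    command:
      - "start-dev"
      - "--hostname-url=https://localhost:8443"
      - "--hostname-admin-url=https://localhost:8443"
      # nginx sets the X-Forwarded-* family, so trust that family. With
      # `forwarded` Keycloak would instead trust an RFC 7239 `Forwarded`
      # header that nginx does not set and a client can supply itself.
      - "--proxy-headers=xforwarded"
      - "--http-enabled=true"
      # Exposes a hostname-resolution debug page; keep it off outside local tests.
      - "--hostname-debug=true"
  ingress-proxy:
    image: fsouza/docker-ssl-proxy
    environment:
      DOMAIN: localhost
      # The template below uses ${SERVER_NAME}; set it explicitly rather than
      # relying on whatever default the image applies.
      SERVER_NAME: localhost
      # Quoted so the values are rendered as strings, not YAML integers.
      SSL_PORT: "8443"
      TARGET_SCHEME: http
      TARGET_HOST: keycloak
      TARGET_PORT: "8080"
    ports:
      - "8443:8443"
    networks:
      - my-network
    volumes:
      # Override the image's bundled template with the one below
      # (adds the proxy_redirect rules that fix the redirect loop).
      - ./nginx.conf.template:/nginx.conf.template

networks:
  my-network: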

and template file nginx.conf.template looks like this:

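worker_processes 1;
pid /run/nginx.pid;
daemon off;

error_log stderr info;

events { worker_connections 1024; }

http {
    sendfile on;

    # WebSocket pass-through: send "Connection: upgrade" only when the client
    # asked for an upgrade, otherwise "close".
    map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;
    }

    server {
        listen ${SSL_PORT} ssl;

        client_max_body_size ${CLIENT_MAX_BODY_SIZE};
        ssl_certificate     /etc/nginx/certs/cert.pem;
        ssl_certificate_key /etc/nginx/certs/key.pem;

        # A plain-HTTP request on the TLS port produces 497; bounce it to https.
        # 307 (rather than 301) preserves the method and body on the retry.
        error_page 497 301 =307 https://${SERVER_NAME}:${SSL_PORT}$request_uri;

        ssl_session_cache  builtin:1000  shared:SSL:10m;
        ssl_protocols  TLSv1.2 TLSv1.3;
        ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
        ssl_prefer_server_ciphers on;

        location / {
            proxy_pass  ${TARGET_SCHEME}://${TARGET_HOST}:${TARGET_PORT};
            proxy_http_version 1.1;
            proxy_set_header Host              ${TARGET_HOST_HEADER};
            # Proxy-trust headers are overwritten (not merged) so a client cannot
            # smuggle its own values past the proxy. X-Forwarded-For is the one
            # that appends; an upstream must therefore trust only the last hop.
            proxy_set_header X-Real-IP         $remote_addr;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Host  $host;
            # Non-default TLS port: tell the upstream which port the client used.
            proxy_set_header X-Forwarded-Port  ${SSL_PORT};
            # RFC 7239 form for upstreams configured to trust `Forwarded` (e.g.
            # Keycloak --proxy-headers=forwarded). Setting it also replaces any
            # client-supplied Forwarded header, which nginx would otherwise pass
            # through untouched. NOTE(review): assumes IPv4 clients; RFC 7239
            # requires the IPv6 form to be bracketed and quoted in for=.
            proxy_set_header Forwarded         "for=$remote_addr;proto=$scheme;host=$host";
            proxy_set_header Upgrade           $http_upgrade;
            proxy_set_header Connection        $connection_upgrade;

            # Rewrite Location/Refresh headers that name the internal upstream so
            # the browser is sent back through the TLS proxy. The first matching
            # rule wins, so the host:port form goes first; the bare-host form
            # (trailing slash, so it cannot prefix-match "host:port") covers
            # redirects the upstream emits without a port.
            proxy_redirect ${TARGET_SCHEME}://${TARGET_HOST}:${TARGET_PORT} https://${SERVER_NAME}:${SSL_PORT};
            proxy_redirect ${TARGET_SCHEME}://${TARGET_HOST}/ https://${SERVER_NAME}:${SSL_PORT}/;

            proxy_buffer_size        128k;
            proxy_buffers            4 256k;
            proxy_busy_buffers_size  256k;
        }
    }
}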