Closed Hamsterman closed 1 year ago
I have now tried this with another container - the exact same issue.
docker run -d --name ReverseProxy -p 80:80 -p 443:443 --net=host -v //etc/DockerStorage/ReverseProxy:/etc/nginx/certs -v /var/run/docker.sock:/tmp/docker.sock:ro --restart=unless-stopped jwilder/nginx-proxy
docker run -d --name HomeAssistant -e VIRTUAL_HOST=DOMAIN.COM -e VIRTUAL_PORT=8123 --net=host --expose=8123 -v "//etc/DockerStorage/HomeAssistant:/config" -v /etc/localtime:/etc/localtime:ro --restart=unless-stopped homeassistant/home-assistant:stable
Anyone?
Same. Hosts are marked as being offline unless in bridge mode.
docker run -d --name HomeAssistant -e VIRTUAL_HOST=DOMAIN.COM -e VIRTUAL_PORT=8123 --net=host --expose=8123 -v "//etc/DockerStorage/HomeAssistant:/config" -v /etc/localtime:/etc/localtime:ro --restart=unless-stopped homeassistant/home-assistant:stable
I'm not a docker expert, but I don't think putting both containers on the host network works, since the expose option probably doesn't work on the host (same as publishing ports).
In this case, maybe you should try port forwarding. Remove "--net=host --expose=8123" and add "-p 8123:8123". For example:
docker run -d --name HomeAssistant -p 8123:8123 -e VIRTUAL_HOST=DOMAIN.COM -e VIRTUAL_PORT=8123 -v "//etc/DockerStorage/HomeAssistant:/config" -v /etc/localtime:/etc/localtime:ro --restart=unless-stopped homeassistant/home-assistant:stable
I believe Home Assistant may need --net host to function properly and be able to contact/detect all accessories.
To anyone affected by this, could you:
nginxproxy/nginx-proxy:0.9.3
--net=host mode with the environment variable DEBUG set to true
--net=host proxied containers
docker exec run nginxproxy nginx -T (replace nginxproxy with the name of your nginx-proxy container)
Have the same problem, trying to run Pi-hole together with other services. Found the tip to look at the config before stumbling over this issue.
It looks to my uninformed eyes as if nginx-proxy gets confused because it expects to be able to ask docker for an internal IP, but running the containers in host net mode there is none and nginx is unable to create an entry. So nginx-proxy should probably be changed to detect running with --net=host and use the system IP (or 0.0.0.0, idk) for that.
$ docker exec run nginx-proxy nginx -T
Error: No such container: run
$ docker exec nginx-proxy nginx -T
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;
events {
worker_connections 10240;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
#gzip on;
include /etc/nginx/conf.d/*.conf;
}
daemon off;
# configuration file /etc/nginx/mime.types:
types {
text/html html htm shtml;
text/css css;
text/xml xml;
image/gif gif;
image/jpeg jpeg jpg;
application/javascript js;
application/atom+xml atom;
application/rss+xml rss;
text/mathml mml;
text/plain txt;
text/vnd.sun.j2me.app-descriptor jad;
text/vnd.wap.wml wml;
text/x-component htc;
image/avif avif;
image/png png;
image/svg+xml svg svgz;
image/tiff tif tiff;
image/vnd.wap.wbmp wbmp;
image/webp webp;
image/x-icon ico;
image/x-jng jng;
image/x-ms-bmp bmp;
font/woff woff;
font/woff2 woff2;
application/java-archive jar war ear;
application/json json;
application/mac-binhex40 hqx;
application/msword doc;
application/pdf pdf;
application/postscript ps eps ai;
application/rtf rtf;
application/vnd.apple.mpegurl m3u8;
application/vnd.google-earth.kml+xml kml;
application/vnd.google-earth.kmz kmz;
application/vnd.ms-excel xls;
application/vnd.ms-fontobject eot;
application/vnd.ms-powerpoint ppt;
application/vnd.oasis.opendocument.graphics odg;
application/vnd.oasis.opendocument.presentation odp;
application/vnd.oasis.opendocument.spreadsheet ods;
application/vnd.oasis.opendocument.text odt;
application/vnd.openxmlformats-officedocument.presentationml.presentation
pptx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
xlsx;
application/vnd.openxmlformats-officedocument.wordprocessingml.document
docx;
application/vnd.wap.wmlc wmlc;
application/wasm wasm;
application/x-7z-compressed 7z;
application/x-cocoa cco;
application/x-java-archive-diff jardiff;
application/x-java-jnlp-file jnlp;
application/x-makeself run;
application/x-perl pl pm;
application/x-pilot prc pdb;
application/x-rar-compressed rar;
application/x-redhat-package-manager rpm;
application/x-sea sea;
application/x-shockwave-flash swf;
application/x-stuffit sit;
application/x-tcl tcl tk;
application/x-x509-ca-cert der pem crt;
application/x-xpinstall xpi;
application/xhtml+xml xhtml;
application/xspf+xml xspf;
application/zip zip;
application/octet-stream bin exe dll;
application/octet-stream deb;
application/octet-stream dmg;
application/octet-stream iso img;
application/octet-stream msi msp msm;
audio/midi mid midi kar;
audio/mpeg mp3;
audio/ogg ogg;
audio/x-m4a m4a;
audio/x-realaudio ra;
video/3gpp 3gpp 3gp;
video/mp2t ts;
video/mp4 mp4;
video/mpeg mpeg mpg;
video/quicktime mov;
video/webm webm;
video/x-flv flv;
video/x-m4v m4v;
video/x-mng mng;
video/x-ms-asf asx asf;
video/x-ms-wmv wmv;
video/x-msvideo avi;
}
# configuration file /etc/nginx/conf.d/default.conf:
# nginx-proxy version : 1.0.1-6-gc4ad18f
# If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
# scheme used to connect to this server
map $http_x_forwarded_proto $proxy_x_forwarded_proto {
default $http_x_forwarded_proto;
'' $scheme;
}
# If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
# server port the client connected to
map $http_x_forwarded_port $proxy_x_forwarded_port {
default $http_x_forwarded_port;
'' $server_port;
}
# If we receive Upgrade, set Connection to "upgrade"; otherwise, delete any
# Connection header that may have been passed to this server
map $http_upgrade $proxy_connection {
default upgrade;
'' close;
}
# Apply fix for very long server names
server_names_hash_bucket_size 128;
# Default dhparam
ssl_dhparam /etc/nginx/dhparam/dhparam.pem;
# Set appropriate X-Forwarded-Ssl header based on $proxy_x_forwarded_proto
map $proxy_x_forwarded_proto $proxy_x_forwarded_ssl {
default off;
https on;
}
gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
log_format vhost '$host $remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" '
'"$upstream_addr"';
access_log off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers off;
error_log /dev/stderr;
resolver 1.1.1.1 [fd00::e228:6dff:fef4:5a37];
# HTTP 1.1 support
proxy_http_version 1.1;
proxy_buffering off;
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $proxy_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
proxy_set_header X-Original-URI $request_uri;
# Mitigate httpoxy attack (see README for details)
proxy_set_header Proxy "";
server {
server_name _; # This is just an invalid value which will never trigger on a real hostname.
server_tokens off;
listen 80;
listen [::]:80;
access_log /var/log/nginx/access.log vhost;
return 503;
}
# pi.hole
upstream pi.hole {
# Exposed ports: []
# Default virtual port: 80
# VIRTUAL_PORT: 8080
# /!\ Virtual port not exposed
## Can be connected with "host" network
# pihole
# /!\ No IP for this network!
# Fallback entry
server 127.0.0.1 down;
}
server {
server_name pi.hole;
listen 80 default_server;
listen [::]:80 default_server;
access_log /var/log/nginx/access.log vhost;
location / {
proxy_pass http://pi.hole;
}
}
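An added example, not part of the thread or of nginx-proxy itself: a small checker that reads `nginx -T` output like the dump above and reports every upstream whose only servers are marked `down`, together with the `/!\` warnings the template left in that block. The sample input is constructed from the pi.hole block above plus a hypothetical healthy upstream (`app.example.test`) for contrast.

```python
import re

# Constructed sample: the pi.hole upstream block from the dump above,
# plus a hypothetical healthy upstream for contrast.
SAMPLE = """\
upstream pi.hole {
    # Exposed ports: []
    # Default virtual port: 80
    # VIRTUAL_PORT: 8080
    # /!\\ Virtual port not exposed
    ## Can be connected with "host" network
    # pihole
    # /!\\ No IP for this network!
    # Fallback entry
    server 127.0.0.1 down;
}
upstream app.example.test {
    # app
    server 172.17.0.3:8123;
}
"""

# An upstream block: name, then everything up to the first line-leading "}".
UPSTREAM_RE = re.compile(r"^\s*upstream\s+(\S+)\s*\{(.*?)^\s*\}", re.S | re.M)
# An active (uncommented) server directive inside the block.
SERVER_RE = re.compile(r"^\s*server\s+([^;]+);", re.M)
# Diagnostic comments the nginx-proxy template writes as "# /!\ ...".
WARNING_RE = re.compile(r"^\s*#\s*/!\\\s*(.+?)\s*$", re.M)


def dead_upstreams(nginx_dump):
    """Map each upstream with no usable server to the template's warnings."""
    findings = {}
    for name, body in UPSTREAM_RE.findall(nginx_dump):
        servers = [s.split() for s in SERVER_RE.findall(body)]
        # A server is usable unless the "down" parameter follows its address.
        live = [s for s in servers if "down" not in s[1:]]
        if not live:
            findings[name] = WARNING_RE.findall(body)
    return findings


if __name__ == "__main__":
    import sys
    dump = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for name, warnings in dead_upstreams(dump).items():
        print(f"{name}: no live server ({'; '.join(warnings) or 'no warning'})")
```

Saved under a name of your choosing (here `check_upstreams.py`, a hypothetical filename), it can be fed the real output with `docker exec nginx-proxy nginx -T | python3 check_upstreams.py`.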
Found the relevant lines in the template:
Your issue might be similar to #2144
It looks to my uninformed eyes as if nginx-proxy gets confused because it expects to be able to ask docker for an internal IP, but running the containers in host net mode there is none and nginx is unable to create an entry. So nginx-proxy should probably be changed to detect running with --net=host and use the system IP (or 0.0.0.0, idk) for that.
Just submitted a PR that implements this. It detects containers running host networking and uses the gateway of the proxy bridge network as the upstream IP. This means it'll work for any target containers that listen on either this specific host interface, or more commonly listening on all host interfaces.
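The selection rule described in the comment above, as an added sketch that is not the PR's code: given `docker inspect` data for the proxy and a target, pick the upstream address, using the gateway of a bridge network the proxy is attached to when the target runs with host networking. The inspect excerpts are constructed, and returning no address when the proxy itself has no bridge network is an assumption that mirrors the fallback entry seen in the dump earlier in the thread.

```python
# Constructed `docker inspect` excerpts (only the fields used below).
PROXY = {
    "HostConfig": {"NetworkMode": "bridge"},
    "NetworkSettings": {"Networks": {
        "bridge": {"IPAddress": "172.17.0.2", "Gateway": "172.17.0.1"}}},
}
HOST_TARGET = {  # started with --net=host: no per-container IP
    "HostConfig": {"NetworkMode": "host"},
    "NetworkSettings": {"Networks": {"host": {"IPAddress": "", "Gateway": ""}}},
}
BRIDGE_TARGET = {
    "HostConfig": {"NetworkMode": "bridge"},
    "NetworkSettings": {"Networks": {
        "bridge": {"IPAddress": "172.17.0.3", "Gateway": "172.17.0.1"}}},
}


def networks(container):
    """Per-network settings of a container, keyed by network name."""
    return container["NetworkSettings"]["Networks"]


def upstream_for(target, proxy, port):
    """Return "ip:port" for the nginx upstream, or None if unreachable."""
    if target["HostConfig"]["NetworkMode"] == "host":
        # Host-networked target: reach it through the host side of a bridge
        # the proxy is attached to, i.e. that network's gateway address.
        for net in networks(proxy).values():
            if net.get("Gateway"):
                return f"{net['Gateway']}:{port}"
        return None  # assumption: proxy has no bridge network, so no entry
    # Normal case: use the target's IP on a network shared with the proxy.
    for name, net in networks(target).items():
        if name in networks(proxy) and net.get("IPAddress"):
            return f"{net['IPAddress']}:{port}"
    return None


if __name__ == "__main__":
    print(upstream_for(HOST_TARGET, PROXY, 8123))
    print(upstream_for(BRIDGE_TARGET, PROXY, 8123))
    print(upstream_for(HOST_TARGET, HOST_TARGET, 8123))
```

As the comment notes, the gateway address only reaches the target if the target listens on that host interface or on all interfaces.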
I am trying to use the reverseproxy in "-net host" mode but it seems like I keep getting a "Bad gateway". Is this a bug, or what am I doing wrong?
I first reported it at homebridge, but they suggested it was a ReverseProxy issue. https://github.com/homebridge/homebridge/issues/2731