Open tnemeth opened 2 years ago
In conf/opencve.cfg:
server_name variable is set to 192.168.42.202/opencve
use_reverse_proxy is set to True
In docker-compose.yml, I changed the webserver ports to 127.0.0.1:${OPENCVE_PORT:-8000}:8000 in order to limit the listening service to be on localhost:8000 only.
Then, nginx configuration is as specified above:
location /opencve {
    include proxy_params;
    proxy_pass http://localhost:8000;
}
The output of docker ps displays the webserver correctly listening on 127.0.0.1:8000. So why can't the webserver display pages correctly?
What am I missing?
@ldurnez any idea on that ?
I'm coming back for news on this subject :) Is there a means to get logs of why requests fail?
Hi,
Any news on this subject ? I'm facing exactly the same issue
Hi,
Could you give us the content of include proxy_params;?
I think you are missing some headers in your nginx config.
proxy_pass http://webserver:8000;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
To go further: https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_set_header
It worked for me with this config:
Part of docker-compose.yml
loadbalancer:
  <<: *opencve_defaults
  image: nginx:latest
  volumes:
    - ./nginx.conf:/etc/nginx/nginx.conf:ro
  depends_on:
    - webserver
  networks:
    - frontend
  ports:
    - ${OPENCVE_PORT:-8000}:80
webserver:
  <<: *opencve_defaults
  build:
    context: .
    args:
      - OPENCVE_VERSION=${OPENCVE_VERSION}
      - HTTP_PROXY=${HTTP_PROXY:-}
      - HTTPS_PROXY=${HTTPS_PROXY:-}
    dockerfile: Dockerfile
  depends_on:
    - postgres
  command: webserver -b 0.0.0.0:8000
  deploy:
    replicas: 3
  networks:
    - frontend
    - backend
File: nginx.conf
http {
    server {
        listen 80;
        location / {
            proxy_pass http://webserver:8000;
            proxy_set_header Host $http_host;
        }
    }
}
Hi !
The contents of proxy_params are the following:
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
The proxy_pass http://webserver:8000; line shouldn't be necessary here since it's in the sites-enabled/revers-proxy file along the server configuration (what you put in your nginx.conf file). Note that I use the nginx installation on the host system, not in another docker.
My reverse-proxy configuration is then:
# redirects accesses to host:443 (SSL) to localhost:8000 (no ssl)
# since logins/passwords would circulate in clear otherwise
server {
    listen 443 ssl default_server;
    # TODO : use real certs.
    include snippets/snakeoil.conf;
    # ...
    location /opencve {
        include proxy_params;
        # opencve docker exposes its web interface on localhost:8000
        proxy_pass http://localhost:8000;
        proxy_set_header Host $http_host;
    }
}
I just added the last proxy_set_header Host $http_host; line with no effect... I'll have a deeper look at my conf since I let it alone for all these months as I couldn't have that https access...
When using nginx as a reverse proxy, my docker-compose.yml webserver section is:
services:
  webserver:
    <<: *opencve_defaults
    container_name: webserver
    build:
      context: .
      args:
        - OPENCVE_VERSION=${OPENCVE_VERSION}
        - HTTP_PROXY=${HTTP_PROXY:-}
        - HTTPS_PROXY=${HTTPS_PROXY:-}
      dockerfile: Dockerfile
    depends_on:
      - postgres
    command: webserver -b 0.0.0.0:8000
    networks:
      - backend
    ports:
      - 127.0.0.1:${OPENCVE_PORT:-8000}:8000
Also, the server_name in opencve.cfg is set to server_name = public.ip.addr/opencve when configuring the docker for https accesses from the reverse proxy.
Context
Hi.
I'm in the process of switching the web access to https using a reverse proxy on the host on which the dockers are instantiated. The reverse proxy, using nginx, is configured to map the host public ip address (for now) as follows:
The opencve.cfg file is modified so that the server_name variable is the ip.ad.dr.es/opencve and set use_reverse_proxy to True. I didn't change the Dockerfile nor the docker-compose.yml file regarding to the launch of the web server command.
Expected Behavior
I expected the service would be usable over https.
Actual Behavior
A 404 error page is displayed. Changing the server_name to that of the public address and port makes opencve reachable but without being proxyfied.
Steps to Reproduce the Problem
Specifications
Screenshots (optional)
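To see what the application container receives under the configurations posted in this thread, the following added example (not code from the thread or from the OpenCVE project) models nginx's documented proxy_pass URI handling together with the proxy_params headers. The request path /login, the client addresses and the third, trailing-slash variant are constructed for comparison; how OpenCVE itself routes each path is not modeled.

```python
from urllib.parse import urlsplit


def upstream_request(location, proxy_pass, request_uri, scheme, http_host,
                     remote_addr, client_xff=None):
    """Model what nginx sends upstream for a prefix location using proxy_params."""
    if not request_uri.startswith(location):
        raise ValueError(f"{request_uri!r} does not match location {location!r}")
    target = urlsplit(proxy_pass)
    if target.path == "":
        # proxy_pass without a URI part: the request URI is passed unchanged.
        path = request_uri
    else:
        # proxy_pass with a URI part: the matched location prefix is replaced by it.
        path = target.path + request_uri[len(location):]
    # $proxy_add_x_forwarded_for appends $remote_addr to any client-sent value.
    xff = f"{client_xff}, {remote_addr}" if client_xff else remote_addr
    return {
        "upstream": target.netloc,
        "path": path,
        "Host": http_host,            # proxy_set_header Host $http_host
        "X-Real-IP": remote_addr,     # proxy_set_header X-Real-IP $remote_addr
        "X-Forwarded-For": xff,
        "X-Forwarded-Proto": scheme,  # proxy_set_header X-Forwarded-Proto $scheme
    }


# Constructed client; 203.0.113.7 is a documentation-range placeholder address.
CLIENT = dict(scheme="https", http_host="192.168.42.202", remote_addr="203.0.113.7")


def thread_cases():
    """The two setups from the thread plus one constructed variant."""
    return {
        "host nginx, location /opencve": upstream_request(
            "/opencve", "http://localhost:8000", "/opencve/login", **CLIENT),
        "nginx container, location /": upstream_request(
            "/", "http://webserver:8000", "/login",
            scheme="http", http_host="localhost:8000", remote_addr="203.0.113.7"),
        "constructed variant, URI in proxy_pass": upstream_request(
            "/opencve/", "http://localhost:8000/", "/opencve/login", **CLIENT),
    }


if __name__ == "__main__":
    for name, req in thread_cases().items():
        print(f"{name}: GET {req['path']} -> {req['upstream']} (Host: {req['Host']})")
```

Comparing the modeled path with the request line in the webserver container's own log shows whether the /opencve prefix reaches the application or is removed by the proxy.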