I am putting together a demo server for a project which has multiple www sites and express/node servers. All of that runs on a single platform.
On the front end, I have an nginx handling https, and routing traffic to the proper destinations.
Behind that sit a couple of nginx instances, serving my web sites (along with multiple Express servers). All is working great, except that I think the websites server nginx instances are connected directly to port 80, when I would want all traffic to go through my front end nginx. When I run a docker ps, I get the following:
    CONTAINER ID   IMAGE                 COMMAND                  CREATED          STATUS              PORTS                                      NAMES
    3ce18a670fae   anon_nginx-demo       "/docker-entrypoint.…"   11 minutes ago   Up About a minute   0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp   nginx-demo
    1836dd0362fe   anon_www-admin-anon   "/docker-entrypoint.…"   11 minutes ago   Up About a minute   80/tcp                                     www-admin-anon
    ...
(showing only a relevant subset here).
The instance anon_www-admin-anon clearly shows port 80 going out, or am I reading this wrong? I don't believe I have opened port 80 on this instance anywhere, it is supposed to listen to 8080, which the front end nginx talks to.
On the front end, the corresponding /etc/nginx/conf.d file is:

    upstream www-anon {
        server www-admin-anon:8080;
    }
    server {
        listen 80;
        server_name my.domain.com www.my.domain.com;
        location ^~ /.well-known {
            access_log /var/log/nginx/access.log main;
            root /etc/letsencrypt/webroot;
        }
        location / {
            if ($scheme = http) {
                return 301 https://my.domain.com$request_uri;
            }
        }
    }
    server {
        listen 443 ssl http2;
        server_name www.my.domain.com;
        ssl_certificate /etc/letsencrypt/live/my.domain.com/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/my.domain.com/privkey.pem; # managed by Certbot
        return 301 https://my.domain.com$request_uri;
    }
    server {
        listen 443 ssl http2;
        server_name my.domain.com;
        ssl_certificate /etc/letsencrypt/live/my.domain.com/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/my.domain.com/privkey.pem; # managed by Certbot
        location / {
            # access_log off;
            proxy_pass http://www-anon;
            proxy_redirect off;
            proxy_set_header Host $host;
            # Find client IP address,
            # see https://stackoverflow.com/questions/10849687/express-js-how-to-get-remote-client-address
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Host $server_name;
            proxy_set_header X-Forwarded-Proto https;
        }
    }
The website servers are based on nginx:1.19.6-alpine. There is a single /etc/nginx/conf.d/default.conf file:

    server {
        listen 8080;
        # listen [::]:8080;
        server_name mydomain.com www.my.domain.com;
        location / {
            root /usr/share/nginx/html;
            index index.html index.htm;
            # Let react-router-dom control paths
            # https://stackoverflow.com/a/49252605/9316077
            try_files $uri /index.html;
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root /usr/share/nginx/html;
        }
    }
I've been tweaking this thing for hours and don't see where this port 80 is coming from. If I add this in my docker-compose:

    www-admin-anon:
      ports:
        - 8080:80

Then the 80 port gets moved:

    baf6c9797f96   anon_nginx-demo       "/docker-entrypoint.…"   9 seconds ago    Up 7 seconds    0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp   nginx-demo
    fb45bb620cd7   anon_www-admin-anon   "/docker-entrypoint.…"   12 seconds ago   Up 10 seconds   0.0.0.0:8080->80/tcp                       www-admin-anon
But... I don't believe I ever opened it in the first place. Is there something in the nginx:1.19.6-alpine image which is going to open port 80 by default?
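
An added example, not part of the original post: a small parser for the PORTS column of `docker ps` that separates ports published on the host (`host_ip:host_port->container_port/proto`) from ports that are only listed as exposed (a bare `port/proto`, which comes from image or container metadata such as a Dockerfile `EXPOSE` and has no host-side binding). The sample values are copied from the output above; the function names are hypothetical.

```python
import re

# PORTS values copied from the `docker ps` output in the post (sample input).
SAMPLE = {
    "nginx-demo": "0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp",
    "www-admin-anon": "80/tcp",
    "www-admin-anon (with ports: 8080:80)": "0.0.0.0:8080->80/tcp",
}

_PORT = r"\d+(?:-\d+)?"  # single port or a range such as 8000-8010
PUBLISHED = re.compile(
    rf"^(?P<ip>.+):(?P<host>{_PORT})->(?P<ctr>{_PORT})/(?P<proto>\w+)$")
EXPOSED = re.compile(rf"^(?P<ctr>{_PORT})/(?P<proto>\w+)$")


def parse_ports(column):
    """Return (published, exposed_only) for one PORTS column value."""
    published, exposed_only = [], []
    for entry in (e.strip() for e in column.split(",")):
        if not entry:
            continue  # container with no ports listed
        m = PUBLISHED.match(entry)
        if m:
            published.append((m["ip"], m["host"], m["ctr"], m["proto"]))
            continue
        m = EXPOSED.match(entry)
        if m:
            exposed_only.append((m["ctr"], m["proto"]))
            continue
        raise ValueError(f"unrecognised PORTS entry: {entry!r}")
    return published, exposed_only


def host_bindings(column):
    """Host-side sockets opened for a container, skipping loopback-only ones."""
    published, _ = parse_ports(column)
    return [f"{ip}:{host}/{proto}" for ip, host, _, proto in published
            if not ip.startswith("127.") and ip not in ("::1", "[::1]")]


if __name__ == "__main__":
    for name, column in SAMPLE.items():
        published, exposed_only = parse_ports(column)
        print(f"{name}: published={published} exposed_only={exposed_only}")
```

For the `www-admin-anon` row in the first listing, `host_bindings` returns an empty list: the `80/tcp` entry is listed but nothing is bound on the host for it.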