Hello, I want to use a proxy container in front of other containers. I’ve already successfully configured this using HAProxy, but I would like to do it with nginx.
It worked well without SSL: the requests were successfully transmitted. But with SSL, I can't get it to work.
Here is my nginx configuration for the proxy:
server {
    listen 80;
    listen [::]:80;
    server_name sub.domain.tld;
    include conf.d/acme.inc;
    include conf.d/redirect_http.inc;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name sub.domain.tld;

    ssl on; # redundant with the "ssl" parameter of "listen" above; deprecated since nginx 1.15.0
    ssl_certificate /etc/ssl/acme/sub.domain.tld/fullchain.pem;
    ssl_certificate_key /etc/ssl/acme/private/sub.domain.tld/privkey.pem;
    ssl_protocols TLSv1.2; # Because stable nginx
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/dhparam.pem;
    ssl_ciphers 'ECDH+CHACHA20:ECDHE+AES:!SHA1';
    ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
    ssl_session_timeout 1h;
    ssl_session_cache shared:SSL:20m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on; # verification only works with the issuer chain in ssl_trusted_certificate

    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";

    # used for OCSP stapling; the static proxy_pass hostname below is resolved
    # once at startup by the system resolver, not by these servers
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;

    location / {
        proxy_set_header X-Forwarded-By $server_addr:$server_port;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;
        proxy_pass http://containername.lxd/; # TLS terminates here; plain HTTP to the backend
    }
}
And here is a very basic configuration on the target container (containername):
server {
    listen 80;
    listen [::]:80;
    root /www/sub.domain.tld/;
    index index.html;
    server_name sub.domain.tld; # matches the Host header the proxy forwards

    location / {
        try_files $uri $uri/ =404;
    }

    location ~ /\.ht {
        deny all;
    }
}
My iptables (and ip6tables) rules shouldn’t be an issue because they worked well with HAProxy, and I use the same container, with the same IPs.
If I try to curl from a remote host, I get this error:
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to sub.domain.tld:443
Any idea where the problem might be?
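An added diagnostic example (not part of the original post or of nginx): a small Python probe that does what curl did against port 443, but separates the failure modes that all look alike from the outside. `SSL_ERROR_SYSCALL` means the TCP connection was accepted and then closed or reset while the handshake was in flight, which is a different symptom from "connection refused" (nothing listening, or an iptables REJECT), a timeout (iptables DROP or wrong address) or a TLS alert (protocol, cipher or SNI mismatch). The stub listeners and the closed port are constructed local fixtures so the script runs offline; the address `203.0.113.10` in the comment is a documentation placeholder, not the poster's host.

```python
"""Classify why a TLS handshake to host:port fails (added example, not from the post)."""
import socket
import ssl
import threading


def probe_tls(host, port, server_name=None, timeout=5.0):
    """Return (status, detail) for one TLS handshake attempt to host:port.

    status is one of:
      'ok'       handshake completed; detail = negotiated protocol version
      'refused'  TCP RST on connect: nothing listening, or a firewall REJECT
      'timeout'  no TCP answer at all: firewall DROP, wrong IP or route
      'dropped'  TCP connected, then the peer closed/reset mid-handshake
                 (the case curl reports as SSL_ERROR_SYSCALL)
      'tls'      TLS-level failure: peer spoke plaintext, sent an alert, or
                 rejected the protocol/cipher/SNI; detail = OpenSSL reason
    Certificate verification is disabled on purpose: this probes whether the
    listener speaks TLS at all, not whether its certificate is trusted.
    """
    sni = server_name or host
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused", "connect() refused"
    except (socket.timeout, TimeoutError):
        return "timeout", "connect() timed out"
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            return "ok", tls.version()
    except ssl.SSLEOFError as exc:
        return "dropped", f"EOF during handshake: {exc}"
    except (ConnectionResetError, BrokenPipeError) as exc:
        return "dropped", f"reset during handshake: {exc}"
    except ssl.SSLError as exc:
        reason = exc.reason or str(exc)
        if "EOF" in reason.upper():  # OpenSSL 3 reports a close as an SSL error
            return "dropped", f"EOF during handshake: {reason}"
        return "tls", reason
    except (socket.timeout, TimeoutError):
        return "timeout", "handshake timed out"
    finally:
        sock.close()


def start_stub_listener(behaviour):
    """Constructed local stand-in for a misbehaving port 443 (test fixture).

    'drop'      accept, read the ClientHello, close without answering
    'plaintext' answer the ClientHello with an HTTP/1.1 response, i.e. a
                listener that is up but was never given "listen 443 ssl"
    Returns the ephemeral port; serves exactly one connection.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(4096)  # consume the ClientHello
            if behaviour == "plaintext":
                conn.sendall(b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n")
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def closed_port():
    """Pick a loopback port that nothing listens on (fixture for 'refused')."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Against the real proxy you would run, from the remote host curl ran on:
    #   probe_tls("203.0.113.10", 443, server_name="sub.domain.tld")   # placeholder IP
    for label, port in (("closed port", closed_port()),
                        ("listener that drops", start_stub_listener("drop")),
                        ("plain-HTTP listener", start_stub_listener("plaintext"))):
        print(f"{label:22s} -> {probe_tls('127.0.0.1', port)}")
```

Run it from the same remote host curl ran on, once against the public address and once from inside the proxy host against 127.0.0.1:443: if the local probe returns `ok` but the remote one returns `dropped` or `timeout`, the problem sits in front of nginx (firewall, NAT or routing to the container) rather than in the server block; if both return `tls` with a "wrong version number" reason, port 443 is answering plain HTTP, so the `ssl` parameter is not taking effect on that listener.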