evertramos / nginx-proxy-automation
Automated docker nginx proxy integrated with letsencrypt.

License: MIT License

Language: Shell 100.00%

Topics: nginx-proxy, certificate, letsencrypt, docker, docker-compose, nginx, letsencrypt-certificates

nginx-proxy-automation's Introduction

NGINX Proxy Automation 🔥

How to start 🔰

1. Clone this repository using the option --recurse-submodules ⚠️

git clone --recurse-submodules https://github.com/evertramos/nginx-proxy-automation.git proxy

We use a submodule for basescript.

2. 🚀 Run the script 'fresh-start.sh' from the ./proxy/bin folder

cd proxy/bin && ./fresh-start.sh --yes --skip-docker-image-check -e your_email@domain

Update the email above with your real e-mail address.

3. 🧪 Test the proxy

docker run -dit -e VIRTUAL_HOST=your.domain.com --network=proxy --name test-web httpd:alpine

or simply run:

./test.sh your.domain.com

Use your own domain name when testing this proxy and make sure your DNS is correctly configured.

Video Tutorial 🎥

I made a tutorial video to walk you through this project (on YouTube):

  • AWS EC2
  • Digital Ocean Droplet
  • OVH

Server Automation 🚀

Make sure you try our Server Automation:

https://github.com/evertramos/server-automation

Further information 📓

For more installation details please click here.


nginx-proxy-automation's Issues

bind: cannot assign requested address

I just ran the tutorial as is and it returns this error:

ERROR: for nginx-web Cannot start service nginx-web: driver failed programming external connectivity on endpoint nginx-web (b9ecaee261bb113fbb8d93381e8ab68c3a149feb389d8d60a64534aad80ecd54): Error starting userland proxy: listen tcp MYIP:443: bind: cannot assign requested address

In the docker-compose.yml I commented out the part that mentions the IP and replaced it with just:

   ports:
#      - "${IP}:80:80"
#      - "${IP}:443:443"
       - "80:80"
       - "443:443"

I ran the test file and it works. But just for my culture and better understanding, what is the reason for the error?

EDIT : it seems it simply does not work :/ (see related issue)

TOS hash mismatch

I am trying to run the exact example shown here on my digitalocean ubuntu docker droplet.

What I changed in the .env is the file path and IP.
Then I ran ./run.sh.
When I ran the command to start my web app (httpd, like the example) I of course changed my domain and email address.

After starting the new container I can see the following in the docker-compose logs:

nginx-letsencrypt | 2017-11-15 13:03:38,628:INFO:simp_le:1213: Generating new account key
nginx-letsencrypt | TOS hash mismatch. Found: f33c27745f2bd87344be790465ef984a972fd539dc83bd4f61d4242c607ef1ee.

As a result the app works on http but not https.

Please help

Is there a way to isolate container from internet?

Right now, every container can be accessed from the internet. Wouldn't it be a good idea to put docker-gen and letsencrypt on a different network, and let just the proxy access the internet?

I'm new to Docker, I might misunderstand something!

Did this test on Ubuntu? I can't transfer to port 443 on my server.

I cloned this project and tried to debug and set up everything.
But port 443 transmission doesn't work.
I use the command:

docker logs nginx

And the response is:

2017/08/21 09:26:52 [error] 7#7: *1 connect() failed (111: Connection refused) while connecting to upstream, client: xxx.xxx.xx.xx, server: xxx.xx, request: "GET / HTTP/1.1", upstream: "https://172.18.0.6:443/", host: "xxx.xx"

Is there any solution?

Letsencrypt error

Hello,

I use your docker-compose.yml and attach 4 websites to this reverse proxy.

I add

VIRTUAL_HOST: YOUR_DOCMAIN.com, www.YOUR_DOCMAIN.com
LETSENCRYPT_HOST: YOUR_DOCMAIN.com, www.YOUR_DOCMAIN.com
LETSENCRYPT_EMAIL: YOUR_EMAIL@YOUR_DOCMAIN.com

with my own.

But the containers give me an error, and I cannot access my websites:

ACME server returned an error: urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new registration :: too many registrations for this IP

So, I think I reached the limit.
How can I delete this or fix this issue?
Thanks :)

How to hardcode only 1 container!?

Excellent job guys! I'm very impressed with your work!

Where in the code could I modify the internal router that routes the SNI website1.com to container:website1 (VIRTUAL_HOST=website1.com) so I can hardcode all traffic to the same container:localhost???

I'm developing an app like "wix.com, squarespace.com" to generate website on the fly with HTTPS support. This project is the closest I've found to meet our criteria to solve our TLS termination problems.

The only dilemma is that this project was designed for websites with different code.
EX:
website1.com => custom code for website1
website2.com => custom code for website2
Each website is separated with its own code, which is logical.

The problem is our app is already polymorphic (it will pull the custom data according to the hostname).
EX:
website1.com => uses the SAME code to build website1 with DIFFERENT data according to the hostname.
website2.com => uses the SAME code to build website2 with DIFFERENT data according to the hostname.

Long story short: We cannot have 1,000,000 containers: website1, website2, ... website100001; it makes no sense. It's all the same code! We just need "on the fly TLS termination". I hope to decrypt/generate all SSL on the fly and bump all the traffic to our code to do the rest of the magic.

Where in the code could I modify the internal router that routes the SNI website1.com to container:website1 (VIRTUAL_HOST=website1.com) so I can hardcode all traffic to the same container:localhost???

Thank you for your time :)

Support for fastcgi.conf

Error description:

If I specify VIRTUAL_PROTO=fastcgi, nginx-web hangs because fastcgi.conf is not found.

Steps to reproduce

Add VIRTUAL_PROTO=fastcgi to environment

Expected result

  • nginx-web supports fastcgi mode
  • nginx-web does not hang

Error result

  • nginx-web hangs

Comments

Can we have proper support for fastcgi mode?
The template this repo is using for nginx (nginx-proxy) already supports it with the proper fastcgi file under /etc/nginx.
Actually, the file that comes with the nginx image is fastcgi_params.

I can commit a patch to replace the include fastcgi.conf line with include fastcgi_params. I'm just not quite sure that's the correct way to solve this problem.

Redirect requests to a port on another machine in my local network

Thank you very much for this fabulous software. Actually it's really great and easy to use.

Using this I get a proxy that distributes the requests to local docker containers on the same host where the docker-compose-letsencrypt-nginx-proxy-companion is running.

Do you have any hint, how I may get the proxy to distribute requests to a specific docker container (or standalone server that listens for example on port 5555) but runs on another machine?

Thank you
Jörg

SSL version errors

Hi, I'm getting the following errors

nginx | 2017/10/05 21:39:23 [error] 10#10: *12 SSL_do_handshake() failed 
(SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) 
while SSL handshaking to upstream, client: 204.9.220.42"

Have you seen this before?

Multiple domains with different kind of containers. Setup roadmap

Error description:

Hi, this issue doesn't describe a bug or anything, but I am trying to put things in order based on my setup, and I suppose many others.

Let's say for example I have 3 websites with 3 different domains. I have example1.com, example2.com and example3.com. I decided to use a folder on my host machine, let's say /mysites, and in there there are three folders containing the files of the sites. So a simple setup will be like this:

--- mysites
---- example1.com
---- example2.com
---- example3.com

1st question

What should I declare at the .env file in NGINX_FILES_PATH=/path/to/your/nginx/data ?

Do I have to declare NGINX_FILES_PATH=/mysites and then in each container call VIRTUAL_ROOT? For example, if I want my first site (example1.com), may I use

docker run -d -e VIRTUAL_HOST=example1.com \
              --VIRTUAL_ROOT=example1.com or /mysites/example1.com
              --network=webproxy \
              --name my_app \
              httpd:alpine

???

2nd question

If we accept that the 1st question is answered and I have 3 websites working, a fourth one comes into play. But the fourth one is not a simple, if I can call it that, container with just html or php files. It's a nodejs application, for example rocket.chat. An example docker-compose.yml would be

version: '3.3'

services:
  db:
    image: mongo
    volumes:
      - ./datatest/runtime/db:/data/db
      - ./datatest/dump:/dump
    command: mongod --smallfiles

  rocketchat:
    image: rocketchat/rocket.chat:latest
    environment:
      MONGO_URL: mongodb://db:27017/rocketchat
      ROOT_URL: http://example4.com
      Accounts_UseDNSDomainCheck: "false"
      VIRTUAL_HOST: example4.com
      LETSENCRYPT_HOST: example4.com
      LETSENCRYPT_EMAIL: [email protected]
    links:
      - db:db
    ports:
      - 3000:3000
    restart: always
  hubot:
    # doesnt matter for now
networks:
    default:
       external:
         name: mywebproxy

  1. There are no files in any volume or anything for the VIRTUAL_ROOT environment variable. If it is not declared then /var/www/public will be used, based on nginx.tmpl line 165 https://github.com/evertramos/docker-compose-letsencrypt-nginx-proxy-companion/blob/5fc18d8c2e38ba6cac51e7ba87e47ea507ca2e08/nginx.tmpl#L165

  2. What will happen to the Let's Encrypt certificate? Due to the lack of a proper root, it could not load the files and couldn't write to the .well-known folder, so the challenge will fail.

How can I combine all the above?

Redirect www to no www

Hello, I have managed to get everything working with my web app using your useful companion and guide. Is there a way I can get the www.domain.com to automatically redirect to domain.com?

503 Service Temporarily Unavailable error after all container started

Error description:

I am getting a 503 Service Temporarily Unavailable error when accessing the site through the IP only.

Steps to reproduce

[screenshot from 2018-02-21 21-00-54]

I just followed the steps in the documentation:
1- started up the containers on this site, modified the .env
2- started up the container in the WordPress companion
I will be happy to include any logs you request.

How to add customized options to the config files?

So I was going to reverse proxy Emby (a media server), which needs some more options to work.

location / {
    proxy_pass http://192.168.10.10:8096;

    proxy_set_header Range $http_range;
    proxy_set_header If-Range $http_if_range;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    # Next three lines allow websockets
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
}

I tried to add these options manually to the default.conf but they got wiped automatically. Is there an alternative way to do this?

Enable Both X-Real-IP and X-Forwarded-For in realip.conf for Cloudflare

How do I enable both X-Real-IP and X-Forwarded-For in the same realip.conf file? I would like to use X-Real-IP for Docker network IPs and use X-Forwarded-For for Cloudflare IPs.

Something like below:

# Please set your docker network below
# in order to forward the user real 
# ip address to your app container
set_real_ip_from  172.18.0.0/32;
real_ip_header    X-Real-IP;
real_ip_recursive on;

set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 104.16.0.0/12;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2405:8100::/32;
set_real_ip_from 2c0f:f248::/32;
set_real_ip_from 2a06:98c0::/29;

real_ip_header X-Forwarded-For;

I don't think it's possible to have both X-Real-IP and X-Forwarded-For in the same block. Or would X-Forwarded-For pass X-Real-IP as well? The Nginx documentation is a little confusing.

The Cloudflare configuration is from their site.
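Added example (my own code, not part of the issue or the project): a small emulation of how nginx's realip module applies set_real_ip_from, real_ip_header and real_ip_recursive, run over a constructed realip.conf modelled on the one above. It shows which address ends up as $remote_addr for a request relayed through a trusted Cloudflare hop, that a forwarded header arriving from an untrusted peer is ignored, and that only one real_ip_header is accepted per context; the peer and visitor addresses (172.18.0.5, 203.0.113.7, 198.51.100.9) are constructed sample values.

```python
"""Emulate nginx's realip module (set_real_ip_from, real_ip_header,
real_ip_recursive) so a realip.conf can be reasoned about before deploy."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class RealIpConfig:
    trusted: list = field(default_factory=list)   # networks from set_real_ip_from
    header: str = "X-Real-IP"                      # nginx default for real_ip_header
    recursive: bool = False                        # nginx default for real_ip_recursive
    warnings: list = field(default_factory=list)


def parse_realip_conf(text: str) -> RealIpConfig:
    """Read the three realip directives from an nginx config fragment."""
    cfg = RealIpConfig()
    header_seen = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()
        if not line:
            continue
        name, *args = line.split()
        if name == "set_real_ip_from" and args:
            net = ipaddress.ip_network(args[0], strict=False)
            if net.num_addresses == 1:
                # e.g. 172.18.0.0/32 trusts only the network address, never a container
                cfg.warnings.append(f"{args[0]} trusts exactly one address")
            cfg.trusted.append(net)
        elif name == "real_ip_header" and args:
            if header_seen:
                # nginx rejects a second real_ip_header in the same context as a duplicate
                cfg.warnings.append("real_ip_header given more than once")
            header_seen = True
            cfg.header = args[0]
        elif name == "real_ip_recursive" and args:
            cfg.recursive = args[0].lower() == "on"
    return cfg


def _is_trusted(addr: str, cfg: RealIpConfig) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in cfg.trusted)


def resolve_client_ip(remote_addr: str, headers: dict, cfg: RealIpConfig) -> str:
    """Return the address nginx would expose as $remote_addr after realip."""
    # The header is only consulted when the direct peer is a trusted proxy;
    # anything an untrusted client writes into X-Forwarded-For is ignored.
    if not _is_trusted(remote_addr, cfg):
        return remote_addr
    lookup = {k.lower(): v for k, v in headers.items()}
    value = lookup.get(cfg.header.lower())
    if value is None:
        return remote_addr
    chain = [p.strip() for p in value.split(",") if p.strip()]
    result = remote_addr
    # Walk the chain from the right (the hop nearest to us) towards the left.
    for candidate in reversed(chain):
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            break  # nginx stops at the first unparsable entry and keeps the last good one
        result = candidate
        # Non-recursive mode takes the rightmost entry; recursive mode keeps
        # walking past trusted proxies until it meets an untrusted address.
        if not cfg.recursive or not _is_trusted(candidate, cfg):
            break
    return result


# Constructed config modelled on the realip.conf in the issue above: the
# Docker network that fronts the app containers plus a few Cloudflare ranges.
EXAMPLE_CONF = """
set_real_ip_from  172.18.0.0/16;
set_real_ip_from  103.21.244.0/22;
set_real_ip_from  172.64.0.0/13;
set_real_ip_from  2400:cb00::/32;
real_ip_header    X-Forwarded-For;
real_ip_recursive on;
"""


def demo() -> dict:
    cfg = parse_realip_conf(EXAMPLE_CONF)
    return {
        # A trusted hop forwarded a visitor: the visitor's address is recovered.
        "via_cloudflare": resolve_client_ip(
            "172.18.0.5", {"X-Forwarded-For": "203.0.113.7, 172.64.1.1"}, cfg),
        # Direct request from an untrusted peer: its forged header is ignored.
        "untrusted_peer": resolve_client_ip(
            "198.51.100.9", {"X-Forwarded-For": "10.0.0.1"}, cfg),
    }


if __name__ == "__main__":
    print(demo())
```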

Running virtual hosts on different ports of the same container

Hi,
I am facing the problem of proxying different ports to the same container.
This is the case of the Nexus Registry setup, where the nexus container exposes 8081 for nexus and a different one (e.g. 18444) for the docker registry.
I have defined two sub-domains:

  • nexus.mydomain.com
  • docker.nexus.mydomain.com

Both of them need to use letsencrypt.
I cannot see any good solution for proxying the requests coming from "nexus.mydomain.com" to 8081 and the ones coming to "docker.nexus.mydomain.com" to 18444 of the same container using this proxy-companion.
I searched a bit and the only two possible solutions could be:

  • Adding an extra nginx just to have a different container that proxies all requests to 18444 exposed by the nexus container.
  • Changing the nginx template in order to parse the VIRTUAL_HOST env property to support something like: VIRTUAL_HOSTS="nexus.mydomain.com:8081,docker.nexus.mydomain.com:18444"

The first one seems bad to me because I am introducing an extra (unwanted) nginx.
The second one seems better, but I am not so confident in changing your template because I am not familiar with that syntax.

Can you give me some advice for solving my problem?
Is there any possibility to support this kind of configuration in the future?

Help needed, please

Hi, I need some help here.

I've tried many examples but I always got the same error:
Unable to reach http://dev2.mixbrgames.com/.well-known/acme-challenge/quPFZRddLRSmxu5L_YjggYBXzE3LgWT3rsyGpIAJUYI: HTTPConnectionPool(host='dev2.mixbrgames.com', port=80): Max retries exceeded with url: /.well-known/acme-challenge/quPFZRddLRSmxu5L_YjggYBXzE3LgWT3rsyGpIAJUYI (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7fd5d7fca2d0>: Failed to establish a new connection: [Errno 111] Connection refused',)).

I'm really desperate! Here is my docker-compose.yml. Could you help me to find out a solution?

version: '3.3'

services:

  nginx:
    image: nginx
    labels:
        com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy: "true"
    container_name: nginx
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./nginx/conf.d:/etc/nginx/conf.d
      - ./nginx/vhost.d:/etc/nginx/vhost.d
      - ./nginx/html:/usr/share/nginx/html
      - ./nginx/certs:/etc/nginx/certs:ro

  nginx-gen:
    image: jwilder/docker-gen
    command: -notify-sighup nginx -watch -wait 5s:30s /etc/docker-gen/templates/nginx.tmpl /etc/nginx/conf.d/default.conf
    container_name: nginx-gen
    restart: unless-stopped
    volumes:
      - ./nginx/conf.d:/etc/nginx/conf.d
      - ./nginx/vhost.d:/etc/nginx/vhost.d
      - ./nginx/html:/usr/share/nginx/html
      - ./nginx/certs:/etc/nginx/certs:ro
      - /var/run/docker.sock:/tmp/docker.sock:ro
      - ./nginx.tmpl:/etc/docker-gen/templates/nginx.tmpl:ro

  nginx-letsencrypt:
    image: jrcs/letsencrypt-nginx-proxy-companion
    container_name: nginx-letsencrypt
    restart: unless-stopped
    volumes:
      - ./nginx/conf.d:/etc/nginx/conf.d
      - ./nginx/vhost.d:/etc/nginx/vhost.d
      - ./nginx/html:/usr/share/nginx/html
      - ./nginx/certs:/etc/nginx/certs:rw
      - /var/run/docker.sock:/var/run/docker.sock:ro
    environment:
      NGINX_DOCKER_GEN_CONTAINER: "nginx-gen"
      NGINX_PROXY_CONTAINER: "nginx"

  database:
    container_name: mixbr-database
    image: postgres
    volumes:
      - ./database:/var/lib/postgresql/data

  webserver:
    container_name: mixbr-nginx
    image: nginx
    volumes:
      - "./nginx/conf.d/:/etc/nginx/conf.d"
    environment:
      - VIRTUAL_HOST=dev2.mixbrgames.com
      - VIRTUAL_NETWORK=nginx-proxy
      - VIRTUAL_PORT=80
      - LETSENCRYPT_HOST=dev2.mixbrgames.com
      - [email protected]
    depends_on:
      - django
    links:
      - django

  django:
    build: .
    container_name: mixbr-django
    environment:
      - PYTHONUNBUFFERED=1
      - DATABASE_HOST
      - SITE_URL
      - EMAIL_HOST
      - EMAIL_PORT
      - LOBBY_FREE
      - LOBBY_MIN_PLAYERS
      - LOBBY_MAX_PLAYERS
      - MANAGER_ALLOWED_HOSTS
      - MATCH_MAX_ROUNDS
      - DEBUG
      - HTTP_X_FORWARDED_PROTOCOL
      - SECURE_SSL_REDIRECT
      - SECRET_KEY
    volumes:
      - ./application:/root
    depends_on:
      - database
    links:
      - database

Thank you!

How to provide host specific config ?

Very nice sample. Thank you very much for sharing.
For a specific host I need to inject the following setting.

proxy_http_version 1.1;
proxy_set_header Connection "";

It seems I can't drop things in ${NGINX_FILES_PATH}/vhost.d, because it's protected.
Is there another way to inject this?
Thank you very much for helping me out.
Warm regards
paul.

acting as load balancer to a container already stopped

I had a weird bug that, after days of debugging, I found out was related to the proxy.

Error description:

The proxy was balancing requests between a running nginx container and an already closed container, so exactly half of my requests (one yes, one no) were hitting a server error.

Steps to reproduce

I don't know how to reproduce it, but I have it on my machine since rebooting the server or even restarting your proxy doesn't clean the events on my server, and it keeps thinking that that domain name has more than one container associated.

Expected result

The proxy should only be pointing to running containers.

Comments

I would like to know how I can force-clean the cache and restart all domain pointers, or see the registered events and be able to manually delete the misregistered event that is making my proxy act like a load balancer when only one container should be running on that domain.

Thanks for the help with this problem and for all your work on this project, which let me learn docker and have multiple web services running on the same host very easily.

docker-gen only gets triggered for certain container launch methods

Error description:

After launching what should be the same container in multiple ways, docker-gen is only triggered for start_test.sh and a docker start... from the bash CLI. A bash script - with the same command - and docker-compose never trigger docker-gen. I'm sure it's something I'm doing wrong, but if it is, I'm not seeing it. Any help is welcome!

1. Launch using start_test.sh - status: WORKS!

$ ./test_start.sh home.ohana.net

The page renders the Apache "It works!" message, and docker-gen shows as being triggered in the logs:

2018/03/28 11:45:24 Received event start for container 0fbe8b559fd2
2018/03/28 11:45:29 Debounce minTimer fired
2018/03/28 11:45:29 Generated '/etc/nginx/conf.d/default.conf' from 6 containers
2018/03/28 11:45:29 Sending container 'nginx-web' signal '1'

and the right entry is created in default.conf:

# home.ohana.net
upstream home.ohana.net {
                                ## Can be connected with "webproxy" network
                        # test-web
                        server 172.21.0.5:80;
}
server {
        server_name home.ohana.net;
        listen 80 ;
        access_log /var/log/nginx/access.log vhost;
        include /etc/nginx/vhost.d/default;
        location / {
                proxy_pass http://home.ohana.net;
        }
}

2. Launch using bash CLI - status: WORKS!

$ docker run -d -e VIRTUAL_HOST=home.ohana.net --network=webproxy --name test-web httpd:alpine

The page renders the Apache "It works!" message, and it shows as being triggered in the logs:

2018/03/28 11:53:58 Received event start for container d06cdb6826c6
2018/03/28 11:54:03 Debounce minTimer fired
2018/03/28 11:54:03 Generated '/etc/nginx/conf.d/default.conf' from 6 containers
2018/03/28 11:54:03 Sending container 'nginx-web' signal '1'

3. Launch using bash script - status: FAIL!

$ ./home.sh

where home.sh looks like this - same command from the CLI in case #2:

#! /bin/bash
docker run -d -e VIRTUAL-HOST=home.ohana.net --network=webproxy --name test-web httpd:alpine

fails.

2018/03/28 12:04:20 Received event start for container 167d4f262495
2018/03/28 12:04:25 Debounce minTimer fired
2018/03/28 12:04:26 Contents of /etc/nginx/conf.d/default.conf did not change. Skipping notification ''

4. Launch using docker-compose - status: FAIL!

Finally, if I launch with docker compose using:

$ docker-compose up -d

with a docker-compose.yml file that looks like:

version: '3'
services:
  web:
    container_name: test-web
    image: httpd:alpine
    restart: unless-stopped
    network_mode: "bridge"
    environment:
      - VIRTUAL-HOST=home.ohana.net
    hostname: oswald.ohana.net

networks:
  default:
    external:
      name: webproxy

It fails and docker-gen is never triggered.

2018/03/28 12:10:07 Received event start for container 018869db2ff8
2018/03/28 12:10:12 Debounce minTimer fired
2018/03/28 12:10:12 Contents of /etc/nginx/conf.d/default.conf did not change. Skipping notification ''

Steps to reproduce

As indicated above.

Expected result

Any httpd:alpine - or any web-serving container - that launches should trigger docker-gen to re-create the default.conf file appropriately.

Error result

The proxy's default.conf file is only updated on certain launch methods, resulting in inaccessible web sites.

Comments
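As an added pre-flight check (my own code, not part of the issue or the project): the two launches above that work set VIRTUAL_HOST, while the script and the compose file set VIRTUAL-HOST, and docker-gen's template matches that variable name exactly, which is consistent with default.conf not changing in cases 3 and 4. This parses a docker run line and reports a variable that only looks like VIRTUAL_HOST, or a missing proxy network (assumed here to be named webproxy, as in the issue).

```python
"""Pre-flight check for a container that nginx-proxy's docker-gen should pick up.

The nginx.tmpl groups containers by an environment variable named exactly
VIRTUAL_HOST and the proxy can only reach containers on its own network,
so a launch line is checked for both before it is run."""
import shlex


def parse_docker_run(cmdline: str) -> dict:
    """Pull -e/--env settings and --network values out of a `docker run` line."""
    argv = shlex.split(cmdline)
    env, networks = {}, []
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg in ("-e", "--env") and i + 1 < len(argv):
            key, _, value = argv[i + 1].partition("=")
            env[key] = value
            i += 2
        elif arg.startswith("--env="):
            key, _, value = arg[len("--env="):].partition("=")
            env[key] = value
            i += 1
        elif arg == "--network" and i + 1 < len(argv):
            networks.append(argv[i + 1])
            i += 2
        elif arg.startswith("--network="):
            networks.append(arg[len("--network="):])
            i += 1
        else:
            i += 1
    return {"env": env, "networks": networks}


def diagnose(env: dict, networks: list, proxy_network: str = "webproxy") -> list:
    """Return human-readable findings; an empty list means the template should match."""
    findings = []
    if "VIRTUAL_HOST" in env:
        if not env["VIRTUAL_HOST"]:
            findings.append("VIRTUAL_HOST is empty")
    else:
        # VIRTUAL-HOST, virtual_host, ... are different names as far as docker-gen is concerned
        lookalikes = [k for k in env if k.replace("-", "_").upper() == "VIRTUAL_HOST"]
        if lookalikes:
            findings.append(
                f"{lookalikes[0]} was set, but the template matches VIRTUAL_HOST exactly")
        else:
            findings.append("no VIRTUAL_HOST set: the container gets no server block")
    if proxy_network not in networks:
        findings.append(
            f"container is not on the {proxy_network} network, so the proxy cannot reach it")
    return findings


def check_launch_line(cmdline: str, proxy_network: str = "webproxy") -> list:
    parsed = parse_docker_run(cmdline)
    return diagnose(parsed["env"], parsed["networks"], proxy_network)


if __name__ == "__main__":
    # Constructed launch lines, mirroring cases 2 and 3 of the issue.
    for line in (
        "docker run -d -e VIRTUAL_HOST=home.ohana.net --network=webproxy --name test-web httpd:alpine",
        "docker run -d -e VIRTUAL-HOST=home.ohana.net --network=webproxy --name test-web httpd:alpine",
    ):
        print(line, "->", check_launch_line(line) or "ok")
```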

How this can work with other docker-compose file?

Comments

Hello, may I know how I should update the docker-compose file after I run ./start.sh? Many thanks!
I guess I need to add something like:
networks:
- webproxy

My original docker-compose file :

version: '3'
services:
    botlinker-service:
      image: registry.gitlab.com/liquidsky/hello-bot:v1.0
      working_dir: /code
      volumes:
        - .:/code      
      ports:
        - "80:3000"
      depends_on:
        - mongodb
    mongodb:
      image: "mongo"
      container_name: mongo
      working_dir: /code
      ports:
        - "27020:27017"

IPv6 Configuration

It looks like the .env only support IPv4 addresses. By default does the .env file support IPv6 as well? If so, what is the configuration format or example to enable IPv6 for Nginx?

Missing label

I think a label for docker gen is missing:

from letsencrypt-nginx-proxy-companion documentation:
The com.github.jrcs.letsencrypt_nginx_proxy_companion.docker_gen label - set this label on the docker-gen container to tell the docker-letsencrypt-nginx-proxy-companion container to use it as the docker-gen when it's split from nginx (separate containers).

Can't run ./start.sh - Error

Error description:

I can't use ./start.sh, what's the problem?

Steps to reproduce

#
# Docker Logging Config
#
# This section offers two options max-size and max-file, which follow the docker documentation
# as follow:
#
  logging:
       driver: "json-file"
       options:
         max-size: "200k"
         max-file: "10"
#
NGINX_WEB_LOG_MAX_SIZE=4m
NGINX_WEB_LOG_MAX_FILE=10

NGINX_GEN_LOG_MAX_SIZE=4m
NGINX_GEN_LOG_MAX_FILE=10

NGINX_LETSENCRYPT_LOG_MAX_SIZE=4m
NGINX_LETSENCRYPT_LOG_MAX_FILE=10

Expected result

Error result

Creating nginx-web ... error
Creating nginx-letsencrypt ...
Creating nginx-gen ...
Creating nginx-letsencrypt ... error
ERROR: for nginx-web  Cannot create container for service nginx-web: unknown log opt 'max-size' for journald log driver
Creating nginx-gen ... error
ERROR: for nginx-letsencrypt  Cannot create container for service nginx-letsencrypt: unknown log opt 'max-size' for journald log driver

ERROR: for nginx-gen  Cannot create container for service nginx-gen: unknown log opt 'max-size' for journald log driver

ERROR: for nginx-web  Cannot create container for service nginx-web: unknown log opt 'max-size' for journald log driver

ERROR: for nginx-gen  Cannot create container for service nginx-gen: unknown log opt 'max-size' for journald log driver

ERROR: for nginx-letsencrypt  Cannot create container for service nginx-letsencrypt: unknown log opt 'max-size' for journald log driver

Comments

[Question] How to expose multiple containers

At first I would like to apologize for my poor understanding of how nginx works.

Suppose I have 3 containers that need to be exposed to the public. And my domain name is haipham.me. All containers expose different ports to the host.

The first container (port 8080) should be accessible through haipham.me
The second container (port 8081) should be accessible through haipham.me/second
The third container (port 8082) should be accessible through haipham.me/third

Can I achieve the expected result above using this command?

docker run -d -e VIRTUAL_HOST=www.haipham.me \
              -e LETSENCRYPT_HOST=www.haipham.me \
              -e [email protected] \
              --network=webproxy \
              --name first_container \
              first_container

nginx: [emerg] no servers are inside upstream

Can't get the nginx proxy stack running. I'm receiving the following error after docker-compose up -d:

nginx: [emerg] no servers are inside upstream in /etc/nginx/conf.d/default.conf:54

172.20.0.3	76f248a9b40c        nginx                                    "nginx -g 'daemon ..."   8 minutes ago        Up 8 minutes        0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp   nginx
172.20.0.4	69117fd43910        jwilder/docker-gen                       "/usr/local/bin/do..."   8 minutes ago        Up 8 minutes                                                   nginx-gen
172.20.0.2	25ffaa13ea57        jrcs/letsencrypt-nginx-proxy-companion   "/bin/bash /app/en..."   8 minutes ago        Up 8 minutes                                                   nginx-letsencrypt

version: '3'
services:
  nginx:
    image: nginx
    labels:
        com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy: "true"
    container_name: nginx
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ${NGINX_FILES_PATH}/conf.d:/etc/nginx/conf.d
      - ${NGINX_FILES_PATH}/vhost.d:/etc/nginx/vhost.d
      - ${NGINX_FILES_PATH}/html:/usr/share/nginx/html
      - ${NGINX_FILES_PATH}/certs:/etc/nginx/certs:ro

  nginx-gen:
    image: jwilder/docker-gen
    command: -notify-sighup nginx -watch -wait 5s:30s /etc/docker-gen/templates/nginx.tmpl /etc/nginx/conf.d/default.conf
    container_name: nginx-gen
    restart: unless-stopped
    volumes:
      - ${NGINX_FILES_PATH}/conf.d:/etc/nginx/conf.d
      - ${NGINX_FILES_PATH}/vhost.d:/etc/nginx/vhost.d
      - ${NGINX_FILES_PATH}/html:/usr/share/nginx/html
      - ${NGINX_FILES_PATH}/certs:/etc/nginx/certs:ro
      - /var/run/docker.sock:/tmp/docker.sock:ro
      - ./nginx.tmpl:/etc/docker-gen/templates/nginx.tmpl:ro

  nginx-letsencrypt:
    image: jrcs/letsencrypt-nginx-proxy-companion
    container_name: nginx-letsencrypt
    restart: unless-stopped
    volumes:
      - ${NGINX_FILES_PATH}/conf.d:/etc/nginx/conf.d
      - ${NGINX_FILES_PATH}/vhost.d:/etc/nginx/vhost.d
      - ${NGINX_FILES_PATH}/html:/usr/share/nginx/html
      - ${NGINX_FILES_PATH}/certs:/etc/nginx/certs:rw
      - /var/run/docker.sock:/var/run/docker.sock:ro
    environment:
      NGINX_DOCKER_GEN_CONTAINER: "nginx-gen"
      NGINX_PROXY_CONTAINER: "nginx"

networks:
  default:
    external:
      name: nginx-net

NETWORK ID          NAME                    DRIVER              SCOPE
19effb9978ae        bridge                  bridge              local
0df0eb5969f2        host                    host                local
63c6b2a06fcc        nginx-net               bridge              local

docker network inspect nginx-net
[
    {
        "Name": "nginx-net",
        "Id": "63c6b2a06fcc401fb2c96fe04db5b2f1fa8c2cab7dfa332dceb75118a34df694",
        "Created": "2017-09-11T10:14:18.250846025+02:00",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": {},
            "Config": [
                {
                    "Subnet": "172.20.0.0/16",
                    "Gateway": "172.20.0.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {
            "25ffaa13ea575b44a0b0f9c622fad00e1a6969b733cf0833c40c9a5d6b58aa70": {
                "Name": "nginx-letsencrypt",
                "EndpointID": "203fac333305559b5812e06e74cc3d2fc6f80d1767645635a818785e5b155f35",
                "MacAddress": "02:42:ac:14:00:02",
                "IPv4Address": "172.20.0.2/16",
                "IPv6Address": ""
            },
            "69117fd439106c7a80484f89869ab67773fb66e0e9a0c52f8abce0c05f346e8f": {
                "Name": "nginx-gen",
                "EndpointID": "b2ff13386f97f336745555775c0d7370838fbce5c226a10db658f3e893e04229",
                "MacAddress": "02:42:ac:14:00:04",
                "IPv4Address": "172.20.0.4/16",
                "IPv6Address": ""
            },
            "76f248a9b40c506bc4d4107f2a65456c9aed5324e669ad28025316d914da010b": {
                "Name": "nginx",
                "EndpointID": "a473170c93354a76d25766882ccb240f18c97b8865f50bca2bd5e86a79d77478",
                "MacAddress": "02:42:ac:14:00:03",
                "IPv4Address": "172.20.0.3/16",
                "IPv6Address": ""
            }
        },
        "Options": {},
        "Labels": {}
    }
]
cat .env
NGINX_FILES_PATH=/etc/nginx/docker
cat  /etc/nginx/docker/conf.d/default.conf
# If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
# scheme used to connect to this server
map $http_x_forwarded_proto $proxy_x_forwarded_proto {
  default $http_x_forwarded_proto;
  ''      $scheme;
}
# If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
# server port the client connected to
map $http_x_forwarded_port $proxy_x_forwarded_port {
  default $http_x_forwarded_port;
  ''      $server_port;
}
# If we receive Upgrade, set Connection to "upgrade"; otherwise, delete any
# Connection header that may have been passed to this server
map $http_upgrade $proxy_connection {
  default upgrade;
  '' close;
}
# Apply fix for very long server names
server_names_hash_bucket_size 128;
# Default dhparam
ssl_dhparam /etc/nginx/dhparam/dhparam.pem;
# Set appropriate X-Forwarded-Ssl header
map $scheme $proxy_x_forwarded_ssl {
  default off;
  https on;
}
gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
log_format vhost '$host $remote_addr - $remote_user [$time_local] '
                 '"$request" $status $body_bytes_sent '
                 '"$http_referer" "$http_user_agent"';
access_log off;
# HTTP 1.1 support
proxy_http_version 1.1;
proxy_buffering off;
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $proxy_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
# Mitigate httpoxy attack (see README for details)
proxy_set_header Proxy "";
server {
	server_name _; # This is just an invalid value which will never trigger on a real hostname.
	listen 80;
	access_log /var/log/nginx/access.log vhost;
	return 503;
}
# example.com
upstream example.com {
}
server {
	server_name example.com;
	listen 80 ;
	access_log /var/log/nginx/access.log vhost;
	location / {
		proxy_pass http://example.com;
	}
}
# www.example.com
upstream www.example.com {
}
server {
	server_name www.example.com;
	listen 80 ;
	access_log /var/log/nginx/access.log vhost;
	location / {
		proxy_pass http://www.example.com;
	}
}
Client:
 Version:      17.06.2-ce
 API version:  1.30
 Go version:   go1.8.3
 Git commit:   cec0b72
 Built:        Tue Sep  5 20:00:17 2017
 OS/Arch:      linux/amd64

Server:
 Version:      17.06.2-ce
 API version:  1.30 (minimum version 1.12)
 Go version:   go1.8.3
 Git commit:   cec0b72
 Built:        Tue Sep  5 19:59:11 2017
 OS/Arch:      linux/amd64
 Experimental: false

Can not create nginx-web

Error description:

Can not create and run nginx-web

Steps to reproduce

Expected result

Error result

error: for nginx-web Cannot start service nginx-web: driver failed programming external connectivity on endpoint nginx-web (1cbf2756494a4eed28b69f8cc6a91eec3261c963e31269d75f8f3484caf3fda4): Error starting userland proxy: listen tcp x.x.x.x:443: bind: cannot assign requested address

Comments

This is an Ubuntu 16.04 running in Azure. Both ports 80 and 443 are open.

Multiple EXPOSE error

Error description:

The proxy is not working for that configuration. I have another docker container working well with domain & SSL, but that one won't be proxied.

Steps to reproduce

Start the following configuration:

docker-compose.yml

  parity:
    image: parity/parity:v1.8.9
    ports:
      - 8545:8545
    volumes:
      - ./parity/testnet:/config
      - ${PARITY_DATA_DIR:-./data/parity/testnet}:/data
    entrypoint: ["/config/entry.sh"]
    environment:
      VIRTUAL_HOST: ${DOMAINS:-}
      LETSENCRYPT_HOST: ${DOMAINS:-}
      LETSENCRYPT_EMAIL: ${LETSENCRYPT_EMAIL:-}

networks:
  default:
    external:
      name: ${NETWORK:-webproxy}

I have another container running with basically same configuration but different image and different DOMAINS variable, which works well.

Error result

curl answers 502 Bad gateway both on 80 and 443

./data/nginx/conf.d/default.conf

... 
# not working
upstream parity.domain.com {
			server 172.18.0.5 down;
...
# working
upstream other.domain.com {
			server 172.18.0.6:4040;
}
...
}

Comments

Note that the parity server is working if I call directly port 8545

Maybe the problem comes from the parity image exposing multiple ports.
How does the proxy handle this? Which port does it choose to proxy?

How do I map it to a container port?

Hi. I followed the steps and now I see It works! on the domain homepage. So how do I tell it to forward this request for mydomain.com to port 6060 on the host?

I'm using docker swarm to host the app on port 6060.

I changed the path in the .env file to point to my nginx config. Then I ran ./start.sh

Finally I did

docker run -d -e VIRTUAL_HOST=myprefix.westus.cloudapp.azure.com \
              -e LETSENCRYPT_HOST=myprefix.westus.cloudapp.azure.com \
              -e [email protected] \
              --network=webproxy \
              --name my_app \
              httpd:alpine

So I need that request for myprefix.westus.cloudapp.azure.com to forward to port 6060 on the host.

Then, I will need to make myprefix.westus.cloudapp.azure.com/dev forward to port 6061. Where do I do that?

I saw something about WEB_PORTS and VIRTUAL_PORT but the docs are slim on them, is that the right setting?
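
The parity post above (an upstream rendered as `server 172.18.0.5 down;`) and the VIRTUAL_PORT question here come down to one rule in the template docker-gen uses. This is an added example, not the project's or jwilder's code: a shell function that reproduces the upstream port selection as I read jwilder's nginx.tmpl (assumption), with constructed container names, addresses and port lists.

```shell
# Added example, not project code. Mirrors the upstream port choice of
# jwilder's nginx.tmpl as I read it (assumption):
#   - exactly one exposed port  -> that port (VIRTUAL_PORT is ignored)
#   - several (or zero) ports   -> VIRTUAL_PORT, or 80 when it is unset
#   - if the chosen port is not among the container's exposed ports, the
#     upstream is rendered as "server <ip> down;" and nginx answers 502.
#
# pick_upstream_port "<VIRTUAL_PORT or empty>" <exposed port>...
# Prints the port that will be proxied, or "down".
pick_upstream_port() {
  local vport="$1"; shift
  local want p
  if [ "$#" -eq 1 ]; then
    want="$1"
  elif [ -n "$vport" ]; then
    want="$vport"
  else
    want=80
  fi
  for p in "$@"; do
    if [ "$p" = "$want" ]; then
      printf '%s\n' "$want"
      return 0
    fi
  done
  printf 'down\n'
  return 0
}

# render_upstream <VIRTUAL_HOST> <container ip> "<VIRTUAL_PORT or empty>" <exposed port>...
# Prints the upstream block docker-gen would write into default.conf.
render_upstream() {
  local host="$1" ip="$2" vport="$3"; shift 3
  local port
  port=$(pick_upstream_port "$vport" "$@")
  if [ "$port" = "down" ]; then
    printf 'upstream %s {\n\tserver %s down;\n}\n' "$host" "$ip"
  else
    printf 'upstream %s {\n\tserver %s:%s;\n}\n' "$host" "$ip" "$port"
  fi
}

# Constructed cases modelled on the posts above.
# A container exposing several ports, none of them 80, with VIRTUAL_PORT unset:
render_upstream parity.domain.com 172.18.0.5 "" 8180 8545 8546 30303
# The same container once VIRTUAL_PORT=8545 is set in its environment:
render_upstream parity.domain.com 172.18.0.5 8545 8180 8545 8546 30303
# A neighbour that exposes a single port is proxied without any VIRTUAL_PORT:
render_upstream other.domain.com 172.18.0.6 "" 4040
```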

[Question] How to configure the default.conf file cleanly?

Hi @evertramos,

Sorry if it is a simple question, but I have read your README many times and tried to find a solution in the previous questions asked by other users. I'm still stuck.

My computer is my own server. So I bought a domain name (in this example, it's 'toto.com') on OVH and I just configured the DynHost like this: storage.toto.com = MYEXTERNALIP.
So when you ask for -e VIRTUAL_HOST=your.domain.com or -e LETSENCRYPT_HOST=your.domain.com to start the docker container, I wrote something like this:

docker run -d -e VIRTUAL_HOST=storage.toto.com \
              -e LETSENCRYPT_HOST=storage.toto.com \
              -e [email protected] \
              --network=webproxy \
              --name my_app \
              httpd:alpine

Do you agree with that?

BTW: When do I change --network=webproxy? I didn't understand this line... In my case, I have only one VIRTUAL_HOST. Maybe later I will have more than one VIRTUAL_HOST. Should I change something in that case?

Then:

I need to have this configuration in default.conf file:

server {
  listen 4430;
  access_log /var/nginxSSL.txt;
  root /storage/myuser;
  autoindex on;
  ssl on;
  ssl_certificate .....;
  ssl_certificate_key ......;
  location / {
    try_files $uri $uri/ =404;
    auth_basic "Restricted Content";
    auth_basic_user_file /etc/nginx/.htpasswd;
  }
}

Before your docker, I wrote and fully defined the default.conf file by hand.
After following your instructions, I noticed that in the default.conf file these lines are missing:

autoindex on;
ssl on;
root /storage/myuser; # this line is the most important for me

Where can I define the root line? I guess I have to mount a volume from the host, otherwise I can't have my files? I saw a default.conf file in the data folder. Should I edit it directly?

Thank you in advance and sorry for being so confused about all your stuff (BTW amazing), which is new to me :)

Regards

Some questions and clarifications about instructions

I find the instructions difficult to follow and I'm a professional.

  1. I have a domain name that uses DDNS to point to my router. What do I enter for the IP variable in .env given I don't have a static IP? Entering my domain name throws an invalid docker-compose file error.

  2. What is the NGINX_FILES_PATH? Is this my custom nginx running behind the proxy, or is this configuration for the proxy itself? (where are the config files for this? When and how does the nginx.tmpl file come into play?)

    NGINX_FILES_PATH=/path/to/your/nginx/data

  3. As a result (probably), my nginx-letsencrypt and nginx-gen containers are stuck in a restart loop.
    Is there any way to view logs to figure out the problem?
    Are there HTTP access logs?

  4. Regarding the "Starting your web containers" section, can I run any web application behind the proxy? What if these applications run on different ports? Where do I tell the proxy to forward to those ports on the web containers?

I read the Readme multiple times and tried all test scripts without success.

Error 503

I started this docker-compose.yml together with your other repository (WordPress), but it is returning a 503 error.

nginx-letsencrypt    | Sleep for 3600s
nginx-letsencrypt    | 2017/07/03 19:14:50 Generated '/app/letsencrypt_service_data' from 1 containers
nginx-letsencrypt    | 2017/07/03 19:14:50 Running '/app/update_certs'
nginx-letsencrypt    | 2017/07/03 19:14:50 Watching docker events
nginx-letsencrypt    | Sleep for 3600s
nginx-letsencrypt    | 2017/07/03 19:14:50 Contents of /app/letsencrypt_service_data did not change. Skipping notification '/app/update_certs'
nginx-letsencrypt    | 2017/07/03 19:14:53 Received event start for container ca91608a7e3c
nginx-letsencrypt    | 2017/07/03 19:14:53 Received event start for container 34921ddf8dcc
nginx-letsencrypt    | 2017/07/03 19:15:08 Debounce minTimer fired
nginx-letsencrypt    | 2017/07/03 19:15:08 Generated '/app/letsencrypt_service_data' from 3 containers
nginx-letsencrypt    | 2017/07/03 19:15:08 Running '/app/update_certs'
nginx-letsencrypt    | Reloading nginx docker-gen (using separate container nginx-gen)...
nginx-letsencrypt    | Reloading nginx (using separate container nginx)...
nginx-letsencrypt    | Creating/renewal api.laboratorioimec.com.br certificates... (api.laboratorioimec.com.br)
nginx-letsencrypt    | 2017-07-03 19:15:09,650:INFO:simp_le:1213: Generating new account key
nginx-letsencrypt    | 2017-07-03 19:15:15,360:WARNING:simp_le:1304: api.laboratorioimec.com.br was not successfully self-verified. CA is likely to fail as well!
nginx-letsencrypt    | 2017-07-03 19:15:15,635:INFO:simp_le:1314: Generating new certificate private key
nginx-letsencrypt    | 2017-07-03 19:15:17,641:ERROR:simp_le:1272: CA marked some of the authorizations as invalid, which likely means it could not access http://example.com/.well-known/acme-challenge/X. Did you set correct path in -d example.com:path or --default_root? Is there a warning log entry about unsuccessful self-verification? Are all your domains accessible from the internet? Failing authorizations: https://acme-v01.api.letsencrypt.org/acme/authz/0x9Ne278n4l3MKpJ_DBCmTuIIH2qc_M5hCHkGeYNHJ4
nginx-letsencrypt    | Challenge validation has failed, see error log.
nginx-letsencrypt    | 
nginx-letsencrypt    | Debugging tips: -v improves output verbosity. Help is available under --help.
nginx-letsencrypt    | Creating/renewal laboratorioimec.com.br certificates... (laboratorioimec.com.br)
nginx-letsencrypt    | 2017-07-03 19:15:18,324:INFO:simp_le:1213: Generating new account key
nginx-letsencrypt    | 2017-07-03 19:15:22,717:WARNING:simp_le:1304: laboratorioimec.com.br was not successfully self-verified. CA is likely to fail as well!
nginx-letsencrypt    | 2017-07-03 19:15:22,992:INFO:simp_le:1314: Generating new certificate private key
nginx-letsencrypt    | 2017-07-03 19:15:23,450:ERROR:simp_le:1272: CA marked some of the authorizations as invalid, which likely means it could not access http://example.com/.well-known/acme-challenge/X. Did you set correct path in -d example.com:path or --default_root? Is there a warning log entry about unsuccessful self-verification? Are all your domains accessible from the internet? Failing authorizations: https://acme-v01.api.letsencrypt.org/acme/authz/DG97RDg-vDKjJ_TzrREimxn3OSyCrsFVaXH2OpXV1uk
nginx-letsencrypt    | Challenge validation has failed, see error log.
nginx-letsencrypt    | 
nginx-letsencrypt    | Debugging tips: -v improves output verbosity. Help is available under --help.
nginx-letsencrypt    | Sleep for 3600s

Activate error_log

Hello,

How can I activate, read or access the error_log? I have a 400 error and I don't know why.

Thanks

SSL Issue

Error description:

Can not get SSL to work. Using the test_start script, I've got port 80 working. When I try port 443, I get ERR_CONNECTION_REFUSED.

Steps to reproduce

Assume my domain is: devtsaw

run: ./start.sh (nginx-web, nginx-letsencrypt, and nginx-gen all running)
run: docker run -dit -e VIRTUAL_HOST=devtsaw -e LETSENCRYPT_HOST=devtsaw --network=webproxy --name test-web httpd:alpine

Expected result

When accessing http://devtsaw -> It works!
When accessing https://devtsaw -> It works!

Error result

When accessing https://devtsaw -> ERR_CONNECTION_REFUSED

Comments

Logs from nginx-letsencrypt:

2018/03/01 18:44:27 Received event start for container 7f81283b86e5
2018/03/01 18:44:42 Debounce minTimer fired
2018/03/01 18:44:42 Generated '/app/letsencrypt_service_data' from 9 containers
2018/03/01 18:44:42 Running '/app/update_certs'
/etc/nginx/certs/devtsaw /app
Creating/renewal devtsaw certificates... (devtsaw)
2018-03-01 18:44:43,175:INFO:simp_le:1538: Retrieving Let's Encrypt latest Terms of Service.
2018-03-01 18:44:44,417:INFO:simp_le:1356: Generating new account key
2018-03-01 18:44:45,200:WARNING:simp_le:1371: --email was not provided; ACME CA will have no way of contacting you.
ACME server returned an error: urn:acme:error:malformed :: The request message was malformed :: Error creating new authz :: DNS name does not have enough labels

UPDATE: My domain, devtsaw, is an internal domain to my network, and after doing some research on this error I found that letsencrypt (or any public CA) can only issue certificates for valid public domain names. So, my guess is that it is failing because my domain is not passing some validity check. What if I want it to run on a private domain and my domain doesn't have to follow the public standard?

This leads me to a new question. I can generate my own certs, so can I tell nginx to use an existing cert instead of generating one? Or, can I provide my own CA (or subordinate) to sign the generated cert?
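
The "Error 503" post above and this one both failed before any challenge could be answered: one LETSENCRYPT_HOST had a single label ("devtsaw", rejected by the CA as "DNS name does not have enough labels"), the other names were never reached over HTTP. The following is an added example, not the project's or the companion's code: a preflight check for the value you are about to put in LETSENCRYPT_HOST, written against the hostname rules a public CA applies, plus a helper that builds the http-01 URL the CA will fetch (the sample names are taken from the posts or constructed).

```shell
# Added example, not project code. Checks a LETSENCRYPT_HOST value against
# the hostname rules a public CA applies before requesting a certificate.
# check_le_host <name> -> prints "<name>: ok" and returns 0, or prints the
# reason and returns 1.
check_le_host() {
  host="$1"
  case "$host" in
    "")           echo "empty LETSENCRYPT_HOST"; return 1 ;;
    \**)          echo "$host: wildcard names cannot pass http-01 validation"; return 1 ;;
    *..*|.*|*.)   echo "$host: empty label"; return 1 ;;
    *.*)          ;;
    *)            echo "$host: DNS name does not have enough labels"; return 1 ;;
  esac
  if [ "${#host}" -gt 253 ]; then
    echo "$host: longer than 253 characters"; return 1
  fi
  # Walk the labels: letters, digits and inner hyphens only, at most 63
  # characters each.
  oldifs="$IFS"; IFS=.
  for label in $host; do
    case "$label" in
      *[!A-Za-z0-9-]*)
        IFS="$oldifs"; echo "$host: label '$label' has characters outside [A-Za-z0-9-]"; return 1 ;;
      -*|*-)
        IFS="$oldifs"; echo "$host: label '$label' starts or ends with a hyphen"; return 1 ;;
    esac
    if [ "${#label}" -gt 63 ]; then
      IFS="$oldifs"; echo "$host: label '$label' longer than 63 characters"; return 1
    fi
  done
  IFS="$oldifs"
  # Reserved suffixes never resolve on the public Internet, so the CA could
  # not reach http://<host>/.well-known/acme-challenge/<token> anyway.
  case "$host" in
    *.local|*.localhost|*.test|*.example|*.invalid)
      echo "$host: reserved suffix, a public CA will not issue for it"; return 1 ;;
  esac
  echo "$host: ok"
  return 0
}

# challenge_url <name> <token> -> the URL the CA fetches during http-01.
# The companion serves that path from the html volume the proxy shares with
# it, so this is the URL to test from outside your network.
challenge_url() {
  printf 'http://%s/.well-known/acme-challenge/%s\n' "$1" "$2"
}

# Names from the posts above plus constructed ones:
for name in devtsaw storage.toto.com api.laboratorioimec.com.br app.devtsaw.local '*.example.com'; do
  check_le_host "$name"
done
challenge_url storage.toto.com example-token
```

A name that prints "ok" can still fail validation when DNS or port 80 is not reachable from the Internet; the error lines quoted in both posts ("was not successfully self-verified", "could not access http://.../.well-known/acme-challenge/X") are the symptom of that second class of problem.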

reverse proxy: redirect with specific url

Hello again, love this tool!

May I know whether I can forward a request with specific url path to a specific container port using this git ?

E.g.
https://app.ABC.com/fileUpload => forward to port 5001 ( file_service ) to handle file upload
meanwhile
https://app.ABC.com => forward to port 5000 ( bot_service ) to do the chat

Here's my docker compose file:

services:
  bot_service:
    image: registry.gitlab.com/liquidsky/hello_bot:v1.2
    ports:
      - 5000:80
    environment:
      - PORT=80
      - ENV=development
      - DB_MONGO_HOST=mongodb_service
      - DB_MONGO_PORT=27017
      - DB_MONGO_NAME=bot_data
    depends_on:
      - mongodb_service
  file_service:
    image: registry.gitlab.com/liquidsky/hello_bot:v1.0
    ports:
      - 5001:80
    depends_on:
      - bot_service
  mongodb_service:
    image: "mongo"
    container_name: mongo

Thank you!
Thank you very much

set label

I have errors but do not know if this is linked.

The description of the letsencrypt companion says:

The "com.github.jrcs.letsencrypt_nginx_proxy_companion.docker_gen" label - set this label on the docker-gen container to tell the docker-letsencrypt-nginx-proxy-companion container to use it as the docker-gen when it's split from nginx (separate containers).

source: https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion#optional-container-environment-variables

We do not set this label. Should we?

Reboot of docker host server causes 500 gateway error

Error description:

Configured nginx and wordpress, but after rebooting the server the website cannot be shown again.
I tried restarting all containers.
What should I do?

Steps to reproduce

  1. config nginx docker
  2. config wordpress
  3. wordpress works
  4. restart server

Expected result

after reboot, nginx should work again.

Here is the log from nginx.
2017/11/19 18:56:26 [error] 7#7: *5 connect() failed (113: No route to host) while connecting to upstream, client: 192.168.1.1, server: www.sectiongo.com, request: "GET /favicon.ico HTTP/2.0", upstream: "https://172.18.0.6:443/favicon.ico", host: "www.sectiongo.com", referrer: "https://www.sectiongo.com/"
www.sectiongo.com 192.168.1.1 - - [19/Nov/2017:18:56:26 +0000] "GET /favicon.ico HTTP/2.0" 502 575 "https://www.sectiongo.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36"

Error result

Comments

'NoneType' object has no attribute 'wrapped'

2018/04/04 16:25:43 Received event start for container aaf3da298d04
2018/04/04 16:25:58 Debounce minTimer fired
2018/04/04 16:25:58 Generated '/app/letsencrypt_service_data' from 8 containers
2018/04/04 16:25:58 Running '/app/signal_le_service'
/usr/lib/python2.7/site-packages/acme/jose/jwa.py:110: CryptographyDeprecationWarning: signer and verifier have been deprecated. Please use sign and verify instead.
  signer = key.signer(self.padding, self.hash)
2018-04-04 16:26:01,395:INFO:simp_le:1479: Generating new certificate private key
2018-04-04 16:26:03,097:ERROR:simp_le:1446: CA marked some of the authorizations as invalid, which likely means it could not access http://example.com/.well-known/acme-challenge/X. Did you set correct path in -d example.com:path or --default_root? Are all your domains accessible from the internet? Please check your domains' DNS entries, your host's network/firewall setup and your webserver config. If a domain's DNS entry has both A and AAAA fields set up, some CAs such as Let's Encrypt will perform the challenge validation over IPv6. If your DNS provider does not answer correctly to CAA records request, Let's Encrypt won't issue a certificate for your domain (see https://letsencrypt.org/docs/caa/). Failing authorizations: https://acme-v01.api.letsencrypt.org/acme/authz/NauJbVSFVxZ00hja2_8Zx9ceBkZg3qBv4_9lZ6iYwsA
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/simp_le.py", line 1584, in main
    return main_with_exceptions(cli_args)
  File "/usr/lib/python2.7/site-packages/simp_le.py", line 1567, in main_with_exceptions
    persist_new_data(args, existing_data)
  File "/usr/lib/python2.7/site-packages/simp_le.py", line 1489, in persist_new_data
    account_key=client.key, key=None, cert=None, chain=None))
  File "/usr/lib/python2.7/site-packages/simp_le.py", line 1195, in persist_data
    plugin.save(new_data)
  File "/usr/lib/python2.7/site-packages/simp_le.py", line 493, in save
    key = self.dump_key(data.key)
  File "/usr/lib/python2.7/site-packages/simp_le.py", line 436, in dump_key
    return OpenSSL.crypto.dump_privatekey(self.typ, data.wrapped).strip()
AttributeError: 'NoneType' object has no attribute 'wrapped'

Unhandled error has happened, traceback is above

Always happens when deploying a Node application. All other 8 containers work normally.

version: '2'

services:
  app:
    hostname: app
    build: ./backend
    restart: on-failure
    expose:
      - '3000'
    command: sh -c "sleep 5 && npm start"
    working_dir: /app
    volumes:
    - ./backend:/app
    - /app/node_modules
    environment:
      VIRTUAL_HOST: api.example.pw
      LETSENCRYPT_HOST: api.example.pw
      LETSENCRYPT_EMAIL: [email protected]
networks:
  default:
    external:
      name: webproxy

Can't find Home dir of my Virtualhost

Error description:

Hello, where can I find the home dir of my Virtualhost, where the index.html is stored?
Really dumb question but I can't find it....

My Nginx data dir is /ngnix/data
There is a folder named html; when I place data there or create a folder named like the domain, it doesn't work...

Steps to reproduce

Expected result

Error result

Comments

Swarm mode and cross network proxy reversing

Hi,

I have a question about this setup:

  • a.example.com -> nginx (docker-nginx) (192.168.51.111) -> (resolved to external IP) 192.168.51.122

Is it possible to have cross machine proxy reversing using docker nginx proxy?

Thanks.

AH00558: httpd: Could not reliably determine the server's fully qualified domain name

Hi @evertramos

I have another problem, I think with httpd.

docker run -d -e VIRTUAL_HOST=storage.toto.com \
              -e LETSENCRYPT_HOST=storage.toto.com \
              -e [email protected] \
              --network=webproxy \
              --name my_app \
              httpd:alpine

Gives me this error in the docker container:

AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 172.26.0.2. Set the 'ServerName' directive globally to suppress this message
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 172.26.0.2. Set the 'ServerName' directive globally to suppress this message

Is it normal? How do I fix it in the case where it's not normal?
NB: Everything seems to work properly even with this error.

Why nginx.tmpl ?

Hello

I'd like to know why you went all the way to make your own version of the nginx template? I'm working on using latest nginx + jwilder docker-gen + jrcs letsencrypt on a docker swarm, and that might be a very important point for me :-)

Cheers,

Gitlab SSL error:02001002

To solve an error

gitlab_1  | ==> /var/log/gitlab/nginx/error.log <==
gitlab_1  | 2017/12/30 16:23:16 [emerg] 3606#0: BIO_new_file("/etc/gitlab/ssl/gitlab.crt") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/gitlab/ssl/gitlab.crt','r') error:2006D080:BIO routines:BIO_new_file:no such file)

add the following options into GITLAB_OMNIBUS_CONFIG

nginx['listen_port'] = 80
nginx['listen_https'] = false
nginx['proxy_set_headers'] = {
    "X-Forwarded-Proto" => "https",
    "X-Forwarded-Ssl" => "on"
}

reference

Problems with setting up an environment (Go + MongoDB + Redis)

Hello,

I am facing a problem with setting up my environment. My server is written in Golang + MongoDB + Redis and I am trying to make it work all together with your great tool.

I am also using Vsale.io (Digital Ocean analogue) as a VPS. I have cloned your repo to one folder and have other code (Go + Mongo + Redis) and different docker-compose.yml file for these containers. I have connected all of them to one network webproxy (docker network inspect shows that containers are all set), opened port :80 on Golang side but it still doesn't want to open the page even though all containers are running. Also I am using a public IP that is provided by Vsale.io in the dashboard and OS is Ubuntu 16.04.

Do you have any suggestions that I can try to fix this issue? Or maybe it would be better if I send some logs and information?

Thank you πŸ™‚


Trouble SSH proxying Apache Tomcat

Hi,
Very sorry to disturb you -- I have tried everything I can think of to get Tomcat 8 SSL-reverse-proxied and I'm hitting a brick wall here. I'm wondering if I'm missing something obvious or if there is a bug with the library now.
Steps to reproduce:

  1. Verified that I could run the following:
    docker run -it --rm -p 8888:8080 tomcat:8.0
    from here (https://hub.docker.com/_/tomcat/)
  2. Modified the running tomcat container (using the standard command sudo docker exec -i -t /bin/bash
    as follows:
    a)
    https://www.n0r1sk.com/index.php/2017/07/07/nginx-reverse-proxy-with-ssl-offloading-and-apache-tomcat-backends/
    Followed the above instructions, but changed
    <Connector port="${port.prefix}1" URIEncoding="UTF-8" executor="tomcatThreadPool" protocol="HTTP/1.1" scheme="https" secure="true" proxyPort="443" connectionTimeout="410000" />
    to
    <Connector port="8443" URIEncoding="UTF-8" executor="tomcatThreadPool" protocol="HTTP/1.1" scheme="https" secure="true" proxyPort="443" connectionTimeout="410000" />
    because the former caused Tomcat to fail to load the connector.

b) Set up an admin / manager password using the following instructions and made sure that everything worked:
https://tecadmin.net/set-admin-password-in-tomcat/

  1. Committed the tomcat container, tagging it as tomcatrunner2

  2. Created an .env file as follows:
    NGINX_FILES_PATH=/home/travistheadmin/docker-compose-letsencrypt-nginx-proxy-companion/myEnv

  3. validated that I could run the vanilla docker-compose.yml with no issues, and made sure that certificates were generated, etc.

  4. Shut down the whole service using docker-compose down

  5. edited the docker-compose.yml as follows (to include tomcatrunner2):

version: '3'
services:
  nginx:
    image: nginx
    labels:
      com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy: "true"
    container_name: nginx
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ${NGINX_FILES_PATH}/conf.d:/etc/nginx/conf.d
      - ${NGINX_FILES_PATH}/vhost.d:/etc/nginx/vhost.d
      - ${NGINX_FILES_PATH}/html:/usr/share/nginx/html
      - ${NGINX_FILES_PATH}/certs:/etc/nginx/certs:ro

  nginx-gen:
    image: jwilder/docker-gen
    command: -notify-sighup nginx -watch -wait 5s:30s /etc/docker-gen/templates/nginx.tmpl /etc/nginx/conf.d/default.conf
    container_name: nginx-gen
    restart: unless-stopped
    volumes:
      - ${NGINX_FILES_PATH}/conf.d:/etc/nginx/conf.d
      - ${NGINX_FILES_PATH}/vhost.d:/etc/nginx/vhost.d
      - ${NGINX_FILES_PATH}/html:/usr/share/nginx/html
      - ${NGINX_FILES_PATH}/certs:/etc/nginx/certs:ro
      - /var/run/docker.sock:/tmp/docker.sock:ro
      - ./nginx.tmpl:/etc/docker-gen/templates/nginx.tmpl:ro

  nginx-letsencrypt:
    image: jrcs/letsencrypt-nginx-proxy-companion
    container_name: nginx-letsencrypt
    restart: unless-stopped
    volumes:
      - ${NGINX_FILES_PATH}/conf.d:/etc/nginx/conf.d
      - ${NGINX_FILES_PATH}/vhost.d:/etc/nginx/vhost.d
      - ${NGINX_FILES_PATH}/html:/usr/share/nginx/html
      - ${NGINX_FILES_PATH}/certs:/etc/nginx/certs:rw
      - /var/run/docker.sock:/var/run/docker.sock:ro
    environment:
      NGINX_FILES_PATH: "/home/travistheadmin/docker-compose-letsencrypt-nginx-proxy-companion/myEnv"
      NGINX_DOCKER_GEN_CONTAINER: "nginx-gen"
      NGINX_PROXY_CONTAINER: "nginx"
      VIRTUAL_PORT: 443

  tomcat:
    image: 'tomcatrunner2'
    expose:
      - '443'
      - '80'
    environment:
      VIRTUAL_HOST: "www.mywebsite.com"
      VIRTUAL_PROTO: "https"
      VIRTUAL_PORT: "443"
      LETSENCRYPT_HOST: "www.mywebsite.com"
      LETSENCRYPT_EMAIL: "[email protected]"

  1. Proceeded to get a "502 Bad Gateway" error for every permutation I can think of related to the above config. The logs are as follows:
    Docker version 17.06.1-ce, build 874a737
    docker-compose version 1.15.0, build e12f3b9

NGINX (a small sample)
www.myserver.com 68.13.x.y - - [02/Sep/2017:06:58:48 +0000] "GET /favicon.ico HTTP/2.0" 502 575 "https://www.myserver.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36"
2017/09/02 06:58:48 [error] 9#9: *1 connect() failed (111: Connection refused) while connecting to upstream, client: 68.13.y.x, server: www.myserver.com, request: "GET /favicon.ico HTTP/2.0", upstream: "https://172.19.0.2:443/favicon.ico", host: "www.myserver.com", referrer: "https://www.myserver.com/"

Proxy Companion
Sleep for 3600s
2017/09/02 06:58:40 Generated '/app/letsencrypt_service_data' from 2 containers
2017/09/02 06:58:40 Running '/app/update_certs'
2017/09/02 06:58:40 Watching docker events
Reloading nginx docker-gen (using separate container nginx-gen)...
2017/09/02 06:58:40 Contents of /app/letsencrypt_service_data did not change. Skipping notification '/app/update_certs'
Reloading nginx (using separate container nginx)...
Creating/renewal www.myserver.com certificates... (www.myserver.com)
2017-09-02 06:58:41,630:INFO:simp_le:1384: Certificates already exist and renewal is not necessary, exiting with status code 1.
Sleep for 3600s

Docker Gen:
2017/09/02 06:58:40 Generated '/etc/nginx/conf.d/default.conf' from 4 containers
2017/09/02 06:58:40 Sending container 'nginx' signal '1'
2017/09/02 06:58:40 Watching docker events
2017/09/02 06:58:40 Received signal: hangup
2017/09/02 06:58:40 Contents of /etc/nginx/conf.d/default.conf did not change. Skipping notification ''
2017/09/02 06:58:40 Contents of /etc/nginx/conf.d/default.conf did not change. Skipping notification ''
2017/09/02 06:58:40 Received signal: hangup

Apache Tomcat:
02-Sep-2017 06:58:40.972 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version: Apache Tomcat/8.0.46
02-Sep-2017 06:58:40.976 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server built: Aug 10 2017 10:10:31 UTC
02-Sep-2017 06:58:40.977 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server number: 8.0.46.0
02-Sep-2017 06:58:40.977 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Name: Linux
02-Sep-2017 06:58:40.978 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Version: 4.4.0-93-generic
02-Sep-2017 06:58:40.978 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Architecture: amd64
02-Sep-2017 06:58:40.979 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Java Home: /usr/lib/jvm/java-7-openjdk-amd64/jre
02-Sep-2017 06:58:40.979 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Version: 1.7.0_151-b01
02-Sep-2017 06:58:40.980 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Vendor: Oracle Corporation
02-Sep-2017 06:58:40.980 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_BASE: /usr/local/tomcat
02-Sep-2017 06:58:40.981 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_HOME: /usr/local/tomcat
02-Sep-2017 06:58:40.981 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.config.file=/usr/local/tomcat/conf/logging.properties
02-Sep-2017 06:58:40.982 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
02-Sep-2017 06:58:40.986 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djdk.tls.ephemeralDHKeySize=2048
02-Sep-2017 06:58:40.987 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.protocol.handler.pkgs=org.apache.catalina.webresources
02-Sep-2017 06:58:40.987 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.endorsed.dirs=/usr/local/tomcat/endorsed
02-Sep-2017 06:58:40.988 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.base=/usr/local/tomcat
02-Sep-2017 06:58:40.988 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.home=/usr/local/tomcat
02-Sep-2017 06:58:40.988 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.io.tmpdir=/usr/local/tomcat/temp
02-Sep-2017 06:58:40.989 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded APR based Apache Tomcat Native library 1.2.12 using APR version 1.5.1.
02-Sep-2017 06:58:40.989 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
02-Sep-2017 06:58:40.996 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized (OpenSSL 1.1.0f 25 May 2017)
02-Sep-2017 06:58:41.288 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["http-apr-8443"]
02-Sep-2017 06:58:41.351 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["http-apr-8080"]
02-Sep-2017 06:58:41.352 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["ajp-apr-8009"]
02-Sep-2017 06:58:41.362 INFO [main] org.apache.catalina.startup.Catalina.load Initialization processed in 1949 ms
02-Sep-2017 06:58:41.535 INFO [main] org.apache.catalina.core.StandardService.startInternal Starting service Catalina
02-Sep-2017 06:58:41.550 INFO [main] org.apache.catalina.core.StandardEngine.startInternal Starting Servlet Engine: Apache Tomcat/8.0.46
02-Sep-2017 06:58:41.602 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory /usr/local/tomcat/webapps/examples
02-Sep-2017 07:05:16.208 WARNING [localhost-startStop-1] org.apache.catalina.util.SessionIdGeneratorBase.createSecureRandom Creation of SecureRandom instance for session ID generation using [SHA1PRNG] took [392,716] milliseconds.
02-Sep-2017 07:05:16.329 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory /usr/local/tomcat/webapps/examples has finished in 394,726 ms
02-Sep-2017 07:05:16.343 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory /usr/local/tomcat/webapps/ROOT
02-Sep-2017 07:05:16.394 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory /usr/local/tomcat/webapps/ROOT has finished in 51 ms
02-Sep-2017 07:05:16.394 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory /usr/local/tomcat/webapps/docs
02-Sep-2017 07:05:16.434 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory /usr/local/tomcat/webapps/docs has finished in 40 ms
02-Sep-2017 07:05:16.435 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory /usr/local/tomcat/webapps/host-manager
02-Sep-2017 07:05:16.490 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory /usr/local/tomcat/webapps/host-manager has finished in 54 ms
02-Sep-2017 07:05:16.490 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory /usr/local/tomcat/webapps/manager
02-Sep-2017 07:05:16.538 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory /usr/local/tomcat/webapps/manager has finished in 48 ms
02-Sep-2017 07:05:16.546 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-apr-8443"]
02-Sep-2017 07:05:16.604 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-apr-8080"]
02-Sep-2017 
07:05:16.665 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["ajp-apr-8009"] 02-Sep-2017 07:05:16.674 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 395311 ms

Any help you could provide in troubleshooting would be immensely appreciated.
