NGINX Docker – HTTPS Not Being Exposed Outside

Tags: docker, networking, nginx, reverse-proxy, Ubuntu

I'm trying to get Apache Guacamole and an NGINX reverse proxy set up in Docker, and having some trouble with getting an HTTPS connection to work off of NGINX (HTTP works fine). I'm teaching myself through most of this, and have tried every suggestion to try to fix similar problems, but no luck.

Right now, both containers launch perfectly fine, with no issues showing up in the reverse-proxy logs:

/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: info: Getting the checksum of /etc/nginx/conf.d/default.conf
10-listen-on-ipv6-by-default.sh: info: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
/docker-entrypoint.sh: Configuration complete; ready for start up

docker ps shows both as running, with the proper ports being exposed for the reverse proxy:

CONTAINER ID   IMAGE            COMMAND                  CREATED       STATUS       PORTS                                      NAMES
60b4f2e6c3e2   nginx:latest     "/docker-entrypoint.…"   2 hours ago   Up 2 hours   0.0.0.0:80->80/tcp, 0.0.0.0:433->433/tcp   reverse-proxy
a4c7f1fc4759   oznu/guacamole   "/init"                  2 hours ago   Up 2 hours   8080/tcp                                   guacamole

netstat -tulpn | grep LISTEN also shows the port as being exposed (and doesn't show up when the container is not running so it seems to be coming from the right spot):

tcp        0      0 0.0.0.0:5900            0.0.0.0:*               LISTEN      1391/vino-server
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      30538/docker-proxy
tcp        0      0 0.0.0.0:433             0.0.0.0:*               LISTEN      30499/docker-proxy
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      577/systemd-resolve
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      4489/sshd: /usr/sbi
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      624/cupsd
tcp6       0      0 :::5900                 :::*                    LISTEN      1391/vino-server
tcp6       0      0 :::22                   :::*                    LISTEN      4489/sshd: /usr/sbi
tcp6       0      0 ::1:631                 :::*                    LISTEN      624/cupsd

However, trying to access https://localhost or https://example.com, or even trying to nmap the machine locally or externally, shows port 80 open and port 433 closed.

Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-11 18:57 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00011s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
631/tcp  open  ipp
5900/tcp open  vnc

I have a feeling it is a networking/firewall issue somewhere, and tried following a guide to reset iptables to defaults but that did not seem to fix anything. I don't believe this should be having any impact, but the certificates are self-signed while I try to test, before getting Let's Encrypt set up. Below are my docker-compose.yml and nginx.conf.

docker-compose.yml

version: '3'

services:
  reverse-proxy:
    image: nginx:latest
    container_name: reverse-proxy
    ports:
      - 80:80
      - 433:433
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf
      - ./example.com.crt:/etc/nginx/example.com.crt
      - ./example.com.key:/etc/nginx/example.com.key
    depends_on:
      - guacamole
    restart: always
  
  guacamole:
    image: oznu/guacamole
    container_name: guacamole
    expose:
      - 8080
    volumes:
      - /home/user/guacamole:/config
    restart: always

nginx.conf

worker_processes 1;

events {
    worker_connections 1024;
}

http {
    
    server {
        listen 80;
        server_name example.com;
        return 302 https://$host$request_uri; #302 for testing purposes, will be 301 later
    }
    
    server {
        listen 433 ssl;
        server_name example.com;
        
        ssl_certificate /etc/nginx/example.com.crt;
        ssl_certificate_key /etc/nginx/example.com.key;
        
        location / {
            proxy_pass http://guacamole:8080;
            proxy_buffering off;
            proxy_http_version 1.1;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $http_connection;
            access_log off;
        }
    }
}

Thank you in advance for any help!

Best Answer

Solved it after some more troubleshooting and searching the right keywords to stumble upon this post. I was listening and forwarding 433 when HTTPS is 443, whoops. Good lesson in learning to double-check your code for errors I guess.