I'm trying to get Apache Guacamole and an NGINX reverse proxy set up in Docker, and I'm having some trouble getting an HTTPS connection to work through NGINX (HTTP works fine). I'm teaching myself most of this, and have tried every suggestion I could find for similar problems, but no luck.
Right now, both containers launch perfectly fine, with no issues showing up in the reverse-proxy logs:
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: info: Getting the checksum of /etc/nginx/conf.d/default.conf
10-listen-on-ipv6-by-default.sh: info: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
docker ps shows both as running, with the proper ports being exposed for the reverse proxy:
CONTAINER ID   IMAGE            COMMAND                  CREATED       STATUS       PORTS                                      NAMES
60b4f2e6c3e2   nginx:latest     "/docker-entrypoint.…"   2 hours ago   Up 2 hours   0.0.0.0:80->80/tcp, 0.0.0.0:433->433/tcp   reverse-proxy
a4c7f1fc4759   oznu/guacamole   "/init"                  2 hours ago   Up 2 hours   8080/tcp                                   guacamole
netstat -tulpn | grep LISTEN also shows the port as being exposed (and it doesn't show up when the container is not running, so it seems to be coming from the right spot):
tcp        0      0 0.0.0.0:5900            0.0.0.0:*               LISTEN      1391/vino-server
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      30538/docker-proxy
tcp        0      0 0.0.0.0:433             0.0.0.0:*               LISTEN      30499/docker-proxy
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      577/systemd-resolve
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      4489/sshd: /usr/sbi
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      624/cupsd
tcp6       0      0 :::5900                 :::*                    LISTEN      1391/vino-server
tcp6       0      0 :::22                   :::*                    LISTEN      4489/sshd: /usr/sbi
tcp6       0      0 ::1:631                 :::*                    LISTEN      624/cupsd
However, trying to access https://localhost or https://example.com, or even just running nmap against the machine locally or externally, shows port 80 open and port 433 closed.
Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-11 18:57 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00011s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
631/tcp  open  ipp
5900/tcp open  vnc
I have a feeling it is a networking/firewall issue somewhere, and I tried following a guide to reset iptables to defaults, but that did not seem to fix anything. I don't believe this should have any impact, but the certificates are self-signed while I test, before I get Let's Encrypt set up. Below are my docker-compose.yml and nginx.conf.
docker-compose.yml
version: '3'
services:
  reverse-proxy:
    image: nginx:latest
    container_name: reverse-proxy
    ports:
      - 80:80
      - 433:433
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf
      - ./example.com.crt:/etc/nginx/example.com.crt
      - ./example.com.key:/etc/nginx/example.com.key
    depends_on:
      - guacamole
    restart: always
  guacamole:
    image: oznu/guacamole
    container_name: guacamole
    expose:
      - 8080
    volumes:
      - /home/user/guacamole:/config
    restart: always
nginx.conf
worker_processes 1;

events {
    worker_connections 1024;
}

http {
    server {
        listen 80;
        server_name example.com;
        return 302 https://$host$request_uri; # 302 for testing purposes, will be 301 later
    }

    server {
        listen 433 ssl;
        server_name example.com;
        ssl_certificate     /etc/nginx/example.com.crt;
        ssl_certificate_key /etc/nginx/example.com.key;

        location / {
            proxy_pass http://guacamole:8080;
            proxy_buffering off;
            proxy_http_version 1.1;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $http_connection;
            access_log off;
        }
    }
}
Thank you in advance for any help!
Best Answer
Solved it after some more troubleshooting and searching for the right keywords to stumble upon this post. I was listening on and forwarding 433 when HTTPS is 443, whoops. Good lesson in learning to double-check your code for errors, I guess.
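The mistake in the accepted answer is easy to miss because nothing complains: nginx will happily bind any port it is told to, docker-proxy will happily publish it, and only the client side (browsers and nmap defaulting to 443) disagrees. The script below is an added example, not code from the question or the answer: it writes constructed, cut-down copies of the posted docker-compose.yml and nginx.conf (keeping the 433 typo), derives corrected copies by substituting 443, and checks that the container port carrying the ssl listener is actually published on host port 443. The function names, file names and regular expressions are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): cross-check the nginx TLS listen
# port, the docker-compose host:container mapping and the standard HTTPS port.
# The config snippets are constructed copies of the posted files.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

cat >"$WORK/docker-compose.yml" <<'EOF'
version: '3'
services:
  reverse-proxy:
    image: nginx:latest
    ports:
      - 80:80
      - 433:433
EOF

cat >"$WORK/nginx.conf" <<'EOF'
http {
    server {
        listen 80;
        return 302 https://$host$request_uri;
    }
    server {
        listen 433 ssl;
        location / { proxy_pass http://guacamole:8080; }
    }
}
EOF

# Corrected copies: the same files with the typo replaced by the real HTTPS port.
sed 's/433/443/g' "$WORK/docker-compose.yml" >"$WORK/fixed-compose.yml"
sed 's/433/443/g' "$WORK/nginx.conf"          >"$WORK/fixed-nginx.conf"

# Print the container port of the first "listen <port> ssl" directive in an nginx config.
nginx_tls_port() {
    sed -n 's/^[[:space:]]*listen[[:space:]][[:space:]]*\([0-9][0-9]*\)[[:space:]][[:space:]]*ssl[[:space:];].*/\1/p' "$1" | head -n 1
}

# Print every "host:container" pair published under a compose "ports:" list.
compose_port_maps() {
    sed -n 's/^[[:space:]]*-[[:space:]]*"\{0,1\}\([0-9][0-9]*\):\([0-9][0-9]*\)"\{0,1\}.*/\1:\2/p' "$1"
}

# Usage: check_https_wiring <docker-compose.yml> <nginx.conf>
# Returns 0 when host port 443 is mapped to the container port that nginx
# serves TLS on, 1 (with a one-line explanation) otherwise.
check_https_wiring() {
    tls="$(nginx_tls_port "$2")"
    if [ -z "$tls" ]; then
        echo "no 'listen <port> ssl' directive found in $2"
        return 1
    fi
    maps="$(compose_port_maps "$1")"
    if printf '%s\n' "$maps" | grep -qx "443:$tls"; then
        echo "ok: host 443 -> container $tls (ssl)"
        return 0
    fi
    echo "TLS listener is on container port $tls, but host port 443 is not mapped to it (published: $(printf '%s ' $maps))"
    return 1
}

# The posted files fail the check; the corrected copies pass it.
check_https_wiring "$WORK/docker-compose.yml" "$WORK/nginx.conf" || true
check_https_wiring "$WORK/fixed-compose.yml" "$WORK/fixed-nginx.conf"
```

The same discrepancy is already visible in the question's own output: docker ps shows 0.0.0.0:433->433/tcp and netstat shows docker-proxy on 433, while the browser and nmap are looking at 443. A quick end-to-end confirmation once the mapping is corrected is to connect with openssl s_client -connect localhost:443 and check that the self-signed certificate is returned.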