nginx-proxy: Mac m1 Http works but https is broken?

Hi,

On http everything is fine. But on https I got this:

nginx.1     | 2021/06/20 18:51:26 [notice] 30#30: signal 17 (SIGCHLD) received from 99
nginx.1     | 2021/06/20 18:51:26 [alert] 30#30: worker process 99 exited on signal 11
nginx.1     | 2021/06/20 18:51:26 [notice] 30#30: start worker process 103
nginx.1     | 2021/06/20 18:51:26 [notice] 30#30: signal 29 (SIGIO) received
nginx.1     | 2021/06/20 18:51:26 [notice] 30#30: signal 17 (SIGCHLD) received from 100
nginx.1     | 2021/06/20 18:51:26 [alert] 30#30: worker process 100 exited on signal 11
nginx.1     | 2021/06/20 18:51:26 [notice] 30#30: start worker process 104
nginx.1     | 2021/06/20 18:51:26 [notice] 30#30: signal 29 (SIGIO) received
nginx.1     | 2021/06/20 18:51:27 [notice] 30#30: signal 17 (SIGCHLD) received from 101
nginx.1     | 2021/06/20 18:51:27 [alert] 30#30: worker process 101 exited on signal 11
nginx.1     | 2021/06/20 18:51:27 [notice] 30#30: start worker process 105
nginx.1     | 2021/06/20 18:51:27 [notice] 30#30: signal 29 (SIGIO) received
nginx.1     | 2021/06/20 18:51:27 [notice] 30#30: signal 17 (SIGCHLD) received from 102
nginx.1     | 2021/06/20 18:51:27 [alert] 30#30: worker process 102 exited on signal 11
nginx.1     | 2021/06/20 18:51:27 [notice] 30#30: start worker process 106
nginx.1     | 2021/06/20 18:51:27 [notice] 30#30: signal 29 (SIGIO) received
nginx.1     | 2021/06/20 18:51:27 [notice] 30#30: signal 17 (SIGCHLD) received from 103
nginx.1     | 2021/06/20 18:51:27 [alert] 30#30: worker process 103 exited on signal 11
nginx.1     | 2021/06/20 18:51:27 [notice] 30#30: start worker process 107
nginx.1     | 2021/06/20 18:51:27 [notice] 30#30: signal 29 (SIGIO) received
nginx.1     | 2021/06/20 18:51:28 [notice] 30#30: signal 17 (SIGCHLD) received from 104
nginx.1     | 2021/06/20 18:51:28 [alert] 30#30: worker process 104 exited on signal 11
nginx.1     | 2021/06/20 18:51:28 [notice] 30#30: start worker process 108
nginx.1     | 2021/06/20 18:51:28 [notice] 30#30: signal 29 (SIGIO) received
nginx.1     | 2021/06/20 18:51:28 [notice] 30#30: signal 17 (SIGCHLD) received from 105
nginx.1     | 2021/06/20 18:51:28 [alert] 30#30: worker process 105 exited on signal 11
nginx.1     | 2021/06/20 18:51:28 [notice] 30#30: start worker process 109
nginx.1     | 2021/06/20 18:51:28 [notice] 30#30: signal 29 (SIGIO) received

Here is the docker-compose.yml:

version: '3'
services:
  #######################################
  # Delegate requests to container via
  # Nginx reverse proxy
  #######################################
  nginx-proxy:
    container_name: nginx-proxy
    image: jwilder/nginx-proxy
    build:
      context: docker/nginx-proxy
    ports:
      - "80:80"
      - "443:443"
    networks:
      - default
    volumes:
      - /var/run/docker.sock:/tmp/docker.sock:ro
      - ./docker/nginx-proxy/nginx.tmpl:/app/nginx.tmpl:ro
      - ./docker/nginx-proxy/certs/default.key:/etc/nginx/certs/default.key:ro
      - ./docker/nginx-proxy/certs/default.crt:/etc/nginx/certs/default.crt:ro

networks:
  default:
    external:
      name: kult-dev-network
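
A way to confirm from the proxy log that this is a persistent worker crash loop rather than a one-off fault, added here as an example and not part of the original post or the nginx-proxy project. The function names, the threshold and the window are assumptions; the sample reuses lines from the log above plus one constructed clean-exit line.

```python
import re
from collections import Counter
from datetime import datetime

# Sample input: lines taken from the log in the post, plus one constructed
# "exited with code 0" line to show that clean exits are not counted.
SAMPLE_LOG = """\
nginx.1     | 2021/06/20 18:51:26 [alert] 30#30: worker process 99 exited on signal 11
nginx.1     | 2021/06/20 18:51:26 [notice] 30#30: start worker process 103
nginx.1     | 2021/06/20 18:51:27 [alert] 30#30: worker process 101 exited on signal 11
nginx.1     | 2021/06/20 18:51:27 [notice] 30#30: start worker process 105
nginx.1     | 2021/06/20 18:51:27 [alert] 30#30: worker process 103 exited on signal 11
nginx.1     | 2021/06/20 18:51:27 [notice] 30#30: start worker process 107
nginx.1     | 2021/06/20 18:51:28 [alert] 30#30: worker process 105 exited on signal 11
nginx.1     | 2021/06/20 18:51:29 [notice] 30#30: worker process 200 exited with code 0
"""

TS = r"(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[\w+\] \d+#\d+: "
EXIT_RE = re.compile(TS + r"worker process (?P<pid>\d+) exited on signal (?P<sig>\d+)")
START_RE = re.compile(TS + r"start worker process (?P<pid>\d+)")

def _ts(m):
    return datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S")

def parse_crashes(text):
    """Return (timestamp, worker_pid, signal) for each worker killed by a signal."""
    hits = (EXIT_RE.search(line) for line in text.splitlines())
    return [(_ts(m), int(m["pid"]), int(m["sig"])) for m in hits if m]

def crash_loop(crashes, threshold=3, window_s=60):
    """True when `threshold` or more signal exits fall inside one `window_s` span."""
    times = sorted(ts for ts, _, _ in crashes)
    return any((times[i + threshold - 1] - times[i]).total_seconds() <= window_s
               for i in range(len(times) - threshold + 1))

def summarize(text):
    """Count exits per signal and measure how long respawned workers survived."""
    started = {int(m["pid"]): _ts(m)
               for m in map(START_RE.search, text.splitlines()) if m}
    crashes = parse_crashes(text)
    lifetimes = {pid: (ts - started[pid]).total_seconds()
                 for ts, pid, _ in crashes if pid in started}
    return {"by_signal": dict(Counter(sig for _, _, sig in crashes)),
            "respawn_lifetimes": lifetimes,
            "crash_loop": crash_loop(crashes)}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Replacement workers that die within a second of being started, always on the same signal, point at a deterministic fault in the binary or its runtime rather than at a single bad request.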

About this issue

  • State: closed
  • Created 3 years ago
  • Comments: 17 (9 by maintainers)

Most upvoted comments

tl;dr – a possible work-around would be to use nginxproxy/nginx-proxy:alpine image instead of a debian-based one.


@buchdag sorry for the late reply, was busy week 😅

Yea, I thought about http1.1 as well, however forcing that doesn’t seem to change anything. And nginx debug mode doesn’t seem to log anything extra.

❯ curl -k --http1.1 --header 'Host: app.local' https://127.0.0.1 -vvv
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 443 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
* ALPN, server accepted to use http/1.1
* Server certificate:
* <redacted cert info> 
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: app.local
> User-Agent: curl/7.64.1
> Accept: */*
>
* Empty reply from server
* Connection #0 to host 127.0.0.1 left intact
curl: (52) Empty reply from server
* Closing connection 0

Now the interesting bit is that this doesn’t manifest if I use alpine flavour of nginx image (i.o.w. nginx:alpine)! The output looks quite close to the “broken” one:

❯ curl -k --header 'Host: app.local' https://127.0.0.1 -vvv
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
* ALPN, server accepted to use h2
* Server certificate:
*  subject: O=mkcert development certificate; OU=alex@vackerflicka (Alexei Mikhailov)
*  start date: Jul  1 13:28:53 2021 GMT
*  expire date: Oct  1 13:28:53 2023 GMT
*  issuer: O=mkcert development CA; OU=alex@vackerflicka (Alexei Mikhailov); CN=mkcert alex@vackerflicka (Alexei Mikhailov)
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x12280d600)
> GET / HTTP/2
> Host: app.local
> User-Agent: curl/7.64.1
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 200
< server: nginx/1.21.0
< date: Mon, 12 Jul 2021 08:59:21 GMT
< content-type: text/html
< content-length: 612
< last-modified: Tue, 06 Jul 2021 14:59:17 GMT
< etag: "60e46fc5-264"
< accept-ranges: bytes
< strict-transport-security: max-age=31536000
<
<!DOCTYPE html>
<...redacted standard nginx page>
* Connection #0 to host 127.0.0.1 left intact
* Closing connection 0

While researching this I’ve stumbled upon a rather old, but very similar issue in the nginx issue tracker, that claims the problem happens due to -O2 optimisation flags.

Now, looking at the nginx -V output from the docker image, it seems that it used -O2 during compilation, so that might be what’s causing this issue? And since alpine builds don’t use gcc, this doesn’t manifest?

❯ docker run nginx nginx -V
...
nginx version: nginx/1.21.1
built by gcc 8.3.0 (Debian 8.3.0-6)
built with OpenSSL 1.1.1d  10 Sep 2019
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -fdebug-prefix-map=/data/builder/debuild/nginx-1.21.1/debian/debuild-base/nginx-1.21.1=. -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'

Anyhoo, to sum up, using the alpine-based nginx-proxy build instead of the debian one solves the issue for my local env, which is good enough for me 😅

Feel free to ping me if you want to test something!

@kblcuk thanks for investigating this, seems there isn’t much we can do from this project’s end. 😒

At least the alpine based image is working. 👍

Inactive issue, closing.

Any other debug info I can provide?

I think the next step would be running the three-container setup (nginx and docker-gen in split containers) with nginx in debug mode. Do you know how to do this or do you need assistance?