nginx-proxy: Running nginx and docker-gen separately not working since network compatibility change

The new nginx.tmpl analyses the jwilder/nginx-proxy container’s networks and sets upstream entries for VIRTUAL_HOSTs, if and only if they share the same network (that’s fine and nice, otherwise they would not be accessible by nginx-proxy):

upstream {{ $host }} {
{{ range $container := $containers }}
        {{ $addrLen := len $container.Addresses }}

        {{ range $knownNetwork := $CurrentContainer.Networks }}
                {{ range $containerNetwork := $container.Networks }}
                        {{ if eq $knownNetwork.Name $containerNetwork.Name }}
                               [...] YES, we are able to pass requests to this VIRTUAL_HOST
                        {{ end }}
                {{ end }}
        {{ end }}
{{ end }}

Now the problem we have when running docker-gen and nginx separately is that docker-gen is not part of the list of running containers ($CurrentContainer is null since the docker-gen container is not listed in the Context []*RuntimeContainer):

docker-compose.yml

version: '2'
services:
  proxy-gen:
    image: jwilder/docker-gen
    container_name: proxy-gen
    volumes:
      - /var/run/docker.sock:/tmp/docker.sock:ro
      - ./volumes/templates:/etc/docker-gen/templates:ro
      - ./volumes/log:/etc/docker-gen/log:rw
    command: -watch -only-exposed /etc/docker-gen/templates/debug.tmpl /etc/docker-gen/log/debug.log

debug.tmpl

{{ range $runtimeContainer := $ }}
    ID: {{ $runtimeContainer.ID }}
{{ end }}

{{ $CurrentContainer := where $ "ID" .Docker.CurrentContainerID | first }}

.Docker.CurrentContainerID: {{ .Docker.CurrentContainerID }}
CurrentContainer: {{ $CurrentContainer.Name }}

Example output:

proxy-gen    |  ID: 66d8cb1183a3d31cd62feb24fd26945e253c39839c6f4e6da8ca3356c0ea1538
proxy-gen    |  ID: 199b4a1d6f333218b0e8ee7135c0777b3d97e4c883461107ccc1e98671ae6c2e
proxy-gen    | .Docker.CurrentContainerID: 650033b370904f7f827a64b7331a8471e47194481e2ba73f674508a42722980e

.Docker.CurrentContainerID is not part of the list of all containers running (probably since it is still in the process of starting?). Consequently docker-gen will never find a common network with the VIRTUAL_HOST.

So even if we connected the docker-gen container itself to our proxy network, our VIRTUAL_HOSTs would not show up as an upstream in the nginx.conf.

Sorry for the primitive way of testing this through the debug.tmpl but I have no clue about Golang yet 😃 I think it would be important to either update the docs accordingly or implement a change. I could do that, but my ideas are really limited right now. The proxy-network needs to be defined somehow instead of taking the intersection of the proxy/docker-gen container and the VIRTUAL_HOST. I thought about a VIRTUAL_NET env variable on the VIRTUAL_HOST, but then we still cannot guarantee that the corresponding VIRTUAL_HOST is accessible from the proxy? Another way could be to tell the docker-gen container which container the actual proxy is?

Feedback and ideas welcome.

About this issue

  • State: closed
  • Created 8 years ago
  • Comments: 15
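
The network-intersection behaviour described in the issue above, as an added example that is not part of the original issue or of docker-gen's code: a small Go text/template run over constructed containers. The `Container` and `Network` types, the `Render` helper, the IDs and the IP addresses are assumptions made for illustration, and a current container that is not found is modelled as an empty value.

```go
package main

import (
	"fmt"
	"strings"
	"text/template"
)

// Simplified stand-ins for docker-gen's container data (assumed shape, constructed values).
type Network struct{ Name, IP string }
type Container struct {
	ID, Name string
	Networks []Network
}

// Same network-intersection test as the nginx.tmpl excerpt in the issue.
var upstream = template.Must(template.New("u").Parse(`upstream {{ .Host }} {
{{ range $c := .Backends }}{{ range $known := $.Current.Networks }}{{ range $n := $c.Networks }}{{ if eq $known.Name $n.Name }}    server {{ $n.IP }}:80; # {{ $c.Name }}
{{ end }}{{ end }}{{ end }}{{ end }}}`))

// Render looks up the generating container by ID, like
// `where $ "ID" .Docker.CurrentContainerID | first` in the template. A miss is
// modelled as an empty Container (assumption), so no network can ever match.
func Render(currentID string, all, backends []Container) string {
	var current Container
	for _, c := range all {
		if c.ID == currentID {
			current = c
		}
	}
	var sb strings.Builder
	data := map[string]interface{}{"Host": "my_host", "Current": current, "Backends": backends}
	if err := upstream.Execute(&sb, data); err != nil {
		panic(err)
	}
	return sb.String()
}

func main() {
	web := Container{"aaa", "webdav", []Network{{"nginx-proxy", "172.18.0.3"}}}
	db := Container{"bbb", "db", []Network{{"backend", "172.19.0.2"}}}
	gen := Container{"ccc", "nginx-gen", []Network{{"nginx-proxy", "172.18.0.4"}}}
	// Case from the issue: docker-gen's own ID is not in the container list.
	fmt.Println(Render("ccc", []Container{web, db}, []Container{web, db}))
	// docker-gen listed and joined to the proxy network: webdav becomes an upstream.
	fmt.Println(Render("ccc", []Container{web, db, gen}, []Container{web, db}))
}
```

The first call renders an empty `upstream my_host { }` block, the same symptom that appears in the generated default.conf later in the thread; the second emits a `server` line only for the backend that shares the `nginx-proxy` network.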

Most upvoted comments

@NoahO I’ve reached the same state as you. Upstream is correctly defined in the conf again, but it’s still not working… any updates wrt the letsencrypt companion example? I’m using the latest jwilder/nginx-proxy nginx.tmpl and a docker-compose entrypoint for nginx-gen of:

    entrypoint: /usr/local/bin/docker-gen -notify-sighup c-nginx -watch -wait 5s:30s /etc/docker-gen/templates/nginx.tmpl /etc/nginx/conf.d/default.conf

Edit: solved it. I had a few containers I hadn’t added to the network yet, which had empty upstream blocks. So the solution was to make sure all my containers with VIRTUAL_HOST env vars were in the same network.

The `nginx-gen` needs to join your proxy-tier network. The template is designed like that. Will add my example later, on the phone right now. Good luck!

On Mon, Jun 20, 2016 at 11:56 AM +0700, “NoahO” notifications@github.com wrote:

Sure,

Tried again today with the latest version of everything, fetched all the images again etc.

I’ve done a find and replace to change my hostname to my_host for privacy.

Appreciate the help!

    jwilder/docker-gen   latest   6b53c623237a   6 days ago    17.21 MB
    nginx                latest   0d409d33b27e   2 weeks ago   182.8 MB
    cloudesire/webdav    latest   90b56fe81cf1   9 weeks ago   202.3 MB

docker version

    Client:
     Version:      1.11.2
     API version:  1.23
     Go version:   go1.5.4
     Git commit:   b9f10c9
     Built:        Wed Jun 1 22:00:43 2016
     OS/Arch:      linux/amd64

    Server:
     Version:      1.11.2
     API version:  1.23
     Go version:   go1.5.4
     Git commit:   b9f10c9
     Built:        Wed Jun 1 22:00:43 2016
     OS/Arch:      linux/amd64

    docker-compose version 1.7.1, build 0a9ab35
    docker-py version: 1.8.1
    CPython version: 2.7.9
    OpenSSL version: OpenSSL 1.0.1e 11 Feb 2013

docker-compose.yml

    nginx:
      image: nginx
      container_name: nginx
      volumes:
        - "/etc/nginx/conf.d"
        - "/etc/nginx/vhost.d"
        - "/usr/share/nginx/html"
        - "./Data/nginx-proxy/config/certs:/etc/nginx/certs:ro"
      ports:
        - "80:80"
        - "443:443"
      networks:
        - proxy-tier

    nginx-gen:
      image: jwilder/docker-gen
      container_name: nginx-gen
      volumes:
        - "./nginx-gen/nginx.tmpl:/etc/docker-gen/templates/nginx.tmpl:ro"
        - "/var/run/docker.sock:/tmp/docker.sock:ro"
      volumes_from:
        - nginx
      entrypoint: /usr/local/bin/docker-gen -notify-sighup nginx -watch -only-exposed -wait 5s:30s /etc/docker-gen/templates/nginx.tmpl /etc/nginx/conf.d/default.conf

    letsencrypt-nginx-proxy-companion:
      image: jrcs/letsencrypt-nginx-proxy-companion
      container_name: letsencrypt-nginx-proxy-companion
      volumes_from:
        - nginx
      volumes:
        - "/var/run/docker.sock:/var/run/docker.sock:ro"
        - "./Data/nginx-proxy/config/certs:/etc/nginx/certs:rw"
      environment:
        - NGINX_DOCKER_GEN_CONTAINER=nginx-gen

    webdav:
      image: cloudesire/webdav
      volumes:
        - "./Data/webdav/config:/srv/webdav"
      expose:
        - "80"
      environment:
        - VIRTUAL_NETWORK=nginx-proxy
        - VIRTUAL_PORT=80
        - APACHE_PORT=80
      networks:
        - proxy-tier

    networks:
      proxy-tier:
        external:
          name: nginx-proxy

docker-compose.override.yml

    webdav:
      environment:
        - VIRTUAL_HOST=my_host
        - LETSENCRYPT_HOST=my_host
        - LETSENCRYPT_EMAIL=my_email

    nginx:
      volumes:
        - "./Data/nginx-proxy/config/my_host:/etc/nginx/htpasswd/my_host:ro"

docker exec -it nginx-gen cat /etc/nginx/conf.d/default.conf

    # If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
    # scheme used to connect to this server
    map $http_x_forwarded_proto $proxy_x_forwarded_proto {
      default $http_x_forwarded_proto;
      ''      $scheme;
    }
    # If we receive Upgrade, set Connection to "upgrade"; otherwise, delete any
    # Connection header that may have been passed to this server
    map $http_upgrade $proxy_connection {
      default upgrade;
      '' close;
    }
    gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
    log_format vhost '$host $remote_addr - $remote_user [$time_local] '
                     '"$request" $status $body_bytes_sent '
                     '"$http_referer" "$http_user_agent"';
    access_log off;
    # HTTP 1.1 support
    proxy_http_version 1.1;
    proxy_buffering off;
    proxy_set_header Host $http_host;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $proxy_connection;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
    server {
      server_name _; # This is just an invalid value which will never trigger on a real hostname.
      listen 80;
      access_log /var/log/nginx/access.log vhost;
      return 503;
    }
    upstream my_host {
    }
    server {
      server_name my_host;
      listen 80 ;
      access_log /var/log/nginx/access.log vhost;
      return 301 https://$host$request_uri;
    }
    server {
      server_name my_host;
      listen 443 ssl http2 ;
      access_log /var/log/nginx/access.log vhost;
      ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
      ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
      ssl_prefer_server_ciphers on;
      ssl_session_timeout 5m;
      ssl_session_cache shared:SSL:50m;
      ssl_certificate /etc/nginx/certs/my_host.crt;
      ssl_certificate_key /etc/nginx/certs/my_host.key;
      ssl_dhparam /etc/nginx/certs/my_host.dhparam.pem;
      add_header Strict-Transport-Security "max-age=31536000";
      include /etc/nginx/vhost.d/default;
      location / {
        proxy_pass http://my_host;
        auth_basic "Restricted my_host";
        auth_basic_user_file /etc/nginx/htpasswd/my_host;
      }
    }
