I managed to make it work. It's a complex issue: Cloudflare not
supporting certificates, host.docker.internal not working well on Linux,
using the NaviServer IP in the Docker config will not redirect to the
correct named server, etc. Thank you all for your help.

On Wed, Mar 6, 2024 at 4:34 PM Gustaf Neumann <neum...@wu.ac.at> wrote:

> Dear Maksym,
>
> in order to help you, I tried to mimic your configuration:
>
> - nginx running in a docker container (listening on port 1000)
> - nsd s1.com running in a docker container (listening on port 8081)
> - nsd s2.com running on the docker host (listening on port 8082, no
> container involved)
> - s1 and s2 have info.tcl installed
>
> On the docker host, I made the following tests:
> 1) request to s1.com via containerized nginx
> 2) request to s2.com via containerized nginx
> 3) direct request to s2.com
>
> All requests are made via curl.
> To me, everything looks ok. I still do not understand what you see as a
> problem.
>
> When you make a request to nginx with a host name that is neither s1.com
> nor s2.com, the first entry is chosen, and the request goes to s1.com.
> This is nginx behavior.
>
> all the best
>
> -g
>
>
> ######################## case 1 ########################
> % curl -H "Host: s1.com" http://localhost:1000/info.tcl
> Host: s1.com
> X-Real-IP: 192.168.65.1
> X-Forwarded-For: 192.168.65.1
> X-Forwarded-Proto: http
> X-Name: s1.com
> Connection: close
> User-Agent: curl/8.6.0
> Accept: */*
>
> ns_conn host: s1.com
>
>
> ######################## case 2 ########################
> % curl -H "Host: s2.com" http://localhost:1000/info.tcl
> Host: s2.com
> X-Real-IP: 192.168.65.1
> X-Forwarded-For: 192.168.65.1
> X-Forwarded-Proto: http
> X-Name: s2.com
> Connection: close
> User-Agent: curl/8.6.0
> Accept: */*
>
> ns_conn host: s2.com
>
>
> ######################## case 3 ########################
> % curl  -H "Host: s2.com" http://localhost:8082/info.tcl
> Host: s2.com
> User-Agent: curl/8.6.0
> Accept: */*
>
> ns_conn host: s2.com
>
>
> info.tcl:
> ###########################################################
> ns_return 200 text/plain [subst [ns_trim -delimiter | {
>     |[join [lmap {key value} [ns_set array [ns_conn headers]] {set _ "$key: $value\n"}] ""]
>     |
>     |ns_conn host: [ns_conn host]
> }]]
> ###########################################################
>
>
> nginx configuration:
> ###########################################################
> server {
>     listen 80;
>     server_name s1.com;
>
>     location / {
>         proxy_pass http://nsd:8081/;
>         proxy_set_header Host $host;
>         proxy_set_header X-Real-IP $remote_addr;
>         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>         proxy_set_header X-Forwarded-Proto $scheme;
>         proxy_set_header X-Name s1.com;
>     }
> }
>
> server {
>     listen 80;
>     server_name s2.com;
>
>     location / {
>         proxy_pass http://host.docker.internal:8082/;
>         proxy_set_header Host $host;
>         proxy_set_header X-Real-IP $remote_addr;
>         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>         proxy_set_header X-Forwarded-Proto $scheme;
>         proxy_set_header X-Name s2.com;
>     }
> }
> ###########################################################
>
> docker-compose.yaml
> ###########################################################
> version: '3'
>
> services:
>   nginx:
>     image: nginx:alpine
>     ports:
>       - 1000:80
>     volumes:
>       - /opt/docker/nginx/conf.d:/etc/nginx/conf.d
>     depends_on:
>       - nsd
>
>   nsd:
>     image: gustafn/naviserver:latest-alpine
>     container_name: nsd
>     restart: unless-stopped
>     command: /usr/local/ns/bin/nsd -f -t /usr/local/ns/conf/nsd-config.tcl -u nsadmin -g nsadmin
>     ports:
>       - 8081:8081
>     environment:
>       - TZ=${TZ:-Europe/Vienna}
>       - nsd_httpport=8081
>       - nsd_httpsport=
> ###########################################################
>
>
> On 05.03.24 20:25, Maksym Zinchenko wrote:
>
> Hello, no, right now I have a single nsd with many subdomain clients,
> without Docker.
>
> For example: sub1.domain.com, sub2.domain.com etc. What I want is to move
> each one of these subdomains to a separate Docker container. But I need to
> move them one by one, because I am still testing my application on Docker,
> so I want to move, for example, sub1 today and test it, next time sub2 and
> test it, and so on.
>
> While I'm working on one subdomain I still want to serve the other
> subdomains.
>
> So my idea was to move the host's nsd to other ports, 8080 and 8443, and
> install an nginx reverse proxy, so I can redirect some subdomains to the
> host's nsd and some to the dockerized nsd.
>
> Thank you
>
> On Tue, 5 Mar 2024, 18:08 Gustaf Neumann (sslmail), <neum...@wu.ac.at>
> wrote:
>
>> Hi Maksym,
>>
>> if I understand correctly, you are sending requests from the docker host
>> to a single dockerized nginx instance, which forwards these requests to a
>> single dockerized nsd backend instance. The nginx instance distinguishes
>> the incoming requests to the same port based on the host header field. And
>> the same should happen as well on the backend (nsd).
>>
>> Is this a correct understanding of your setup?
>>
>> This is somewhat unusual, since typically one uses nginx to forward
>> requests to multiple backend instances. So I am not sure why you are doing
>> this. I am not an nginx expert, but my suspicion is that one does not need
>> 2 nginx “server” definitions for this.
>>
>> The problem that you are seeing is that on the backend, you see always
>> the same host header field, which is used for virtual hosting. Correct?
>>
>> Maybe install for your backend servers the following script e.g. under
>> the name “info.tcl” and show the result of “curl -H ….” requests, and what
>> you are expecting.
>>
>> all the best
>> -g
>>
>> ns_return 200 text/plain [subst [ns_trim -delimiter | {
>>     |[join [lmap {key value} [ns_set array [ns_conn headers]] {set _ "$key: $value\n"}] ""]
>>     |
>>     |ns_conn host: [ns_conn host]
>>     |ns_conn peer: [ns_conn peeraddr]
>>     |ns_conn peer -source configured: [ns_conn peeraddr -source configured]
>>     |ns_conn peer -source direct: [ns_conn peeraddr -source direct]
>>     |ns_conn peer -source forwarded: [ns_conn peeraddr -source forwarded]
>> }]]
>>
>>
>>
>> On 04.03.2024, at 11:45, Maksym Zinchenko <siqsu...@gmail.com> wrote:
>>
>> I have a Naviserver with a couple of virtual web servers listening on a
>> single ip:port. I want to move all those virtual servers to Docker
>> containers gradually. So I'm trying to install Nginx Reverse Proxy on my
>> Docker container and configure it to redirect requests to my host
>> Naviserver.
>>
>> I've changed my Naviserver config to listen to 8080 and 8443 ports on
>> docker host gateway IP:
>>
>>> /opt/ns/bin/nsd -w -u nsadmin -t /opt/ns/conf/dz_nsd.tcl -b 172.17.0.1:8080,172.17.0.1:8443
>>
>>
>> In my Nginx config I have 2 listeners one for dev and dummy1 subdomains:
>>
>>> server {
>>>     listen 80;
>>>     server_name dev.daidze.org;
>>>
>>>     location / {
>>>         proxy_set_header X-Real-IP $remote_addr;
>>>         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>>>         proxy_set_header Host $http_host;
>>>         proxy_set_header X-Forwarded-Proto $scheme;
>>>         proxy_pass http://172.17.0.1:8080/;
>>>     }
>>> }
>>>
>>> server {
>>>     listen 443 ssl;
>>>     server_name dev.daidze.org;
>>>     ssl_certificate /opt/ns/modules/nsssl/fullchain.pem;
>>>     ssl_certificate_key  /opt/ns/modules/nsssl/privkey.pem;
>>>     ssl_prefer_server_ciphers on;
>>>
>>>     location / {
>>>         proxy_set_header X-Real-IP $remote_addr;
>>>         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>>>         proxy_set_header Host $http_host;
>>>         proxy_set_header X-Forwarded-Proto $scheme;
>>>         proxy_pass https://172.17.0.1:8443/;
>>>     }
>>> }
>>>
>>> server {
>>>     listen 80;
>>>     server_name dummy1.daidze.org;
>>>
>>>     location / {
>>>         proxy_set_header X-Real-IP $remote_addr;
>>>         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>>>         proxy_set_header Host $http_host;
>>>         proxy_set_header X-Forwarded-Proto $scheme;
>>>         proxy_pass http://172.17.0.1:8080/;
>>>     }
>>> }
>>>
>>> server {
>>>     listen 443 ssl;
>>>     server_name dummy1.daidze.org;
>>>     ssl_certificate /opt/ns/modules/nsssl/fullchain.pem;
>>>     ssl_certificate_key  /opt/ns/modules/nsssl/privkey.pem;
>>>     ssl_prefer_server_ciphers on;
>>>
>>>     location / {
>>>         proxy_set_header X-Real-IP $remote_addr;
>>>         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>>>         proxy_set_header Host $http_host;
>>>         proxy_set_header X-Forwarded-Proto $scheme;
>>>         proxy_pass https://172.17.0.1:8443/;
>>>     }
>>> }
>>
>>
>> I'm using proxy_set_header Host $http_host; to redirect the header's real
>> Host parameter to my host NaviServer installation, but I'm getting a
>> response only from the dev virtual server. It doesn't matter what URL I
>> request, dev.daidze.org or dummy1.daidze.org. Here is an example of a
>> request to https://dummy1.daidze.org/ :
>>
>> dev server
>>> X-Real-IP: 172.64.238.37
>>> X-Forwarded-For: 165.90.99.154, 172.64.238.37
>>> Host: dummy1.daidze.org
>>> X-Forwarded-Proto: https
>>> Connection: close
>>> accept-encoding: gzip, br
>>> CF-RAY: 85f13d442cd66671-MAD
>>> CF-Visitor: {"scheme":"https"}
>>> user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
>>> accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
>>> accept-language: en-US,en;q=0.5
>>> upgrade-insecure-requests: 1
>>> sec-fetch-dest: document
>>> sec-fetch-mode: navigate
>>> sec-fetch-site: none
>>> sec-fetch-user: ?1
>>> sec-gpc: 1
>>> pragma: no-cache
>>> cache-control: no-cache
>>> CF-Connecting-IP: 165.90.99.154
>>> CDN-Loop: cloudflare
>>> CF-IPCountry: CV
>>
>>
>> What am I doing wrong? According to Naviserver docs redirection is done
>> based on the content of the *host* header field. Right? So this should
>> work.
>>
>> Thank you,
>> Maksym
>> _______________________________________________
>> naviserver-devel mailing list
>> naviserver-devel@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/naviserver-devel
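
The fallback Gustaf describes, where a request whose host name matches no server_name is handled by the first server block, can be replaced by an explicit catch-all. The configuration below is an added example and not part of the thread; it reuses s1.com, s2.com and the upstreams from the quoted nginx configuration, and the default_server block is the addition.

```nginx
# Added example, not from the thread. s1.com, s2.com and both upstreams come
# from the configuration quoted above; the first server block is the addition.

# Without an explicit default_server, nginx hands any request whose Host
# matches no server_name to the first server block on the socket (s1.com).
server {
    listen 80 default_server;
    server_name _;      # placeholder name that never matches a real host
    return 444;         # nginx-specific: close the connection, send nothing
}

server {
    listen 80;
    server_name s1.com;

    location / {
        proxy_pass http://nsd:8081/;
        # $host: request host name, lowercased, port removed.
        # $http_host: the Host header exactly as the client sent it.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

server {
    listen 80;
    server_name s2.com;

    location / {
        proxy_pass http://host.docker.internal:8082/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# Check from the Docker host (port 1000 as mapped in docker-compose.yaml):
#   curl -H "Host: s1.com" http://localhost:1000/info.tcl
#       -> answered by the s1 backend
#   curl -H "Host: other.invalid" http://localhost:1000/info.tcl
#       -> curl: (52) Empty reply from server
```

With the catch-all in place, a backend only ever receives requests whose host name was listed in a server_name, so a wrong or unexpected Host header shows up at the proxy instead of being served by whichever virtual server happens to come first.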