cannot load certificate, Expecting: TRUSTED CERTIFICATE #2287
Comments
Hello, I am currently encountering the same issue: 2023/08/21 15:31:51 [error] 40#40: *22 cannot load certificate "data:": PEM_read_bio_X509_AUX() failed (SSL: error:0480006C:PEM routines::no start line:Expecting: TRUSTED CERTIFICATE) while SSL handshaking, client: 10.170.78.215, server: 0.0.0.0:443 |
I tested some images and I found that all the new images built after 1.2-alpine don't work. |
Can confirm that release 1.3.1 has this behaviour, while release 1.3.0 does not. -- Correction -- |
Found a workaround, which does not correspond to what the README states. If you name the crt and key files as "default.crt" or "default.key" as per https://github.com/nginx-proxy/nginx-proxy/blob/main/nginx.tmpl#L14C77-L14C77, it seems to work fine with the latest version. So, either fix the template or update the README. |
I ran into this as well. Creating a default.crt and default.key fixed the issue. |
Would this solution still support multiple virtual hosts with ssl? What's the latest version that doesn't have the issue? I'm running into the same problem, thanks! |
I have the same issue with the latest version. Unfortunately using the |
HINT: Apparently I did something wrong in the first place. With
it worked. |
I've been unable to reproduce this, I've never had the issue with Let's Encrypt or ZeroSSL certificates, and I'm not certain what the issue is here. This error ( @osnard do you remember what command you used in the first place to produce the non working cert ? |
Hi all, using version 1.3.0 worked. |
I've encountered the same error while trying to use a regular expression in the host together with a wildcard certificate, with the example compose file being below. So, if I tried to enter a non-regular-expression host (for example latest-dap.localhost.markoivancic.from.hr), it worked. If I tried to enter a regular-expression host (for example abc-latest-dap.localhost.markoivancic.from.hr), it would error out with "Expecting: TRUSTED CERTIFICATE". The solution which worked for me was to explicitly set the shared cert with the CERT_NAME environment variable.

services:
  nginx-proxy:
    restart: always
    image: nginxproxy/nginx-proxy:latest
    ports:
      - 80:80
      - 443:443
    environment:
      DEFAULT_HOST: localhost.markoivancic.from.hr
    volumes:
      - ./nginx-proxy/certs:/etc/nginx/certs
      - /var/run/docker.sock:/tmp/docker.sock:ro
  08.dap.test:
    image: cicnavi/dap:08
    container_name: 08.dap.test
    restart: unless-stopped
    expose:
      - 80
      - 443
    user: ${CONTAINER_USER_ID}
    environment:
      VIRTUAL_HOST: >-
        localhost.markoivancic.from.hr,
        08.dap.test,
        latest-dap.localhost.markoivancic.from.hr,
        ~^.+-latest-dap\.localhost\.markoivancic\.from\.hr$,
        08-dap.localhost.markoivancic.from.hr,
        ~^.+-08-dap\.localhost\.markoivancic\.from\.hr$
      CERT_NAME: localhost.markoivancic.from.hr
      HTTPS_METHOD: noredirect
    volumes:
      - "./dap/08/html:/var/www/html" |
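The two workarounds reported so far (naming the files default.crt/default.key, and setting CERT_NAME for a regex VIRTUAL_HOST) are two routes through the same file-name lookup. The resolver below is an added example, not nginx-proxy's template code: it re-implements the lookup order the README documents (CERT_NAME first, then `<host>.crt`, then the parent-domain file such as `bar.com.crt` for `foo.bar.com`, then `default.crt`) and shows why a regex host, which is not a file name, can only be served through CERT_NAME or the default pair. Two details are assumptions rather than verified template behaviour and are marked as such in the code: that the parent-domain walk continues label by label, and that a candidate only counts when both its .crt and .key exist. The sample directory is constructed with placeholder contents. The `"data:"` in the first log line above is nginx's inline-certificate syntax with nothing after it, which is what an unresolved lookup looks like once the generated config reaches nginx.

```python
"""Which certificate file nginx-proxy would pick for a VIRTUAL_HOST entry.

Added example, not nginx-proxy's template code. The order follows the
README: CERT_NAME first, then <host>.crt, then the parent-domain file
(foo.bar.com -> bar.com.crt), then default.crt. Assumptions: the parent
walk continues label by label down to the two-label domain, and a
candidate counts only when both its .crt and .key exist.
"""
import os
import tempfile
from typing import Dict, List, Optional


def candidates_for(host: str, cert_name: Optional[str] = None) -> List[str]:
    """Ordered basenames (without extension) tried for one host entry."""
    names: List[str] = []
    if cert_name:
        names.append(cert_name)                       # CERT_NAME always wins
    if not host.startswith("~"):
        labels = host.split(".")
        for i in range(len(labels) - 1):              # assumption: keep stripping labels
            names.append(".".join(labels[i:]))        # foo.bar.com, then bar.com
    # A regex host (~^.+-dap\.example\.com$) is not a file name, so it gets
    # nothing from the walk above and can only be served via CERT_NAME or default.
    names.append("default")
    return names


def resolve_cert(certs_dir: str, host: str, cert_name: Optional[str] = None) -> Optional[str]:
    """Basename handed to ssl_certificate/ssl_certificate_key, or None.

    None is the state behind the thread's error: the https server block
    ends up with no loadable certificate, which nginx reports at startup.
    """
    for name in candidates_for(host, cert_name):
        crt = os.path.join(certs_dir, name + ".crt")
        key = os.path.join(certs_dir, name + ".key")
        if os.path.isfile(crt) and os.path.isfile(key):   # isfile follows symlinks,
            return name                                    # so a dangling link never matches
    return None


def resolve_all(certs_dir: str, virtual_host: str, cert_name: Optional[str] = None) -> Dict[str, Optional[str]]:
    """Apply resolve_cert to a comma-separated VIRTUAL_HOST value."""
    hosts = [h.strip() for h in virtual_host.split(",") if h.strip()]
    return {h: resolve_cert(certs_dir, h, cert_name) for h in hosts}


def build_sample_dir() -> str:
    """Constructed layout with placeholder contents (not real certificates)."""
    d = tempfile.mkdtemp(prefix="certs-")
    for name in ("example.com.crt", "example.com.key", "api.example.com.crt"):
        with open(os.path.join(d, name), "w") as fh:
            fh.write("placeholder\n")                     # api.example.com has no .key
    # certbot-style symlinks whose targets are not inside the mount
    os.symlink("/nonexistent/fullchain.pem", os.path.join(d, "www.example.com.crt"))
    os.symlink("/nonexistent/privkey.pem", os.path.join(d, "www.example.com.key"))
    return d


if __name__ == "__main__":
    certs = build_sample_dir()
    vhost = "example.com, www.example.com, api.example.com, ~^.+-dap\\.example\\.com$"
    print(resolve_all(certs, vhost))                      # regex host -> None
    print(resolve_all(certs, vhost, cert_name="example.com"))
```

Run it against a copy of your real certs directory (replace `build_sample_dir()` with the path) and every host that resolves to None is one that will produce the "cannot load certificate" line once the container starts.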
I generated my self-signed certificate using |
Was there a resolution to this? Seeing
with nginx-proxy:1.4. The certs are generated with certbot on the host machine and volume mapped with container.
|
@postelrich unfortunately there wasn't really any reproducible bug identified yet, see #2287 (comment). That probably won't change until someone provides a config and a non-redacted, non-production and disposable cert/key pair (or the full command to generate one) that allows reproducing the issue. |
@buchdag after looking further, my issue is that nginx-proxy is not picking up the ssl cert/key no matter what naming I try. If I exec into the container, I can see the ssl configs are missing. If I manually add them in for the upstream server, it works. |
Could you:
? My guess at this point would be that you are mounting a host symlink inside the container. |
@buchdag it was a symlink since I'm using certbot. I think in my various attempts to get this working, I forgot that when I hardcoded I had mounted the linked directory too. Copying the generated pem files instead of symlinking to |
Glad you found the issue 👍 If I had to use certbot with nginx-proxy I think I would use the post renewal hook to put the certificates where they should be (with the correct name) and trigger docker-gen and/or reload the nginx config. The recommended way to get TLS certificate from an ACME CA with nginx-proxy is still to use nginx-proxy/acme-companion. |
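The post-renewal hook suggested above, written out as an added example (this is not nginx-proxy's or acme-companion's code). It copies the targets of certbot's `live/` symlinks, which is exactly the trap from the previous comments, into flat `<domain>.crt`/`<domain>.key` files under the directory nginx-proxy reads, checks that each file actually carries a PEM block before it replaces anything, swaps the files in atomically, and then reloads nginx inside the container, since nginx-proxy regenerates its config on Docker events and not on file changes. certbot really does pass `RENEWED_LINEAGE` and `RENEWED_DOMAINS` to deploy hooks; the host certs path `/root/nginx-proxy/certs` and the container name `nginx-proxy` are assumptions that can be overridden through the environment. The lineage used by `demo()` is constructed with placeholder PEM, not real key material.

```python
#!/usr/bin/env python3
"""certbot deploy hook that installs renewed certificates for nginx-proxy.

Added example, not part of nginx-proxy or acme-companion. certbot passes
RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/example.com) and
RENEWED_DOMAINS to deploy hooks. The host certs directory and the
container name are assumptions, overridable through the environment.
"""
import os
import shutil
import subprocess
import sys
import tempfile
from typing import List

# Assumed: the host directory bind-mounted at /etc/nginx/certs, and the container name.
CERTS_DIR = os.environ.get("NGINX_PROXY_CERTS_DIR", "/root/nginx-proxy/certs")
CONTAINER = os.environ.get("NGINX_PROXY_CONTAINER", "nginx-proxy")


def has_pem_block(path: str, label_suffix: str) -> bool:
    """True if path holds a '-----BEGIN ...<label_suffix>-----' line (follows symlinks)."""
    if not os.path.isfile(path):                     # isfile is False for a dangling link
        return False
    want = label_suffix.encode() + b"-----"
    with open(path, "rb") as fh:
        return any(ln.startswith(b"-----BEGIN ") and ln.rstrip().endswith(want) for ln in fh)


def install_file(src: str, dst: str, mode: int) -> None:
    """Copy the target of src (live/ entries are symlinks) into dst atomically."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(dst), prefix="." + os.path.basename(dst) + ".")
    try:
        with os.fdopen(fd, "wb") as out, open(src, "rb") as inp:   # open() dereferences
            shutil.copyfileobj(inp, out)
        os.chmod(tmp, mode)
        os.replace(tmp, dst)     # atomic rename: nginx never reads a half-written file
    except BaseException:
        os.unlink(tmp)
        raise


def install_cert(domain: str, lineage: str, certs_dir: str) -> List[str]:
    """Install <lineage>/fullchain.pem and privkey.pem as <domain>.crt and .key.

    A leading '*.' is dropped: nginx-proxy names a wildcard certificate
    after the parent domain (bar.com.crt serves foo.bar.com).
    """
    name = domain[2:] if domain.startswith("*.") else domain
    src_crt, src_key = os.path.join(lineage, "fullchain.pem"), os.path.join(lineage, "privkey.pem")
    if not (has_pem_block(src_crt, "CERTIFICATE") and has_pem_block(src_key, "PRIVATE KEY")):
        raise ValueError(f"{lineage}: fullchain.pem/privkey.pem missing or not PEM")
    os.makedirs(certs_dir, exist_ok=True)
    dst_crt, dst_key = os.path.join(certs_dir, name + ".crt"), os.path.join(certs_dir, name + ".key")
    install_file(src_crt, dst_crt, 0o644)
    install_file(src_key, dst_key, 0o600)   # same 0600 root-owned key as the working 1.2 setup in this thread
    return [dst_crt, dst_key]


def reload_proxy(container: str = CONTAINER) -> int:
    """nginx-proxy regenerates on Docker events, not on file changes: reload nginx explicitly."""
    return subprocess.call(["docker", "exec", container, "nginx", "-s", "reload"])


def build_sample_lineage() -> str:
    """Constructed stand-in for /etc/letsencrypt/live/<name> (placeholder PEM, no real key)."""
    root = tempfile.mkdtemp(prefix="letsencrypt-")
    archive, live = os.path.join(root, "archive"), os.path.join(root, "live")
    os.makedirs(archive)
    os.makedirs(live)
    for real, link, label in (("fullchain1.pem", "fullchain.pem", "CERTIFICATE"),
                              ("privkey1.pem", "privkey.pem", "PRIVATE KEY")):
        with open(os.path.join(archive, real), "w") as fh:
            fh.write(f"-----BEGIN {label}-----\nMAMCAQE=\n-----END {label}-----\n")
        os.symlink(os.path.join("..", "archive", real), os.path.join(live, link))  # certbot layout
    return live


def demo() -> dict:
    """Run the hook against the constructed lineage and report what landed on disk."""
    paths = install_cert("*.example.com", build_sample_lineage(), tempfile.mkdtemp(prefix="certs-"))
    return {"names": [os.path.basename(p) for p in paths],
            "symlinks": [os.path.islink(p) for p in paths],
            "modes": [oct(os.stat(p).st_mode & 0o777) for p in paths],
            "pem_ok": [has_pem_block(paths[0], "CERTIFICATE"), has_pem_block(paths[1], "PRIVATE KEY")]}


if __name__ == "__main__":
    lineage = os.environ.get("RENEWED_LINEAGE")
    if not lineage:
        sys.exit("usage: certbot renew --deploy-hook /path/to/this/script")
    for d in os.environ.get("RENEWED_DOMAINS", "").split():
        print("installed", install_cert(d, lineage, CERTS_DIR))
    sys.exit(reload_proxy())
```

Register it with `certbot renew --deploy-hook /path/to/this/script` (or drop it in `/etc/letsencrypt/renewal-hooks/deploy/`); the ACME challenge itself is unchanged, so this only helps where certbot already works on the host, which is why the companion container remains the recommended route.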
@buchdag yea I tried acme-companion first but these sites are LAN only so couldn't do http challenge. |
I'm wondering if the network mode is part of the problem. In the original issue the network mode is host, which I believe binds the container to the host machine's IP address. I'm having a similar issue when using the driver_opts key in my networks definition where I have this:

networks:
  app-tier:
    ipam:
      config:
        - subnet: 192.168.100.0/24
    driver_opts:
      # This binds this network's ports to the ip address defined by the BIND_IP
      # environment variable.
      com.docker.network.bridge.host_binding_ipv4: ${BIND_IP}

The error in the logs shows that the proxy server upstream cannot get the value of "data(): 0.0.0.0:443" or something similar. The cert is included in the container in the appropriate location. Maybe this is something to check out? I have nearly identical setups in local and testing setups, with this binding being the main difference. Only this setup produces the errors. Note: I'm currently using version 1.5.1 |
I was able to resolve this issue using the
as @r14c recommended. I also used the

version: '3.8'
services:
  nginx:
    image: nginxproxy/nginx-proxy:1.5-alpine
    volumes:
      - ./certs:/etc/nginx/certs:ro
      - /var/run/docker.sock:/tmp/docker.sock:ro
    restart: unless-stopped
    ports:
      - 80:80
      - 443:443
    networks:
      mgmt-vlan:
        ipv4_address: 10.0.10.225
  home-assistant:
    image: homeassistant/home-assistant:2024.3
    volumes:
      - ./homeassistant-config/config:/config
    environment:
      - VIRTUAL_HOST=home.something.com
      - CERT_NAME=home.something.com
    restart: unless-stopped
    ports:
      - 8123:8123
    networks:
      mgmt-vlan:
        ipv4_address: 10.0.10.226
  traccar:
    image: traccar/traccar:6.2-alpine
    volumes:
      - ./traccar/logs:/opt/traccar/logs:rw
      - ./traccar/traccar.xml:/opt/traccar/conf/traccar.xml:ro
      - ./traccar/data:/opt/traccar/data:rw
    environment:
      #- VIRTUAL_HOST=traccar.something.com
      - CERT_NAME=traccar.something.com
      - |
        VIRTUAL_HOST_MULTIPORTS=
        {
          "traccar.something.com": {
            "/": { "port": 8082, "dest": "" },
            "/osmand": { "port": 5055, "dest": "/" }
          }
        }
    restart: unless-stopped
    ports:
      - 80:8082
      - 5055:5055
      # - 5000-5150:5000-5150/udp
    networks:
      mgmt-vlan:
        ipv4_address: 10.0.10.227
    depends_on:
      - traccar-db
  traccar-db:
    image: postgres:16.3-alpine3.20
    volumes:
      - type: volume
        source: traccar-db-data
        target: /var/lib/postgresql/data
    networks:
      mgmt-vlan:
        ipv4_address: 10.0.10.228
    environment:
      POSTGRES_USER: traccar
      POSTGRES_PASSWORD: traccar
      POSTGRES_DB: traccar
volumes:
  ho-db-data: null
  traccar-db-data: null
networks:
  mgmt-vlan:
    driver: macvlan
    driver_opts:
      parent: br-mgmtdocker
    ipam:
      config:
        - subnet: 10.0.10.224/28
          gateway: 10.0.10.238 |
Hi, I am using Go to the Docker Desktop Terminal on the
Some of my local certificates could not be displayed because of access permissions. By adding read access for the group (
Hope this helps someone else. |
I had a similar issue when trying to use the VIRTUAL_HOST_MULTIPORTS config. It seems there is an issue when trying to parse the YAML from the docs. When I switched to JSON, everything started working as expected. |
Can confirm! Just hit the same issue in prod. Certs generated by certbot, been working for at least 18 months. To "resolve" -- tested with
And anything newer than 1.2 yields
Certificates created with certbot and renewed with
openssl versions as follows:
And all the versions are reading the certificate just fine:
Or at least do not seem to be disliking anything about it. |
@teodoryantcheff would you be able to test more specifically with |
@buchdag, this is from a working nginx-proxy container running
note: I'll be able to test the versions you asked for tomorrow and will send you the results.
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;
events {
worker_connections 10240;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
#gzip on;
include /etc/nginx/conf.d/*.conf;
}
daemon off;
# configuration file /etc/nginx/mime.types:
types {
text/html html htm shtml;
text/css css;
text/xml xml;
image/gif gif;
image/jpeg jpeg jpg;
application/javascript js;
application/atom+xml atom;
application/rss+xml rss;
text/mathml mml;
text/plain txt;
text/vnd.sun.j2me.app-descriptor jad;
text/vnd.wap.wml wml;
text/x-component htc;
image/avif avif;
image/png png;
image/svg+xml svg svgz;
image/tiff tif tiff;
image/vnd.wap.wbmp wbmp;
image/webp webp;
image/x-icon ico;
image/x-jng jng;
image/x-ms-bmp bmp;
font/woff woff;
font/woff2 woff2;
application/java-archive jar war ear;
application/json json;
application/mac-binhex40 hqx;
application/msword doc;
application/pdf pdf;
application/postscript ps eps ai;
application/rtf rtf;
application/vnd.apple.mpegurl m3u8;
application/vnd.google-earth.kml+xml kml;
application/vnd.google-earth.kmz kmz;
application/vnd.ms-excel xls;
application/vnd.ms-fontobject eot;
application/vnd.ms-powerpoint ppt;
application/vnd.oasis.opendocument.graphics odg;
application/vnd.oasis.opendocument.presentation odp;
application/vnd.oasis.opendocument.spreadsheet ods;
application/vnd.oasis.opendocument.text odt;
application/vnd.openxmlformats-officedocument.presentationml.presentation
pptx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
xlsx;
application/vnd.openxmlformats-officedocument.wordprocessingml.document
docx;
application/vnd.wap.wmlc wmlc;
application/wasm wasm;
application/x-7z-compressed 7z;
application/x-cocoa cco;
application/x-java-archive-diff jardiff;
application/x-java-jnlp-file jnlp;
application/x-makeself run;
application/x-perl pl pm;
application/x-pilot prc pdb;
application/x-rar-compressed rar;
application/x-redhat-package-manager rpm;
application/x-sea sea;
application/x-shockwave-flash swf;
application/x-stuffit sit;
application/x-tcl tcl tk;
application/x-x509-ca-cert der pem crt;
application/x-xpinstall xpi;
application/xhtml+xml xhtml;
application/xspf+xml xspf;
application/zip zip;
application/octet-stream bin exe dll;
application/octet-stream deb;
application/octet-stream dmg;
application/octet-stream iso img;
application/octet-stream msi msp msm;
audio/midi mid midi kar;
audio/mpeg mp3;
audio/ogg ogg;
audio/x-m4a m4a;
audio/x-realaudio ra;
video/3gpp 3gpp 3gp;
video/mp2t ts;
video/mp4 mp4;
video/mpeg mpeg mpg;
video/quicktime mov;
video/webm webm;
video/x-flv flv;
video/x-m4v m4v;
video/x-mng mng;
video/x-ms-asf asx asf;
video/x-ms-wmv wmv;
video/x-msvideo avi;
}
# configuration file /etc/nginx/conf.d/config_additional.conf:
client_max_body_size 25m;
# To prevent error "upstream sent too big header while reading response header from upstream"
# https://www.getpagespeed.com/server-setup/nginx/tuning-proxy_buffer_size-in-nginx
proxy_buffer_size 16k;
proxy_buffers 8 16k;
proxy_busy_buffers_size 16k;
# For large cookies
large_client_header_buffers 4 16k;
# configuration file /etc/nginx/conf.d/default.conf:
# nginx-proxy version : 1.2.3
# Networks available to the container running docker-gen (which are assumed to
# match the networks available to the container running nginx):
# nginx-proxy
# If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
# scheme used to connect to this server
map $http_x_forwarded_proto $proxy_x_forwarded_proto {
default $http_x_forwarded_proto;
'' $scheme;
}
map $http_x_forwarded_host $proxy_x_forwarded_host {
default $http_x_forwarded_host;
'' $http_host;
}
# If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
# server port the client connected to
map $http_x_forwarded_port $proxy_x_forwarded_port {
default $http_x_forwarded_port;
'' $server_port;
}
# If we receive Upgrade, set Connection to "upgrade"; otherwise, preserve
# NGINX's default behavior ("Connection: close").
map $http_upgrade $proxy_connection {
default upgrade;
'' close;
}
# Apply fix for very long server names
server_names_hash_bucket_size 128;
# Default dhparam
ssl_dhparam /etc/nginx/dhparam/dhparam.pem;
# Set appropriate X-Forwarded-Ssl header based on $proxy_x_forwarded_proto
map $proxy_x_forwarded_proto $proxy_x_forwarded_ssl {
default off;
https on;
}
gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
log_format vhost '$host $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$upstream_addr"';
access_log off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers off;
error_log /dev/stderr;
resolver 127.0.0.11;
# HTTP 1.1 support
proxy_http_version 1.1;
proxy_buffering off;
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $proxy_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $proxy_x_forwarded_host;
proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
proxy_set_header X-Original-URI $request_uri;
# Mitigate httpoxy attack (see README for details)
proxy_set_header Proxy "";
server {
server_name _; # This is just an invalid value which will never trigger on a real hostname.
server_tokens off;
listen 80;
listen [::]:80;
access_log /var/log/nginx/access.log vhost;
return 503;
}
# checkout.hui_site.com/
upstream checkout.hui_site.com {
# Container: sgt-checkout-container-production-c5037e
# networks:
# nginx-proxy (reachable)
# IP address: 172.18.0.7
# exposed ports: 8080/tcp
# default port: 8080
# using port: 8080
server 172.18.0.7:8080;
}
server {
server_name checkout.hui_site.com;
listen 80 ;
listen [::]:80 ;
access_log /var/log/nginx/access.log vhost;
# Do not HTTPS redirect Let's Encrypt ACME challenge
location ^~ /.well-known/acme-challenge/ {
auth_basic off;
auth_request off;
allow all;
root /usr/share/nginx/html;
try_files $uri =404;
break;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
server_name checkout.hui_site.com;
access_log /var/log/nginx/access.log vhost;
listen 443 ssl http2 ;
listen [::]:443 ssl http2 ;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_certificate /etc/nginx/certs/hui_site.com.crt;
ssl_certificate_key /etc/nginx/certs/hui_site.com.key;
set $sts_header "";
if ($https) {
set $sts_header "max-age=31536000";
}
add_header Strict-Transport-Security $sts_header always;
location / {
proxy_pass http://checkout.hui_site.com;
}
}
# freight-manager.hui_site.com/
upstream freight-manager.hui_site.com {
# Container: fm-container-production-2ec02e
# networks:
# nginx-proxy (reachable)
# IP address: 172.18.0.8
# exposed ports: 8080/tcp
# default port: 8080
# using port: 8080
server 172.18.0.8:8080;
}
server {
server_name freight-manager.hui_site.com;
listen 80 ;
listen [::]:80 ;
access_log /var/log/nginx/access.log vhost;
# Do not HTTPS redirect Let's Encrypt ACME challenge
location ^~ /.well-known/acme-challenge/ {
auth_basic off;
auth_request off;
allow all;
root /usr/share/nginx/html;
try_files $uri =404;
break;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
server_name freight-manager.hui_site.com;
access_log /var/log/nginx/access.log vhost;
listen 443 ssl http2 ;
listen [::]:443 ssl http2 ;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_certificate /etc/nginx/certs/hui_site.com.crt;
ssl_certificate_key /etc/nginx/certs/hui_site.com.key;
set $sts_header "";
if ($https) {
set $sts_header "max-age=31536000";
}
add_header Strict-Transport-Security $sts_header always;
location / {
proxy_pass http://freight-manager.hui_site.com;
}
}
# infisical.hui_site.com/
upstream infisical.hui_site.com {
# Container: infisical
# networks:
# nginx-proxy (reachable)
# postgres (unreachable)
# IP address: 172.18.0.4
# exposed ports: 443/tcp 8080/tcp
# default port: 80
# using port: 8080
server 172.18.0.4:8080;
}
server {
server_name infisical.hui_site.com;
listen 80 ;
listen [::]:80 ;
access_log /var/log/nginx/access.log vhost;
# Do not HTTPS redirect Let's Encrypt ACME challenge
location ^~ /.well-known/acme-challenge/ {
auth_basic off;
auth_request off;
allow all;
root /usr/share/nginx/html;
try_files $uri =404;
break;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
server_name infisical.hui_site.com;
access_log /var/log/nginx/access.log vhost;
listen 443 ssl http2 ;
listen [::]:443 ssl http2 ;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_certificate /etc/nginx/certs/hui_site.com.crt;
ssl_certificate_key /etc/nginx/certs/hui_site.com.key;
set $sts_header "";
if ($https) {
set $sts_header "max-age=31536000";
}
add_header Strict-Transport-Security $sts_header always;
location / {
proxy_pass http://infisical.hui_site.com;
}
}
# production-2ec02e-freight-manager.hui_site.com/
upstream production-2ec02e-freight-manager.hui_site.com {
# Container: fm-container-production-2ec02e
# networks:
# nginx-proxy (reachable)
# IP address: 172.18.0.8
# exposed ports: 8080/tcp
# default port: 8080
# using port: 8080
server 172.18.0.8:8080;
}
server {
server_name production-2ec02e-freight-manager.hui_site.com;
listen 80 ;
listen [::]:80 ;
access_log /var/log/nginx/access.log vhost;
# Do not HTTPS redirect Let's Encrypt ACME challenge
location ^~ /.well-known/acme-challenge/ {
auth_basic off;
auth_request off;
allow all;
root /usr/share/nginx/html;
try_files $uri =404;
break;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
server_name production-2ec02e-freight-manager.hui_site.com;
access_log /var/log/nginx/access.log vhost;
listen 443 ssl http2 ;
listen [::]:443 ssl http2 ;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_certificate /etc/nginx/certs/hui_site.com.crt;
ssl_certificate_key /etc/nginx/certs/hui_site.com.key;
set $sts_header "";
if ($https) {
set $sts_header "max-age=31536000";
}
add_header Strict-Transport-Security $sts_header always;
location / {
proxy_pass http://production-2ec02e-freight-manager.hui_site.com;
}
}
# production-c5037e-sgt-checkout.hui_site.com/
upstream production-c5037e-sgt-checkout.hui_site.com {
# Container: sgt-checkout-container-production-c5037e
# networks:
# nginx-proxy (reachable)
# IP address: 172.18.0.7
# exposed ports: 8080/tcp
# default port: 8080
# using port: 8080
server 172.18.0.7:8080;
}
server {
server_name production-c5037e-sgt-checkout.hui_site.com;
listen 80 ;
listen [::]:80 ;
access_log /var/log/nginx/access.log vhost;
# Do not HTTPS redirect Let's Encrypt ACME challenge
location ^~ /.well-known/acme-challenge/ {
auth_basic off;
auth_request off;
allow all;
root /usr/share/nginx/html;
try_files $uri =404;
break;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
server_name production-c5037e-sgt-checkout.hui_site.com;
access_log /var/log/nginx/access.log vhost;
listen 443 ssl http2 ;
listen [::]:443 ssl http2 ;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_certificate /etc/nginx/certs/hui_site.com.crt;
ssl_certificate_key /etc/nginx/certs/hui_site.com.key;
set $sts_header "";
if ($https) {
set $sts_header "max-age=31536000";
}
add_header Strict-Transport-Security $sts_header always;
location / {
proxy_pass http://production-c5037e-sgt-checkout.hui_site.com;
}
}
# staging-2f8170-freight-manager.hui_site.com/
upstream staging-2f8170-freight-manager.hui_site.com {
# Container: fm-container-staging-2f8170
# networks:
# nginx-proxy (reachable)
# IP address: 172.18.0.6
# exposed ports: 8080/tcp
# default port: 8080
# using port: 8080
server 172.18.0.6:8080;
}
server {
server_name staging-2f8170-freight-manager.hui_site.com;
listen 80 ;
listen [::]:80 ;
access_log /var/log/nginx/access.log vhost;
# Do not HTTPS redirect Let's Encrypt ACME challenge
location ^~ /.well-known/acme-challenge/ {
auth_basic off;
auth_request off;
allow all;
root /usr/share/nginx/html;
try_files $uri =404;
break;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
server_name staging-2f8170-freight-manager.hui_site.com;
access_log /var/log/nginx/access.log vhost;
listen 443 ssl http2 ;
listen [::]:443 ssl http2 ;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_certificate /etc/nginx/certs/hui_site.com.crt;
ssl_certificate_key /etc/nginx/certs/hui_site.com.key;
set $sts_header "";
if ($https) {
set $sts_header "max-age=31536000";
}
add_header Strict-Transport-Security $sts_header always;
location / {
proxy_pass http://staging-2f8170-freight-manager.hui_site.com;
}
}
# staging-bb3d8e-freight-manager.hui_site.com/
upstream staging-bb3d8e-freight-manager.hui_site.com {
# Container: fm-container-staging-bb3d8e
# networks:
# nginx-proxy (reachable)
# IP address: 172.18.0.5
# exposed ports: 8080/tcp
# default port: 8080
# using port: 8080
server 172.18.0.5:8080;
}
server {
server_name staging-bb3d8e-freight-manager.hui_site.com;
listen 80 ;
listen [::]:80 ;
access_log /var/log/nginx/access.log vhost;
# Do not HTTPS redirect Let's Encrypt ACME challenge
location ^~ /.well-known/acme-challenge/ {
auth_basic off;
auth_request off;
allow all;
root /usr/share/nginx/html;
try_files $uri =404;
break;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
server_name staging-bb3d8e-freight-manager.hui_site.com;
access_log /var/log/nginx/access.log vhost;
listen 443 ssl http2 ;
listen [::]:443 ssl http2 ;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_certificate /etc/nginx/certs/hui_site.com.crt;
ssl_certificate_key /etc/nginx/certs/hui_site.com.key;
set $sts_header "";
if ($https) {
set $sts_header "max-age=31536000";
}
add_header Strict-Transport-Security $sts_header always;
location / {
proxy_pass http://staging-bb3d8e-freight-manager.hui_site.com;
}
}
# ws.hui_site.com/
upstream ws.hui_site.com {
# Container: websocket
# networks:
# nginx-proxy (reachable)
# IP address: 172.18.0.2
# exposed ports: 6001/tcp
# default port: 6001
# using port: 6001
server 172.18.0.2:6001;
}
server {
server_name ws.hui_site.com;
listen 80 ;
listen [::]:80 ;
access_log /var/log/nginx/access.log vhost;
# Do not HTTPS redirect Let's Encrypt ACME challenge
location ^~ /.well-known/acme-challenge/ {
auth_basic off;
auth_request off;
allow all;
root /usr/share/nginx/html;
try_files $uri =404;
break;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
server_name ws.hui_site.com;
access_log /var/log/nginx/access.log vhost;
listen 443 ssl http2 ;
listen [::]:443 ssl http2 ;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_certificate /etc/nginx/certs/hui_site.com.crt;
ssl_certificate_key /etc/nginx/certs/hui_site.com.key;
set $sts_header "";
if ($https) {
set $sts_header "max-age=31536000";
}
add_header Strict-Transport-Security $sts_header always;
location / {
proxy_pass http://ws.hui_site.com;
}
}
|
edit: I'm not sure at all that's relevant
The nginx worker processes run as the
When you
$ docker exec --user nginx nginx-test ls -Alh /etc/nginx/certs
total 8.0K
-rw-r--r-- 1 1000 1000 4 Aug 27 18:06 foobar.crt
-rw-r----- 1 1000 1000 4 Aug 27 18:07 foobar.key
$ docker exec --user nginx nginx-test cat /etc/nginx/certs/foobar.crt
some content
$ docker exec --user nginx nginx-test cat /etc/nginx/certs/foobar.key
cat: /etc/nginx/certs/foobar.key: Permission denied |
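The reports in this thread come down to three kinds of file problem: a certbot symlink that dangles inside the container, a file the loading process cannot read, and a file that holds no PEM block at all. The checker below is an added example, not nginx-proxy's code, that maps each of them to a finding. One point worth knowing when reading the error: OpenSSL's `PEM_read_bio_X509_AUX` accepts both `CERTIFICATE` and `TRUSTED CERTIFICATE` blocks, so "no start line ... Expecting: TRUSTED CERTIFICATE" means it found no `-----BEGIN` line at all (empty file, dangling link, DER instead of PEM, or stray text), not that a `TRUSTED CERTIFICATE` header is required. Readability is checked for the user running the script, since which uid reads the files inside the container is exactly what is disputed in the two comments above. The sample directory is constructed with placeholder content (including the `some content` file from the comment above) and contains no real key material.

```python
"""Explain why nginx/OpenSSL rejects a certificate file mounted into nginx-proxy.

Added example, not nginx-proxy's own code. OpenSSL's PEM_read_bio_X509_AUX
accepts both "CERTIFICATE" and "TRUSTED CERTIFICATE" blocks; its message
"no start line ... Expecting: TRUSTED CERTIFICATE" therefore means it found
no PEM block at all, not that a TRUSTED CERTIFICATE header is required.
Sample files are constructed placeholders, not real certificates or keys.
"""
import base64
import os
import re
import stat
import tempfile
from typing import Dict, List

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
CERT_LABELS = {"CERTIFICATE", "TRUSTED CERTIFICATE"}
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}


def check_pem_file(path: str, kind: str) -> List[str]:
    """Return findings for one file; kind is 'cert' or 'key'. Empty list means OK."""
    findings: List[str] = []
    if os.path.islink(path):
        # A bind mount carries the link, not its target: a link into
        # /etc/letsencrypt/archive dangles inside the container.
        findings.append("symlink; target " + os.readlink(path) + " is not part of the mount")
    if not os.path.exists(path):          # exists() follows links, so dangling -> False
        return findings + ["dangling or missing (OpenSSL: no start line)"]
    mode = os.stat(path).st_mode
    if not os.access(path, os.R_OK):
        return findings + ["not readable by the current user"]
    with open(path, "rb") as fh:
        data = fh.read()
    if data[:1] == b"\x30":
        return findings + ["DER encoded; nginx wants PEM (openssl x509 -inform der -in f.der -out f.crt)"]
    blocks = PEM_BLOCK.findall(data.decode("ascii", "replace"))
    if not blocks:
        return findings + ["no PEM block (this is 'no start line ... Expecting: TRUSTED CERTIFICATE')"]
    wanted = CERT_LABELS if kind == "cert" else KEY_LABELS
    if blocks[0][0] not in wanted:
        findings.append(f"first block is {blocks[0][0]!r}; expected one of {sorted(wanted)}")
    for label, body in blocks:
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            findings.append(f"{label}: body is not valid base64")
            continue
        if der[:1] != b"\x30":
            findings.append(f"{label}: decoded body is not a DER SEQUENCE")
    if kind == "key" and mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("private key is readable by group/others")
    return findings


def audit_dir(certs_dir: str) -> Dict[str, List[str]]:
    """Check every .crt/.key in certs_dir (keys are checked even when the cert is fine)."""
    report: Dict[str, List[str]] = {}
    for name in sorted(os.listdir(certs_dir)):
        if name.endswith(".crt"):
            report[name] = check_pem_file(os.path.join(certs_dir, name), "cert")
        elif name.endswith(".key"):
            report[name] = check_pem_file(os.path.join(certs_dir, name), "key")
    return report


def build_sample_dir() -> str:
    """Constructed directory reproducing the thread's failure modes (no real keys)."""
    d = tempfile.mkdtemp(prefix="certs-")
    tiny_der = b"\x30\x03\x02\x01\x01"                 # smallest DER SEQUENCE stand-in

    def pem(label: str) -> bytes:
        return f"-----BEGIN {label}-----\n{base64.b64encode(tiny_der).decode()}\n-----END {label}-----\n".encode()

    files = {
        "good.crt": (pem("CERTIFICATE"), 0o644),
        "good.key": (pem("PRIVATE KEY"), 0o600),
        "foobar.crt": (b"some content\n", 0o644),       # the placeholder file from the comment above
        "swapped.crt": (pem("PRIVATE KEY"), 0o644),     # key pasted into the .crt slot
        "leaky.key": (pem("RSA PRIVATE KEY"), 0o644),   # world-readable private key
        "der.crt": (tiny_der, 0o644),                   # DER file with a .crt name
    }
    for name, (content, mode) in files.items():
        p = os.path.join(d, name)
        with open(p, "wb") as fh:
            fh.write(content)
        os.chmod(p, mode)
    os.symlink("/etc/letsencrypt/archive/x/fullchain1.pem", os.path.join(d, "linked.crt"))
    return d


if __name__ == "__main__":
    for name, findings in audit_dir(build_sample_dir()).items():
        print(name, "OK" if not findings else findings)
```

Point `audit_dir` at the host directory you bind-mount (or run it inside the container with `docker exec`, where the symlink and readability findings reflect what nginx actually sees).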
@buchdag, not really: on the host:
in the container:
Not only that, but on that host I was able to run I have a reproducible example from a host having those files owned by The output of which I will be able to provide tomorrow, alongside the specific version tests you requested. |
It seems that the I started the nginx-proxy and had the same issue. I had a look into the
Once I removed the I am currently trying to reproduce that, but it sets the config all the time correctly now. But here an example for
|
Exactly -- when I sat down to provide examples of the issue, I could no longer reproduce it. So now all those reported below actually work. Why -- I have no idea, but it was not when I wrote those messages above... 🤦♂️
Common setup
root@docker-host-03:~/nginx-proxy# ll
total 24
drwxr-xr-x 2 root root 4096 Aug 28 05:54 ./
drwx------ 15 root root 4096 Aug 28 06:01 ../
-rw-r--r-- 1 root root 369 Jul 24 10:24 config_additional.conf
-rwxr-xr-x 1 root root 1283 Aug 28 05:54 nginx-proxy.sh*
-rw-r--r-- 1 root root 3590 Aug 9 03:05 hui_site.com.crt
-rw------- 1 root root 1704 Aug 9 03:05 hui_site.com.key
root@docker-host-03:~/nginx-proxy# cat config_additional.conf
client_max_body_size 25m;
# To prevent error "upstream sent too big header while reading response header from upstream"
# https://www.getpagespeed.com/server-setup/nginx/tuning-proxy_buffer_size-in-nginx
proxy_buffer_size 16k;
proxy_buffers 8 16k;
proxy_busy_buffers_size 16k;
# For large cookies
large_client_header_buffers 4 16k;
root@docker-host-03:~/nginx-proxy# cat nginx-proxy.sh
#!/usr/bin/env bash
set -x
docker network create nginx-proxy
docker run -d \
-p 80:80 -p 443:443 \
-v /root/nginx-proxy/config_additional.conf:/etc/nginx/conf.d/config_additional.conf:ro \
-v /root/nginx-proxy/hui_site.com.crt:/etc/nginx/certs/hui_site.com.crt:ro \
-v /root/nginx-proxy/hui_site.com.key:/etc/nginx/certs/hui_site.com.key:ro \
-v /var/run/docker.sock:/tmp/docker.sock:ro \
-e ENABLE_IPV6=true \
--net nginx-proxy \
--name nginx-proxy \
--restart unless-stopped \
nginxproxy/nginx-proxy:[xxxxx]
root@docker-host-03:~/nginx-proxy#
nginxproxy/nginx-proxy:1.2-alpine
since there is no
"Env": [
"ENABLE_IPV6=true",
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"NGINX_VERSION=1.23.3",
"PKG_RELEASE=1",
"NJS_VERSION=0.7.9",
"NGINX_PROXY_VERSION=1.2.3",
"DOCKER_GEN_VERSION=0.10.2",
"DOCKER_HOST=unix:///tmp/docker.sock"
],
"Cmd": [
"forego",
"start",
"-r"
],
"Image": "nginxproxy/nginx-proxy:1.2-alpine",
"Volumes": null,
"WorkingDir": "/app/",
"Entrypoint": [
"/app/docker-entrypoint.sh"
],
"OnBuild": null,
"Labels": {
"maintainer": "NGINX Docker Maintainers <[email protected]>",
"org.opencontainers.image.authors": "Nicolas Duchon <[email protected]> (@buchdag), Jason Wilder",
"org.opencontainers.image.created": "2023-03-21T06:29:26.992Z",
"org.opencontainers.image.description": "Automated nginx proxy for Docker containers using docker-gen",
"org.opencontainers.image.licenses": "MIT",
"org.opencontainers.image.revision": "6c2d17586b21dac1de33bf05230425ac1d12d2f5",
"org.opencontainers.image.source": "https://github.com/nginx-proxy/nginx-proxy",
"org.opencontainers.image.title": "nginx-proxy",
"org.opencontainers.image.url": "https://github.com/nginx-proxy/nginx-proxy",
"org.opencontainers.image.version": "1.2.3"
},
certs:
root@docker-host-03:~/nginx-proxy# docker exec nginx-proxy ls -l /etc/nginx/certs
total 8
-rw-r--r-- 1 root root 3590 Aug 9 03:05 hui_site.com.crt
-rw------- 1 root root 1704 Aug 9 03:05 hui_site.com.key
root@docker-host-03:~/nginx-proxy# docker exec nginx-proxy cat /etc/nginx/certs/hui_site.com.key
-----BEGIN PRIVATE KEY-----
is readable
And the resulting config (
1.2 generated conf
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;
events {
worker_connections 10240;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
#gzip on;
include /etc/nginx/conf.d/*.conf;
}
daemon off;
# configuration file /etc/nginx/mime.types:
types {
text/html html htm shtml;
text/css css;
text/xml xml;
image/gif gif;
image/jpeg jpeg jpg;
application/javascript js;
application/atom+xml atom;
application/rss+xml rss;
text/mathml mml;
text/plain txt;
text/vnd.sun.j2me.app-descriptor jad;
text/vnd.wap.wml wml;
text/x-component htc;
image/avif avif;
image/png png;
image/svg+xml svg svgz;
image/tiff tif tiff;
image/vnd.wap.wbmp wbmp;
image/webp webp;
image/x-icon ico;
image/x-jng jng;
image/x-ms-bmp bmp;
font/woff woff;
font/woff2 woff2;
application/java-archive jar war ear;
application/json json;
application/mac-binhex40 hqx;
application/msword doc;
application/pdf pdf;
application/postscript ps eps ai;
application/rtf rtf;
application/vnd.apple.mpegurl m3u8;
application/vnd.google-earth.kml+xml kml;
application/vnd.google-earth.kmz kmz;
application/vnd.ms-excel xls;
application/vnd.ms-fontobject eot;
application/vnd.ms-powerpoint ppt;
application/vnd.oasis.opendocument.graphics odg;
application/vnd.oasis.opendocument.presentation odp;
application/vnd.oasis.opendocument.spreadsheet ods;
application/vnd.oasis.opendocument.text odt;
application/vnd.openxmlformats-officedocument.presentationml.presentation
pptx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
xlsx;
application/vnd.openxmlformats-officedocument.wordprocessingml.document
docx;
application/vnd.wap.wmlc wmlc;
application/wasm wasm;
application/x-7z-compressed 7z;
application/x-cocoa cco;
application/x-java-archive-diff jardiff;
application/x-java-jnlp-file jnlp;
application/x-makeself run;
application/x-perl pl pm;
application/x-pilot prc pdb;
application/x-rar-compressed rar;
application/x-redhat-package-manager rpm;
application/x-sea sea;
application/x-shockwave-flash swf;
application/x-stuffit sit;
application/x-tcl tcl tk;
application/x-x509-ca-cert der pem crt;
application/x-xpinstall xpi;
application/xhtml+xml xhtml;
application/xspf+xml xspf;
application/zip zip;
application/octet-stream bin exe dll;
application/octet-stream deb;
application/octet-stream dmg;
application/octet-stream iso img;
application/octet-stream msi msp msm;
audio/midi mid midi kar;
audio/mpeg mp3;
audio/ogg ogg;
audio/x-m4a m4a;
audio/x-realaudio ra;
video/3gpp 3gpp 3gp;
video/mp2t ts;
video/mp4 mp4;
video/mpeg mpeg mpg;
video/quicktime mov;
video/webm webm;
video/x-flv flv;
video/x-m4v m4v;
video/x-mng mng;
video/x-ms-asf asx asf;
video/x-ms-wmv wmv;
video/x-msvideo avi;
}
# configuration file /etc/nginx/conf.d/config_additional.conf:
client_max_body_size 25m;
# To prevent error "upstream sent too big header while reading response header from upstream"
# https://www.getpagespeed.com/server-setup/nginx/tuning-proxy_buffer_size-in-nginx
proxy_buffer_size 16k;
proxy_buffers 8 16k;
proxy_busy_buffers_size 16k;
# For large cookies
large_client_header_buffers 4 16k;
# configuration file /etc/nginx/conf.d/default.conf:
# nginx-proxy version : 1.2.3
# Networks available to the container running docker-gen (which are assumed to
# match the networks available to the container running nginx):
# nginx-proxy
# If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
# scheme used to connect to this server
map $http_x_forwarded_proto $proxy_x_forwarded_proto {
default $http_x_forwarded_proto;
'' $scheme;
}
map $http_x_forwarded_host $proxy_x_forwarded_host {
default $http_x_forwarded_host;
'' $http_host;
}
# If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
# server port the client connected to
map $http_x_forwarded_port $proxy_x_forwarded_port {
default $http_x_forwarded_port;
'' $server_port;
}
# If we receive Upgrade, set Connection to "upgrade"; otherwise, preserve
# NGINX's default behavior ("Connection: close").
map $http_upgrade $proxy_connection {
default upgrade;
'' close;
}
# Apply fix for very long server names
server_names_hash_bucket_size 128;
# Default dhparam
ssl_dhparam /etc/nginx/dhparam/dhparam.pem;
# Set appropriate X-Forwarded-Ssl header based on $proxy_x_forwarded_proto
map $proxy_x_forwarded_proto $proxy_x_forwarded_ssl {
default off;
https on;
}
gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
log_format vhost '$host $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$upstream_addr"';
access_log off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers off;
error_log /dev/stderr;
resolver 127.0.0.11;
# HTTP 1.1 support
proxy_http_version 1.1;
proxy_buffering off;
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $proxy_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $proxy_x_forwarded_host;
proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
proxy_set_header X-Original-URI $request_uri;
# Mitigate httpoxy attack (see README for details)
proxy_set_header Proxy "";
server {
server_name _; # This is just an invalid value which will never trigger on a real hostname.
server_tokens off;
listen 80;
listen [::]:80;
access_log /var/log/nginx/access.log vhost;
return 503;
}
# checkout.hui_site.com/
upstream checkout.hui_site.com {
# Container: sgt-checkout-container-production-c5037e
# networks:
# nginx-proxy (reachable)
# IP address: 172.18.0.3
# exposed ports: 8080/tcp
# default port: 8080
# using port: 8080
server 172.18.0.3:8080;
}
server {
server_name checkout.hui_site.com;
listen 80 ;
listen [::]:80 ;
access_log /var/log/nginx/access.log vhost;
# Do not HTTPS redirect Let's Encrypt ACME challenge
location ^~ /.well-known/acme-challenge/ {
auth_basic off;
auth_request off;
allow all;
root /usr/share/nginx/html;
try_files $uri =404;
break;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
server_name checkout.hui_site.com;
access_log /var/log/nginx/access.log vhost;
listen 443 ssl http2 ;
listen [::]:443 ssl http2 ;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_certificate /etc/nginx/certs/hui_site.com.crt;
ssl_certificate_key /etc/nginx/certs/hui_site.com.key;
set $sts_header "";
if ($https) {
set $sts_header "max-age=31536000";
}
add_header Strict-Transport-Security $sts_header always;
location / {
proxy_pass http://checkout.hui_site.com;
}
}
# freight-manager.hui_site.com/
upstream freight-manager.hui_site.com {
# Container: fm-container-production-2ec02e
# networks:
# nginx-proxy (reachable)
# IP address: 172.18.0.4
# exposed ports: 8080/tcp
# default port: 8080
# using port: 8080
server 172.18.0.4:8080;
}
server {
server_name freight-manager.hui_site.com;
listen 80 ;
listen [::]:80 ;
access_log /var/log/nginx/access.log vhost;
# Do not HTTPS redirect Let's Encrypt ACME challenge
location ^~ /.well-known/acme-challenge/ {
auth_basic off;
auth_request off;
allow all;
root /usr/share/nginx/html;
try_files $uri =404;
break;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
server_name freight-manager.hui_site.com;
access_log /var/log/nginx/access.log vhost;
listen 443 ssl http2 ;
listen [::]:443 ssl http2 ;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_certificate /etc/nginx/certs/hui_site.com.crt;
ssl_certificate_key /etc/nginx/certs/hui_site.com.key;
set $sts_header "";
if ($https) {
set $sts_header "max-age=31536000";
}
add_header Strict-Transport-Security $sts_header always;
location / {
proxy_pass http://freight-manager.hui_site.com;
}
}
# infisical.hui_site.com/
upstream infisical.hui_site.com {
# Container: infisical
# networks:
# nginx-proxy (reachable)
# postgres (unreachable)
# IP address: 172.18.0.6
# exposed ports: 443/tcp 8080/tcp
# default port: 80
# using port: 8080
server 172.18.0.6:8080;
}
server {
server_name infisical.hui_site.com;
listen 80 ;
listen [::]:80 ;
access_log /var/log/nginx/access.log vhost;
# Do not HTTPS redirect Let's Encrypt ACME challenge
location ^~ /.well-known/acme-challenge/ {
auth_basic off;
auth_request off;
allow all;
root /usr/share/nginx/html;
try_files $uri =404;
break;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
server_name infisical.hui_site.com;
access_log /var/log/nginx/access.log vhost;
listen 443 ssl http2 ;
listen [::]:443 ssl http2 ;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_certificate /etc/nginx/certs/hui_site.com.crt;
ssl_certificate_key /etc/nginx/certs/hui_site.com.key;
set $sts_header "";
if ($https) {
set $sts_header "max-age=31536000";
}
add_header Strict-Transport-Security $sts_header always;
location / {
proxy_pass http://infisical.hui_site.com;
}
}
# production-2ec02e-freight-manager.hui_site.com/
upstream production-2ec02e-freight-manager.hui_site.com {
# Container: fm-container-production-2ec02e
# networks:
# nginx-proxy (reachable)
# IP address: 172.18.0.4
# exposed ports: 8080/tcp
# default port: 8080
# using port: 8080
server 172.18.0.4:8080;
}
server {
server_name production-2ec02e-freight-manager.hui_site.com;
listen 80 ;
listen [::]:80 ;
access_log /var/log/nginx/access.log vhost;
# Do not HTTPS redirect Let's Encrypt ACME challenge
location ^~ /.well-known/acme-challenge/ {
auth_basic off;
auth_request off;
allow all;
root /usr/share/nginx/html;
try_files $uri =404;
break;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
server_name production-2ec02e-freight-manager.hui_site.com;
access_log /var/log/nginx/access.log vhost;
listen 443 ssl http2 ;
listen [::]:443 ssl http2 ;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_certificate /etc/nginx/certs/hui_site.com.crt;
ssl_certificate_key /etc/nginx/certs/hui_site.com.key;
set $sts_header "";
if ($https) {
set $sts_header "max-age=31536000";
}
add_header Strict-Transport-Security $sts_header always;
location / {
proxy_pass http://production-2ec02e-freight-manager.hui_site.com;
}
}
# production-c5037e-sgt-checkout.hui_site.com/
upstream production-c5037e-sgt-checkout.hui_site.com {
# Container: sgt-checkout-container-production-c5037e
# networks:
# nginx-proxy (reachable)
# IP address: 172.18.0.3
# exposed ports: 8080/tcp
# default port: 8080
# using port: 8080
server 172.18.0.3:8080;
}
server {
server_name production-c5037e-sgt-checkout.hui_site.com;
listen 80 ;
listen [::]:80 ;
access_log /var/log/nginx/access.log vhost;
# Do not HTTPS redirect Let's Encrypt ACME challenge
location ^~ /.well-known/acme-challenge/ {
auth_basic off;
auth_request off;
allow all;
root /usr/share/nginx/html;
try_files $uri =404;
break;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
server_name production-c5037e-sgt-checkout.hui_site.com;
access_log /var/log/nginx/access.log vhost;
listen 443 ssl http2 ;
listen [::]:443 ssl http2 ;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_certificate /etc/nginx/certs/hui_site.com.crt;
ssl_certificate_key /etc/nginx/certs/hui_site.com.key;
set $sts_header "";
if ($https) {
set $sts_header "max-age=31536000";
}
add_header Strict-Transport-Security $sts_header always;
location / {
proxy_pass http://production-c5037e-sgt-checkout.hui_site.com;
}
}
# ws.hui_site.com/
upstream ws.hui_site.com {
# Container: websocket
# networks:
# nginx-proxy (reachable)
# IP address: 172.18.0.8
# exposed ports: 6001/tcp
# default port: 6001
# using port: 6001
server 172.18.0.8:6001;
}
server {
server_name ws.hui_site.com;
listen 80 ;
listen [::]:80 ;
access_log /var/log/nginx/access.log vhost;
# Do not HTTPS redirect Let's Encrypt ACME challenge
location ^~ /.well-known/acme-challenge/ {
auth_basic off;
auth_request off;
allow all;
root /usr/share/nginx/html;
try_files $uri =404;
break;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
server_name ws.hui_site.com;
access_log /var/log/nginx/access.log vhost;
listen 443 ssl http2 ;
listen [::]:443 ssl http2 ;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_certificate /etc/nginx/certs/hui_site.com.crt;
ssl_certificate_key /etc/nginx/certs/hui_site.com.key;
set $sts_header "";
if ($https) {
set $sts_header "max-age=31536000";
}
add_header Strict-Transport-Security $sts_header always;
location / {
proxy_pass http://ws.hui_site.com;
}
}
nginxproxy/nginx-proxy:1.3.0-alpine
certs:
root@docker-host-03:~/nginx-proxy# docker exec nginx-proxy ls -l /etc/nginx/certs
total 8
-rw-r--r-- 1 root root 3590 Aug 9 03:05 hui_site.com.crt
-rw------- 1 root root 1704 Aug 9 03:05 hui_site.com.key
root@docker-host-03:~/nginx-proxy# docker exec nginx-proxy cat /etc/nginx/certs/hui_site.com.key
-----BEGIN PRIVATE KEY-----
is readable
1.3.0 generated conf
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;
events {
worker_connections 10240;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
#gzip on;
include /etc/nginx/conf.d/*.conf;
}
daemon off;
# configuration file /etc/nginx/mime.types:
types {
text/html html htm shtml;
text/css css;
text/xml xml;
image/gif gif;
image/jpeg jpeg jpg;
application/javascript js;
application/atom+xml atom;
application/rss+xml rss;
text/mathml mml;
text/plain txt;
text/vnd.sun.j2me.app-descriptor jad;
text/vnd.wap.wml wml;
text/x-component htc;
image/avif avif;
image/png png;
image/svg+xml svg svgz;
image/tiff tif tiff;
image/vnd.wap.wbmp wbmp;
image/webp webp;
image/x-icon ico;
image/x-jng jng;
image/x-ms-bmp bmp;
font/woff woff;
font/woff2 woff2;
application/java-archive jar war ear;
application/json json;
application/mac-binhex40 hqx;
application/msword doc;
application/pdf pdf;
application/postscript ps eps ai;
application/rtf rtf;
application/vnd.apple.mpegurl m3u8;
application/vnd.google-earth.kml+xml kml;
application/vnd.google-earth.kmz kmz;
application/vnd.ms-excel xls;
application/vnd.ms-fontobject eot;
application/vnd.ms-powerpoint ppt;
application/vnd.oasis.opendocument.graphics odg;
application/vnd.oasis.opendocument.presentation odp;
application/vnd.oasis.opendocument.spreadsheet ods;
application/vnd.oasis.opendocument.text odt;
application/vnd.openxmlformats-officedocument.presentationml.presentation
pptx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
xlsx;
application/vnd.openxmlformats-officedocument.wordprocessingml.document
docx;
application/vnd.wap.wmlc wmlc;
application/wasm wasm;
application/x-7z-compressed 7z;
application/x-cocoa cco;
application/x-java-archive-diff jardiff;
application/x-java-jnlp-file jnlp;
application/x-makeself run;
application/x-perl pl pm;
application/x-pilot prc pdb;
application/x-rar-compressed rar;
application/x-redhat-package-manager rpm;
application/x-sea sea;
application/x-shockwave-flash swf;
application/x-stuffit sit;
application/x-tcl tcl tk;
application/x-x509-ca-cert der pem crt;
application/x-xpinstall xpi;
application/xhtml+xml xhtml;
application/xspf+xml xspf;
application/zip zip;
application/octet-stream bin exe dll;
application/octet-stream deb;
application/octet-stream dmg;
application/octet-stream iso img;
application/octet-stream msi msp msm;
audio/midi mid midi kar;
audio/mpeg mp3;
audio/ogg ogg;
audio/x-m4a m4a;
audio/x-realaudio ra;
video/3gpp 3gpp 3gp;
video/mp2t ts;
video/mp4 mp4;
video/mpeg mpeg mpg;
video/quicktime mov;
video/webm webm;
video/x-flv flv;
video/x-m4v m4v;
video/x-mng mng;
video/x-ms-asf asx asf;
video/x-ms-wmv wmv;
video/x-msvideo avi;
}
# configuration file /etc/nginx/conf.d/config_additional.conf:
client_max_body_size 25m;
# To prevent error "upstream sent too big header while reading response header from upstream"
# https://www.getpagespeed.com/server-setup/nginx/tuning-proxy_buffer_size-in-nginx
proxy_buffer_size 16k;
proxy_buffers 8 16k;
proxy_busy_buffers_size 16k;
# For large cookies
large_client_header_buffers 4 16k;
# configuration file /etc/nginx/conf.d/default.conf:
# nginx-proxy version : 1.3.0
# Networks available to the container running docker-gen (which are assumed to
# match the networks available to the container running nginx):
# nginx-proxy
# If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
# scheme used to connect to this server
map $http_x_forwarded_proto $proxy_x_forwarded_proto {
default $http_x_forwarded_proto;
'' $scheme;
}
map $http_x_forwarded_host $proxy_x_forwarded_host {
default $http_x_forwarded_host;
'' $http_host;
}
# If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
# server port the client connected to
map $http_x_forwarded_port $proxy_x_forwarded_port {
default $http_x_forwarded_port;
'' $server_port;
}
# If the request from the downstream client has an "Upgrade:" header (set to any
# non-empty value), pass "Connection: upgrade" to the upstream (backend) server.
# Otherwise, the value for the "Connection" header depends on whether the user
# has enabled keepalive to the upstream server.
map $http_upgrade $proxy_connection {
default upgrade;
'' $proxy_connection_noupgrade;
}
map $upstream_keepalive $proxy_connection_noupgrade {
# Preserve nginx's default behavior (send "Connection: close").
default close;
# Use an empty string to cancel nginx's default behavior.
true '';
}
# Abuse the map directive (see <https://stackoverflow.com/q/14433309>) to ensure
# that $upstream_keepalive is always defined. This is necessary because:
# - The $proxy_connection variable is indirectly derived from
# $upstream_keepalive, so $upstream_keepalive must be defined whenever
# $proxy_connection is resolved.
# - The $proxy_connection variable is used in a proxy_set_header directive in
# the http block, so it is always fully resolved for every request -- even
# those where proxy_pass is not used (e.g., unknown virtual host).
map "" $upstream_keepalive {
# The value here should not matter because it should always be overridden in
# a location block (see the "location" template) for all requests where the
# value actually matters.
default false;
}
# Apply fix for very long server names
server_names_hash_bucket_size 128;
# Default dhparam
ssl_dhparam /etc/nginx/dhparam/dhparam.pem;
# Set appropriate X-Forwarded-Ssl header based on $proxy_x_forwarded_proto
map $proxy_x_forwarded_proto $proxy_x_forwarded_ssl {
default off;
https on;
}
gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
log_format vhost '$host $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$upstream_addr"';
access_log off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers off;
error_log /dev/stderr;
resolver 127.0.0.11;
# HTTP 1.1 support
proxy_http_version 1.1;
proxy_buffering off;
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $proxy_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $proxy_x_forwarded_host;
proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
proxy_set_header X-Original-URI $request_uri;
# Mitigate httpoxy attack (see README for details)
proxy_set_header Proxy "";
server {
server_name _; # This is just an invalid value which will never trigger on a real hostname.
server_tokens off;
listen 80;
listen [::]:80;
listen 443 ssl http2;
listen [::]:443 ssl http2;
access_log /var/log/nginx/access.log vhost;
# No default.crt certificate found for this vhost, so force nginx to emit a
# TLS error if the client connects via https.
ssl_ciphers aNULL;
set $empty "";
ssl_certificate data:$empty;
ssl_certificate_key data:$empty;
if ($https) {
return 444;
}
return 503;
}
# checkout.hui_site.com/
upstream checkout.hui_site.com {
# Container: sgt-checkout-container-production-c5037e
# networks:
# nginx-proxy (reachable)
# IP address: 172.18.0.3
# exposed ports: 8080/tcp
# default port: 8080
# using port: 8080
server 172.18.0.3:8080;
}
server {
server_name checkout.hui_site.com;
listen 80 ;
listen [::]:80 ;
access_log /var/log/nginx/access.log vhost;
# Do not HTTPS redirect Let's Encrypt ACME challenge
location ^~ /.well-known/acme-challenge/ {
auth_basic off;
auth_request off;
allow all;
root /usr/share/nginx/html;
try_files $uri =404;
break;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
server_name checkout.hui_site.com;
access_log /var/log/nginx/access.log vhost;
listen 443 ssl http2 ;
listen [::]:443 ssl http2 ;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_certificate /etc/nginx/certs/hui_site.com.crt;
ssl_certificate_key /etc/nginx/certs/hui_site.com.key;
set $sts_header "";
if ($https) {
set $sts_header "max-age=31536000";
}
add_header Strict-Transport-Security $sts_header always;
location / {
proxy_pass http://checkout.hui_site.com;
set $upstream_keepalive false;
}
}
# freight-manager.hui_site.com/
upstream freight-manager.hui_site.com {
# Container: fm-container-production-2ec02e
# networks:
# nginx-proxy (reachable)
# IP address: 172.18.0.4
# exposed ports: 8080/tcp
# default port: 8080
# using port: 8080
server 172.18.0.4:8080;
}
server {
server_name freight-manager.hui_site.com;
listen 80 ;
listen [::]:80 ;
access_log /var/log/nginx/access.log vhost;
# Do not HTTPS redirect Let's Encrypt ACME challenge
location ^~ /.well-known/acme-challenge/ {
auth_basic off;
auth_request off;
allow all;
root /usr/share/nginx/html;
try_files $uri =404;
break;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
server_name freight-manager.hui_site.com;
access_log /var/log/nginx/access.log vhost;
listen 443 ssl http2 ;
listen [::]:443 ssl http2 ;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_certificate /etc/nginx/certs/hui_site.com.crt;
ssl_certificate_key /etc/nginx/certs/hui_site.com.key;
set $sts_header "";
if ($https) {
set $sts_header "max-age=31536000";
}
add_header Strict-Transport-Security $sts_header always;
location / {
proxy_pass http://freight-manager.hui_site.com;
set $upstream_keepalive false;
}
}
# infisical.hui_site.com/
upstream infisical.hui_site.com {
# Container: infisical
# networks:
# nginx-proxy (reachable)
# postgres (unreachable)
# IP address: 172.18.0.6
# exposed ports: 443/tcp 8080/tcp
# default port: 80
# using port: 8080
server 172.18.0.6:8080;
}
server {
server_name infisical.hui_site.com;
listen 80 ;
listen [::]:80 ;
access_log /var/log/nginx/access.log vhost;
# Do not HTTPS redirect Let's Encrypt ACME challenge
location ^~ /.well-known/acme-challenge/ {
auth_basic off;
auth_request off;
allow all;
root /usr/share/nginx/html;
try_files $uri =404;
break;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
server_name infisical.hui_site.com;
access_log /var/log/nginx/access.log vhost;
listen 443 ssl http2 ;
listen [::]:443 ssl http2 ;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_certificate /etc/nginx/certs/hui_site.com.crt;
ssl_certificate_key /etc/nginx/certs/hui_site.com.key;
set $sts_header "";
if ($https) {
set $sts_header "max-age=31536000";
}
add_header Strict-Transport-Security $sts_header always;
location / {
proxy_pass http://infisical.hui_site.com;
set $upstream_keepalive false;
}
}
# production-2ec02e-freight-manager.hui_site.com/
upstream production-2ec02e-freight-manager.hui_site.com {
# Container: fm-container-production-2ec02e
# networks:
# nginx-proxy (reachable)
# IP address: 172.18.0.4
# exposed ports: 8080/tcp
# default port: 8080
# using port: 8080
server 172.18.0.4:8080;
}
server {
server_name production-2ec02e-freight-manager.hui_site.com;
listen 80 ;
listen [::]:80 ;
access_log /var/log/nginx/access.log vhost;
# Do not HTTPS redirect Let's Encrypt ACME challenge
location ^~ /.well-known/acme-challenge/ {
auth_basic off;
auth_request off;
allow all;
root /usr/share/nginx/html;
try_files $uri =404;
break;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
server_name production-2ec02e-freight-manager.hui_site.com;
access_log /var/log/nginx/access.log vhost;
listen 443 ssl http2 ;
listen [::]:443 ssl http2 ;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_certificate /etc/nginx/certs/hui_site.com.crt;
ssl_certificate_key /etc/nginx/certs/hui_site.com.key;
set $sts_header "";
if ($https) {
set $sts_header "max-age=31536000";
}
add_header Strict-Transport-Security $sts_header always;
location / {
proxy_pass http://production-2ec02e-freight-manager.hui_site.com;
set $upstream_keepalive false;
}
}
# production-c5037e-sgt-checkout.hui_site.com/
upstream production-c5037e-sgt-checkout.hui_site.com {
# Container: sgt-checkout-container-production-c5037e
# networks:
# nginx-proxy (reachable)
# IP address: 172.18.0.3
# exposed ports: 8080/tcp
# default port: 8080
# using port: 8080
server 172.18.0.3:8080;
}
server {
server_name production-c5037e-sgt-checkout.hui_site.com;
listen 80 ;
listen [::]:80 ;
access_log /var/log/nginx/access.log vhost;
# Do not HTTPS redirect Let's Encrypt ACME challenge
location ^~ /.well-known/acme-challenge/ {
auth_basic off;
auth_request off;
allow all;
root /usr/share/nginx/html;
try_files $uri =404;
break;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
server_name production-c5037e-sgt-checkout.hui_site.com;
access_log /var/log/nginx/access.log vhost;
listen 443 ssl http2 ;
listen [::]:443 ssl http2 ;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_certificate /etc/nginx/certs/hui_site.com.crt;
ssl_certificate_key /etc/nginx/certs/hui_site.com.key;
set $sts_header "";
if ($https) {
set $sts_header "max-age=31536000";
}
add_header Strict-Transport-Security $sts_header always;
location / {
proxy_pass http://production-c5037e-sgt-checkout.hui_site.com;
set $upstream_keepalive false;
}
}
# ws.hui_site.com/
upstream ws.hui_site.com {
# Container: websocket
# networks:
# nginx-proxy (reachable)
# IP address: 172.18.0.8
# exposed ports: 6001/tcp
# default port: 6001
# using port: 6001
server 172.18.0.8:6001;
}
server {
server_name ws.hui_site.com;
listen 80 ;
listen [::]:80 ;
access_log /var/log/nginx/access.log vhost;
# Do not HTTPS redirect Let's Encrypt ACME challenge
location ^~ /.well-known/acme-challenge/ {
auth_basic off;
auth_request off;
allow all;
root /usr/share/nginx/html;
try_files $uri =404;
break;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
server_name ws.hui_site.com;
access_log /var/log/nginx/access.log vhost;
listen 443 ssl http2 ;
listen [::]:443 ssl http2 ;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_certificate /etc/nginx/certs/hui_site.com.crt;
ssl_certificate_key /etc/nginx/certs/hui_site.com.key;
set $sts_header "";
if ($https) {
set $sts_header "max-age=31536000";
}
add_header Strict-Transport-Security $sts_header always;
location / {
proxy_pass http://ws.hui_site.com;
set $upstream_keepalive false;
}
}
nginxproxy/nginx-proxy:1.3.1-alpine
root@docker-host-03:~/nginx-proxy# docker exec nginx-proxy cat /etc/nginx/certs/hui_site.com.key
-----BEGIN PRIVATE KEY-----
...
is readable
1.3.1 generated conf
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;
events {
worker_connections 10240;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
#gzip on;
include /etc/nginx/conf.d/*.conf;
}
daemon off;
# configuration file /etc/nginx/mime.types:
types {
text/html html htm shtml;
text/css css;
text/xml xml;
image/gif gif;
image/jpeg jpeg jpg;
application/javascript js;
application/atom+xml atom;
application/rss+xml rss;
text/mathml mml;
text/plain txt;
text/vnd.sun.j2me.app-descriptor jad;
text/vnd.wap.wml wml;
text/x-component htc;
image/avif avif;
image/png png;
image/svg+xml svg svgz;
image/tiff tif tiff;
image/vnd.wap.wbmp wbmp;
image/webp webp;
image/x-icon ico;
image/x-jng jng;
image/x-ms-bmp bmp;
font/woff woff;
font/woff2 woff2;
application/java-archive jar war ear;
application/json json;
application/mac-binhex40 hqx;
application/msword doc;
application/pdf pdf;
application/postscript ps eps ai;
application/rtf rtf;
application/vnd.apple.mpegurl m3u8;
application/vnd.google-earth.kml+xml kml;
application/vnd.google-earth.kmz kmz;
application/vnd.ms-excel xls;
application/vnd.ms-fontobject eot;
application/vnd.ms-powerpoint ppt;
application/vnd.oasis.opendocument.graphics odg;
application/vnd.oasis.opendocument.presentation odp;
application/vnd.oasis.opendocument.spreadsheet ods;
application/vnd.oasis.opendocument.text odt;
application/vnd.openxmlformats-officedocument.presentationml.presentation
pptx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
xlsx;
application/vnd.openxmlformats-officedocument.wordprocessingml.document
docx;
application/vnd.wap.wmlc wmlc;
application/wasm wasm;
application/x-7z-compressed 7z;
application/x-cocoa cco;
application/x-java-archive-diff jardiff;
application/x-java-jnlp-file jnlp;
application/x-makeself run;
application/x-perl pl pm;
application/x-pilot prc pdb;
application/x-rar-compressed rar;
application/x-redhat-package-manager rpm;
application/x-sea sea;
application/x-shockwave-flash swf;
application/x-stuffit sit;
application/x-tcl tcl tk;
application/x-x509-ca-cert der pem crt;
application/x-xpinstall xpi;
application/xhtml+xml xhtml;
application/xspf+xml xspf;
application/zip zip;
application/octet-stream bin exe dll;
application/octet-stream deb;
application/octet-stream dmg;
application/octet-stream iso img;
application/octet-stream msi msp msm;
audio/midi mid midi kar;
audio/mpeg mp3;
audio/ogg ogg;
audio/x-m4a m4a;
audio/x-realaudio ra;
video/3gpp 3gpp 3gp;
video/mp2t ts;
video/mp4 mp4;
video/mpeg mpeg mpg;
video/quicktime mov;
video/webm webm;
video/x-flv flv;
video/x-m4v m4v;
video/x-mng mng;
video/x-ms-asf asx asf;
video/x-ms-wmv wmv;
video/x-msvideo avi;
}
# configuration file /etc/nginx/conf.d/config_additional.conf:
client_max_body_size 25m;
# To prevent error "upstream sent too big header while reading response header from upstream"
# https://www.getpagespeed.com/server-setup/nginx/tuning-proxy_buffer_size-in-nginx
proxy_buffer_size 16k;
proxy_buffers 8 16k;
proxy_busy_buffers_size 16k;
# For large cookies
large_client_header_buffers 4 16k;
# configuration file /etc/nginx/conf.d/default.conf:
# nginx-proxy version : 1.3.1
# Networks available to the container running docker-gen (which are assumed to
# match the networks available to the container running nginx):
# nginx-proxy
# If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
# scheme used to connect to this server
map $http_x_forwarded_proto $proxy_x_forwarded_proto {
default $http_x_forwarded_proto;
'' $scheme;
}
map $http_x_forwarded_host $proxy_x_forwarded_host {
default $http_x_forwarded_host;
'' $http_host;
}
# If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
# server port the client connected to
map $http_x_forwarded_port $proxy_x_forwarded_port {
default $http_x_forwarded_port;
'' $server_port;
}
# If the request from the downstream client has an "Upgrade:" header (set to any
# non-empty value), pass "Connection: upgrade" to the upstream (backend) server.
# Otherwise, the value for the "Connection" header depends on whether the user
# has enabled keepalive to the upstream server.
map $http_upgrade $proxy_connection {
default upgrade;
'' $proxy_connection_noupgrade;
}
map $upstream_keepalive $proxy_connection_noupgrade {
# Preserve nginx's default behavior (send "Connection: close").
default close;
# Use an empty string to cancel nginx's default behavior.
true '';
}
# Abuse the map directive (see <https://stackoverflow.com/q/14433309>) to ensure
# that $upstream_keepalive is always defined. This is necessary because:
# - The $proxy_connection variable is indirectly derived from
# $upstream_keepalive, so $upstream_keepalive must be defined whenever
# $proxy_connection is resolved.
# - The $proxy_connection variable is used in a proxy_set_header directive in
# the http block, so it is always fully resolved for every request -- even
# those where proxy_pass is not used (e.g., unknown virtual host).
map "" $upstream_keepalive {
# The value here should not matter because it should always be overridden in
# a location block (see the "location" template) for all requests where the
# value actually matters.
default false;
}
# Apply fix for very long server names
server_names_hash_bucket_size 128;
# Default dhparam
ssl_dhparam /etc/nginx/dhparam/dhparam.pem;
# Set appropriate X-Forwarded-Ssl header based on $proxy_x_forwarded_proto
map $proxy_x_forwarded_proto $proxy_x_forwarded_ssl {
default off;
https on;
}
gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
log_format vhost '$host $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$upstream_addr"';
access_log off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers off;
error_log /dev/stderr;
resolver 127.0.0.11;
# HTTP 1.1 support
proxy_http_version 1.1;
proxy_buffering off;
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $proxy_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $proxy_x_forwarded_host;
proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
proxy_set_header X-Original-URI $request_uri;
# Mitigate httpoxy attack (see README for details)
proxy_set_header Proxy "";
server {
server_name _; # This is just an invalid value which will never trigger on a real hostname.
server_tokens off;
listen 80;
listen [::]:80;
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
access_log /var/log/nginx/access.log vhost;
# No default.crt certificate found for this vhost, so force nginx to emit a
# TLS error if the client connects via https.
ssl_ciphers aNULL;
set $empty "";
ssl_certificate data:$empty;
ssl_certificate_key data:$empty;
if ($https) {
return 444;
}
return 503;
}
# checkout.hui_site.com/
upstream checkout.hui_site.com {
# Container: sgt-checkout-container-production-c5037e
# networks:
# nginx-proxy (reachable)
# IP address: 172.18.0.3
# exposed ports: 8080/tcp
# default port: 8080
# using port: 8080
server 172.18.0.3:8080;
}
server {
server_name checkout.hui_site.com;
listen 80 ;
listen [::]:80 ;
access_log /var/log/nginx/access.log vhost;
# Do not HTTPS redirect Let's Encrypt ACME challenge
location ^~ /.well-known/acme-challenge/ {
auth_basic off;
auth_request off;
allow all;
root /usr/share/nginx/html;
try_files $uri =404;
break;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
server_name checkout.hui_site.com;
access_log /var/log/nginx/access.log vhost;
listen 443 ssl http2 ;
listen [::]:443 ssl http2 ;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_certificate /etc/nginx/certs/hui_site.com.crt;
ssl_certificate_key /etc/nginx/certs/hui_site.com.key;
set $sts_header "";
if ($https) {
set $sts_header "max-age=31536000";
}
add_header Strict-Transport-Security $sts_header always;
location / {
proxy_pass http://checkout.hui_site.com;
set $upstream_keepalive false;
}
}
# freight-manager.hui_site.com/
upstream freight-manager.hui_site.com {
# Container: fm-container-production-2ec02e
# networks:
# nginx-proxy (reachable)
# IP address: 172.18.0.4
# exposed ports: 8080/tcp
# default port: 8080
# using port: 8080
server 172.18.0.4:8080;
}
server {
server_name freight-manager.hui_site.com;
listen 80 ;
listen [::]:80 ;
access_log /var/log/nginx/access.log vhost;
# Do not HTTPS redirect Let's Encrypt ACME challenge
location ^~ /.well-known/acme-challenge/ {
auth_basic off;
auth_request off;
allow all;
root /usr/share/nginx/html;
try_files $uri =404;
break;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
server_name freight-manager.hui_site.com;
access_log /var/log/nginx/access.log vhost;
listen 443 ssl http2 ;
listen [::]:443 ssl http2 ;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_certificate /etc/nginx/certs/hui_site.com.crt;
ssl_certificate_key /etc/nginx/certs/hui_site.com.key;
set $sts_header "";
if ($https) {
set $sts_header "max-age=31536000";
}
add_header Strict-Transport-Security $sts_header always;
location / {
proxy_pass http://freight-manager.hui_site.com;
set $upstream_keepalive false;
}
}
# infisical.hui_site.com/
upstream infisical.hui_site.com {
# Container: infisical
# networks:
# nginx-proxy (reachable)
# postgres (unreachable)
# IP address: 172.18.0.6
# exposed ports: 443/tcp 8080/tcp
# default port: 80
# using port: 8080
server 172.18.0.6:8080;
}
server {
server_name infisical.hui_site.com;
listen 80 ;
listen [::]:80 ;
access_log /var/log/nginx/access.log vhost;
# Do not HTTPS redirect Let's Encrypt ACME challenge
location ^~ /.well-known/acme-challenge/ {
auth_basic off;
auth_request off;
allow all;
root /usr/share/nginx/html;
try_files $uri =404;
break;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
server_name infisical.hui_site.com;
access_log /var/log/nginx/access.log vhost;
listen 443 ssl http2 ;
listen [::]:443 ssl http2 ;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_certificate /etc/nginx/certs/hui_site.com.crt;
ssl_certificate_key /etc/nginx/certs/hui_site.com.key;
set $sts_header "";
if ($https) {
set $sts_header "max-age=31536000";
}
add_header Strict-Transport-Security $sts_header always;
location / {
proxy_pass http://infisical.hui_site.com;
set $upstream_keepalive false;
}
}
# production-2ec02e-freight-manager.hui_site.com/
upstream production-2ec02e-freight-manager.hui_site.com {
# Container: fm-container-production-2ec02e
# networks:
# nginx-proxy (reachable)
# IP address: 172.18.0.4
# exposed ports: 8080/tcp
# default port: 8080
# using port: 8080
server 172.18.0.4:8080;
}
server {
server_name production-2ec02e-freight-manager.hui_site.com;
listen 80 ;
listen [::]:80 ;
access_log /var/log/nginx/access.log vhost;
# Do not HTTPS redirect Let's Encrypt ACME challenge
location ^~ /.well-known/acme-challenge/ {
auth_basic off;
auth_request off;
allow all;
root /usr/share/nginx/html;
try_files $uri =404;
break;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
server_name production-2ec02e-freight-manager.hui_site.com;
access_log /var/log/nginx/access.log vhost;
listen 443 ssl http2 ;
listen [::]:443 ssl http2 ;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_certificate /etc/nginx/certs/hui_site.com.crt;
ssl_certificate_key /etc/nginx/certs/hui_site.com.key;
set $sts_header "";
if ($https) {
set $sts_header "max-age=31536000";
}
add_header Strict-Transport-Security $sts_header always;
location / {
proxy_pass http://production-2ec02e-freight-manager.hui_site.com;
set $upstream_keepalive false;
}
}
# production-c5037e-sgt-checkout.hui_site.com/
upstream production-c5037e-sgt-checkout.hui_site.com {
# Container: sgt-checkout-container-production-c5037e
# networks:
# nginx-proxy (reachable)
# IP address: 172.18.0.3
# exposed ports: 8080/tcp
# default port: 8080
# using port: 8080
server 172.18.0.3:8080;
}
server {
server_name production-c5037e-sgt-checkout.hui_site.com;
listen 80 ;
listen [::]:80 ;
access_log /var/log/nginx/access.log vhost;
# Do not HTTPS redirect Let's Encrypt ACME challenge
location ^~ /.well-known/acme-challenge/ {
auth_basic off;
auth_request off;
allow all;
root /usr/share/nginx/html;
try_files $uri =404;
break;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
server_name production-c5037e-sgt-checkout.hui_site.com;
access_log /var/log/nginx/access.log vhost;
listen 443 ssl http2 ;
listen [::]:443 ssl http2 ;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_certificate /etc/nginx/certs/hui_site.com.crt;
ssl_certificate_key /etc/nginx/certs/hui_site.com.key;
set $sts_header "";
if ($https) {
set $sts_header "max-age=31536000";
}
add_header Strict-Transport-Security $sts_header always;
location / {
proxy_pass http://production-c5037e-sgt-checkout.hui_site.com;
set $upstream_keepalive false;
}
}
# ws.hui_site.com/
upstream ws.hui_site.com {
# Container: websocket
# networks:
# nginx-proxy (reachable)
# IP address: 172.18.0.8
# exposed ports: 6001/tcp
# default port: 6001
# using port: 6001
server 172.18.0.8:6001;
}
server {
server_name ws.hui_site.com;
listen 80 ;
listen [::]:80 ;
access_log /var/log/nginx/access.log vhost;
# Do not HTTPS redirect Let's Encrypt ACME challenge
location ^~ /.well-known/acme-challenge/ {
auth_basic off;
auth_request off;
allow all;
root /usr/share/nginx/html;
try_files $uri =404;
break;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
server_name ws.hui_site.com;
access_log /var/log/nginx/access.log vhost;
listen 443 ssl http2 ;
listen [::]:443 ssl http2 ;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_certificate /etc/nginx/certs/hui_site.com.crt;
ssl_certificate_key /etc/nginx/certs/hui_site.com.key;
set $sts_header "";
if ($https) {
set $sts_header "max-age=31536000";
}
add_header Strict-Transport-Security $sts_header always;
location / {
proxy_pass http://ws.hui_site.com;
set $upstream_keepalive false;
}
}
nginxproxy/nginx-proxy:1.6-alpine
root@docker-host-03:~/nginx-proxy# docker exec nginx-proxy cat /etc/nginx/certs/hui_site.com.key
-----BEGIN PRIVATE KEY-----
...
is readable
1.6 generated conf
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;
events {
worker_connections 10240;
}
worker_rlimit_nofile 20480;
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
#gzip on;
include /etc/nginx/conf.d/*.conf;
}
include /etc/nginx/toplevel.conf.d/*.conf;
# configuration file /etc/nginx/mime.types:
types {
text/html html htm shtml;
text/css css;
text/xml xml;
image/gif gif;
image/jpeg jpeg jpg;
application/javascript js;
application/atom+xml atom;
application/rss+xml rss;
text/mathml mml;
text/plain txt;
text/vnd.sun.j2me.app-descriptor jad;
text/vnd.wap.wml wml;
text/x-component htc;
image/avif avif;
image/png png;
image/svg+xml svg svgz;
image/tiff tif tiff;
image/vnd.wap.wbmp wbmp;
image/webp webp;
image/x-icon ico;
image/x-jng jng;
image/x-ms-bmp bmp;
font/woff woff;
font/woff2 woff2;
application/java-archive jar war ear;
application/json json;
application/mac-binhex40 hqx;
application/msword doc;
application/pdf pdf;
application/postscript ps eps ai;
application/rtf rtf;
application/vnd.apple.mpegurl m3u8;
application/vnd.google-earth.kml+xml kml;
application/vnd.google-earth.kmz kmz;
application/vnd.ms-excel xls;
application/vnd.ms-fontobject eot;
application/vnd.ms-powerpoint ppt;
application/vnd.oasis.opendocument.graphics odg;
application/vnd.oasis.opendocument.presentation odp;
application/vnd.oasis.opendocument.spreadsheet ods;
application/vnd.oasis.opendocument.text odt;
application/vnd.openxmlformats-officedocument.presentationml.presentation
pptx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
xlsx;
application/vnd.openxmlformats-officedocument.wordprocessingml.document
docx;
application/vnd.wap.wmlc wmlc;
application/wasm wasm;
application/x-7z-compressed 7z;
application/x-cocoa cco;
application/x-java-archive-diff jardiff;
application/x-java-jnlp-file jnlp;
application/x-makeself run;
application/x-perl pl pm;
application/x-pilot prc pdb;
application/x-rar-compressed rar;
application/x-redhat-package-manager rpm;
application/x-sea sea;
application/x-shockwave-flash swf;
application/x-stuffit sit;
application/x-tcl tcl tk;
application/x-x509-ca-cert der pem crt;
application/x-xpinstall xpi;
application/xhtml+xml xhtml;
application/xspf+xml xspf;
application/zip zip;
application/octet-stream bin exe dll;
application/octet-stream deb;
application/octet-stream dmg;
application/octet-stream iso img;
application/octet-stream msi msp msm;
audio/midi mid midi kar;
audio/mpeg mp3;
audio/ogg ogg;
audio/x-m4a m4a;
audio/x-realaudio ra;
video/3gpp 3gpp 3gp;
video/mp2t ts;
video/mp4 mp4;
video/mpeg mpeg mpg;
video/quicktime mov;
video/webm webm;
video/x-flv flv;
video/x-m4v m4v;
video/x-mng mng;
video/x-ms-asf asx asf;
video/x-ms-wmv wmv;
video/x-msvideo avi;
}
# configuration file /etc/nginx/conf.d/config_additional.conf:
client_max_body_size 25m;
# To prevent error "upstream sent too big header while reading response header from upstream"
# https://www.getpagespeed.com/server-setup/nginx/tuning-proxy_buffer_size-in-nginx
proxy_buffer_size 16k;
proxy_buffers 8 16k;
proxy_busy_buffers_size 16k;
# For large cookies
large_client_header_buffers 4 16k;
# configuration file /etc/nginx/conf.d/default.conf:
# nginx-proxy version : 1.6.0
# Networks available to the container running docker-gen (which are assumed to
# match the networks available to the container running nginx):
# nginx-proxy
# If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
# scheme used to connect to this server
map $http_x_forwarded_proto $proxy_x_forwarded_proto {
default $http_x_forwarded_proto;
'' $scheme;
}
map $http_x_forwarded_host $proxy_x_forwarded_host {
default $http_x_forwarded_host;
'' $host;
}
# If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
# server port the client connected to
map $http_x_forwarded_port $proxy_x_forwarded_port {
default $http_x_forwarded_port;
'' $server_port;
}
# Include the port in the Host header sent to the container if it is non-standard
map $server_port $host_port {
default :$server_port;
80 '';
443 '';
}
# If the request from the downstream client has an "Upgrade:" header (set to any
# non-empty value), pass "Connection: upgrade" to the upstream (backend) server.
# Otherwise, the value for the "Connection" header depends on whether the user
# has enabled keepalive to the upstream server.
map $http_upgrade $proxy_connection {
default upgrade;
'' $proxy_connection_noupgrade;
}
map $upstream_keepalive $proxy_connection_noupgrade {
# Preserve nginx's default behavior (send "Connection: close").
default close;
# Use an empty string to cancel nginx's default behavior.
true '';
}
# Abuse the map directive (see <https://stackoverflow.com/q/14433309>) to ensure
# that $upstream_keepalive is always defined. This is necessary because:
# - The $proxy_connection variable is indirectly derived from
# $upstream_keepalive, so $upstream_keepalive must be defined whenever
# $proxy_connection is resolved.
# - The $proxy_connection variable is used in a proxy_set_header directive in
# the http block, so it is always fully resolved for every request -- even
# those where proxy_pass is not used (e.g., unknown virtual host).
map "" $upstream_keepalive {
# The value here should not matter because it should always be overridden in
# a location block (see the "location" template) for all requests where the
# value actually matters.
default false;
}
# Apply fix for very long server names
server_names_hash_bucket_size 128;
# Default dhparam
ssl_dhparam /etc/nginx/dhparam/dhparam.pem;
# Set appropriate X-Forwarded-Ssl header based on $proxy_x_forwarded_proto
map $proxy_x_forwarded_proto $proxy_x_forwarded_ssl {
default off;
https on;
}
gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
log_format vhost escape=default '$host $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$upstream_addr"';
access_log off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305';
ssl_prefer_server_ciphers off;
error_log /dev/stderr;
resolver 127.0.0.11;
# HTTP 1.1 support
proxy_http_version 1.1;
proxy_set_header Host $host$host_port;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $proxy_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $proxy_x_forwarded_host;
proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
proxy_set_header X-Original-URI $request_uri;
# Mitigate httpoxy attack (see README for details)
proxy_set_header Proxy "";
server {
server_name _; # This is just an invalid value which will never trigger on a real hostname.
server_tokens off;
access_log /var/log/nginx/access.log vhost;
http2 on;
listen 80;
listen [::]:80;
listen 443 ssl;
listen [::]:443 ssl;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
# No default.crt certificate found for this vhost, so force nginx to emit a
# TLS error if the client connects via https.
ssl_ciphers aNULL;
set $empty "";
ssl_certificate data:$empty;
ssl_certificate_key data:$empty;
if ($https) {
return 444;
}
location ^~ / {
return 503;
}
}
# checkout.hui_site.com/
upstream checkout.hui_site.com {
# Container: sgt-checkout-container-production-c5037e
# networks:
# nginx-proxy (reachable)
# IP address: 172.18.0.3
# exposed ports: 8080/tcp
# default port: 8080
# using port: 8080
server 172.18.0.3:8080;
}
server {
server_name checkout.hui_site.com;
access_log /var/log/nginx/access.log vhost;
listen 80 ;
listen [::]:80 ;
# Do not HTTPS redirect Let's Encrypt ACME challenge
location ^~ /.well-known/acme-challenge/ {
auth_basic off;
auth_request off;
allow all;
root /usr/share/nginx/html;
try_files $uri =404;
break;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
server_name checkout.hui_site.com;
access_log /var/log/nginx/access.log vhost;
http2 on;
listen 443 ssl ;
listen [::]:443 ssl ;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_certificate /etc/nginx/certs/hui_site.com.crt;
ssl_certificate_key /etc/nginx/certs/hui_site.com.key;
set $sts_header "";
if ($https) {
set $sts_header "max-age=31536000";
}
add_header Strict-Transport-Security $sts_header always;
location / {
proxy_pass http://checkout.hui_site.com;
set $upstream_keepalive false;
}
}
# freight-manager.hui_site.com/
upstream freight-manager.hui_site.com {
# Container: fm-container-production-2ec02e
# networks:
# nginx-proxy (reachable)
# IP address: 172.18.0.4
# exposed ports: 8080/tcp
# default port: 8080
# using port: 8080
server 172.18.0.4:8080;
}
server {
server_name freight-manager.hui_site.com;
access_log /var/log/nginx/access.log vhost;
listen 80 ;
listen [::]:80 ;
# Do not HTTPS redirect Let's Encrypt ACME challenge
location ^~ /.well-known/acme-challenge/ {
auth_basic off;
auth_request off;
allow all;
root /usr/share/nginx/html;
try_files $uri =404;
break;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
server_name freight-manager.hui_site.com;
access_log /var/log/nginx/access.log vhost;
http2 on;
listen 443 ssl ;
listen [::]:443 ssl ;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_certificate /etc/nginx/certs/hui_site.com.crt;
ssl_certificate_key /etc/nginx/certs/hui_site.com.key;
set $sts_header "";
if ($https) {
set $sts_header "max-age=31536000";
}
add_header Strict-Transport-Security $sts_header always;
location / {
proxy_pass http://freight-manager.hui_site.com;
set $upstream_keepalive false;
}
}
# infisical.hui_site.com/
upstream infisical.hui_site.com {
# Container: infisical
# networks:
# nginx-proxy (reachable)
# postgres (unreachable)
# IP address: 172.18.0.6
# exposed ports: 443/tcp 8080/tcp
# default port: 80
# using port: 8080
server 172.18.0.6:8080;
}
server {
server_name infisical.hui_site.com;
access_log /var/log/nginx/access.log vhost;
listen 80 ;
listen [::]:80 ;
# Do not HTTPS redirect Let's Encrypt ACME challenge
location ^~ /.well-known/acme-challenge/ {
auth_basic off;
auth_request off;
allow all;
root /usr/share/nginx/html;
try_files $uri =404;
break;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
server_name infisical.hui_site.com;
access_log /var/log/nginx/access.log vhost;
http2 on;
listen 443 ssl ;
listen [::]:443 ssl ;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_certificate /etc/nginx/certs/hui_site.com.crt;
ssl_certificate_key /etc/nginx/certs/hui_site.com.key;
set $sts_header "";
if ($https) {
set $sts_header "max-age=31536000";
}
add_header Strict-Transport-Security $sts_header always;
location / {
proxy_pass http://infisical.hui_site.com;
set $upstream_keepalive false;
}
}
# production-2ec02e-freight-manager.hui_site.com/
upstream production-2ec02e-freight-manager.hui_site.com {
# Container: fm-container-production-2ec02e
# networks:
# nginx-proxy (reachable)
# IP address: 172.18.0.4
# exposed ports: 8080/tcp
# default port: 8080
# using port: 8080
server 172.18.0.4:8080;
}
server {
server_name production-2ec02e-freight-manager.hui_site.com;
access_log /var/log/nginx/access.log vhost;
listen 80 ;
listen [::]:80 ;
# Do not HTTPS redirect Let's Encrypt ACME challenge
location ^~ /.well-known/acme-challenge/ {
auth_basic off;
auth_request off;
allow all;
root /usr/share/nginx/html;
try_files $uri =404;
break;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
server_name production-2ec02e-freight-manager.hui_site.com;
access_log /var/log/nginx/access.log vhost;
http2 on;
listen 443 ssl ;
listen [::]:443 ssl ;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_certificate /etc/nginx/certs/hui_site.com.crt;
ssl_certificate_key /etc/nginx/certs/hui_site.com.key;
set $sts_header "";
if ($https) {
set $sts_header "max-age=31536000";
}
add_header Strict-Transport-Security $sts_header always;
location / {
proxy_pass http://production-2ec02e-freight-manager.hui_site.com;
set $upstream_keepalive false;
}
}
# production-c5037e-sgt-checkout.hui_site.com/
upstream production-c5037e-sgt-checkout.hui_site.com {
# Container: sgt-checkout-container-production-c5037e
# networks:
# nginx-proxy (reachable)
# IP address: 172.18.0.3
# exposed ports: 8080/tcp
# default port: 8080
# using port: 8080
server 172.18.0.3:8080;
}
server {
server_name production-c5037e-sgt-checkout.hui_site.com;
access_log /var/log/nginx/access.log vhost;
listen 80 ;
listen [::]:80 ;
# Do not HTTPS redirect Let's Encrypt ACME challenge
location ^~ /.well-known/acme-challenge/ {
auth_basic off;
auth_request off;
allow all;
root /usr/share/nginx/html;
try_files $uri =404;
break;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
server_name production-c5037e-sgt-checkout.hui_site.com;
access_log /var/log/nginx/access.log vhost;
http2 on;
listen 443 ssl ;
listen [::]:443 ssl ;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_certificate /etc/nginx/certs/hui_site.com.crt;
ssl_certificate_key /etc/nginx/certs/hui_site.com.key;
set $sts_header "";
if ($https) {
set $sts_header "max-age=31536000";
}
add_header Strict-Transport-Security $sts_header always;
location / {
proxy_pass http://production-c5037e-sgt-checkout.hui_site.com;
set $upstream_keepalive false;
}
}
# ws.hui_site.com/
upstream ws.hui_site.com {
# Container: websocket
# networks:
# nginx-proxy (reachable)
# IP address: 172.18.0.8
# exposed ports: 6001/tcp
# default port: 6001
# using port: 6001
server 172.18.0.8:6001;
}
server {
server_name ws.hui_site.com;
access_log /var/log/nginx/access.log vhost;
listen 80 ;
listen [::]:80 ;
# Do not HTTPS redirect Let's Encrypt ACME challenge
location ^~ /.well-known/acme-challenge/ {
auth_basic off;
auth_request off;
allow all;
root /usr/share/nginx/html;
try_files $uri =404;
break;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
server_name ws.hui_site.com;
access_log /var/log/nginx/access.log vhost;
http2 on;
listen 443 ssl ;
listen [::]:443 ssl ;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_certificate /etc/nginx/certs/hui_site.com.crt;
ssl_certificate_key /etc/nginx/certs/hui_site.com.key;
set $sts_header "";
if ($https) {
set $sts_header "max-age=31536000";
}
add_header Strict-Transport-Security $sts_header always;
location / {
proxy_pass http://ws.hui_site.com;
set $upstream_keepalive false;
}
} |
I could have added the produced nginx configs as file attachments. |
@teodoryantcheff I took the liberty to add collapsible sections to your previous message. Did anything else change on your setup between the non-working and the now-working use of 1.6? Did you add a default certificate and key? The lines quoted by @jacekv seem to be the likely culprit, but I really need to see them in the context of a fully generated config that can reliably reproduce the issue. To anyone experiencing this bug: please ONLY post full nginx configs obtained with |
Thank you! I should have been smarter about that.
Unfortunately, I did not change anything. Just as described above. Same system, same certificates, same host, same everything. It was not working at one time and then magically started producing working nginx configs. Sorry for the lack of depth in that description...
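The generated configs above show two things that decide whether a vhost gets a real certificate or the empty `data:` one in the catch-all server: a sub-host such as checkout.hui_site.com is served with hui_site.com.crt, and without a default.crt the `server_name _` block is given `ssl_certificate data:$empty`, which OpenSSL rejects with the "no start line / Expecting: TRUSTED CERTIFICATE" error from the report. The diagnostic below is an added example, not nginx-proxy's own code: it assumes the lookup order exact host name, then each parent domain, then default (with a .key of the same base name required next to the .crt), and it runs against a constructed certs directory with placeholder PEM bodies.

```python
"""Added diagnostic: which file nginx-proxy would hand to ssl_certificate for a
host, and whether OpenSSL could load it. Not nginx-proxy's own code; the lookup
order (exact host, parent domains, default) is an assumption based on the
generated configs, and the certs directory below is constructed for the demo."""
import re
import tempfile
from dataclasses import dataclass, field
from pathlib import Path
from typing import List, Optional

# PEM labels accepted when nginx loads a certificate; the "Expecting: TRUSTED
# CERTIFICATE" text in the error is how OpenSSL names the type it was asked
# for, a plain CERTIFICATE block is accepted as well.
CERT_LABELS = {"CERTIFICATE", "TRUSTED CERTIFICATE"}
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}
# One PEM block: BEGIN line, body, END line carrying the same label.
PEM_BLOCK = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----\r?\n.*?^-----END \1-----", re.M | re.S)


def pem_labels(text: str) -> List[str]:
    """Labels of the well-formed PEM blocks in text; [] is what yields 'no start line'."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def candidate_names(host: str) -> List[str]:
    """Base names tried for a host, most specific first (assumed lookup order)."""
    labels = host.split(".")
    names = [".".join(labels[i:]) for i in range(max(len(labels) - 1, 1))]
    names.append("default")
    return names


@dataclass
class CertStatus:
    host: str
    cert: Optional[Path]  # None: the vhost falls back to the empty data: certificate
    problems: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return self.cert is not None and not self.problems


def resolve_cert(certs_dir: Path, host: str) -> CertStatus:
    """Pick the cert nginx-proxy would use for host and sanity-check crt and key."""
    for name in candidate_names(host):
        crt = certs_dir / f"{name}.crt"
        if not crt.is_file():
            continue
        status = CertStatus(host, crt)
        labels = pem_labels(crt.read_text(errors="replace"))
        if not labels:
            status.problems.append(f"{crt.name}: no PEM block, OpenSSL will report 'no start line'")
        elif labels[0] not in CERT_LABELS:
            status.problems.append(f"{crt.name}: first PEM block is {labels[0]!r}, not a certificate")
        key = certs_dir / f"{name}.key"
        if not key.is_file():
            status.problems.append(f"{key.name}: missing next to {crt.name}")
        elif not set(pem_labels(key.read_text(errors="replace"))) & KEY_LABELS:
            status.problems.append(f"{key.name}: no PEM private key block")
        return status
    return CertStatus(host, None, [f"no .crt for {host} or a parent domain, and no default.crt"])


# Constructed stand-in for the thread's /etc/nginx/certs listing: hui_site.com.crt
# and hui_site.com.key, no default.crt. Bodies are placeholder text, not real keys.
FAKE_CERT = "-----BEGIN CERTIFICATE-----\nMIIBconstructedPlaceholder\n-----END CERTIFICATE-----\n"
FAKE_KEY = "-----BEGIN PRIVATE KEY-----\nMIIEconstructedPlaceholder\n-----END PRIVATE KEY-----\n"


def build_demo_dir(with_bad_default: bool = False) -> Path:
    d = Path(tempfile.mkdtemp(prefix="certs-"))
    (d / "hui_site.com.crt").write_text(FAKE_CERT)
    (d / "hui_site.com.key").write_text(FAKE_KEY)
    if with_bad_default:
        # A default.crt that is not PEM at all (e.g. DER, or an empty file).
        (d / "default.crt").write_text("not a pem file\n")
        (d / "default.key").write_text(FAKE_KEY)
    return d


if __name__ == "__main__":
    certs = build_demo_dir()
    for h in ("checkout.hui_site.com", "ws.hui_site.com", "hui_site.com", "other.example.org"):
        s = resolve_cert(certs, h)
        used = s.cert.name if s.cert else "data: (empty)"
        print(f"{h:24} -> {used:16} {'OK' if s.ok else '; '.join(s.problems)}")
```

Run it against a copy of the real certs directory to see which hosts end up on the empty `data:` certificate before reading the full `nginx -T` output.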
Chiming in with some more data on the issue. We're facing the same errors, but our service is running without an issue behind the proxy... which is... strange?
certs
bpz@bpz-api-fra1:~/nginx-proxy$ docker exec nginx-proxy-1.6-alpine ls -l /etc/nginx/certs
total 8
-rw-r--r-- 1 root root 2851 Aug 12 19:15 hui_site.crt
-rw------- 1 root root 241 Aug 12 19:15 hui_site.key
generated conf
bpz@bpz-api-fra1:~/nginx-proxy$ docker exec nginx-proxy-1.6-alpine nginx -T
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;
events {
worker_connections 10240;
}
worker_rlimit_nofile 20480;
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
#gzip on;
include /etc/nginx/conf.d/*.conf;
}
include /etc/nginx/toplevel.conf.d/*.conf;
# configuration file /etc/nginx/mime.types:
types {
text/html html htm shtml;
text/css css;
text/xml xml;
image/gif gif;
image/jpeg jpeg jpg;
application/javascript js;
application/atom+xml atom;
application/rss+xml rss;
text/mathml mml;
text/plain txt;
text/vnd.sun.j2me.app-descriptor jad;
text/vnd.wap.wml wml;
text/x-component htc;
image/avif avif;
image/png png;
image/svg+xml svg svgz;
image/tiff tif tiff;
image/vnd.wap.wbmp wbmp;
image/webp webp;
image/x-icon ico;
image/x-jng jng;
image/x-ms-bmp bmp;
font/woff woff;
font/woff2 woff2;
application/java-archive jar war ear;
application/json json;
application/mac-binhex40 hqx;
application/msword doc;
application/pdf pdf;
application/postscript ps eps ai;
application/rtf rtf;
application/vnd.apple.mpegurl m3u8;
application/vnd.google-earth.kml+xml kml;
application/vnd.google-earth.kmz kmz;
application/vnd.ms-excel xls;
application/vnd.ms-fontobject eot;
application/vnd.ms-powerpoint ppt;
application/vnd.oasis.opendocument.graphics odg;
application/vnd.oasis.opendocument.presentation odp;
application/vnd.oasis.opendocument.spreadsheet ods;
application/vnd.oasis.opendocument.text odt;
application/vnd.openxmlformats-officedocument.presentationml.presentation
pptx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
xlsx;
application/vnd.openxmlformats-officedocument.wordprocessingml.document
docx;
application/vnd.wap.wmlc wmlc;
application/wasm wasm;
application/x-7z-compressed 7z;
application/x-cocoa cco;
application/x-java-archive-diff jardiff;
application/x-java-jnlp-file jnlp;
application/x-makeself run;
application/x-perl pl pm;
application/x-pilot prc pdb;
application/x-rar-compressed rar;
application/x-redhat-package-manager rpm;
application/x-sea sea;
application/x-shockwave-flash swf;
application/x-stuffit sit;
application/x-tcl tcl tk;
application/x-x509-ca-cert der pem crt;
application/x-xpinstall xpi;
application/xhtml+xml xhtml;
application/xspf+xml xspf;
application/zip zip;
application/octet-stream bin exe dll;
application/octet-stream deb;
application/octet-stream dmg;
application/octet-stream iso img;
application/octet-stream msi msp msm;
audio/midi mid midi kar;
audio/mpeg mp3;
audio/ogg ogg;
audio/x-m4a m4a;
audio/x-realaudio ra;
video/3gpp 3gpp 3gp;
video/mp2t ts;
video/mp4 mp4;
video/mpeg mpeg mpg;
video/quicktime mov;
video/webm webm;
video/x-flv flv;
video/x-m4v m4v;
video/x-mng mng;
video/x-ms-asf asx asf;
video/x-ms-wmv wmv;
video/x-msvideo avi;
}
# configuration file /etc/nginx/conf.d/config_additional.conf:
client_max_body_size 1000m;
send_timeout 5m;
client_body_timeout 5m;
client_header_timeout 5m;
# configuration file /etc/nginx/conf.d/default.conf:
# nginx-proxy version : 1.6.0
# Networks available to the container running docker-gen (which are assumed to
# match the networks available to the container running nginx):
# nginx-proxy
# If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
# scheme used to connect to this server
map $http_x_forwarded_proto $proxy_x_forwarded_proto {
default $http_x_forwarded_proto;
'' $scheme;
}
map $http_x_forwarded_host $proxy_x_forwarded_host {
default $http_x_forwarded_host;
'' $host;
}
# If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
# server port the client connected to
map $http_x_forwarded_port $proxy_x_forwarded_port {
default $http_x_forwarded_port;
'' $server_port;
}
# Include the port in the Host header sent to the container if it is non-standard
map $server_port $host_port {
    default :$server_port;
    80 '';
    443 '';
}
# If the request from the downstream client has an "Upgrade:" header (set to any
# non-empty value), pass "Connection: upgrade" to the upstream (backend) server.
# Otherwise, the value for the "Connection" header depends on whether the user
# has enabled keepalive to the upstream server.
map $http_upgrade $proxy_connection {
    default upgrade;
    '' $proxy_connection_noupgrade;
}
map $upstream_keepalive $proxy_connection_noupgrade {
    # Preserve nginx's default behavior (send "Connection: close").
    default close;
    # Use an empty string to cancel nginx's default behavior.
    true '';
}
# Abuse the map directive (see <https://stackoverflow.com/q/14433309>) to ensure
# that $upstream_keepalive is always defined. This is necessary because:
#   - The $proxy_connection variable is indirectly derived from
#     $upstream_keepalive, so $upstream_keepalive must be defined whenever
#     $proxy_connection is resolved.
#   - The $proxy_connection variable is used in a proxy_set_header directive in
#     the http block, so it is always fully resolved for every request -- even
#     those where proxy_pass is not used (e.g., unknown virtual host).
map "" $upstream_keepalive {
    # The value here should not matter because it should always be overridden in
    # a location block (see the "location" template) for all requests where the
    # value actually matters.
    default false;
}
# Apply fix for very long server names
server_names_hash_bucket_size 128;
# Default dhparam
ssl_dhparam /etc/nginx/dhparam/dhparam.pem;
# Set appropriate X-Forwarded-Ssl header based on $proxy_x_forwarded_proto
map $proxy_x_forwarded_proto $proxy_x_forwarded_ssl {
    default off;
    https on;
}
gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
log_format vhost escape=default '$host $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$upstream_addr"';
access_log off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305';
ssl_prefer_server_ciphers off;
error_log /dev/stderr;
resolver 127.0.0.11;
# HTTP 1.1 support
proxy_http_version 1.1;
proxy_set_header Host $host$host_port;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $proxy_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $proxy_x_forwarded_host;
proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
proxy_set_header X-Original-URI $request_uri;
# Mitigate httpoxy attack (see README for details)
proxy_set_header Proxy "";
server {
    server_name _; # This is just an invalid value which will never trigger on a real hostname.
    server_tokens off;
    access_log /var/log/nginx/access.log vhost;
    http2 on;
    listen 80;
    listen [::]:80;
    listen 443 ssl;
    listen [::]:443 ssl;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    # No default.crt certificate found for this vhost, so force nginx to emit a
    # TLS error if the client connects via https.
    ssl_ciphers aNULL;
    set $empty "";
    ssl_certificate data:$empty;
    ssl_certificate_key data:$empty;
    if ($https) {
        return 444;
    }
    location ^~ / {
        return 503;
    }
}
# api.hui_site.com/
upstream api.hui_site.com {
    # Container: bpz-api-prod-backend-1
    #     networks:
    #         nginx-proxy (reachable)
    #     IP address: 172.18.0.3
    #     exposed ports: (none)
    #     default port: 80
    #     using port: 8082
    server 172.18.0.3:8082;
}
server {
    server_name api.hui_site.com;
    access_log /var/log/nginx/access.log vhost;
    listen 80 ;
    listen [::]:80 ;
    # Do not HTTPS redirect Let's Encrypt ACME challenge
    location ^~ /.well-known/acme-challenge/ {
        auth_basic off;
        auth_request off;
        allow all;
        root /usr/share/nginx/html;
        try_files $uri =404;
        break;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}
server {
    server_name api.hui_site.com;
    access_log /var/log/nginx/access.log vhost;
    http2 on;
    listen 443 ssl ;
    listen [::]:443 ssl ;
    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    ssl_certificate /etc/nginx/certs/api.hui_site.com.crt;
    ssl_certificate_key /etc/nginx/certs/api.hui_site.com.key;
    set $sts_header "";
    if ($https) {
        set $sts_header "max-age=31536000";
    }
    add_header Strict-Transport-Security $sts_header always;
    location / {
        proxy_pass http://api.hui_site.com;
        set $upstream_keepalive false;
    }
}
When checking the logs, I see subsequent requests from our uptime monitors, which, of course, make the same requests periodically. All of them are resolved successfully, but some of them have the error logged right after.
The logs:
nginx.1 | api.hui_site.com 159.89.185.30 - - [13/Sep/2024:05:52:21 +0000] "GET /admin/login HTTP/2.0" 200 5929 "-" "DigitalOcean Uptime Probe 0.22.0 (https://digitalocean.com)" "172.18.0.3:8082"
nginx.1 | 2024/09/13 05:52:21 [error] 27#27: *11099 cannot load certificate "data:": PEM_read_bio_X509_AUX() failed (SSL: error:0480006C:PEM routines::no start line:Expecting: TRUSTED CERTIFICATE) while SSL handshaking, client: 185.81.68.125, server: 0.0.0.0:443
nginx.1 | api.hui_site.com 188.166.6.106 - - [13/Sep/2024:05:52:24 +0000] "GET /admin/login HTTP/2.0" 200 5929 "-" "DigitalOcean Uptime Probe 0.22.0 (https://digitalocean.com)" "172.18.0.3:8082"
nginx.1 | api.hui_site.com 138.68.248.57 - - [13/Sep/2024:05:52:34 +0000] "GET /admin/login HTTP/2.0" 200 5929 "-" "DigitalOcean Uptime Probe 0.22.0 (https://digitalocean.com)" "172.18.0.3:8082"
nginx.1 | api.hui_site.com 134.209.103.241 - - [13/Sep/2024:05:52:47 +0000] "GET /admin/login HTTP/2.0" 200 5929 "-" "DigitalOcean Uptime Probe 0.22.0 (https://digitalocean.com)" "172.18.0.3:8082"
nginx.1 | api.hui_site.com 159.89.185.30 - - [13/Sep/2024:05:53:21 +0000] "GET /admin/login HTTP/2.0" 200 5929 "-" "DigitalOcean Uptime Probe 0.22.0 (https://digitalocean.com)" "172.18.0.3:8082"
nginx.1 | api.hui_site.com 188.166.6.106 - - [13/Sep/2024:05:53:24 +0000] "GET /admin/login HTTP/2.0" 200 5929 "-" "DigitalOcean Uptime Probe 0.22.0 (https://digitalocean.com)" "172.18.0.3:8082"
nginx.1 | api.hui_site.com 138.68.248.57 - - [13/Sep/2024:05:53:33 +0000] "GET /admin/login HTTP/2.0" 200 5929 "-" "DigitalOcean Uptime Probe 0.22.0 (https://digitalocean.com)" "172.18.0.3:8082"
nginx.1 | 2024/09/13 05:53:38 [error] 27#27: *11112 cannot load certificate "data:": PEM_read_bio_X509_AUX() failed (SSL: error:0480006C:PEM routines::no start line:Expecting: TRUSTED CERTIFICATE) while SSL handshaking, client: 88.80.189.24, server: 0.0.0.0:443
nginx.1 | api.hui_site.com 134.209.103.241 - - [13/Sep/2024:05:53:47 +0000] "GET /admin/login HTTP/2.0" 200 5929 "-" "DigitalOcean Uptime Probe 0.22.0 (https://digitalocean.com)" "172.18.0.3:8082"
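The excerpt above interleaves `vhost` access-log lines with the handshake error, and the useful question for an operator is whether the clients named in the error lines ever complete a request on a configured vhost. The parser below separates the two line types and correlates them by client address. It is an added example, not code from nginx-proxy or from the comment; the sample lines are constructed from the excerpt above (docker-compose `nginx.1 |` prefix included), and the access-line pattern assumes the `vhost` log_format shown in the generated config.

```python
"""Correlate nginx-proxy 'cannot load certificate "data:"' errors with access-log clients.

Added example, not part of nginx-proxy or of the comment it follows. It reads a mixed
docker-compose log, separates vhost access-log lines from nginx error lines, and reports
which clients triggered the catch-all server's TLS error without ever completing a
request on a configured vhost.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: a subset of the lines posted in the comment above.
SAMPLE_LOG = """\
nginx.1 | api.hui_site.com 159.89.185.30 - - [13/Sep/2024:05:52:21 +0000] "GET /admin/login HTTP/2.0" 200 5929 "-" "DigitalOcean Uptime Probe 0.22.0 (https://digitalocean.com)" "172.18.0.3:8082"
nginx.1 | 2024/09/13 05:52:21 [error] 27#27: *11099 cannot load certificate "data:": PEM_read_bio_X509_AUX() failed (SSL: error:0480006C:PEM routines::no start line:Expecting: TRUSTED CERTIFICATE) while SSL handshaking, client: 185.81.68.125, server: 0.0.0.0:443
nginx.1 | api.hui_site.com 188.166.6.106 - - [13/Sep/2024:05:52:24 +0000] "GET /admin/login HTTP/2.0" 200 5929 "-" "DigitalOcean Uptime Probe 0.22.0 (https://digitalocean.com)" "172.18.0.3:8082"
nginx.1 | 2024/09/13 05:53:38 [error] 27#27: *11112 cannot load certificate "data:": PEM_read_bio_X509_AUX() failed (SSL: error:0480006C:PEM routines::no start line:Expecting: TRUSTED CERTIFICATE) while SSL handshaking, client: 88.80.189.24, server: 0.0.0.0:443
nginx.1 | api.hui_site.com 134.209.103.241 - - [13/Sep/2024:05:53:47 +0000] "GET /admin/login HTTP/2.0" 200 5929 "-" "DigitalOcean Uptime Probe 0.22.0 (https://digitalocean.com)" "172.18.0.3:8082"
"""

# Matches the "vhost" log_format from the generated config:
#   $host $remote_addr - $remote_user [$time_local] "$request" $status ...
# The optional leading "name | " is the docker-compose service prefix.
ACCESS_RE = re.compile(
    r'^(?:\S+ \| )?(?P<host>\S+) (?P<client>\d+\.\d+\.\d+\.\d+) - \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) '
)
# Matches the handshake error emitted when a connection lands on the catch-all
# server block, whose certificate is the empty "data:" value.
CERT_ERR_RE = re.compile(
    r'^(?:\S+ \| )?(?P<time>\S+ \S+) \[error\] .*cannot load certificate "data:".*?'
    r'client: (?P<client>\d+\.\d+\.\d+\.\d+), server: (?P<server>\S+)$'
)


def parse_log(text):
    """Split a mixed log into (access_records, error_records); other lines are ignored."""
    access, errors = [], []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            access.append(m.groupdict())
            continue
        m = CERT_ERR_RE.match(line)
        if m:
            errors.append(m.groupdict())
    return access, errors


def correlate(text):
    """Return {client_ip: {"errors": n, "vhost_requests": n}} for every client that hit
    the catch-all server's certificate error. A client with zero vhost requests never
    presented a server name that matched a configured vhost, which is exactly the case
    the catch-all server block exists to refuse."""
    access, errors = parse_log(text)
    served = Counter(rec["client"] for rec in access)
    report = defaultdict(lambda: {"errors": 0, "vhost_requests": 0})
    for rec in errors:
        report[rec["client"]]["errors"] += 1
        report[rec["client"]]["vhost_requests"] = served.get(rec["client"], 0)
    return dict(report)


if __name__ == "__main__":
    access, errors = parse_log(SAMPLE_LOG)
    print(f"{len(access)} vhost requests, {len(errors)} catch-all server TLS errors")
    for ip, stats in correlate(SAMPLE_LOG).items():
        tag = ("no vhost traffic (no SNI, or SNI matching no vhost)"
               if stats["vhost_requests"] == 0 else "also served on a vhost")
        print(f"{ip}: {stats['errors']} error(s), {tag}")
```

On the sample, the two clients that trigger the error never complete a request on api.hui_site.com, while the uptime probes never trigger it. That is consistent with the error lines coming from connections that reached the catch-all `server_name _` block (`server: 0.0.0.0:443`, no host) and were refused with the empty `data:` certificate, which is what the template comment says that block is for; the vhost's own certificate at /etc/nginx/certs is not involved in those lines.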
#2520 should have fixed this, please chime in if you still encounter the issue with I'll do a new patch release by the end of the week.
Fix released in version
Expecting: TRUSTED CERTIFICATE) while SSL handshaking fixes: nginx-proxy/nginx-proxy#2287
Cannot run HTTPS on the 1.3.1 image due to the following startup error:
nginx-proxy_1 | nginx.1 | 2023/08/18 15:59:31 [error] 46#46: *1 cannot load certificate "data:": PEM_read_bio_X509_AUX() failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE) while SSL handshaking, client: <IP>, server: 0.0.0.0:8881
This is the Docker compose to reproduce it:
For reference these are the crt and key files (REDACTED):
Tried using a crt file produced with
openssl x509 -in dtapi.domain.com.crt --trustout -out dtapi.domain.com.crt
without any change of output.
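It helps to pin down what the OpenSSL message in this report actually says. PEM_read_bio_X509_AUX(), the function named in the error, accepts a PEM block labelled either CERTIFICATE or TRUSTED CERTIFICATE; the "Expecting: TRUSTED CERTIFICATE" suffix only names the last label it tried, and the failure it reports is "no start line", meaning no `-----BEGIN ...-----` line was found in what nginx handed it. For `ssl_certificate data:$empty;` in the catch-all server block that input is an empty string, so no amount of reformatting the vhost's .crt file can change the outcome. The classifier below applies the same rule to an inline `data:` value or a file path; it is an added example, neither nginx-proxy's code nor the reporter's, and its PEM inputs are constructed placeholders, not real keys or certificates.

```python
"""Classify an nginx ssl_certificate source the way OpenSSL's PEM X509_AUX reader does.

Added example, not part of nginx-proxy or of the issue. PEM_read_bio_X509_AUX() accepts a
block labelled "CERTIFICATE" or "TRUSTED CERTIFICATE"; with no BEGIN line at all it fails
with "no start line", which is the error quoted in the issue for the empty "data:" value.
"""
import re

BEGIN_RE = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$", re.M)
END_RE = re.compile(r"^-----END ([A-Z0-9 ]+)-----$", re.M)
# Labels that PEM_read_bio_X509_AUX() parses as a certificate.
X509_AUX_LABELS = ("CERTIFICATE", "TRUSTED CERTIFICATE")


def pem_blocks(text):
    """Return the labels of well-formed PEM blocks in text, in order."""
    begins = [(m.start(), m.group(1)) for m in BEGIN_RE.finditer(text)]
    ends = [(m.start(), m.group(1)) for m in END_RE.finditer(text)]
    labels = []
    for (bpos, blabel), (epos, elabel) in zip(begins, ends):
        if epos > bpos and blabel == elabel:
            labels.append(blabel)
    return labels


def classify_certificate_source(source):
    """Mimic nginx's handling of an ssl_certificate value:
    - "data:<pem>" is inline PEM (what nginx-proxy's catch-all server block uses);
    - anything else is treated as a file path and read from disk.
    Returns "no start line", "ok", or "wrong type:<label>".
    """
    if source.startswith("data:"):
        text = source[len("data:"):]
    else:
        with open(source, "r", encoding="ascii", errors="replace") as fh:
            text = fh.read()
    labels = pem_blocks(text)
    if not labels:
        return "no start line"          # the OpenSSL error quoted in the issue
    if labels[0] in X509_AUX_LABELS:
        return "ok"                     # both labels load; -trustout makes no difference
    return f"wrong type:{labels[0]}"    # e.g. a private key installed as the .crt file


# Constructed inputs: the base64 bodies are placeholders, not real key or cert material.
EMPTY_INLINE = "data:"                  # what "ssl_certificate data:$empty;" expands to
KEY_AS_CERT = "data:-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"
PLAIN_CERT = "data:-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"
TRUSTED_CERT = ("data:-----BEGIN TRUSTED CERTIFICATE-----\nAAAA\n"
                "-----END TRUSTED CERTIFICATE-----\n")

if __name__ == "__main__":
    for name, src in [("empty data:", EMPTY_INLINE), ("key as cert", KEY_AS_CERT),
                      ("CERTIFICATE", PLAIN_CERT), ("TRUSTED CERTIFICATE", TRUSTED_CERT)]:
        print(f"{name:22s} -> {classify_certificate_source(src)}")
```

Running it shows the three cases an operator needs to tell apart when this message appears in the log: the empty inline value from the catch-all server block, which always reports "no start line" and is expected whenever a client connects without a matching server name; a certificate in either accepted label, which loads; and a file with the wrong PEM label, the one case where the .crt contents themselves are the problem.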