Docker configuration for SSL reverse proxy usage. #19

Open
tnemeth opened this issue Dec 10, 2021 · 6 comments

@tnemeth

tnemeth commented Dec 10, 2021

Context

Hi.

I'm in the process of switching the web access to https using a reverse proxy on the host on which the dockers are instantiated.
The reverse proxy, using nginx, is configured to map the host public ip address (for now) as follows:

        location /opencve {
                include proxy_params;
                proxy_pass http://localhost:8000;
        }

The opencve.cfg file is modified so that the server_name variable is ip.ad.dr.es/opencve and use_reverse_proxy is set to True. I changed neither the Dockerfile nor the docker-compose.yml file regarding the web server launch command.

Expected Behavior

I expected the service would be usable over https.

Actual Behavior

A 404 error page is displayed. Changing the server_name to that of the public address and port makes opencve reachable but without being proxied.

Steps to Reproduce the Problem

  • install opencve using dockers with the mentioned configuration
  • configure nginx on the host to be a reverse proxy for opencve
  • try and access the https port on the host.

Specifications

  • OpenCVE version: 1.2.3
  • Platform: debian 11
  • Docker version: 20.10.5+dfsg1-1+b5
  • Docker-compose version: 1.25.0-1


@tnemeth
Author

tnemeth commented Dec 14, 2021

In conf/opencve.cfg :

  • the server_name variable is set to 192.168.42.202/opencve
  • the use_reverse_proxy is set to True

In docker-compose.yml, I changed the webserver ports to 127.0.0.1:${OPENCVE_PORT:-8000}:8000 in order to limit the listening service to be on localhost:8000 only.

Then, nginx configuration is as specified above:

location /opencve {
        include proxy_params;
        proxy_pass http://localhost:8000;
}

The output of docker ps displays the webserver correctly listening on 127.0.0.1:8000. So why can't the webserver display pages correctly ?
What am I missing ?

@ncrocfer
Member

@ldurnez any idea on that ?

@tnemeth
Author

tnemeth commented Jan 3, 2022

I'm coming back for news on this subject :)
Is there a means to get logs of why requests fail ?

@ncrocfer assigned ncrocfer and ldurnez and unassigned ncrocfer Jan 3, 2022

@kossithedon

Hi,

Any news on this subject ? I'm facing exactly the same issue

@Hactarus

Hactarus commented Aug 9, 2022

Hi,

Could you give us the content of include proxy_params; ?
I think you are missing some headers in your nginx config.

proxy_pass		http://webserver:8000;
proxy_set_header	Host			$http_host;
proxy_set_header	X-Real-IP		$remote_addr;
proxy_set_header	X-Forwarded-For	$proxy_add_x_forwarded_for;
proxy_set_header	X-Forwarded-Proto	$scheme;

To go further: https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_set_header

It worked for me with this config:
Part of docker-compose.yml

    loadbalancer:
        <<: *opencve_defaults
        image: nginx:latest
        volumes:
            - ./nginx.conf:/etc/nginx/nginx.conf:ro
        depends_on:
            - webserver
        networks:
            - frontend
        ports:
            - ${OPENCVE_PORT:-8000}:80
    webserver:
        <<: *opencve_defaults
        build:
            context: .
            args:
                - OPENCVE_VERSION=${OPENCVE_VERSION}
                - HTTP_PROXY=${HTTP_PROXY:-}
                - HTTPS_PROXY=${HTTPS_PROXY:-}
            dockerfile: Dockerfile
        depends_on:
            - postgres
        command: webserver -b 0.0.0.0:8000
        deploy:
            replicas: 3
        networks:
            - frontend
            - backend

File: nginx.conf

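# nginx refuses to start without an events section; an empty one uses the defaults
events {}

http {
	server {
		listen 80;
		location / {
			# forward everything to the webserver service and keep the client's Host header
			proxy_pass http://webserver:8000;
			proxy_set_header	Host $http_host;
		}
	}
}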
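Added example, not part of any comment in this thread: a simplified model of how nginx builds the upstream request URI for a prefix `location`, applied to the two `location`/`proxy_pass` pairs posted above and to two variants where `proxy_pass` carries a URI part. The request paths and the variants are constructed for illustration.

```python
from urllib.parse import urlsplit


def upstream_uri(location_prefix, proxy_pass, request_uri):
    """URI nginx sends upstream, or None when the prefix location does not match.

    Simplified model: prefix locations only (no regex, no rewrite, no variables
    in proxy_pass) and an already-normalized request URI.
    """
    path, sep, query = request_uri.partition("?")
    if not path.startswith(location_prefix):
        return None
    if urlsplit(proxy_pass).path == "":
        # proxy_pass without a URI part: the request URI is passed unchanged.
        return request_uri
    # proxy_pass with a URI part: the matched prefix is replaced by that URI.
    return urlsplit(proxy_pass).path + path[len(location_prefix):] + sep + query


# (label, location prefix, proxy_pass, request URI); request paths are constructed.
CASES = [
    ("thread: location /opencve", "/opencve", "http://localhost:8000", "/opencve/login"),
    ("thread: location /", "/", "http://webserver:8000", "/login"),
    ("variant: URI part on both", "/opencve/", "http://localhost:8000/", "/opencve/login?next=%2F"),
    ("variant: slash mismatch", "/opencve", "http://localhost:8000/", "/opencve/login"),
]


def run_cases():
    """Map each case label to the URI the backend would receive."""
    return {label: upstream_uri(loc, target, uri) for label, loc, target, uri in CASES}


if __name__ == "__main__":
    for label, sent in run_cases().items():
        print(f"{label:28} -> {sent}")
```

With the `location /opencve` block the backend is asked for `/opencve/login`, so it can answer only if it serves routes under that prefix; the last variant shows the double slash produced when only one side ends in `/`.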

@tnemeth
Author

tnemeth commented Aug 10, 2022

Hi !

The contents of proxy_params are the following:

proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;

The proxy_pass http://webserver:8000; line shouldn't be necessary here since it's in the sites-enabled/revers-proxy file along with the server configuration (what you put in your nginx.conf file). Note that I use the nginx installation on the host system, not in another docker.

My reverse-proxy configuration is then :

# redirects accesses to host:443 (SSL) to localhost:8000 (no ssl)
# since logins/passwords would circulate in clear otherwise
server {
        listen 443 ssl default_server;
        # TODO : use real certs.
        include snippets/snakeoil.conf;

        # ...

        location /opencve {
                include proxy_params;
                # opencve docker exposes its web interface on localhost:8000
                proxy_pass http://localhost:8000;
                proxy_set_header Host $http_host;
        }
}

I just added the last proxy_set_header Host $http_host; line with no effect... I'll have a deeper look at my conf since I left it alone for all these months as I couldn't have that https access...

When using nginx as a reverse proxy, my docker-compose.yml webserver section is:

services:
    webserver:
        <<: *opencve_defaults
        container_name: webserver
        build:
            context: .
            args:
                - OPENCVE_VERSION=${OPENCVE_VERSION}
                - HTTP_PROXY=${HTTP_PROXY:-}
                - HTTPS_PROXY=${HTTPS_PROXY:-}
            dockerfile: Dockerfile
        depends_on:
            - postgres
        command: webserver -b 0.0.0.0:8000
        networks:
            - backend
        ports:
            - 127.0.0.1:${OPENCVE_PORT:-8000}:8000

Also, the server_name in opencve.cfg is set to server_name = public.ip.addr/opencve when configuring the docker for https accesses from the reverse proxy.
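Added example, not part of the thread or of the OpenCVE project: a check that the plain-HTTP ports published in docker-compose.yml are bound to loopback only, so that the TLS reverse proxy on the host is the only path to the web interface. It handles the short `ports` syntax and a subset of `${VAR:-default}` interpolation; the function names and the `THREAD_PORTS` layout are assumptions made for the example.

```python
import ipaddress
import re

_VAR = re.compile(r"\$\{(\w+)(?::?-([^}]*))?\}")


def expand(value, env):
    """Resolve ${VAR} and ${VAR:-default} (subset of Compose interpolation)."""
    return _VAR.sub(lambda m: env.get(m.group(1)) or (m.group(2) or ""), value)


def published_on(port_spec, env=None):
    """Return (host_ip, host_port) for a short-syntax ports entry."""
    spec = expand(port_spec, env or {}).split("/", 1)[0]  # drop /tcp or /udp
    parts = spec.rsplit(":", 2)
    if len(parts) == 3:            # HOST_IP:HOST_PORT:CONTAINER_PORT
        return parts[0].strip("[]"), parts[1]
    if len(parts) == 2:            # HOST_PORT:CONTAINER_PORT binds all interfaces
        return "0.0.0.0", parts[0]
    return "0.0.0.0", "ephemeral"  # container port only: random host port


def exposed_beyond_loopback(services, env=None):
    """List (service, spec, host_ip, host_port) for ports reachable from other hosts."""
    findings = []
    for name, ports in services.items():
        for spec in ports:
            host_ip, host_port = published_on(spec, env)
            if not ipaddress.ip_address(host_ip).is_loopback:
                findings.append((name, spec, host_ip, host_port))
    return findings


# Port entries copied from the two docker-compose.yml excerpts in this thread;
# the dictionary layout is constructed for the example.
THREAD_PORTS = {
    "loadbalancer": ["${OPENCVE_PORT:-8000}:80"],
    "webserver": ["127.0.0.1:${OPENCVE_PORT:-8000}:8000"],
}

if __name__ == "__main__":
    for finding in exposed_beyond_loopback(THREAD_PORTS):
        print("published beyond loopback:", finding)
```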
