443: Connection refused. default.conf looks ok. HTTP - OK, HTTPS: NOT OK

[murbanowicz]

Hi,
I was trying to dig it from other issues but I can't find solution.

I am using 3 containers method with docker-compose.
Here is my docker-compose:

version: '2' 

services: 
  nginx:
    image: nginx
    container_name: nginx
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - "/etc/nginx/conf.d"
      - "/etc/nginx/vhost.d"
      - "/usr/share/nginx/html"
      - "../../../volumes/proxy/certs:/etc/nginx/certs:ro"
    networks:
      - nginxproxy
  nginx-gen:
    image: jwilder/docker-gen
    container_name: nginx-gen
    depends_on:
      - letsencrypt-nginx-proxy-companion
      - nginx
    volumes:
      - "/var/run/docker.sock:/tmp/docker.sock:ro"
      - "/etc/docker-gen/templates:/etc/docker-gen/templates:ro"
    volumes_from:
      - nginx
    entrypoint: /bin/sh -c
    command: ["/usr/local/bin/docker-gen -notify-sighup nginx -only-exposed -watch -wait 30s:60s /etc/docker-gen/templates/nginx.tmpl /etc/nginx/conf.d/default.conf"]

  letsencrypt-nginx-proxy-companion:
    image: jrcs/letsencrypt-nginx-proxy-companion
    container_name: letsencrypt-nginx-proxy-companion
    volumes_from:
      - nginx
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "../../../volumes/proxy/certs:/etc/nginx/certs:rw"
    environment:
      - NGINX_DOCKER_GEN_CONTAINER=nginx-gen

networks: 
  nginxproxy:
    external:
      name: nginxproxy

It is running and my host with wordpress site is working ok with http, but not working at all with https.

docker exec -it nginx cat /etc/nginx/conf.d/default.conf is giving following output:

# If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
# scheme used to connect to this server
map $http_x_forwarded_proto $proxy_x_forwarded_proto {
  default $http_x_forwarded_proto;
  ''      $scheme;
}
# If we receive Upgrade, set Connection to "upgrade"; otherwise, delete any
# Connection header that may have been passed to this server
map $http_upgrade $proxy_connection {
  default upgrade;
  '' close;
}
gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
log_format vhost '$host $remote_addr - $remote_user [$time_local] '
                 '"$request" $status $body_bytes_sent '
                 '"$http_referer" "$http_user_agent"';
access_log off;
# HTTP 1.1 support
proxy_http_version 1.1;
proxy_buffering off;
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $proxy_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
server {
    server_name _; # This is just an invalid value which will never trigger on a real hostname.
    listen 80;
    access_log /var/log/nginx/access.log vhost;
    return 503;
}
upstream mydomain.com {
           # neopolis_wordpress_1
           server :80;
}
server {
    server_name mydomain.com;
    listen 80 ;
    access_log /var/log/nginx/access.log vhost;
    return 301 https://$host$request_uri;
}
server {
    server_name mydomain.com;
    listen 443 ssl http2 ;
    access_log /var/log/nginx/access.log vhost;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
    ssl_prefer_server_ciphers on;
    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:50m;
    ssl_certificate /etc/nginx/certs/mydomain.com.crt;
    ssl_certificate_key /etc/nginx/certs/mydomain.com.key;
    ssl_dhparam /etc/nginx/certs/mydomain.com.dhparam.pem;
    add_header Strict-Transport-Security "max-age=31536000";
    include /etc/nginx/vhost.d/default;
    location / {
        proxy_pass http://mydomain.com;
    }
}

I've checked logs of companion and looks like certs are ok ('...are valid and no need to renew... sleep ...').

Based on config visible above, in my understanding it should automatically redirect from http to https but it does not. Also, caling https directly gives CONNECTION REFUSED all the time.

Any idea?

[fatk]

There's an issue in the following block:

upstream mydomain.com {
           # neopolis_wordpress_1
           server :80;
}

It lacks the IP for the upstream server.

The docker-compose.yml file in this repo is outdated, i'm in the process of changing that, in the meantime, you should remove the -only-exposed

from this line:

command: ["/usr/local/bin/docker-gen -notify-sighup nginx -only-exposed -watch -wait 30s:60s /etc/docker-gen/templates/nginx.tmpl /etc/nginx/conf.d/default.conf"]

If you want a more up-to-date example, check this one out: https://github.com/pixelfordinner/pixelcloud-docker-apps/blob/master/nginx-proxy/docker-compose.yml

In a week or two i should be able to update this repo with more general and up-to-date examples.

Hope this helps.

[1beb]

I was able to get this simple website working. But trying wordprss didn't work out so well. I did find this repo, which after downgrading to v1.3 or lets encrypt companion worked well for me.

https://github.com/gilyes/docker-nginx-letsencrypt-sample

It's kind of the same as yours but a little different. Maybe some collaboration is in order with JRCS to point to the one or multiple sets of examples that work.