docker nginx ssl proxy pass to another container

Tags:

docker

nginx

ssl

I have a docker-compose file that right now runs two containers:

version: '3'

services:
  nginx-certbot-container:
    build: nginx-certbot
    restart: always
    links:
      - ghost-container:ghost-container
    ports:
      - 80:80
      - 443:443
    tty: true

  ghost-container:
    image: ghost
    restart: always
    ports:
      - 2368:2368

I have four websites, l.com, t1.l.com, t2.l.com, t3.l.com, all with SSL certificates done by Let's Encrypt, and working, in that on the URL I can see the green lock etc...

For t2.l.com, I would like that to be a blog from Ghost, but with the following nginx conf,

upstream ghost-container {
    server ghost-container:2368;
}

server {
    server_name t2.l.com;

    location / {
        proxy_pass https://ghost-container;
        proxy_ssl_certificate /etc/letsencrypt/live/l.com/fullchain.pem;
        proxy_ssl_certificate_key /etc/letsencrypt/live/l.com/privkey.pem;
        proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        proxy_ssl_ciphers "ECDHE-ECD ... BC3-SHA:!DSS";
        proxy_ssl_session_reuse on;
    }

    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/l.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/l.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
}

server {
    listen       80;
    listen [::]:80;
    server_name  t2.l.com;

    include /etc/nginx/snippets/letsencrypt.conf;

    location / {
        return 301 https://t2.l.com$request_uri;
        #proxy_pass http://ghost-container;
    }
}

If I comment out the return 301, and just keep the proxy_pass, I get redirected to the Ghost blog no problem, except it's not via SSL. But if I comment out the proxy_pass, like above, and return 301, the server returns a 502 Bad Gateway.

Is there something I'm missing? From other people's code it seems just having proxy certs is enough...

Edit

Well, I just did something that I was sure would not work, and set the proxy_pass in the SSL part to http: instead of https:, and it all worked fine, so if anyone can explain the mechanics or logic behind why this is so, I would be very interested; it doesn't make sense in my mind.

jupiar asked May 08 '26 07:05

1 Answer

You have to distinguish the connection from a client to nginx (your reverse proxy here) and the connection from nginx to your ghost container.

  1. The connection from a client to the nginx server can be encrypted (https, port 443) or unencrypted (http, 80). In your config file, there is one server block for each. If the client connects via https (after a redirect or directly), nginx will use the key at /etc/letsencrypt/live/l.com/* to encrypt the content of this connection. The content could be served from the file system inside the nginx-certbot-container container or from an upstream server (thus reverse proxy).

  2. For t2.l.com you would like to use the upstream server. Nginx will open a connection to the upstream server. It depends on the server running inside ghost-container whether it expects an http or https connection on port 2368. From the information you provided I deduce that it accepts http connections. Otherwise you would need SSL certificates also for the ghost container, or create self-signed certificates and make nginx trust the self-signed upstream connection. This means your proxy_pass should use http. Since the packages of this connection will never leave your computer, I think it is fairly safe to use http for the upstream server in this case.

(If this is not what you intended, you can also create the SSL endpoint in the ghost-container. In this case, nginx has to use SNI to determine the destination host because it only sees encrypted packages. Search for nginx reverse proxy ssl or so.)

Note: Please be careful with the ports property. The above docker-compose file publishes port 2368. So the ghost server can be reached via http://t2.l.com:2368. To avoid this, replace it with expose: [2368].

sauerburger answered May 11 '26 04:05
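The split the answer describes, written out as an added example (not code from the question or the answer): nginx terminates TLS for the client on 443 and talks plain HTTP to Ghost over the Docker network, with the proxy_ssl_* directives removed and forwarding headers added so Ghost knows the original scheme. It assumes the certificate paths and the ghost-container:2368 listener from the question.

```nginx
upstream ghost-container {
    server ghost-container:2368;   # plain HTTP listener inside the Docker network
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name t2.l.com;

    # Client-facing TLS: this is the only hop that needs a certificate.
    ssl_certificate     /etc/letsencrypt/live/l.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/l.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;

    location / {
        # The upstream hop is http, so no proxy_ssl_* directives here.
        # With proxy_pass https:// nginx attempts a TLS handshake against a
        # listener that expects plain HTTP; the failed handshake surfaces as 502.
        proxy_pass http://ghost-container;

        # Forward the original host and scheme so Ghost builds https:// links
        # and does not bounce the client back to http.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

server {
    listen 80;
    listen [::]:80;
    server_name t2.l.com;

    # ACME http-01 challenge snippet from the question stays on port 80.
    include /etc/nginx/snippets/letsencrypt.conf;

    location / {
        return 301 https://t2.l.com$request_uri;
    }
}
```

To pair this with the answer's last note, replace `ports: - 2368:2368` on the ghost-container service with `expose: ["2368"]`, so Ghost is reachable only from nginx over the Docker network and not from the host on http://t2.l.com:2368.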
