
nginx local reverse proxy with firewalld


I am running a service in a Docker container. The service is exposed on a given port (e.g. 12345).

On top of it I added an nginx reverse proxy to get extra functionality like HTTPS and HTTP/2.

The nginx configuration is the following:

worker_processes auto;

events {
    worker_connections 1024;   # nginx refuses to start without an events block
}

http {
    sendfile        on;

    gzip  on;

    server {
        listen 443 ssl http2;
        listen [::]:443 ssl ipv6only=on http2;

        server_name example.com;

        ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

        location / {
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $host;

            # "localhost" is resolved once at startup; if it yields both
            # 127.0.0.1 and ::1, nginx round-robins between the two addresses
            proxy_pass http://localhost:12345/;

            proxy_buffering off;
            # HTTP/1.1 plus the Upgrade/Connection headers let WebSocket
            # connections pass through the proxy
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
    }
}

Without any firewall, it works properly (I can access the service on LAN both on port 443 and on port 12345).

I have firewalld with the nftables backend configured as follows:

docker (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: br-06ceff0ffa49 docker0
  sources: 
  services: 
  ports: 12345/tcp 12345/udp
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0 wlan0
  sources: 
  services: http https ssh
  ports: 12345/tcp
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

trusted (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: lo
  sources: 
  services: 
  ports: 12345/tcp
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

When I try to access the service from a PC on LAN with this configuration, I can access it directly through port 12345, but if I try accessing it via nginx I get a timeout.

My feeling is that firewalld is preventing nginx from exchanging data with the container, but I have no clue what I am missing to make it work.

What may I be missing?

mangohost
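The checks a practitioner would run on the host itself to narrow down where the timeout comes from, as an added example that is not part of the question. The zone listing inside the script is constructed from the `firewall-cmd --list-all-zones` output above; the two parsing functions answer "which zone owns this interface" and "does that zone admit this TCP port" from such a listing, and `live_checks` runs the real commands (`firewall-cmd`, `getent`, `ss`, `curl`) on the box. The port 12345 and the nginx error-log path `/var/log/nginx/error.log` are assumptions taken from the question and the usual package layout.

```shell
#!/bin/sh
# Added diagnostic helper; not from the original question.

# Zone listing constructed from the question's firewall-cmd output
# (only the fields the helpers below look at are kept).
ZONES='docker (active)
  target: ACCEPT
  interfaces: br-06ceff0ffa49 docker0
  ports: 12345/tcp 12345/udp
public (active)
  target: default
  interfaces: eth0 wlan0
  services: http https ssh
  ports: 12345/tcp
trusted (active)
  target: ACCEPT
  interfaces: lo
  ports: 12345/tcp
'

# zone_for_iface LISTING IFACE -> prints the zone whose "interfaces:" line names IFACE
zone_for_iface() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^[A-Za-z]/        { zone = $1 }                 # "docker (active)" -> docker
        /^  interfaces:/   { for (i = 2; i <= NF; i++) if ($i == want) { print zone; exit } }
    '
}

# zone_allows_tcp LISTING ZONE PORT -> exit 0 if ZONE has PORT/tcp under "ports:"
# or its target is ACCEPT (which admits everything). Ports that only come in
# through "services:" (e.g. 443 via https) are deliberately not resolved here.
zone_allows_tcp() {
    printf '%s\n' "$1" | awk -v zone="$2" -v port="$3" '
        /^[A-Za-z]/                                  { cur = $1 }
        cur == zone && /^  target:/ && $2 == "ACCEPT" { ok = 1 }
        cur == zone && /^  ports:/ { for (i = 2; i <= NF; i++) if ($i == (port "/tcp")) ok = 1 }
        END { exit ok ? 0 : 1 }
    '
}

# live_checks [PORT]: what nginx actually sees when it talks to the backend.
# Defined only; run it by hand on the host. Paths and tools are assumptions.
live_checks() {
    port="${1:-12345}"
    echo "## firewalld zone owning lo (loopback is what proxy_pass to localhost uses):"
    firewall-cmd --get-zone-of-interface=lo
    echo "## addresses 'localhost' resolves to (nginx uses every one it gets):"
    getent ahosts localhost | awk '{ print $1 }' | sort -u
    echo "## listeners on :$port (is there one on ::1 as well as 127.0.0.1?):"
    ss -ltnp "sport = :$port"
    echo "## host -> backend over IPv4 and IPv6 with a 5 s timeout:"
    curl -4 -sS -m 5 -o /dev/null -w 'v4: %{http_code}\n' "http://127.0.0.1:$port/" || true
    curl -6 -sS -m 5 -o /dev/null -w 'v6: %{http_code}\n' "http://[::1]:$port/"      || true
    echo "## last upstream errors logged by nginx (log path assumed):"
    grep -h upstream /var/log/nginx/error.log 2>/dev/null | tail -n 5
}
```

Run `live_checks 12345` as root on the Docker host. If the IPv4 and IPv6 `curl` results differ, or `getent` returns `::1` while `ss` shows the backend listening only on `127.0.0.1`, the timeout is explained by which address nginx picked, independently of the zone configuration.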
