Score:0

NGINX reverse proxy upstream not connecting to specific port

I am trying to get to one of the backend servers, but I am getting this error:

27#27: *21653 connect() failed (111: Connection refused) while connecting to upstream, client: 84.255.55.25, server: premium.maltacraft.net, request: "GET / HTTP/1.1", upstream: "http://172.28.0.3:37200/", host: "premium.maltacraft.net"

I have a docker-compose stack, as seen below (redacted some services for simplicity):

services:
  nginx-ingress:
    image: nginx:latest
    logging:
      driver: "json-file"
      options:
        max-size: "50m"
        max-file: "10"
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - "./nginx-ingress/nginx.conf:/etc/nginx/nginx.conf:ro"
      - "./nginx-ingress/dhparam.pem:/etc/ssl/dhparam.pem:ro"
      - "./nginx-ingress/sites-available:/etc/nginx/sites-available:ro"
      - "./nginx-ingress/sites-enabled:/etc/nginx/sites-enabled:ro"
      - "./nginx-ingress/webroot:/var/www"
      - "/etc/letsencrypt:/etc/letsencrypt:ro"
    networks:
      - multicraft
      - wp_maltacraft

networks:
  multicraft:
  wp_maltacraft:

This is my nginx.conf file (pretty basic):

user  nginx;
worker_processes  auto;

error_log  /var/log/nginx/error.log notice;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;

    include /etc/nginx/sites-enabled/*.conf;
}

Now, I have 2 sites that are connecting to an Apache server, called Vanilla and Premium. The Vanilla one works, and you can see it working here: https://vanilla.maltacraft.net/

but the Premium one doesn't, as seen here: https://premium.maltacraft.net/

vanilla.maltacraft.net.conf:


upstream vanilla {
    server multicraft:38200;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name vanilla.maltacraft.net;
    server_tokens off;
    ssl_certificate /etc/letsencrypt/live/vanilla.maltacraft.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/vanilla.maltacraft.net/privkey.pem;

    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POL>

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_session_cache  builtin:1000  shared:SSL:10m;
    ssl_session_timeout  5m;
    add_header Strict-Transport-Security "max-age=63072000";
    add_header 'X-Frame-Options' 'SAMEORIGIN';
    add_header 'X-XSS-Protection' '1; mode=block';
    add_header 'X-Content-Type-Options' 'nosniff';
    add_header 'Referrer-Policy' 'no-referrer';
    ssl_dhparam /etc/ssl/dhparam.pem;

    location / {
        proxy_read_timeout 3600;
        proxy_pass http://vanilla;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Ssl on;
    }
}

premium.maltacraft.net.conf:


upstream premium {
    server multicraft:37200;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name premium.maltacraft.net;
    server_tokens off;
    ssl_certificate /etc/letsencrypt/live/premium.maltacraft.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/premium.maltacraft.net/privkey.pem;

    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POL>

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_session_cache  builtin:1000  shared:SSL:10m;
    ssl_session_timeout  5m;
    add_header Strict-Transport-Security "max-age=63072000";
    add_header 'X-Frame-Options' 'SAMEORIGIN';
    add_header 'X-XSS-Protection' '1; mode=block';
    add_header 'X-Content-Type-Options' 'nosniff';
    add_header 'Referrer-Policy' 'no-referrer';
    ssl_dhparam /etc/ssl/dhparam.pem;

    location / {
        proxy_read_timeout 3600;
        proxy_pass http://premium;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Ssl on;
    }
}

If I change the upstream port of the Premium one (37200) to the Vanilla one (38200), it works fine and it shows me the website for Vanilla. But I want it to show the Premium website.

Both websites have their SSL certificates generated and working, and their symbolic link has been generated for both of them (as they both appear with the same configuration in the sites-enabled folder).

Any idea what can be done to fix this issue? Or maybe to debug it?

Score:0

The problem was that the backend server was trying to listen to localhost (127.0.0.1) rather than 0.0.0.0. Changed it and it now works.
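
A way to confirm this cause before changing anything, as an added example that is not part of the original post: cross-check the ports named in the nginx `upstream` blocks against the bind addresses that `ss -ltn` reports inside the backend container. The `ss` output below is constructed sample data, and the function names are hypothetical.

```python
import re

# Constructed `ss -ltn` output from inside the backend container (not from the post).
SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       511     0.0.0.0:38200       0.0.0.0:*
LISTEN  0       511     127.0.0.1:37200     0.0.0.0:*
LISTEN  0       128     [::1]:25565         [::]:*
"""
# Upstream definitions from the question, condensed to one line each.
NGINX_CONF = """\
upstream vanilla { server multicraft:38200; }
upstream premium { server multicraft:37200; }
"""
LOOPBACK = re.compile(r"^(127\.|\[?::1\]?$)")

def upstream_ports(conf):
    """Map upstream name -> port from `upstream NAME { server HOST:PORT; }` blocks."""
    pat = re.compile(r"upstream\s+(\S+)\s*\{[^}]*?server\s+[^\s:;]+:(\d+)", re.S)
    return {name: int(port) for name, port in pat.findall(conf)}

def listeners(ss_text):
    """Map port -> set of bind addresses taken from the LISTEN rows of `ss -ltn`."""
    out = {}
    for line in ss_text.splitlines():
        cols = line.split()
        if len(cols) < 4 or cols[0] != "LISTEN":
            continue
        addr, _, port = cols[3].rpartition(":")
        if port.isdigit():
            out.setdefault(int(port), set()).add(addr)
    return out

def diagnose(conf, ss_text):
    """Classify each upstream as ok, loopback-only, or not-listening."""
    bound = listeners(ss_text)
    result = {}
    for name, port in upstream_ports(conf).items():
        addrs = bound.get(port, set())
        if not addrs:
            result[name] = "not-listening"
        else:
            loop = all(LOOPBACK.match(a) for a in addrs)
            result[name] = "loopback-only" if loop else "ok"
    return result

if __name__ == "__main__":
    print(diagnose(NGINX_CONF, SS_OUTPUT))
```

A `loopback-only` upstream produces exactly the `111: Connection refused` seen in the nginx error log, because the proxy connects over the Compose network address rather than 127.0.0.1. Binding to 0.0.0.0 inside the container makes the port reachable from every network the container is attached to; it reaches the host's interfaces only if the service also publishes it under `ports:`.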
