Question

Https refused to connect 301 - Nginx, certbot, docker-compose, nodejs

Posted May 7, 2021
Nginx, Node.js, Docker, Let's Encrypt

I have a docker-compose running the whole stack. I have referred to this for nginx and certbot setup.

I am exposing my nodejs app on ports 4000 (app) and 5000 (prisma). The whole stack is part of a docker network. Only nginx is exposed to the host, on 443:443 and 80:80.

App works fine on 80 but when trying to redirect to 443 it refuses to connect. I have enabled the firewall for both ports. (using ufw and DO firewall setting)

Here is the nginx conf:

server {
    listen 80;
    listen [::]:80;
    server_name a.example.com;

    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    location / {
       return 301 https://$server_name$request_uri;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name a.example.com;

    # ssl
    ssl_certificate /etc/letsencrypt/live/a.example.come/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/a.example.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location / {
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header Host $http_host;
      proxy_redirect off;
      proxy_pass http://app:4000;
    }

    location /prisma-studio/ {
      proxy_pass http://app:5000;
    }

    location ^~ /.well-known/acme-challenge/ {
        root /var/www/html;
    }
}

Here is the docker-compose:

version: "3.8"

services:
    postgres_db:
        restart: unless-stopped
        image: postgres
        container_name: 'postgres'
        environment:
          - <cert env>
        expose:
            - 5432

    app:
        restart: unless-stopped
        image: node:14.16.1-alpine
        container_name: 'app'
        command: sh -c '<app launch cmd>'
        volumes:
            - .:/app
        expose:
            - 4000
            - 5000
        depends_on:
            - postgres_db

    nginx:
      container_name: nginx
      restart: unless-stopped
      image: nginx:1.19-alpine
      command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'"
      ports:
        - 80:80
        - 443:433
      volumes:
        - ./proxy/nginx:/etc/nginx/conf.d
        - ./proxy/data/certbot/conf:/etc/letsencrypt
        - ./proxy/data/certbot/www:/var/www/certbot
      depends_on:
        - app

    certbot:
      restart: unless-stopped
      image: certbot/certbot
      volumes:
        - ./proxy/data/certbot/conf:/etc/letsencrypt
        - ./proxy/data/certbot/www:/var/www/certbot
      entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"

Both ports 80 and 443 are open and listening.

What am I doing wrong?

1 answer

Hi @sr1,

When you type inside your droplet:

netstat -tulpen

Do you see the port 443 opened with Nginx listening to it? Additionally, when you configure the proxy to work on port 80, do you just add the following to the server block:

    location / {
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header Host $http_host;
      proxy_redirect off;
      proxy_pass http://app:4000;
    }

    location /prisma-studio/ {
      proxy_pass http://app:5000;
    }

    location ^~ /.well-known/acme-challenge/ {
        root /var/www/html;
    }

Or do you change it a bit (talking about when you use port 80, as you mentioned it's working for you)?
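A consistency check for the two files posted in this thread, as an added example that is not part of the original question or answer: it compares the container side of each published port in docker-compose with the ports nginx listens on, and checks that `ssl_certificate` and `ssl_certificate_key` load from the same directory. The embedded excerpts are constructed from the configuration posted above, and all function names are hypothetical.

```python
import re
# Constructed excerpts, copied from the compose file and nginx conf in the question.
COMPOSE = """\
nginx:
  ports:
    - 80:80
    - 443:433
"""
NGINX = """\
server {
    listen 80;
    listen [::]:80;
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    ssl_certificate /etc/letsencrypt/live/a.example.come/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/a.example.com/privkey.pem;
}
"""

def published_ports(compose_text):
    """(host, container) pairs from short-syntax 'HOST:CONTAINER' port entries."""
    pairs = re.findall(r'^\s*-\s*"?(\d+):(\d+)"?\s*$', compose_text, re.M)
    return [(int(h), int(c)) for h, c in pairs]

def listen_ports(nginx_text):
    """Set of TCP ports named in nginx 'listen' directives."""
    args = re.findall(r'^\s*listen\s+([^\s;]+)', nginx_text, re.M)
    tails = (a.rsplit(":", 1)[-1] for a in args)  # '443' and '[::]:443' both give '443'
    return {int(t) for t in tails if t.isdigit()}

def cert_dirs(nginx_text):
    """Map ssl_certificate / ssl_certificate_key to the directory each file is read from."""
    pattern = r'^\s*(ssl_certificate(?:_key)?)\s+(\S+)/[^/;]+;'
    return dict(re.findall(pattern, nginx_text, re.M))

def audit(compose_text, nginx_text):
    """Return human-readable findings; an empty list means the two files agree."""
    findings = []
    listening = listen_ports(nginx_text)
    for host, container in published_ports(compose_text):
        if container not in listening:  # traffic is forwarded to a port nothing serves
            findings.append(f"host {host} -> container {container}: nginx listens on {sorted(listening)}")
    dirs = cert_dirs(nginx_text)
    if len(set(dirs.values())) > 1:  # chain and key should come from one live/ directory
        findings.append(f"certificate and key directories differ: {dirs}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(COMPOSE, NGINX)))
```
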