
HTTPS proxy containers use incorrect upstream (localhost) instead of backend service (zim/map)

Open iwannet opened this issue 4 months ago • 2 comments

Summary

The HTTPS wrapper containers for Kiwix (zim_https) and Maps (map_https) return 502 errors because their bundled nginx.conf files proxy to http://localhost:80. In Docker, localhost inside the proxy container is not the backend service container, so nginx cannot reach the upstream.

Impact

  • Kiwix HTTPS (port 8085) → Browser shows “Failed to fetch Zim service.”
  • Maps HTTPS (port 8084) → Browser shows “Failed to fetch Map service.”
  • Logs show: connect() failed (111: Connection refused) while connecting to upstream "http://127.0.0.1:80/".

Root Cause (Why & How)

  • Each *_https image embeds an nginx.conf with: proxy_pass http://localhost:80;
  • The actual backend processes (Kiwix server and tile server) run in separate containers (zim, map).
  • Docker’s default network isolation means 127.0.0.1 only resolves to the current container namespace.
  • Therefore nginx repeatedly attempts to connect to a non-listening socket → 111 (Connection refused) → 502 to clients.

What I did (Hotfix Applied Manually)

  • Patched nginx.conf live inside running containers:
    • Kiwix: docker compose exec zim_https sh -lc "sed -i 's#http://localhost:80#http://zim:80#g' /etc/nginx/nginx.conf && nginx -t && nginx -s reload"
    • Maps: docker compose exec map_https sh -lc "sed -i 's#http://localhost:80#http://map:80#g' /etc/nginx/nginx.conf && nginx -t && nginx -s reload"
  • After reload, both endpoints served content (accepted self‑signed certs once).
  • No compose overrides or extra volumes required for the hotfix.

Recommended Permanent Fix (In Images)

  1. Edit nginx.conf inside:
    • wrolpi-zim_https → proxy_pass http://zim:80;
    • wrolpi-map_https → proxy_pass http://map:80;
  2. Rebuild & push images.
  3. (Optional Enhancement) Replace hardcoded upstream with env-based template:
    • Add nginx.conf.template: proxy_pass http://$UPSTREAM_HOST:$UPSTREAM_PORT;
    • Entrypoint snippet: envsubst < /etc/nginx/nginx.conf.template > /etc/nginx/nginx.conf && exec nginx -g 'daemon off;'
    • Set defaults: UPSTREAM_HOST=zim / map, UPSTREAM_PORT=80
    • This prevents future regressions if service names or ports change.

Fixing this in the images removes friction for new users and avoids hidden sed hacks.

iwannet avatar Aug 16 '25 21:08 iwannet
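The env-based template from step 3 of the issue, worked through as an added example (this is not code from the issue or from the WROLPi project): render the upstream from UPSTREAM_HOST / UPSTREAM_PORT, then refuse to start the proxy if the rendered proxy_pass still points at the container's own loopback, which is exactly the misconfiguration reported above. The template text is constructed for the example; the substitution uses sed instead of envsubst because envsubst without an explicit variable list (e.g. `envsubst '$UPSTREAM_HOST $UPSTREAM_PORT'`) rewrites every `$name` in the file, including nginx's own variables such as `$host`.

```sh
#!/bin/sh
# Added example, not WROLPi's own code. Constructed template standing in for
# /etc/nginx/nginx.conf.template; only the two UPSTREAM_* variables are templated.
NGINX_TEMPLATE='server {
    listen 443 ssl;
    location / {
        proxy_pass http://$UPSTREAM_HOST:$UPSTREAM_PORT;
    }
}'

# render_config TEMPLATE HOST PORT -> prints TEMPLATE with the two variables
# substituted. sed with escaped $ touches nothing but these two names.
render_config() {
    printf '%s\n' "$1" | sed -e "s|\\\$UPSTREAM_HOST|$2|g" -e "s|\\\$UPSTREAM_PORT|$3|g"
}

# upstream_of CONFIG -> prints the host part of the first proxy_pass directive.
upstream_of() {
    printf '%s\n' "$1" | sed -n 's|.*proxy_pass[[:space:]]*http://\([^:/;]*\).*|\1|p' | head -n 1
}

# check_upstream CONFIG -> 0 if the upstream is a service name, 1 if it is
# loopback. Inside a container, loopback is never the backend service, so a
# loopback upstream can only produce the 502s described in the issue.
check_upstream() {
    host=$(upstream_of "$1")
    case "$host" in
        ''|localhost|127.*) return 1 ;;
        *) return 0 ;;
    esac
}

# start_proxy: container entrypoint as a function. Defaults match the issue
# (zim:80); map_https would set UPSTREAM_HOST=map. Not called at top level
# because it writes /etc/nginx/nginx.conf and exec's nginx.
start_proxy() {
    conf=$(render_config "$NGINX_TEMPLATE" "${UPSTREAM_HOST:-zim}" "${UPSTREAM_PORT:-80}")
    if ! check_upstream "$conf"; then
        echo "refusing to start: proxy_pass upstream is loopback; set UPSTREAM_HOST to the backend service name" >&2
        return 1
    fi
    printf '%s\n' "$conf" > /etc/nginx/nginx.conf && nginx -t && exec nginx -g 'daemon off;'
}

# Demonstration on the constructed template: the broken upstream and the fixed one.
for host in localhost zim; do
    conf=$(render_config "$NGINX_TEMPLATE" "$host" 80)
    if check_upstream "$conf"; then
        echo "$host: upstream accepted"
    else
        echo "$host: loopback upstream rejected"
    fi
done
```

Running the file prints the rejection for `localhost` and the acceptance for `zim`; in an image, the entrypoint would call `start_proxy` so a regression to a loopback upstream fails at container start with a clear message instead of surfacing later as 502s in the browser.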

Thank you for the great issue.

I created a PR with your optional enhancement, what do you think? #324

lrnselfreliance avatar Aug 17 '25 17:08 lrnselfreliance

I think it would work, but I don't have time right now to compile and test it.

iwannet avatar Aug 18 '25 14:08 iwannet