docker-fusiondirectory

Default instructions create unusable webserver

Open tareko opened this issue 3 years ago • 9 comments

Hello all,

I have the docker-compose.yml below. With it, I am able to successfully create the container, but nginx is not accessible externally or internally.

To simplify things, I am executing docker exec -it <container> bash, then wget 127.0.0.1 to test.

The error I get:

bash-4.4# wget 127.0.0.1
Connecting to 127.0.0.1 (127.0.0.1:80)
Connecting to 127.0.0.1 (127.0.0.1:443)
wget: can't connect to remote host (127.0.0.1): Connection refused

bash-4.4# telnet localhost 443
telnet: can't connect to remote host (127.0.0.1): Connection refused

As you can see, port 443 is not open. Port 80 is open, but seems to redirect to 443:

# curl -i localhost:80
HTTP/1.1 302 Found
Server: nginx/1.19.3
Date: Sun, 10 Jan 2021 23:58:13 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.2.33
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: deny
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: FusionDirectory=5de2d003838548e9605b6cf6e7055091; expires=Mon, 11-Jan-2021 23:58:13 GMT; Max-Age=86400; path=/
Content-Language: en-us
Location: https://localhost/

The docker-compose.yml:

$ cat docker-compose.yml
version: '3.7'
services:
  
  fusiondirectory-app:
    container_name: fusiondirectory-app
    image: tiredofit/fusiondirectory
    labels:
    - traefik.enable=true
    - traefik.frontend.rule=Host:x.y.z
    - traefik.port=80
    - traefik.docker.network=proxy
    - traefik.backend=fusiondirectory-app
    volumes:
    - ./logs:/www/logs
    #- ./custom:/assets/fusiondirectory
    #- ./plugins-custom:/assets/plugins-custom
    environment:
    - VIRTUAL_HOST=x.y.z
    - VIRTUAL_NETWORK=proxy
    - VIRTUAL_PORT=80
    - LETSENCRYPT_HOST=x.y.z
    - [email protected]

    - ZABBIX_HOSTNAME=fusiondirectory-app

    - ENABLE_ARGONAUT=FALSE
    - PLUGIN_AUDIT=TRUE
    - PLUGIN_DSA=TRUE
    - PLUGIN_LDAPDUMP=TRUE
    - PLUGIN_LDAPMANAGER=TRUE
    - PLUGIN_MAIL=TRUE
    - PLUGIN_PERSONAL=TRUE
    - PLUGIN_PPOLICY=TRUE
    - PLUGIN_SSH=TRUE
    - PLUGIN_SUDO=TRUE
    - PLUGIN_WEBSERVICE=TRUE

    - LDAP1_HOST=x.y.z
    - LDAP1_BASE_DN=x
    - LDAP1_ADMIN_DN=x
    - LDAP1_ADMIN_PASS=x
    - LDAP1_PORT=389
    - LDAP1_NAME=Production

    networks:
    - proxy
    - services
    restart: always

networks:
  proxy:
    external: true
  services:
    external: true

Any ideas what I should be doing differently here?

tarek : )

tareko avatar Jan 10 '21 23:01 tareko

You can try CONTAINER_LOG_LEVEL=DEBUG. Also head inside the container and verify if there is the nginx process. If not, try nginx -t to see if the configuration has broken.

tiredofit avatar Jan 11 '21 00:01 tiredofit

nginx -t gives me a normal result:

# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

As for the server logs, this might be it:

[cont-init.d] 10-nginx: executing... 
[DEBUG] ** [container] Container: Getting defaults for 10-nginx
[DEBUG] ** [container] Container: No functions available for 10-nginx
[NOTICE] ** [nginx] Disable Nginx FastCGI HTTPS Termination Support
[cont-init.d] 10-nginx: exited 0.

Though I'm not sure what to do with this...

tarek : )

tareko avatar Jan 11 '21 00:01 tareko

I looked at the config files in /etc/cont-init.d/ and found the following flag:

NGINX_ENABLE_FASTCGI_HTTPS

When enabled, a wget DOES work. I'm going to see if this gets things working, then put in a PR for an updated docker-compose.

tarek : )

tareko avatar Jan 11 '21 01:01 tareko

Everything almost works. I am not sure how to access the port for the server, and so I am forced to use the ports option in the docker-compose.yml, which is not optimal. Any suggestions on how to access the exposed port?

tareko avatar Jan 11 '21 01:01 tareko

You should put it in front of a reverse proxy server, like jwilder/nginx-proxy or traefik. That will give you SSL termination.

tiredofit avatar Jan 11 '21 01:01 tiredofit

I'm using nginx proxy. The difficulty is knowing where to point. With ports: 9800:80, it becomes:

   location / {
        proxy_pass http://localhost:9800;
        proxy_set_header Host $http_host;
    }

However, when I create a network with docker network create, I still get no open port 80 on either of the two networks (proxy and services from your example)

tareko avatar Jan 11 '21 01:01 tareko

Alright, with jwilder/nginx-proxy you would use the following as environment variables:

VIRTUAL_HOST=your.fusiondirectory.domain.example
VIRTUAL_PORT=80

But I am a bit confused by your example. It sounds like you are running an nginx proxy on bare metal, not through Docker, so in that case I would expose

ports:
    - 127.0.0.1:9800:80

in your docker-compose.yml file, which will expose port 80 of the container only to localhost, and your locally installed nginx will be able to proxy_pass to it.

tiredofit avatar Jan 11 '21 02:01 tiredofit
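Added example (not part of the thread or of the image's own code): a small Python check that tells apart the two mappings discussed above, `9800:80` and `127.0.0.1:9800:80`, by parsing Compose short-syntax port strings and listing those published beyond loopback. The function names and the sample list are constructed for illustration, and the check assumes the Docker daemon's default bind address is unchanged.

```python
import ipaddress

def host_binding(spec):
    """Parse a Compose short-syntax port string.

    Returns (host_ip, host_port, container_port); host_ip is None when the
    mapping names no address, which Docker publishes on all interfaces
    (assumption: the daemon's default bind address has not been changed).
    """
    mapping = spec.strip().strip("\"'").split("/", 1)[0]  # drop /tcp, /udp
    if mapping.startswith("["):                 # bracketed IPv6 host address
        ip, _, rest = mapping[1:].partition("]:")
        parts = [ip] + rest.split(":")
    else:
        parts = mapping.split(":")
    if len(parts) == 1:                         # "80": ephemeral host port
        return None, None, parts[0]
    if len(parts) == 2:                         # "9800:80"
        return None, parts[0], parts[1]
    if len(parts) == 3:                         # "127.0.0.1:9800:80"
        return parts[0], parts[1] or None, parts[2]
    raise ValueError(f"unrecognised port mapping: {spec!r}")

def exposed_beyond_loopback(spec):
    """True when the mapping is reachable from outside the host itself."""
    host_ip = host_binding(spec)[0]
    if host_ip is None:
        return True
    return not ipaddress.ip_address(host_ip).is_loopback

def audit(ports):
    """Return the mappings that should be reviewed or pinned to loopback."""
    return [p for p in ports if exposed_beyond_loopback(p)]

# Constructed sample: values as they would appear under `ports:`.
SAMPLE_PORTS = [
    "9800:80",               # first attempt in the thread: all interfaces
    "127.0.0.1:9800:80",     # suggested form: local reverse proxy only
    "0.0.0.0:8443:443/tcp",  # explicit wildcard address
    "[::1]:9801:80",         # IPv6 loopback
    "80",                    # container port only, random host port
]

if __name__ == "__main__":
    for spec in audit(SAMPLE_PORTS):
        print(f"published beyond loopback: {spec}")
```
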

Excellent. Thank you! Indeed, I am running it on bare metal, though it seems like it's wiser to move to a container as I figure out how..

tareko avatar Jan 11 '21 06:01 tareko

Yes definitely - Dockerize everything :P

tiredofit avatar Jan 11 '21 06:01 tiredofit