1

I have two identical docker containers running on different ports on CentOS7 server. Older version runs on port 81, newer one on port 8080 (82,83 were checked as well).

When I'm trying to proxy second container and change port from 81 to 8080 I receive nginx error message (HTTP/1.1 502 Bad Gateway).

Nginx is not in a container. I just have it installed on the server.

Here is my proxy_pass setting:

location / {
    proxy_pass http://0.0.0.0:8080/;
}

And some additional information:

nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

If I try to access containers directly via their ports everything works fine.

curl  0.0.0.0:81
{"msg":"Phone Masks service"}
curl  0.0.0.0:8080
{"msg":"Phone Masks service"}

nginx version: nginx/1.16.1

Docker version 19.03.4, build 9013bf583a

Full server config is pretty standard, I didn't change anything except proxy_pass setting

server {
    listen       80 default_server;
    listen       [::]:80 default_server;
    server_name  _;
    root         /usr/share/nginx/html;

    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;

    location / {
        proxy_pass http://0.0.0.0:8080/;
    }

    error_page 404 /404.html;
    location = /40x.html {
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}

The command I use to start the container:

sudo docker run --rm -it -p 8080:8080 -e PORT="8080" api
sudo docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS                            NAMES
47ef127e3e49        api                 "/start.sh"         26 minutes ago      Up 26 minutes       80/tcp, 0.0.0.0:8080->8080/tcp   infallible_borg
5d5fe891ba30        api                 "/start.sh"         7 hours ago         Up 7 hours          80/tcp, 0.0.0.0:81->81/tcp       hopeful_cerf
5
  • Since 0.0.0.0 means itself, how's this container supposed to talk to the other one? You're supposed to pass traffic to another container (using its ip / container name). Commented Nov 8, 2019 at 14:35
  • @emix containers don't interact with each other, they just run on different ports Commented Nov 8, 2019 at 14:37
  • Nginx is not in a container. Two containers are supposed to be different versions of a service, but for the test reasons I've started second identical container and nginx can't proxy the new one on a different port Commented Nov 8, 2019 at 14:41
  • I see, are those containers running in the same network? How about setsebool -P httpd_can_network_connect true It could be selinux related, most probably. Did you check the logs? Commented Nov 8, 2019 at 14:44
  • @emix error was [crit] 9478#0: *5 connect() to 0.0.0.0:8080 failed (13: Permission denied) while connecting to upstream and setsebool -P httpd_can_network_connect true has helped me! thank you a lot! Now I'm curious why the first container was fine. Could you please add it as an answer, so I can accept it? Commented Nov 8, 2019 at 14:55

1 Answer

3

This is SELinux related:

setsebool -P httpd_can_network_connect true

According to this thread:

The second one [httpd_can_network_connect] allows httpd modules and scripts to make outgoing connections to ports which are associated with the httpd service. To see a list of those ports run semanage port -l | grep -w http_port_t
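
The check quoted above (`semanage port -l | grep -w http_port_t`), combined with the error message from the comments, as an added example that is not part of the original answer: it pulls the upstream ports nginx was denied with error 13 out of the log and tests each against the `http_port_t` list, including port ranges. The port listing and log lines are constructed samples, and the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Constructed sample listing (not taken from the poster's server).
# On a real host, feed the output of: semanage port -l
SAMPLE_PORTS='http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t            tcp      5988'

# Constructed nginx error.log lines modelled on the message quoted in the comments.
SAMPLE_LOG='2019/11/08 14:50:01 [crit] 9478#0: *5 connect() to 0.0.0.0:8080 failed (13: Permission denied) while connecting to upstream
2019/11/08 14:51:12 [error] 9478#0: *6 connect() to 0.0.0.0:9999 failed (111: Connection refused) while connecting to upstream'

# denied_ports LOG: print the unique upstream ports refused with error 13.
# "Connection refused" (111) lines are ignored: that is not an SELinux denial.
denied_ports() {
  printf '%s\n' "$1" |
    sed -n 's/.*connect() to [^ ]*:\([0-9][0-9]*\) failed (13: Permission denied).*/\1/p' |
    sort -un
}

# port_in_type TYPE PORT LISTING: succeed if PORT is in TYPE's tcp port list.
# The type name is matched exactly, so pegasus_http_port_t is not mistaken
# for http_port_t, and ranges such as 10001-10010 are expanded.
port_in_type() {
  printf '%s\n' "$3" | awk -v t="$1" -v p="$2" '
    $1 == t && $2 == "tcp" {
      line = $0
      sub(/^[^ ]+ +tcp +/, "", line)
      n = split(line, parts, /, */)
      for (i = 1; i <= n; i++) {
        if (split(parts[i], r, "-") == 2) {
          if (p + 0 >= r[1] + 0 && p + 0 <= r[2] + 0) found = 1
        } else if (parts[i] + 0 == p + 0) found = 1
      }
    }
    END { exit (found ? 0 : 1) }'
}

# diagnose LOG LISTING: one line per denied port with its http_port_t status.
diagnose() {
  for port in $(denied_ports "$1"); do
    if port_in_type http_port_t "$port" "$2"; then
      echo "$port in-http_port_t"
    else
      echo "$port not-in-http_port_t"
    fi
  done
}

diagnose "$SAMPLE_LOG" "$SAMPLE_PORTS"
```
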
