Alright so after an agonizing amount of looking into things I discovered this amazing solution! Essentially running a secondary container inside your docker network that connects to the host network and leaving Home Assistant on the host. This allows me to connect to the host with Home Assistant and enjoy all of the benefits of being on the same network as the devices I am targeting for integrations while still establishing HTTPS security outside my local network! If anyone is struggling with this please let me know and I'll do my best to assist you with your setup.
opened 11:02PM - 05 Feb 18 UTC
When using nginx-proxy to try to proxy to a container running in host networking mode, I assume I also have to run nginx-proxy in host network mode as well (although I've tried both ways without success), but I can't get it to work. Here's a sample compose file using the "web" image used in the test suite:
```
version: '2'
services:
  nginx-proxy:
    image: jwilder/nginx-proxy:test
    network_mode: "host"
    volumes:
      - /var/run/docker.sock:/tmp/docker.sock:ro
      - ./lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro
  web1:
    image: web
    expose:
      - "81"
    environment:
      WEB_PORTS: 81
      VIRTUAL_HOST: web1.nginx-proxy.local
  web2:
    image: web
    expose:
      - "82"
    network_mode: "host"
    environment:
      WEB_PORTS: 82
      VIRTUAL_HOST: web2.nginx-proxy.local
```
after running this with `docker-compose -f test_network_mode_host.yml up -d` I try to curl each:
```
$ curl localhost:80/port -H "Host: web1.nginx-proxy.local"
answer from port 81
$ curl localhost:80/port -H "Host: web2.nginx-proxy.local"
<html>
<head><title>502 Bad Gateway</title></head>
<body bgcolor="white">
<center><h1>502 Bad Gateway</h1></center>
<hr><center>nginx/1.13.8</center>
</body>
</html>
```
I can, however, get to web2 using localhost:
```
curl 127.0.0.1:82/port
answer from port 82
```
The problem seems to be in the upstream section for web2, which just has `server 127.0.0.1 down;`
Here's the full /etc/nginx/conf.d/default.conf:
```
# If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
# scheme used to connect to this server
map $http_x_forwarded_proto $proxy_x_forwarded_proto {
    default $http_x_forwarded_proto;
    '' $scheme;
}
# If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
# server port the client connected to
map $http_x_forwarded_port $proxy_x_forwarded_port {
    default $http_x_forwarded_port;
    '' $server_port;
}
# If we receive Upgrade, set Connection to "upgrade"; otherwise, delete any
# Connection header that may have been passed to this server
map $http_upgrade $proxy_connection {
    default upgrade;
    '' close;
}
# Apply fix for very long server names
server_names_hash_bucket_size 128;
# Default dhparam
ssl_dhparam /etc/nginx/dhparam/dhparam.pem;
# Set appropriate X-Forwarded-Ssl header
map $scheme $proxy_x_forwarded_ssl {
    default off;
    https on;
}
gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
log_format vhost '$host $remote_addr - $remote_user [$time_local] '
                 '"$request" $status $body_bytes_sent '
                 '"$http_referer" "$http_user_agent"';
access_log off;
resolver 10.0.2.3;
# HTTP 1.1 support
proxy_http_version 1.1;
proxy_buffering off;
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $proxy_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
# Mitigate httpoxy attack (see README for details)
proxy_set_header Proxy "";
server {
    server_name _; # This is just an invalid value which will never trigger on a real hostname.
    listen 80;
    access_log /var/log/nginx/access.log vhost;
    return 503;
}
# web1.nginx-proxy.local
upstream web1.nginx-proxy.local {
    ## Can be connect with "test_sneakernet" network
    # test_web1_1
    server 172.18.0.3:81;
}
server {
    server_name web1.nginx-proxy.local;
    listen 80 ;
    access_log /var/log/nginx/access.log vhost;
    location / {
        proxy_pass http://web1.nginx-proxy.local;
    }
}
# web2.nginx-proxy.local
upstream web2.nginx-proxy.local {
    ## Can be connect with "host" network
    # test_web2_1
    server 127.0.0.1 down;
}
server {
    server_name web2.nginx-proxy.local;
    listen 80 ;
    access_log /var/log/nginx/access.log vhost;
    location / {
        proxy_pass http://web2.nginx-proxy.local;
    }
}
```
Am I missing something in setting this up or is it just not working like it's supposed to?
This is the example I captured from GitHub thanks to the great user there who posted it. I’ve implemented some tweaks into the code for my personal use but this really did just work like a charm. I’ve decided not to delete this post even after resolving my own issues since I’ve not seen anything posted here on the community for this kind of issue; something I believe would be quite a common problem.
```
socat:
  image: alpine/socat:latest
  container_name: socat
  # Relay: listen on 8122 inside the docker network and forward to Home Assistant
  # running on the host's LAN address
  entrypoint: "socat tcp-listen:8122,fork,reuseaddr tcp-connect:192.168.1.110:8123"
  depends_on:
    - nginx-proxy
  environment:
    # nginx-proxy reaches this container over the docker network on VIRTUAL_PORT
    - LETSENCRYPT_HOST=home.example.com
    - [email protected]
    - VIRTUAL_PORT=8122
    - VIRTUAL_HOST=home.example.com
  ports:
    - 8122:8122
  restart: unless-stopped
```
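To spot this failure mode before the first 502, here is an added checker (my own example, not code from the post or from the nginx-proxy project) that scans a generated default.conf for upstreams whose only servers are marked `down`, which is exactly what nginx-proxy emitted for the host-network container above; the sample input is constructed from the two upstream blocks in the quoted issue.

```python
import re
from typing import Dict, List

# Constructed sample: the two upstream blocks nginx-proxy generated in the quoted
# issue. web1 sits on the bridge network and got a real address; web2 runs with
# network_mode: host, so the generator had no container IP and emitted "down".
SAMPLE_CONF = """
upstream web1.nginx-proxy.local {
    ## Can be connect with "test_sneakernet" network
    # test_web1_1
    server 172.18.0.3:81;
}
upstream web2.nginx-proxy.local {
    ## Can be connect with "host" network
    # test_web2_1
    server 127.0.0.1 down;
}
"""

UPSTREAM_RE = re.compile(r"upstream\s+(\S+)\s*\{(.*?)\}", re.S)
SERVER_RE = re.compile(r"^\s*server\s+([^\s;]+)([^;]*);", re.M)


def parse_upstreams(conf: str) -> Dict[str, List[dict]]:
    """Map each upstream name to its server entries (address plus down flag)."""
    upstreams: Dict[str, List[dict]] = {}
    for name, body in UPSTREAM_RE.findall(conf):
        # Drop comment lines so a commented-out server is not counted as live.
        body = "\n".join(l for l in body.splitlines() if not l.strip().startswith("#"))
        servers = []
        for addr, params in SERVER_RE.findall(body):
            servers.append({"addr": addr, "down": "down" in params.split()})
        upstreams[name] = servers
    return upstreams


def dead_upstreams(conf: str) -> List[str]:
    """Upstreams every request will 502 on: no servers, or all servers marked down."""
    return [
        name for name, servers in parse_upstreams(conf).items()
        if not servers or all(s["down"] for s in servers)
    ]


if __name__ == "__main__":
    for name in dead_upstreams(SAMPLE_CONF):
        print(f"{name}: no reachable backend (host-network container?)")
```

Feed it the real file with `docker exec <nginx-proxy container> cat /etc/nginx/conf.d/default.conf`; a dead upstream for your VIRTUAL_HOST means nginx-proxy never found a docker-network address for the backend, which is the gap the socat relay above fills.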