Connection to remote agent with reverse proxy in front does not work
pandel opened this issue
Please verify that this bug has NOT been reported before.
- I checked and didn't find similar issue
Security Policy
- I agree to have read this project Security Policy
Description
I set up all my Dockge instances to be served by an Nginx reverse proxy and wanted to connect them to my main Dockge instance, but that does not work.
Reproduction steps
Setup like this:
compose.yaml
```yaml
version: "3.8"
services:
  dockge:
    image: louislam/dockge:1
    container_name: dockge
    restart: unless-stopped
    expose:
      - 5001
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./data:/app/data
      - /opt/docker:/opt/docker
    environment:
      - DOCKGE_STACKS_DIR=/opt/docker
  nginx:
    image: nginx:latest
    container_name: nginx-proxy
    ports:
      - "5001:443"
    volumes:
      - ./nginx.conf:/etc/nginx/conf.d/default.conf
      - ./certs:/etc/nginx/certs
```
nginx.conf
```nginx
server {
    listen 443 ssl http2;
    # Remove '#' in the next line to enable IPv6
    # listen [::]:443 ssl http2;
    server_name server.name.redacted;
    ssl_certificate /etc/nginx/certs/server.name.redacted.crt;
    ssl_certificate_key /etc/nginx/certs/server.name.redacted.key;
    # *See "With SSL (Certbot)" below for details on automating ssl certificates
    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_pass http://dockge:5001/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```
Expected behavior
Agent connection established.
Actual Behavior
Sadly, if I try to connect an instance as agent to my main instance I get "Unable to connect to the Dockge instance."
Dockge Version
1.4.2
Operating System and Arch
Debian 11
Browser
Firefox
Docker Version
25.0.3
NodeJS Version
N/A
Relevant log output
No log output written regarding this error.
I had a similar problem - although my setup is a bit different. The problem is most likely that your certificate used by the reverse proxy is not signed by a "trusted" CA...
I use a self-signed CA to host my services not exposed via a reverse proxy. Dockge actually allows you to enable SSL by mounting the cert and key to the container as a volume and then adding the following two environments:
- DOCKGE_SSL_KEY=/certs/server.key
- DOCKGE_SSL_CERT=/certs/server.crt
After downing and upping the container the exposed port will be reachable via ssl.
After this you need to mount the CA-Cert in similar fashion to the "master-Dockge" and add the following environment to the container:
- NODE_EXTRA_CA_CERTS=/HOMELAB.crt
I would assume just adding the NODE_EXTRA_CA_CERTS to the "master-dockge" and leaving your nginx be should also work...
Hope this solves your problem.
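The diagnosis in the comment above can be reproduced offline with the check below. It is an added example, not part of the thread or of Dockge's code: it builds a throwaway CA and server certificate with openssl and shows that the chain verifies only once the CA file is supplied, which is what NODE_EXTRA_CA_CERTS does for the connecting Node.js process. The names homelab-ca and dockge.example.internal are constructed, and openssl's default store stands in for the roots bundled with Node.js.

```bash
#!/bin/sh
# Added example. Constructed names: homelab-ca, dockge.example.internal.
# Checks chain trust only; hostname matching is a separate check in Node.js.

# Create a throwaway private CA and a server certificate signed by it in $1.
make_lab_pki() {
  d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=homelab-ca" \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null || return 1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=dockge.example.internal" \
    -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/server.csr" -days 1 -CAcreateserial \
    -CA "$d/ca.crt" -CAkey "$d/ca.key" -out "$d/server.crt" 2>/dev/null
}

# 0 only if certificate $1 chains to a root in openssl's default store.
# Stands in for the connecting Dockge before it is given the private CA.
trusted_by_default() { openssl verify "$1" >/dev/null 2>&1; }

# 0 only if certificate $1 chains to CA file $2, the file one would mount
# and reference in NODE_EXTRA_CA_CERTS.
trusted_with_ca() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

demo() {
  dir=$(mktemp -d) || return 1
  make_lab_pki "$dir" || { rm -rf "$dir"; return 1; }
  if trusted_by_default "$dir/server.crt"; then
    echo "default roots: chain trusted"
  else
    echo "default roots: chain NOT trusted (agent connection would fail)"
  fi
  if trusted_with_ca "$dir/server.crt" "$dir/ca.crt"; then
    echo "with private CA file: chain trusted"
  fi
  rm -rf "$dir"
}
demo
```

Against a real deployment, call `trusted_with_ca` with the certificate the proxy serves and the CA file you intend to mount. A failure there means the file is not the issuer of that certificate.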
@crunchiersa MANY MANY THANKS! Adding the CA to the master dockge container did the job!
But why is there no documentation regarding this here anywhere? I was able to find something about the DOCKGE_SSL_* env vars in the code, but did not find NODE_EXTRA_CA_CERTS anywhere. Where did you get the information about it?
@pandel I also use louislam/uptime-kuma and had a "similar" problem - due to the self-signed CA I had to enable "ignore ssl error/warnings" and found the documentation for louislam/uptime-kuma-environments in the wiki (https://github.com/louislam/uptime-kuma/wiki/Environment-Variables). I figured same dev - similar look ... might be that the environment variables are the same too...
Ah ok, many thanks! Yes, for some points the documentation here says "go to Kuma wiki", but I would not have thought about that in this special case. Again, many thanks! The dev should really spice up its documentation a little bit though... :D