Nginx Reverse Proxy with Private Networking
I am trying to set up an nginx server to reverse proxy two other services, backend & frontend, and expose it publicly via this nginx. I set the port of both backend & frontend to 80, and both are not public, but I want to merge them such that / serves the frontend service and /api/ serves the backend service. But when I set up the nginx conf so and used the private networking address, it crashes and doesn't work. Please help
155 Replies
Project ID:
9960c53b-53ce-401e-8708-8404250e7ad9
My nginx config
try adding
resolver fd12::10
in the server block
that's the dns resolver the containers use to resolve internal addresses, it seems nginx needs to be explicitly told that
untested though
thanks, trying out now
also, it's preferable if you used a non-privileged port like 8080 instead of 80
resolver doesn't accept ipv6 addresses?
In fact my backend was at 8000, and frontend at 3000. But then I set PORT in both the services to 80 hoping to get it working
maybe this is the syntax you need to use? I'm not too familiar with nginx myself
resolver [fd12::10]
I am using nginx alpine btw
shouldn't be a problem, I use alpine or distroless in all my apps
went back to the same old error now
and you're using this syntax now?
yes
interesting, well I'll do some messing around and get back to you!
let me know if you need anymore details,
will do
I tried with Caddy to see if it has to do with nginx, but same result
but caddy instead throws a 502 directly and doesn't crash
https://proxy-production-9e87.up.railway.app/
just let me refine the config a bit and ill send it over soon
you're awesome, thank you ❤️
frontend: https://proxy-production-9e87.up.railway.app/
backend: https://proxy-production-9e87.up.railway.app/api/
nginx.conf:
i haven't tested this super extensively, but it does work
let me quickly plug in and check for my case
i think i might make a template out of this, but use caddy instead, that nginx config is kinda bulky for what it does
since I've seen a good few requests from people who have separate frontend and backend services but want to serve them both from the same domain
I guess a little problem?
show me your dockerfile?
yes you should definitely make one, struggled for hours to find it online, and then came to discord
even though you have an nginx proxy, would you be interested in the caddy version of this?
yes, in our case, we need the backend to be at
/api
or a sub-directory to use the server-side set cookies, I probably think there are a lot of such use cases
this is my dockerfile
yes, caddy is nice, but nginx is what the internet will give you answers for, so I went ahead and tried for nginx as I believed it probably had the best support
yeah i agree, much more info about nginx than caddy, your choice makes complete sense
I see you are updating the nginx.conf itself, guess it, seeing the
http
I've just used that dockerfile for anything nginx related I've ever done
hmm pretty clean
no error now
but
https://arena-nginx-production.up.railway.app/api/healthz/
while actual service -> https://zivani-production.up.railway.app/api/healthz/
same for frontend too
is that supposed to be a 503
yeah is that okay? that has nothing to do with the proxy
also the config i gave you sets nginx to listen on port 3000
ahh, wait, it should be 80 / 443 right?
no
please keep it 3000
and expose the nginx via 3000 as PORT?
no
just set PORT = 3000 in the service variables
yea gotcha
https://arena-nginx-production.up.railway.app/api/healthz/
now we have an nginx page and error
so something to do with my config
your backend is returning 503 though
you cant expect your proxy to work, if your backend alone isnt working
this is my backend url -> https://zivani-production.up.railway.app/api/healthz/
it works with its own public domain
oh you mean the error
ok i need to do the migration and check then
but it should show this page instead right?
or does it only take 200?
no, nginx will not proxy a 503 through by default, same with caddys proxy
hmm got it, let me migrate and check
proxy_intercept_errors off;
oh this to disable those interception and take it to the page instead? dope
i think
https://arena-nginx-production.up.railway.app/api/healthz - but in the nginx output -> its still this
show me the error log for that request please
192.168.0.4 - - [25/Jul/2023:18:30:26 +0000] "GET /favicon.ico HTTP/1.1" 502 552 "https://arena-nginx-production.up.railway.app/api/healthz" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36"
makes sense
wild guess, is this a spring backend
nope, django
WSGI
way off
this is the command that runs backend (zivani)
-b [::]:$PORT
and in service env, I set PORT = 8000
damn, is that it?
yeah you need to bind to all interfaces, not just all ipv4 interfaces, since internal networking is ipv6 only
giving it a shot here
you really should be setting that start command in a railway.json file
it still went out to build the docker image 🤦♂️ , i was thinking to save time
uh yeah I've talked with railway about that, every little thing you do rebuilds from scratch
hmm, this repo doesn't have railway.json yet, we have our infra currently in EKS and manage it with Rancher, but thought we will offload a few things and try out railway... so far, it looks very promising
yeah would have been great if I could literally give a docker image URL
gotcha
its afterall doing the same thing
...you can
building it all the time, just costs railway more $$$
oh can I? how? i missed it
We actually build and keep our images in ECR, then EKS picks it up from there, I can actually use those images
I assume you have your github repo linked to the service, you'd have to unlink the repo and then you'd see the button to add the image, but I don't think it would be applicable for you, it only supports public images and the docker and github image repositories
ah they need to support private images,
I'm sure they will, it is still beta after all
GHCR might support private, need to try and see
yeah but there's no way to give railway credentials to pull a private image
okay so what's the status with gunicorn
hmm, they should accept something like the pull secret that k8s does, I have a wild guess they themselves are using k8s internally
192.168.0.2 - - [25/Jul/2023:18:45:20 +0000] "GET /api/healthz/ HTTP/1.1" 404 179 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36"
https://arena-nginx-production.up.railway.app/api/healthz/
it just keeps loading now
->
gunicorn --timeout 30 --max-requests 1000 --max-requests-jitter 50 --workers 5 -b [::]:80 --log-level=error framework.wsgi
is what I gave in
there is some k8s stuff, but it's being slowly removed
hmm
this says port 80
ah 🤦♂️
let me set it to 8000 everywhere now
every service gets a PORT = 8000 variable set, and every service that you can configure to listen on $PORT do so
https://zivah-production.up.railway.app/ - the frontend - again works with service's own public URL
but then https://arena-nginx-production.up.railway.app/ is a bad gateway
Traboda Arena
Unknown Server Error
slow your horses, one thing at a time
backend, now that it's listening on port 8000, show me a deploy logs screenshot please
2023/07/25 18:54:13 [error] 30#30: *1 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.0.2, server: localhost, request: "GET /api/healthz/ HTTP/1.1", upstream: "http://[fd12:4f6a:612e::79:437e:9411]:80/healthz/", host: "arena-nginx-production.up.railway.app"
:8000 went missing
ok my bad, the dockerfile wasn't pushed since I made it to 8000 from 80
2023/07/25 18:56:59 [error] 31#31: *2 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.0.3, server: localhost, request: "GET /favicon.ico HTTP/1.1", upstream: "http://[fd12:4f6a:612e::ac:6c18:14fb]:3000/favicon.ico", host: "arena-nginx-production.up.railway.app", referrer: "https://arena-nginx-production.up.railway.app/api/healthz/"
ah well it goes to 3000
did I mess up something again?
https://arena-nginx-production.up.railway.app/api/healthz/ now returns 404
I know why
send as text please
frontend time
Youre awesome!
2023/07/25 19:04:15 [error] 30#30: *28 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.0.2, server: localhost, request: "GET /favicon.ico HTTP/1.1", upstream: "http://[fd12:4f6a:612e::ac:6c18:14fb]:3000/favicon.ico", host: "arena-nginx-production.up.railway.app", referrer: "https://arena-nginx-production.up.railway.app/api/healthz/"
https://zivah-production.up.railway.app/initialize - lets try this url
Traboda Arena
Admin Account Not Created
well first
2023/07/25 19:05:23 [error] 30#30: *32 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.0.3, server: localhost, request: "GET /favicon.ico HTTP/1.1", upstream: "http://[fd12:4f6a:612e::ac:6c18:14fb]:3000/favicon.ico", host: "arena-nginx-production.up.railway.app", referrer: "https://arena-nginx-production.up.railway.app/initialize"
what framework is that frontend
NextJS
what's your start command
let me get you the command that runs it, a sec
do we need that [::] ipv6 thing?
something like this?
awesome, let me try that now
make sure you have a service variable PORT = 3000
btw, this should be fine right? (like if I want to give a default)
nope
delete line 33, 34
how do I set a default?
^
yes I have 🫡 , but it will take a while to get built with this new package.json
and what's your new start command
this,
being deployed
okay just checking, since you like to change things from what I say
service port is already set since a while
Works perfectly now!!!
❤️
I'm happy I could help
You did an amazing job at helping me
thank you
Railway's team themselves didn't bother much
Now, I can start migrating several of our core services into railway,
I mean they're right, it is better suited for discord
that's your aws costs?
Railway should probably get you something
bro they won't even give me a sticker
I've been asking for stickers for so long
ahhh!!! I thought initially you were from their support
I'm just a community member
I will mail them, as a reply, that you helped a lot. And once we hit some bills they probably should value it (I subscribed to pro, just to see if they will support)
they should recruit you as support
I'm too silly for them
ahh, don't say so. Where are you from btw? what do you do for a living?
maple syrup land, and I help people in the railway server for a living
silly me had to google one that up!!! ❤️
I suggest you make a few templates and contribute them to railway, like the nginx and caddy ones
haha made you google
I have made a few templates, and I'll be adding the caddy template in the future
I currently have 2$
hmm...
I don't know how it works, but oh well
pretty damn clean with caddy
https://github.com/brody192/reverse-proxy
Sorry to necro this old thread btw