Using host's web server to expose docker
by NotionCommotion from LinuxQuestions.org on (#5P5P1)
I am trying to expose api-platform as a docker using the host's httpd server, and am totally struggling and hoping someone can help. Note that this question has little to nothing to do with api-platform.
On a Centos 8 box, I have a virtual host using httpd and postgresql successfully running in their default mode with their default ports (i.e. 80, 443, and 5432).
I temporarily stopped both httpd and postgresql, and then per https://api-platform.com/docs/distri...on-recommended, I have a docker successfully running. If I access https://localhost from the server's local browser, all works, but when I access http://localhost, I get "Client sent an HTTP request to an HTTPS server". More on this later.
I then edited docker-compose.yml to change port 80 and 443 to 8080 and 8443 respectively. Note that I left caddy to use port 80.
Code:
services:
  ...
  caddy:
    ...
    environment:
      ...
      SERVER_NAME: ${SERVER_NAME:-localhost, caddy:80}
    ports:
      # HTTP
      - target: 80
        #published: 80
        published: 8080
        protocol: tcp
      # HTTPS
      - target: 443
        #published: 443
        published: 8443
        protocol: tcp
      # HTTP/3
      - target: 443
        #published: 443
        published: 8443
        protocol: udp
  ...
I also edited docker-compose.override.yml to change postgresql's port from 5432 to 5433.
Code:
version: "3.4"
services:
  ...
  database:
    ports:
      - target: 5432
        #published: 5432
        published: 5433
        protocol: tcp
I brought the docker down, started httpd and postgresql, and brought the docker back up, and all works with https://localhost:8443.
Then I created a new virtual host as follows:
/etc/httpd/conf.d/api-platform.beat-the-heat.net-le-ssl.conf
Code:
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName api-platform.beat-the-heat.net
    ProxyPreserveHost On
    #ProxyRequests off
    ProxyPass / http://127.0.0.1:8443/
    ProxyPassReverse / http://127.0.0.1:8443/
    ErrorLog /var/log/httpd/api-platform.beat-the-heat.net-error.log
    CustomLog /var/log/httpd/api-platform.beat-the-heat.net-access.log combined
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/testing.beat-the-heat.net/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/testing.beat-the-heat.net/privkey.pem
</VirtualHost>
</IfModule>
/etc/httpd/conf.d/api-platform.beat-the-heat.net.conf
Code:
<VirtualHost *:80>
    ServerName api-platform.beat-the-heat.net
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =api-platform.beat-the-heat.net
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
Opened the ports.
Code:
sudo firewall-cmd --permanent --add-port=8080/tcp
sudo firewall-cmd --permanent --add-port=8443/tcp
sudo firewall-cmd --reload
Note that when I restart httpd, /var/log/httpd/error_log reports the following:
Code:
[Sat Sep 04 08:46:15.771906 2021] [mpm_event:notice] [pid 16542:tid 139741656893760] AH00492: caught SIGWINCH, shutting down gracefully
[Sat Sep 04 08:46:16.873913 2021] [suexec:notice] [pid 17018:tid 140513388259648] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using localhost.localdomain. Set the 'ServerName' directive globally to suppress this message
[Sat Sep 04 08:46:16.890961 2021] [lbmethod_heartbeat:notice] [pid 17018:tid 140513388259648] AH02282: No slotmem from mod_heartmonitor
[Sat Sep 04 08:46:16.895979 2021] [mpm_event:notice] [pid 17018:tid 140513388259648] AH00489: Apache/2.4.37 (centos) OpenSSL/1.1.1g mod_fcgid/2.3.9 configured -- resuming normal operations
[Sat Sep 04 08:46:16.896056 2021] [core:notice] [pid 17018:tid 140513388259648] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
Then from another client, I tried to access https://api-platform.beat-the-heat.net and got "Client sent an HTTP request to an HTTPS server". Note that I had earlier tried this same approach with a simple docker running Node.js on port 80 and there were no errors when the host's httpd server was accessed on port 443, and I think it might have something to do with the api-platform docker also using TLS. There don't appear to be any errors logged, but /var/log/httpd/api-platform.beat-the-heat.net-access.log reports the following:
Code:
12.345.6.78 - - [04/Sep/2021:08:49:26 -0700] "GET / HTTP/1.1" 400 48 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36"
So, then even though I have no idea what I am doing, I changed the 443 virtual host to use https instead of http.
/etc/httpd/conf.d/api-platform.beat-the-heat.net-le-ssl.conf
Code:
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ...
    #ProxyPass / http://127.0.0.1:8443/
    #ProxyPassReverse / http://127.0.0.1:8443/
    SSLProxyEngine on
    ProxyPass / https://127.0.0.1:8443/
    ProxyPassReverse / https://127.0.0.1:8443/
    ...
</VirtualHost>
</IfModule>
But now I get a proxy error:
Code:
Proxy Error
The proxy server received an invalid response from an upstream server.
The proxy server could not handle the request
Reason: Error reading from remote server
And /var/log/httpd/api-platform.beat-the-heat.net-error.log shows:
Code:
[Sat Sep 04 08:55:53.394023 2021] [proxy_http:error] [pid 22736:tid 140657335191296] (103)Software caused connection abort: [client 12.345.6.78:63516] AH01102: error reading status line from remote server 127.0.0.1:8443
[Sat Sep 04 08:55:53.394065 2021] [proxy:error] [pid 22736:tid 140657335191296] [client 12.345.6.78:63516] AH00898: Error reading from remote server returned by /
My thoughts:
- When trying to access the docker from a local browser, Chrome initially complains that it is not secure and I need to manually tell it that I understand. Maybe I need to create a self-signed certificate for localhost?
- httpd not being able to reliably determine the server's fully qualified domain name using localhost.localdomain might be the culprit.
- I don't really know what I am doing when using SSLProxyEngine in the last virtual host and might be doing it wrong.
- When looking for examples of virtual hosts and using ProxyPass, they don't show the ServerName like I am doing and this could be wrong.
- I should not be attempting to expose a docker to the host's httpd server this way and should do it differently.
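A small diagnostic, added here and not part of the original post, that checks what a published container port actually speaks before an Apache ProxyPass is pointed at it. The first error quoted in the post is the reply a Go-based TLS listener (Caddy is built on Go's net/http) gives to a plaintext request, and 127.0.0.1:8443 is the post's own published HTTPS port; the classification labels and the directive list are this example's own logic, not api-platform's or Apache's.

```python
"""Tell whether a port speaks plain HTTP or TLS before writing ProxyPass for it.
Added example, not from the original post; host/port values are assumptions."""
import socket

# Body Go's net/http (which Caddy is built on) sends when a TLS listener gets a
# plaintext request; with its trailing newline it is the 48 bytes in the access log.
GO_HTTPS_MISMATCH = b"Client sent an HTTP request to an HTTPS server"


def classify_response(raw: bytes) -> str:
    """Classify the reply to a *plaintext* HTTP/1.0 request:
    'tls-backend' (Go-style 400 or a raw TLS record), 'http-backend', or 'unknown'."""
    if not raw:
        return "unknown"
    if raw[0] in (0x15, 0x16):          # TLS alert / handshake record
        return "tls-backend"
    if not raw.startswith(b"HTTP/"):
        return "unknown"
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b" ", 2)
    if len(parts) >= 2 and parts[1] == b"400" and GO_HTTPS_MISMATCH in body:
        return "tls-backend"
    return "http-backend"


def probe_plaintext(host: str, port: int, timeout: float = 3.0) -> str:
    """Send a plaintext GET to host:port and classify what comes back."""
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"GET / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode())
        try:
            while len(buf) < 4096:
                chunk = s.recv(1024)
                if not chunk:
                    break
                buf += chunk
        except socket.timeout:
            pass
    return classify_response(buf)


def proxypass_for(kind: str, host: str, port: int) -> list:
    """Apache directives that match what the backend actually speaks."""
    target = f"{host}:{port}"
    if kind == "http-backend":
        return [f"ProxyPass / http://{target}/", f"ProxyPassReverse / http://{target}/"]
    if kind == "tls-backend":   # Apache must also be told to trust the backend's cert
        return ["SSLProxyEngine on",
                f"ProxyPass / https://{target}/", f"ProxyPassReverse / https://{target}/"]
    raise ValueError(f"no ProxyPass for {kind!r}")
```

Run `probe_plaintext("127.0.0.1", 8443)` on the host: a `tls-backend` result means `ProxyPass / http://127.0.0.1:8443/` can only ever produce the 400 seen in the access log.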