Tags: docker, nginx, proxy, graylog2

Understand a reverse proxy in combination with docker


I'm using an Nginx proxy in a Docker container, and I have to run multiple applications on a server. I want to run them all in a Docker container except one. I run Jira and Confluence in containers. It took me a lot of time to configure the applications and the Nginx config. Now I want to run Graylog2 on the server as well, and I'm facing kind of the same problems as with Jira/Confluence. I guess it's maybe because I don't really understand how all this works. That's why I made the following image: server-setup

That's how I understand the reverse proxy. The nginx-conf looks like this:

upstream jenkins {
    server 43.3.34.333:8080 fail_timeout=0;
}

upstream docker-jira {
    server jira:8080;
}

upstream docker-conf {
    server conf:8090;
}

upstream docker-graylog {
    server graylog:9000;
}

server {
    listen 80 default_server;
    listen [::]:80 default_server;

    server_name mySite.de;
    return 301 https://mySite.de;
}

server {
    # SSL configuration
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;

    server_name mySite.de;

    include snippets/ssl-mySite.de;
    include snippets/ssl-params.conf;

    location /jenkins {
        proxy_set_header        Host $host:$server_port;
        proxy_set_header        X-Real-IP $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto $scheme;
        proxy_pass              http://jenkins;
        proxy_redirect          http://jenkins $scheme://mySite.de;
        # Required for new HTTP-based CLI
        proxy_http_version 1.1;
        proxy_request_buffering off;
        proxy_buffering off; # Required for HTTP-based CLI to work over SSL
        # workaround for https://issues.jenkins-ci.org/browse/JENKINS-45651
        add_header 'X-SSH-Endpoint' 'jenkins.domain.tld:50022' always;
        client_max_body_size 2M;
    }

    location /graylog {
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Graylog-Server-URL http://$server_name/api;
        proxy_pass       http://docker-graylog/graylog;
    }

    location /jira {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://docker-jira/jira;
        client_max_body_size 100M;
        add_header X-Frame-Options ALLOW;
    }

    location /confluence {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://docker-conf/confluence;
        proxy_redirect http://docker-conf/confluence https://mySite.de;
        client_max_body_size 100M;
        add_header X-Frame-Options SAMEORIGIN;
    }

    location /synchrony {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://mySite.de:8091/synchrony;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        client_max_body_size 100M;
    }
}

To run Graylog2 behind a proxy you have to set some settings (Graylog2 documentation):

I did it like this:

When I go to https://mySite.de/graylog I get a 502 Bad Gateway error. Nginx log:

connect() failed (111: Connection refused) while connecting to upstream, client: 33.11.102.157, server: mySite.de, request: "GET /graylog HTTP/2.0", upstream: "http://172.18.0.9:9000/graylog", host: "mySite.de"

My Network:

NETWORK ID          NAME                   DRIVER              SCOPE
6c9de2d6b0ac        MyNet                   bridge              local

I don't really get it.


Solution

  • Leave your 80 -> 443 redirect you have with NGINX doing the SSL termination, then sending to the backend over http.

    Change these to listen on the LAN IP or docker DNS name:

    web_listen_uri = http://docker-graylog:9000/graylog
    rest_listen_uri = http://docker-graylog:9000/api
    

    Note: The problem with your current config is it is only listening on localhost, and a request coming in externally will never make it to the app, because it’s not listening for external connections. It’s only listening for connections within the graylog container. NGINX can’t reach graylog on localhost:9000 across the LAN.

    The bad gateway indicates that your proxy is probably working, but no connections to app can be made.

    More details on that: https://forums.docker.com/t/access-to-localhost-from-bridge-network/22948/2

    This config is basically what you already have, but I copied it from the Graylog documentation. Your current proxy config might work as is.

    upstream docker-graylog {
        server graylog:9000;
    }

    server {
        # "spdy" was superseded by "http2" in nginx 1.9.5
        listen      443 ssl http2;
        server_name mySite.de;
        # <- your SSL Settings here!

        location /graylog {
            proxy_set_header Host $http_host;
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # Tell Graylog its public API URL (https, as seen by the browser)
            proxy_set_header X-Graylog-Server-URL https://$server_name/api;
            proxy_pass       http://docker-graylog/graylog;
        }
    }
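
The diagnosis in the answer above (errno 111 from the upstream while Graylog listens only on localhost) can be checked mechanically against the proxy log and the backend's listen settings. This is an added example, not part of the original answer: `SAMPLE_LOG` is the nginx error line quoted in the question, while the loopback values in `SAMPLE_CONF` and all function names are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample: Graylog 2.x listen settings bound to loopback only.
SAMPLE_CONF = """\
rest_listen_uri = http://127.0.0.1:9000/api/
web_listen_uri = http://127.0.0.1:9000/graylog
"""
SAMPLE_LOG = ('connect() failed (111: Connection refused) while connecting to upstream, '
              'client: 33.11.102.157, server: mySite.de, request: "GET /graylog HTTP/2.0", '
              'upstream: "http://172.18.0.9:9000/graylog", host: "mySite.de"')
LOG_RE = re.compile(r'connect\(\) failed \((\d+): [^)]*\).*?upstream: "([^"]+)"')

def parse_upstream_error(line):
    """Return (errno, upstream_host, upstream_port), or None if no match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group(2))
    return int(m.group(1)), url.hostname, url.port

def is_loopback(host):
    try:
        return host == "localhost" or ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # a DNS name, e.g. a container alias on the bridge network

def loopback_listeners(conf_text):
    """Return {setting: port} for each *_listen_uri bound to a loopback host."""
    found = {}
    for raw in conf_text.splitlines():
        key, sep, value = raw.split("#", 1)[0].partition("=")
        if sep and key.strip().endswith("_listen_uri"):
            url = urlsplit(value.strip())
            if is_loopback(url.hostname or ""):
                found[key.strip()] = url.port
    return found

def diagnose(log_line, conf_text):
    """Relate an nginx upstream connect() error to the backend's listen settings."""
    err = parse_upstream_error(log_line)
    if err is None:
        return "no upstream connect() error in this line"
    errno_, host, port = err
    bad = [k for k, p in loopback_listeners(conf_text).items() if p == port]
    if errno_ == 111 and bad:  # 111 = ECONNREFUSED on Linux
        return f"{host}:{port} refused: {', '.join(bad)} bound to loopback only"
    return f"errno {errno_} from {host}:{port}: no loopback-only listener on that port"
```

Calling `diagnose(SAMPLE_LOG, SAMPLE_CONF)` reports both listen settings as loopback-only; with the two `*_listen_uri` lines from the answer it reports none.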