
Saturday, June 25, 2022

[FIXED] How to proxy_pass to a node docker container on port 80 with nginx container

June 25, 2022     docker, nginx, proxy, reverse-proxy

Issue

In short, I'm trying to set up an nginx container to proxy_pass to other containers on port 80.

I was following along with this tutorial: https://dev.to/domysee/setting-up-a-reverse-proxy-with-nginx-and-docker-compose-29jg

They describe having a docker compose file that looks something like:

version: '3'
services:
  nginx: 
    image: nginx:latest
    container_name: production_nginx
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf
      - ./nginx/error.log:/etc/nginx/error_log.log
      - ./nginx/cache/:/etc/nginx/cache
      - /etc/letsencrypt/:/etc/letsencrypt/
    ports:
      - 80:80
      - 443:443

  your_app_1:
    image: your_app_1_image:latest
    container_name: your_app_1
    expose:
      - "80"

  your_app_2:
    image: your_app_2_image:latest
    container_name: your_app_2
    expose:
      - "80"

  your_app_3:
    image: your_app_3_image:latest
    container_name: your_app_3
    expose:
      - "80"

Then in the nginx config they do a proxy_pass based on the path like this:

proxy_pass http://your_app_1:80;

This all makes sense to me, however when I was making a test node server to listen on port 80, I'm getting the error: Error: listen EACCES: permission denied 0.0.0.0:80. In my Dockerfile for the node server, I'm using a different user:

USER node

I know I'm getting this error because non-root users are not supposed to be able to bind below port 1024 or something. And I know it's bad practice to run as root in a container... so how in the world is something like this possible? I feel like I'm missing something here. It would be nice to not have to remember some custom high port your server is running on every time you do a proxy_pass in nginx... or is that just a fact of life?


Solution

I see zero issues in doing an expose on the port, as long as we don't publish the port.

EXPOSE will not allow communication via the defined ports to containers outside of the same network or to the host machine. To allow this to happen you need to publish the ports.

But it's doable at the cost of adding security holes by granting kernel capabilities using --add-cap flag on the Docker client or the Docker-Compose cap_add. NET_BIND_SERVICE is the capability that we should be adding.



Answered By - Shirine
Answer Checked By - Katrina (PHPFixing Volunteer)