How to Nginx Reverse Proxy with Docker Compose

While developing a web application, a common method of calling the application from a local machine is through http://localhost:x ports, which essentially means that we are required to expose several ports to access different modules of the application. In the article below, we will go through the method of using Reverse Proxy to call an application and the benefits of using it.

Why do we need Reverse Proxy?

The most prominent reason of using Reverse Proxy is to avoid changing ports everytime you try to access different modules of the application through the same URL. Through Reverse Proxy we can reach Frontend, Backend or other services without changing port through a single domain. Other important reasons of using Reverse Proxy is to mask services behind a proxy and avoid dealing with CORS issues.

# Without Reverse Proxy
# Domain Name: http://mydomain.com
# Mysql wordpress: http://mydomain.com:10088
# Angular app: http://mydomain.com:7787
# Backend: https://mydomain:9876

# With Reverse Proxy
# Domain Name: http://mydomain.com
# Mysql wordpress: http://mydomain.com/db
# Angular app: http://mydomain.com/ang
# Backend: https://mydomain/wp

Prerequisites

• Docker Compose on Linux
• iptables should be enabled. Note that Docker uses iptables to access incoming connections.

Building docker-compose.yml

For the reference of this article, let us create a WordPress-MySQL server with Nginx in one service. Start by creating the docker container, along with defining ports, base image, container name and service names.

version: '2'

services:
  whilefly_wp:
    container_name: production_wp
    image: nginx:latest
    volumes:
      - "/home/xx/Desktop/cust/xx/html:/var/www/html"
      - "/home/xx/Desktop/cust/xx/Docker/logs:/logs"
      - "/home/xx/Desktop/cust/xx/Docker/database:/docker-entrypoint-initdb.d"
      - "xx_db_data:/var/lib/mysql"
    user: root
    restart: always
    ports:
      - "8081:80"
    environment:
      MYSQL_ROOT_PASSWORD: 'xxxxx'
      MYSQL_DATABASE: 'production_db'
      MYSQL_USER: 'production_admin'
      MYSQL_PASSWORD: 'xxxxxx'
      
  nginx:
    image: nginx:latest
    container_name: production_nginx
    volumes:
      - /home/xx/Desktop/cust/xx/Docker/nginx/reverse_proxy.conf:/etc/nginx/conf.d/default.conf
      - /home/xx/Desktop/cust/xx/Docker/nginx/cert/star_xx_com.pem:/etc/nginx/cert/star_xx_com.pem
      - /home/xx/Desktop/cust/xx/Docker/nginx/cert/star_xx_com.key:/etc/nginx/cert/star_xx_com.key
      - /home/xx/Desktop/cust/xx/Docker/nginx/cert/star_xx_com.crt:/etc/nginx/cert/star_xx_com.crt
    ports:
      - 8080:8080
      - 443:443
    links:
     - whilefly_wp

volumes:
  xx_db_data:

Let’s explain the setup in steps.

1. services command defines the service you will build in Docker.

version: '2'

services:
  running_wp:   
  nginx:

2. As shown below, the running_wp service uses nginx:latest as the base image. You can also use your own custom image for MySQL and WordPress. Next is to assign a container name, for instance currently production_wp is used below. Copy the local files under volume section to the given directory while building this docker image. It is important to assign Ports which are to be used for accessibility within or outside of the application. As shown below, we have mapped 8081 host to 80 port for container.

version: '2'
services:
  running_wp:
    container_name: production_wp
    image: boraozkan/nginx:latest
    volumes:
      - "/home/xx/Desktop/cust/xx/html:/var/www/html"
      - "/home/xx/Desktop/cust/xx/Docker/logs:/logs"
      - "/home/xx/Desktop/cust/xx/Docker/database:/docker-entrypoint-initdb.d"
      - "xx_db_data:/var/lib/mysql"
    user: root
    restart: always
    ports:
      - "8081:80"
    environment:
      MYSQL_ROOT_PASSWORD: 'xxxxx'
      MYSQL_DATABASE: 'production_db'
      MYSQL_USER: 'production_admin'
      MYSQL_PASSWORD: 'xxxxxx'

3. Assign necessary access credentials with environment command.

environment:
      MYSQL_ROOT_PASSWORD: 'xxxxx'
      MYSQL_DATABASE: 'production_db'
      MYSQL_USER: 'production_admin'
      MYSQL_PASSWORD: 'xxxxxx'

4. Assign the base image and container name. Base image will create Nginx on the first run. You can also add encrypted SSL files through https://letsencrypt.org/, it is free.

version: '2'
  nginx:
    image: nginx:latest
    container_name: production_nginx
    volumes:
      - /home/xx/Desktop/cust/xx/Docker/nginx/reverse_proxy.conf:/etc/nginx/conf.d/default.conf
      - /home/xx/Desktop/cust/xx/Docker/nginx/cert/star_xx_com.pem:/etc/nginx/cert/star_xx_com.pem
      - /home/xx/Desktop/cust/xx/Docker/nginx/cert/star_xx_com.key:/etc/nginx/cert/star_xx_com.key
      - /home/xx/Desktop/cust/xx/Docker/nginx/cert/star_xx_com.crt:/etc/nginx/cert/star_xx_com.crt
    ports:
      - 8080:8080
      - 443:443
    links:
     - running_wp

volumes:
  xx_db_data:

5. Add Nginx configuration file under conf.d path – this is the default directory for virtual host descriptions.

/home/xx/Desktop/cust/xx/Docker/nginx/reverse_proxy.conf:/etc/nginx/conf.d/default.conf

6. As shown below there are two parts of this config file. First one shows the server side defining which port will be listened by the Nginx Container (8080 and 443). Secondly, the forward traffic would be directed to port 8081 – this is the port of production container for reaching.

# re-route everything to production_wp
 server {
  listen 8080;
  server_name production_wp;
  
  error_page 497 http://$host:80$request_uri;

  ssl on;
  ssl_certificate /etc/nginx/cert/star_xx_com.crt;
  ssl_certificate_key /etc/nginx/cert/star_xx_com.key;

  location /wp {
    proxy_pass          http://localhost:8081/wp;
     rewrite /wp(.*) /origin-d$1
            proxy_pass http://localhost:8081;
            proxy_redirect / /wp;
            sub_filter 'href="/' 'href="/wp'
    
  }  
}

# wordpress container via production_wp
 server {
  listen 443;
  server_name production_wp;

  error_page 497 http://$host:80$request_uri;

7. Enable secure HTTP with the ssl on command.

ssl on;
  ssl_certificate /etc/nginx/cert/star_xx_com.crt;
  ssl_certificate_key /etc/nginx/cert/star_xx_com.key;

8. To prefix headers for proxy connections, we can use the proxy_set_header directive which helps in redefining or appending fields to the request header passed through the proxied server.

proxy_set_header    X-Forwarded-Host   $host;
proxy_set_header    X-Forwarded-Server $host;
proxy_set_header    X-Forwarded-For    $proxy_add_x_forwarded_for;
proxy_set_header    X-Forwarded-Proto  $scheme;
proxy_set_header    X-Real-IP          $remote_addr;
proxy_set_header    Host               $host;

9. For Reverse Proxy as mentioned in the beginning, we will give a path for the WordPress container in Nginx conf. Let us say it is using e.g, http://localhost/wp to http://localhost:8081 which is asymmetric path.

location /wp {proxy_pass          http://localhost:8081/wp;rewrite /wp(.*) /origin-d$1proxy_pass http://localhost:8081;proxy_redirect / /wp;sub_filter 'href="/' 'href="/wp'
}

10. Now we can start our containers with the command below. Remember to be in same path with docker-compose.yaml while starting containers.

docker-compose up -d 

11. The docker-compose up command is a shorthand form of docker-compose build and docker-compose run.

#docker-compose up -d
Pulling nginx (nginx:latest)...
2.1: Pulling from nginx:latest
b8f262c62ec6: Pulling fs layer
a98660e7def6: Pulling fs layer
4d75689ceb37: Pulling fs layer
639eb0368afa: Waiting
99e337926e9c: Waiting
431d44b3ce98: Waiting
beb665ea0e0e: Pulling fs layer
c98a22d85c62: Waiting
bf70d116f1d7: Waiting
97f2d71621e0: Waiting
ea02a46a87c8: Waiting
78fff17c3a50: Waiting

12. When complete, we should have two containers deployed, one of which we cannot access directly:

$ docker ps
CONTAINER ID        IMAGE                    COMMAND                  CREATED             STATUS              PORTS                                      NAMES
9c327bb01a85       nginx:latest             "nginx -g 'daemon of…"   8 minutes ago       Up 8 minutes        0.0.0.0:8080->8080/tcp, 0.0.0.0:443->443/tcp   production_nginx
3823ce1f25d8        boraozkan/nginx:latest   "/usr/bin/supervisord"   8 minutes ago       Up 8 minutes        3306/tcp, 0.0.0.0:8081->80/tcp             production_wp

13. We can check our applications (one with Nginx and the other one with Apache).
    Navigate to http://localhost:8080, and this will hit Nginx Reverse Proxy which will in turn will load the Nginx web application:

14. Also check with navigating to http://localhost:8081 or http://localhost/wp, through the Nginx Reverse Proxy asymmetric path and the Apache web application will be loaded:

Troubleshooting

Once the services are up, try to connect your web application to the localhost link. If it is not answered, check your iptables table for correctness.

By default Docker containers can make connections to the outside world, but the outside world cannot connect to containers. Each outgoing connection will appear to originate from one of the host machine’s own IP addresses thanks to an iptables masquerading rule on the host machine that the Docker server creates when it starts:

$ sudo iptables -t nat -L -n

...
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  172.17.0.0/16       0.0.0.0/0

Conclusion

This article is aimed to show how you can use Nginx with docker-compose easily. It also shows setting of Reverse Proxy configuration on containers. Using this will give you additional flexibility during deployment of a web application.