Doorman docker + nginx configuration (502 Bad Gateway) #133

Open
newlog opened this issue Sep 25, 2017 · 1 comment

Comments


newlog commented Sep 25, 2017

Hi there,

I'm having trouble trying to make Doorman work with Docker and Nginx to be able to access it remotely. I'm new to docker so I might be doing something quite dumb. I hope it's not the case...

I run the Doorman docker container as:

# docker run -d -e DOORMAN_ENROLL_SECRET=<random_uuid_from_osquery_client> -e DOORMAN_SECRET_KEY=<invented_uuid> -e POSTGRES_USER=doorman -e POSTGRES_PASSWORD=<invented_pwd> -e POSTGRES_PORT=0.0.0.0:5432 -e POSTGRES_ENV_POSTGRES_PORT=<host_public_ip> -p 127.0.0.1:12345:5000 doorman
ef11e83e774fc39c778d1a67ee8132c640b8ef853c03259f872922d2d6b0f053

Container listed as:

# docker container ls
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                       NAMES
ef11e83e774f        doorman             "runsvdir /etc/ser..."   13 seconds ago      Up 10 seconds       127.0.0.1:12345->5000/tcp   elegant_mcclintock

Nginx configuration:

# cat doorman 
server {
	listen 4433;
	ssl on;
	ssl_certificate /opt/doorman_nginx/certs/osquery_certificate.crt;
	ssl_certificate_key /opt/doorman_nginx/certs/osquery_private.key;

	location / {
		proxy_pass https://127.0.0.1:12345;
		proxy_redirect off;
		proxy_set_header Host $host;
		proxy_set_header X-Real-IP $remote_addr;
		proxy_set_header X-Forwarded-For $remote_addr;
		proxy_set_header X-Forwarded-Proto $scheme;
	}
}

When I access Doorman from the browser as https://ip:4433 I get a 502.

There are no errors in the error.log from nginx.

Just to mention: when I run the container with the command above, that is the first time I input both the postgres password and the doorman secret key. Is that all right?

Netstat shows me that ports 5000 and 12345 are listening:

tcp        0      0 0.0.0.0:4433            0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 127.0.0.1:12345         0.0.0.0:*               LISTEN      off (0.00/0/0)

It looks like the server spends some time processing the request, but eventually it fails.

As I see it, nginx listens at 4433. It passes the request to the host port 12345, where docker is listening and where it sends it back to the docker container port 5000, where doorman should handle it. Am I mistaken?

Any ideas?


newlog commented Sep 25, 2017

It looks like I cannot even access doorman from inside the container.

# docker exec -it 84b8 bash
bash-4.3# ls -l /var/log/*
/var/log/doorman:
total 0
-rw-r--r--    1 doorman  doorman          0 Sep 25 23:37 doorman.log
-rw-r--r--    1 doorman  doorman          0 Sep 25 23:37 result.log
-rw-r--r--    1 doorman  doorman          0 Sep 25 23:37 status.log

/var/log/redis:
total 4
-rw-r--r--    1 redis    redis         2751 Sep 25 23:46 redis.log
bash-4.3# ps axu
PID   USER     TIME   COMMAND
    1 root       0:00 runsvdir /etc/service
    6 root       0:00 runsv api
    7 root       0:00 runsv redis
    8 root       0:00 runsv celery
    9 doorman    0:10 {celery} /usr/bin/python2 /usr/bin/celery worker -A doorman.worker:celery -l INFO
   10 redis      0:01 redis-server /etc/redis.conf
   11 doorman    0:02 {gunicorn} /usr/bin/python2 /usr/bin/gunicorn --workers 4 --bind 0.0.0.0:5000 manage:app
   18 doorman    0:03 {gunicorn} /usr/bin/python2 /usr/bin/gunicorn --workers 4 --bind 0.0.0.0:5000 manage:app
   21 doorman    0:03 {gunicorn} /usr/bin/python2 /usr/bin/gunicorn --workers 4 --bind 0.0.0.0:5000 manage:app
   22 doorman    0:00 {celery} /usr/bin/python2 /usr/bin/celery worker -A doorman.worker:celery -l INFO
   23 doorman    0:00 {celery} /usr/bin/python2 /usr/bin/celery worker -A doorman.worker:celery -l INFO
   24 doorman    0:00 {celery} /usr/bin/python2 /usr/bin/celery worker -A doorman.worker:celery -l INFO
   25 doorman    0:00 {celery} /usr/bin/python2 /usr/bin/celery worker -A doorman.worker:celery -l INFO
   26 doorman    0:02 {gunicorn} /usr/bin/python2 /usr/bin/gunicorn --workers 4 --bind 0.0.0.0:5000 manage:app
   27 doorman    0:02 {gunicorn} /usr/bin/python2 /usr/bin/gunicorn --workers 4 --bind 0.0.0.0:5000 manage:app
   97 root       0:00 bash
  103 root       0:00 ps axu
bash-4.3# wget https://127.0.0.1:5000
Connecting to 127.0.0.1:5000 (127.0.0.1:5000)
wget: error getting response: Connection reset by peer

It takes some time before wget errors.

Interestingly enough, I cannot see postgresql anywhere in the process list...
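Reading the two posts together (an added note, not from the issue author or the Doorman project): the process list shows gunicorn started as `--bind 0.0.0.0:5000 manage:app` with no certificate or key options, so the container's port 5000 speaks cleartext HTTP, while the nginx block uses `proxy_pass https://127.0.0.1:12345;`. nginx therefore opens a TLS handshake against a cleartext listener, which is the same thing `wget https://127.0.0.1:5000` did inside the container; "Connection reset by peer" there and a 502 at the browser are the expected outcome. TLS should terminate at nginx on 4433 and the upstream line should read `proxy_pass http://127.0.0.1:12345;` (`ssl on;` is also deprecated in favour of `listen 4433 ssl;`). The script below is an added Python example that makes this mismatch visible before touching nginx: it starts a constructed cleartext HTTP stub on a loopback port as a stand-in for gunicorn, then probes the port with a TLS ClientHello and with a plain HTTP/1.0 request and reports which scheme `proxy_pass` should use. The function names (`serve_plaintext_stub`, `speaks_tls`, `speaks_http`, `upstream_scheme`) and the stub are this example's own, not Doorman's.

```python
"""Probe a loopback upstream to decide whether nginx should proxy_pass to it with
http:// or https://.  Added diagnostic example, not part of Doorman or of this issue."""
import http.server
import socket
import ssl
import threading


def serve_plaintext_stub():
    """Start a plain-HTTP server on an ephemeral loopback port.

    Constructed stand-in for 'gunicorn --bind 0.0.0.0:5000 manage:app', which in the
    process list above carries no --certfile/--keyfile, i.e. it speaks cleartext HTTP.
    """
    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            body = b"doorman stub\n"
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):
            pass  # keep the probe output readable

    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def speaks_tls(host, port, timeout=3.0):
    """Return True only if the listener completes a TLS handshake.

    Against a cleartext HTTP server the ClientHello is read as a garbage request
    line: the server answers with an HTTP error or just closes, and the client
    side fails with an SSLError, a reset or a timeout.  That is the failure nginx
    turns into a 502 when proxy_pass uses https:// against such a port.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # we only care whether TLS is spoken at all
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except OSError:  # ssl.SSLError, ConnectionResetError and timeouts are all OSError
        return False


def speaks_http(host, port, timeout=3.0):
    """Send a minimal cleartext HTTP/1.0 request; return the status line, else None."""
    request = b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n"
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(request)
            data = s.recv(4096)
    except OSError:
        return None
    if not data.startswith(b"HTTP/"):
        return None
    return data.split(b"\r\n", 1)[0].decode("ascii", errors="replace")


def upstream_scheme(host, port, timeout=3.0):
    """Scheme nginx should use in proxy_pass for this upstream: 'https', 'http' or None."""
    if speaks_tls(host, port, timeout):
        return "https"
    if speaks_http(host, port, timeout):
        return "http"
    return None


if __name__ == "__main__":
    srv = serve_plaintext_stub()
    port = srv.server_address[1]
    print(f"stub listening on 127.0.0.1:{port}")
    print("TLS handshake succeeded:", speaks_tls("127.0.0.1", port, timeout=1.5))
    print("cleartext status line:  ", speaks_http("127.0.0.1", port))
    print("use proxy_pass scheme:  ", upstream_scheme("127.0.0.1", port, timeout=1.5))
    srv.shutdown()
```

To check the real setup, skip the stub and call `upstream_scheme("127.0.0.1", 12345)` on the Docker host (or `upstream_scheme("127.0.0.1", 5000)` inside the container). A result of `None` means the port answered neither TLS nor cleartext, which points at the service behind the port rather than at the `proxy_pass` scheme.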
