Timeout when visiting https website inside docker container

Liso

Hi, I tried to ask on SO but no one has answered— I'm kind of desperate so I'll just ask here. Also bear with me because I'm very new with docker.

So my website keep timing out inside docker container, this only happen if I setup https on the website virtualhost (I'm using apache2), if I remove ssl reference in vhost and go with http only. It will load up just fine. Below is the output of curl to my website (original domain name redacted).

...
...
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-ECDSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=docker-mydomain.xyz
*  start date: Jan 26 07:12:47 2023 GMT
*  expire date: Apr 26 07:12:46 2023 GMT
*  subjectAltName: host "docker-mydomain.xyz" matched cert's "docker-mydomain.xyz"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
} [5 bytes data]
> GET / HTTP/1.1
> Host: docker-mydomain.xyz
> User-Agent: curl/7.81.0
> Accept: */*
>

Do you have any idea what could be the problem ? The image contain only base ubuntu image, I installed apache and php inside the image.

In case anyone ask why didn't you pick php+apache bundle image, this is because I installed old php version (5.5) and apparently the official image don't have that.

mgcAna

Your setup is not clear but I think you need to make sure port 443 (ssl) is also being forwarded to host.

Post output of docker ps

Liso

@mgcAna said:
Post output of docker ps

Output of docker ps.

CONTAINER ID   IMAGE             COMMAND                  CREATED       STATUS       PORTS                      NAMES
150f5a5c08c4   liso/testdocker   "/usr/local/bin/dock…"   6 hours ago   Up 6 hours   127.0.0.1:8080->8080/tcp   testdocker

Virtualhost on host (changed original domain name).

<VirtualHost *:80>
    ServerName docker-mydomain.xyz
    Redirect permanent / https://docker-mydomain.xyz/
</VirtualHost>

<VirtualHost *:443>
    ServerName docker-mydomain.xyz    
    ProxyRequests Off    
    <Location />
        ProxyPreserveHost On
        ProxyPass http://127.0.0.1:8080/
        ProxyPassReverse http://127.0.0.1:8080/
    </Location>
    # SSL Location
    SSLEngine on
    SSLCertificateFile /etc/le/docker-mydomain.xyz/cert.pem
    SSLCertificateKeyFile /etc/le/docker-mydomain.xyz/site.key
    SSLCertificateChainFile /etc/le/docker-mydomain.xyz/fullchain.cer
</VirtualHost>

Virtualhost inside docker container.

<VirtualHost *:8080>
    DocumentRoot /var/www/testdocker
    <Directory /var/www/testdocker/>
         Options FollowSymLinks MultiViews
         AllowOverride None
         Require all granted
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

N.B. apache is listening to 8080 port.

Your setup is not clear but I think you need to make sure port 443 (ssl) is also being forwarded to host.

Is this some issue with firewall ? But that shouldn't be because I allow both 80 and 443 from anywhere in ufw, there some issues with mysql not connecting but I already whitelist docker IP and it works now.

jmgcaguicla

@mgcAna said:
Your setup is not clear but I think you need to make sure port 443 (ssl) is also being forwarded to host.

Post output of docker ps

Doesn't need to, there's an apache instance running on the host reverse proxying (also does the tls termination) into 127.0.0.1:8080 which is mapped to the container.

@Liso said:
Is this some issue with firewall ? But that shouldn't be because I allow both 80 and 443 from anywhere in ufw, there some issues with mysql not connecting but I already whitelist docker IP and it works now.

You neeed to know where it breaks, watch the request logs on both the host and the container so you can narrow down the area you need to check.

Considering plain http works means it can successfully proxy into the container, I highly suspect it has to do with the ssl configuration of the apache instance on the host.

Pilzbaum

Some things I noticed:

Does the "Redirect Permanent" also catch any subsequent requests to subdirectories as well? I'm not sure if that's implemented correctly.

Additionally, I believe you're only proxying for the "/" location, but not for subdirectories.

I'm not sure if any of these assumptions are correct on my end, but the rest of the config looks fine imo

mgcAna

@Liso now I can see your setup, so as @jmgcaguicla said, you don't need any other port opened on docker ct as your apache instance on host is handling the ssl. Just check the logs both at host and inside docker ct, start with checking access log, is request actually coming, if yes then whats the status, you may also share logs here.

Liso

Suddenly it's working now, I don't know why, yesterday I'm 100% sure the logs doesn't output any https log. How weird.

192.168.0.1 - - [04/Feb/2023:00:34:34 +0000] "GET /assets/img/about/img-1.png HTTP/1.1" 404 529 "https://docker-mydomain.xyz/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"

Anyway after enabling SSL, the site seems to be broken, I get tons of mixed content and the css not properly loaded.

@Pilzbaum said:
Some things I noticed:

Does the "Redirect Permanent" also catch any subsequent requests to subdirectories as well? I'm not sure if that's implemented correctly.

Additionally, I believe you're only proxying for the "/" location, but not for subdirectories.

I'm not sure if any of these assumptions are correct on my end, but the rest of the config looks fine imo

It should be, because I have done the same with https://github.com/solidnerd/docker-bookstack— it also uses apache2 inside the container, I can redirect http->https with this Redirect permanent method without problem.

Liso

Just solved the mixed content error, looks like I had to manually declare that I'm in https from apache2 vhost, then append new https check in my CI config.php (ref: https://stackoverflow.com/a/16076965/12289283).

if (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') {
    $config['base_url'] = 'https';
}
elseif (!empty($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https' || !empty($_SERVER['HTTP_X_FORWAR$
    $config['base_url'] = 'https';
}
$config['base_url'] .= "://" . $_SERVER['HTTP_HOST'];
$config['base_url'] .= str_replace(basename($_SERVER['SCRIPT_NAME']), "", $_SERVER['SCRIPT_NAME']);

And in apache2 vhost inside docker container.

<VirtualHost *:8080>
    DocumentRoot /var/www/testdocker
    <Directory /var/www/testdocker/>
         Options FollowSymLinks MultiViews
         AllowOverride None
         Require all granted
    </Directory>
    RequestHeader set X-FORWARDED-PROTOCOL https
    RequestHeader set X-Forwarded-Ssl on
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

However this problem did not occur if I host the site directly on host system, oh well it's working now.

Liso

What the hell, this problem occurred again on newly created container, I'm using 1:1 configuration from my old container and still-- access via https always timeout.

@mgcAna said: @Liso now I can see your setup, so as @jmgcaguicla said, you don't need any other port opened on docker ct as your apache instance on host is handling the ssl. Just check the logs both at host and inside docker ct, start with checking access log, is request actually coming, if yes then whats the status, you may also share logs here.

I watch the log files inside docker container, there was no traffic at all. If I switch to port 80, then I can see the traffic.

Liso

Looks like a firewall issue, I disabled firewall and I can access the sites fine, huh