Saturday, October 6, 2018

Nginx web server in a container AKA Port Forwarding

While you can access the Nginx container from within the host, it is not accessible from outside.

To make the container accessible from outside the host on port 80 you need to use port forwarding.
On Linux this is easily done with the iptables utility.

For instance, to forward host port 80 to the container with IP 10.0.4.5 on port 80, run the command below.

iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to-destination 10.0.4.5:80

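The PREROUTING rule above only rewrites the destination address; the forwarded packets are still dropped unless the kernel forwards them and the FORWARD chain accepts them. The script below is an added example (not from the original post) that validates its arguments and adds all three pieces; it assumes it runs as root with iptables and sysctl on the PATH, and DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not part of the original post. Forwards a host port to a
# container: the DNAT rule from the post plus the forwarding sysctl and the
# FORWARD-chain rules that the single DNAT rule silently depends on.
# Assumes root, iptables and sysctl on PATH; DRY_RUN=1 echoes instead of running.

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# usage: forward_port IFACE HOST_PORT CONTAINER_IP CONTAINER_PORT
forward_port() {
    iface=$1 host_port=$2 ct_ip=$3 ct_port=$4
    for p in "$host_port" "$ct_port"; do
        case $p in
            ''|*[!0-9]*) echo "port must be numeric: $p" >&2; return 1 ;;
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "port out of range: $p" >&2; return 1; }
    done
    # accept only a dotted-quad IPv4 address (no CIDR ranges, no hostnames)
    echo "$ct_ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || { echo "bad IPv4: $ct_ip" >&2; return 1; }

    # 1. the kernel must be willing to route packets between interfaces at all
    run sysctl -w net.ipv4.ip_forward=1
    # 2. rewrite the destination of new connections arriving on the host interface
    run iptables -t nat -A PREROUTING -i "$iface" -p tcp --dport "$host_port" \
        -j DNAT --to-destination "$ct_ip:$ct_port"
    # 3. let only that forwarded flow, and its replies, through the FORWARD chain
    run iptables -A FORWARD -i "$iface" -p tcp -d "$ct_ip" --dport "$ct_port" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -o "$iface" -p tcp -s "$ct_ip" --sport "$ct_port" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}
```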
If you have multiple container apps on port 80 you can only port forward to one container at a time. This is where using a reverse proxy like Nginx becomes useful. Some container platforms refer to this as an ingress controller, but that is needless verbiage. It's just an Nginx reverse proxy, or, in case you want to load balance container application instances, you would typically use either Nginx or Haproxy.
Reverse Proxies
You can configure Nginx to serve various container apps on your server or internal network. This way all the containers can stay on the private network and you only need to expose the Nginx container. You can of course run apps on other ports, but ports 80/443 are required for most apps.
This works not only on single hosts but also across internal networks. You can have a single Nginx container serving any number of apps from the internal network, so all your PHP, Python or Ruby apps etc. can be served to the outside world by Nginx. You can also terminate SSL connections with Nginx.
Let's use a real-world example to illustrate this. Suppose you have Wordpress, Minio and Redmine containers running on your host. You can configure a single Nginx container instance to serve all 3 apps. A typical Nginx configuration to serve a Wordpress container instance would look like this.

upstream backend {
    server 10.0.4.100:80;
}

server {
    listen 80;
    server_name mywordpress.org;
    access_log /var/log/nginx/mywordpress.access.log;
    error_log  /var/log/nginx/mywordpress.error.log;

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://backend;
    }
}

This assumes the Wordpress container IP is 10.0.4.100 and the URL you want to access the Wordpress app at is mywordpress.org. You can replicate the config for each container app you want to serve, simply changing the upstream server IP and port to your container's and the server_name.
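The proxy_set_header lines in that config are only as good as the trust the app places in them: $proxy_add_x_forwarded_for appends Nginx's own peer address to whatever X-Forwarded-For the client sent, so the leftmost entries are client-supplied and only the rightmost hop not belonging to one of your proxies is the real client. The function below is an added example (not from the original post) of the check an app, or a script reading its access logs, should apply; it assumes REMOTE_ADDR holds the proxy's address and that the trusted proxy IPs (here the 10.0.4.x Nginx/Haproxy addresses) are known.

```shell
#!/bin/sh
# Added example, not part of the original post. Derives the real client address
# from X-Forwarded-For as produced by proxy_add_x_forwarded_for, trusting only
# hops appended by known proxies. Assumes the app sees the proxy in REMOTE_ADDR.
# usage: client_ip "TRUSTED_PROXY_IPS" "X-Forwarded-For value" REMOTE_ADDR

client_ip() {
    trusted=$1 xff=$2 remote=$3
    # refuse requests that did not arrive via a trusted proxy at all: a peer
    # reaching the container directly can put anything in X-Forwarded-For
    case " $trusted " in
        *" $remote "*) ;;
        *) echo "peer $remote is not a trusted proxy" >&2; return 1 ;;
    esac
    printf '%s\n' "$xff" | awk -v trusted="$trusted" -v remote="$remote" '
        BEGIN { n = split(trusted, t, " "); for (i = 1; i <= n; i++) ok[t[i]] = 1 }
        {
            m = split($0, hop, /[ \t]*,[ \t]*/)
            # walk right to left: the rightmost entry was appended by our own proxy;
            # everything left of the first untrusted hop was supplied by the client
            for (j = m; j >= 1; j--) {
                if (hop[j] != "" && !(hop[j] in ok)) { print hop[j]; exit }
            }
            # every hop is one of our proxies (or the header is empty): report the
            # proxy peer itself rather than trust a client-supplied value
            print remote
        }'
}
```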
This is not limited to containers within a single host. You can use Nginx to serve apps from across your internal network.
You can also use Nginx for SSL termination, as below.

upstream backend {
    server 10.0.4.120:9402;
}

server {
    listen 80;
    server_name myminio.org;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name myminio.org;
    ssl_certificate     myminio.org.cert;
    ssl_certificate_key myminio.org.key;
    # TLSv1 and TLSv1.1 are deprecated; on a current Nginx prefer "TLSv1.2 TLSv1.3"
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers         HIGH:!aNULL:!MD5;
    ssl_session_cache   builtin:1000 shared:SSL:10m;

    access_log /var/log/nginx/myminio.access.log;
    error_log  /var/log/nginx/myminio.error.log;

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://backend;
    }
}

This assumes the Minio container IP is 10.0.4.120 and the URL you would like to access the Minio app at is myminio.org.
In the examples above we used Nginx, but you can also use Apache or any other web server.
Load Balancing
You can also configure an Nginx or Haproxy load balancer on the same principle to load balance multiple instances of an app across a cluster.
Below is a typical configuration for an Nginx load balancer. It serves 3 backend Redmine container instances defined in 'upstream backend'.
upstream backend {
    server 10.0.4.140:3000;
    server 10.0.5.150:3000;
    server 10.0.7.170:3000;
}

server {
    listen 80;
    server_name myredmine.org;
    access_log /var/log/nginx/myredmine.access.log;
    error_log  /var/log/nginx/myredmine.error.log;

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://backend;
    }
}

You can also use Haproxy to do the same. A typical Haproxy configuration would look like this.

global
    log 127.0.0.1 local2
    chroot /var/lib/haproxy
    pidfile /var/run/haproxy.pid
    nbproc 1
    maxconn 4000
    user haproxy
    group haproxy
    daemon
    stats socket /var/lib/haproxy/stats
    tune.ssl.default-dh-param 2048

defaults
    mode http
    log global
    option httplog
    option dontlognull
    option http-server-close
    option forwardfor except 127.0.0.0/8
    option redispatch
    retries 3
    timeout http-request 10s
    timeout queue 1m
    timeout connect 10s
    timeout client 1m
    timeout server 1m
    timeout http-keep-alive 10s
    timeout check 10s
    maxconn 3000

frontend www-http
    bind *:80
    option forwardfor
    # the stats page is served on the public listener: change these credentials
    # before deploying, or move the stats directives to a separate internal listener
    stats enable
    stats refresh 10s
    stats uri /haproxy?stats
    stats realm "haproxy stats"
    stats auth admin:password
    default_backend app

#resolvers flockport

#frontend www-https

backend app
    balance roundrobin
    server web01 10.0.4.140:3000 check
    server web02 10.0.5.150:3000 check
    server web03 10.0.7.170:3000 check

Flockport has this functionality built in and lets you deploy both Nginx and Haproxy instances to serve your container apps on a single host or across the network.