I am building a flask-socketio service that is deployed in an Azure container group. The problem that I am encountering is a Mixed Content error since the client providing the page (HTTPS) needs to connect to our service using web sockets (HTTP).
I found a guide showing how you can create a TLS endpoint in a sidecar container here, however, I suspect the nginx configuration is not working as I receive a net::ERR_CERT_AUTHORITY_INVALID
client-side error when trying to connect to the web socket.
I am very new to nginx and its configuration files; it would be much appreciated if something wrong in my config can be pointed out. I have tried changing the proxy_pass
value to localhost
, yet, nothing changes.
nginx.config
# nginx Configuration File
# https://wiki.nginx.org/Configuration
# Run as a less privileged user for security reasons.
user nginx;
worker_processes auto;
events {
worker_connections 1024;
}
pid /var/run/nginx.pid;
http {
#Redirect to https, using 307 instead of 301 to preserve post data
server {
listen [::]:443 ssl;
listen 443 ssl;
server_name askme.eastus.azurecontainer.io;
# Protect against the BEAST attack by not using SSLv3 at all. If you need to support older browsers (IE6) you may need to add
# SSLv3 to the list of protocols below.
ssl_protocols TLSv1.2;
# Ciphers set to best allow protection from Beast, while providing forwarding secrecy, as defined by Mozilla - https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK;
ssl_prefer_server_ciphers on;
# Optimize TLS/SSL by caching session parameters for 10 minutes. This cuts down on the number of expensive TLS/SSL handshakes.
# The handshake is the most CPU-intensive operation, and by default it is re-negotiated on every new/parallel connection.
# By enabling a cache (of type "shared between all Nginx workers"), we tell the client to re-use the already negotiated state.
# Further optimization can be achieved by raising keepalive_timeout, but that shouldn't be done unless you serve primarily HTTPS.
ssl_session_cache shared:SSL:10m; # a 1mb cache can hold about 4000 sessions, so we can hold 40000 sessions
ssl_session_timeout 24h;
# Use a higher keepalive timeout to reduce the need for repeated handshakes
keepalive_timeout 300; # up from 75 secs default
# remember the certificate for a year and automatically connect to HTTPS
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains';
ssl_certificate /etc/nginx/ssl.crt;
ssl_certificate_key /etc/nginx/ssl.key;
location / {
proxy_pass http://askme.eastus.azurecontainer.io:80; # TODO: replace port if app listens on port other than 80
proxy_set_header Connection "";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
}
}
}
aci-deploy.yml
apiVersion: '2019-12-01'
location: eastus
name: containergroup
type: Microsoft.ContainerInstance/containerGroups
properties:
osType: Linux
ipAddress:
type: Public
dnsNameLabel: askme
ports:
- protocol: tcp
port: 22
- protocol: tcp
port: 443
containers:
- name: nginx-with-ssl
properties:
image: mcr.microsoft.com/oss/nginx/nginx:1.15.5-alpine
ports:
- port: 443
protocol: tcp
resources:
requests:
cpu: 2.0
memoryInGB: 1.5
volumeMounts:
- name: nginx-config
mountPath: /etc/nginx
- name: flask-app
properties:
image: containerregistry.azurecr.io/flask-app:1.0
resources:
requests:
memoryInGb: 2.0
cpu: 1.0
ports:
- protocol: tcp
port: 80
volumeMounts:
- name: shared-data
mountPath: /my-app/uploaded_files
- name: sftp
properties:
image: containerregistry.azurecr.io/atmoz/sftp:latest
resources:
requests:
memoryInGb: 1.5
cpu: 1.0
ports:
- protocol: tcp
port: 22
environmentVariables:
- name: SFTP_USERS
value: XX:XX:::sftp_files
volumeMounts:
- name: shared-data
mountPath: /home/myuser/sftp_files
imageRegistryCredentials:
- server: containerregistry.azurecr.io
username: ...
password: ...
volumes:
- name: shared-data
azureFile:
shareName: ...
storageAccountName: ...
storageAccountKey: ...
- secret:
ssl.crt: ...
ssl.key: ...
nginx.conf: ...
name: nginx-config