[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



1 hour ago, zyphermonkey said:

Okay so I got that part fixed. I have no idea how it happened but the "container ports" got changed to match the "host ports" and obviously nothing worked after that.

Now I'm trying to set up some subfolder services and the only way I can get them to work without getting a 500 error is to have the following with a lot of the default settings commented out. I don't think I should be doing this. Is there something I need to configure in proxy.conf to get the default way to work?

 


# first go into tautulli settings, under "Web Interface", click on show advanced, set the HTTP root to /tautulli and restart the tautulli container
# to enable password access, uncomment the two auth_basic lines

location /tautulli {
#    auth_basic "Restricted";
#    auth_basic_user_file /config/nginx/.htpasswd;
    include /config/nginx/proxy.conf;
#    resolver 127.0.0.11 valid=30s;
#    set $upstream_tautulli tautulli;
#    proxy_pass http://$upstream_tautulli:8181;
    proxy_pass http://192.168.1.10:8282;
}

 

 

Did you read and follow the readme in that folder? 

Link to comment

So I missed the section at the bottom that mentions making a new custom network and moving all your containers over to it. Is that really necessary or is it enough to just have them all on the same network?
All my dockers are on the same internal docker network (bridge). The issue appears to be with the resolver setting. If I disable it and set it statically in the .conf file it works fine. 

location /tautulli {
    auth_basic "Restricted";
    auth_basic_user_file /config/nginx/.htpasswd;
    include /config/nginx/proxy.conf;
#    resolver 127.0.0.11 valid=30s;
    set $upstream_tautulli 172.17.0.14;
    proxy_pass http://$upstream_tautulli:8181;
#    proxy_pass http://192.168.1.10:8282;
}

I also can't resolve docker names from within the docker and there is nothing static in the hosts file except for local info. 

 

root@dcb925741e00:/$ nslookup tautulli
nslookup: can't resolve '(null)': Name does not resolve

nslookup: can't resolve 'tautulli': Name does not resolve


root@dcb925741e00:/$ cat /etc/hosts
127.0.0.1       localhost
::1     localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
172.17.0.2      dcb925741e00


root@dcb925741e00:/$ cat /etc/resolv.conf
# Generated DNSv4 entries:
nameserver 208.67.222.222
nameserver 192.168.1.1
# Generated DNSv6 entries:

 

Link to comment
8 hours ago, zyphermonkey said:

So I missed the section at the bottom that mentions making a new custom network and moving all your containers over to it. Is that really necessary or is it enough to just have them all on the same network?
All my dockers are on the same internal docker network (bridge). The issue appears to be with the resolver setting. If I disable it and set it statically in the .conf file it works fine. 


location /tautulli {
    auth_basic "Restricted";
    auth_basic_user_file /config/nginx/.htpasswd;
    include /config/nginx/proxy.conf;
#    resolver 127.0.0.11 valid=30s;
    set $upstream_tautulli 172.17.0.14;
    proxy_pass http://$upstream_tautulli:8181;
#    proxy_pass http://192.168.1.10:8282;
}

I also can't resolve docker names from within the docker and there is nothing static in the hosts file except for local info. 

 


root@dcb925741e00:/$ nslookup tautulli
nslookup: can't resolve '(null)': Name does not resolve

nslookup: can't resolve 'tautulli': Name does not resolve


root@dcb925741e00:/$ cat /etc/hosts
127.0.0.1       localhost
::1     localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
172.17.0.2      dcb925741e00


root@dcb925741e00:/$ cat /etc/resolv.conf
# Generated DNSv4 entries:
nameserver 208.67.222.222
nameserver 192.168.1.1
# Generated DNSv6 entries:

 

 

Please read the manual. We put a lot of time and effort into them: https://github.com/linuxserver/docker-letsencrypt/blob/master/root/defaults/proxy-confs/_readme#L21

It needs to be a "user defined" bridge network, not the default

Link to comment
On 7/20/2018 at 7:36 PM, aptalca said:

 

Please read the manual. We put a lot of time and effort into them: https://github.com/linuxserver/docker-letsencrypt/blob/master/root/defaults/proxy-confs/_readme#L21

It needs to be a "user defined" bridge network, not the default


Gotcha. Doing that and reverting all my .conf's back to their default settings worked.
I feel like this should be in the 1st post on this thread. Everything else was straightforward for me without digging into any manuals except for this. Could just be me though.

 

1. Create new docker network

   a. docker network create my-bridge

2. Install letsencrypt-docker using new network
3. Move any dockers you want to proxy to new network. 

Edited by zyphermonkey
Link to comment
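The diagnosis from the exchange above, as an added example (not code from the thread or from the linuxserver.io project): it checks whether the `resolver` address in a proxy conf is a nameserver the container actually has, which is what differs between the default bridge and a user-defined one. The function names are hypothetical, the sample confs and the default-bridge resolv.conf are rebuilt from the posts above, and the user-defined-network resolv.conf is constructed.

```sh
#!/bin/sh
# Added example: why the shipped proxy conf fails on the default bridge.

# Print the nameserver addresses listed in a resolv.conf file, one per line.
nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Print the address of the first active (uncommented) `resolver` directive.
active_resolver() {
    awk '$1 == "resolver" { sub(/;$/, "", $2); print $2; exit }' "$1"
}

# Print the value assigned by the first active `set $upstream_...` line.
upstream_target() {
    awk '$1 == "set" && $2 ~ /^\$upstream_/ { sub(/;$/, "", $3); print $3; exit }' "$1"
}

# diagnose CONF RESOLV_CONF -> prints one verdict:
#   static   no variable upstream, or it is an IPv4 literal: resolver is not consulted
#   ok       upstream is a name and the resolver is one of the container's nameservers
#   no-dns   upstream is a name but nothing in this container answers on the resolver
#   missing  upstream is a name and no resolver directive is active
diagnose() {
    conf_file=$1
    resolv_file=$2
    target=$(upstream_target "$conf_file")
    resolver=$(active_resolver "$conf_file")
    case $target in
        *[!0-9.]*) ;;                  # contains non-IPv4 characters: a hostname
        *) echo static; return 0 ;;    # empty or IPv4 literal
    esac
    if [ -z "$resolver" ]; then
        echo missing; return 1
    fi
    if nameservers "$resolv_file" | grep -qxF "$resolver"; then
        echo ok; return 0
    fi
    echo no-dns; return 1
}

# Write the sample inputs into DIR.
write_samples() {
    dir=$1
    # Proxy conf with the default lines active (as in the posted conf, uncommented).
    cat > "$dir/default.conf" <<'EOF'
location /tautulli {
    include /config/nginx/proxy.conf;
    resolver 127.0.0.11 valid=30s;
    set $upstream_tautulli tautulli;
    proxy_pass http://$upstream_tautulli:8181;
}
EOF
    # Workaround from the thread: resolver commented out, container IP hard-coded.
    cat > "$dir/static.conf" <<'EOF'
location /tautulli {
    include /config/nginx/proxy.conf;
#    resolver 127.0.0.11 valid=30s;
    set $upstream_tautulli 172.17.0.14;
    proxy_pass http://$upstream_tautulli:8181;
}
EOF
    # resolv.conf as posted from the container on the default bridge.
    cat > "$dir/resolv.default-bridge" <<'EOF'
# Generated DNSv4 entries:
nameserver 208.67.222.222
nameserver 192.168.1.1
EOF
    # Constructed: on a user-defined network Docker points the container
    # at its embedded DNS server.
    cat > "$dir/resolv.user-bridge" <<'EOF'
nameserver 127.0.0.11
EOF
}

# Demo: every conf against every network type.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for c in default static; do
    for n in default-bridge user-bridge; do
        printf '%-8s conf on %-14s -> %s\n' "$c" "$n" \
            "$(diagnose "$demo_dir/$c.conf" "$demo_dir/resolv.$n")"
    done
done
```

To check a live setup, save the output of `docker exec <container> cat /etc/resolv.conf` to a file and pass it as the second argument.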
1 hour ago, zyphermonkey said:


Gotcha. Doing that and reverting all my .conf's back to their default settings worked.
I feel like this should be in the 1st post on this thread. Everything else was straightforward for me without digging into any manuals except for this. Could just be me though.

 

1. Create new docker network

   a. docker network create my-bridge

2. Install letsencrypt-docker using new network
3. Move any dockers you want to proxy to new network. 

 

You read it and still ignored it the first time. I doubt putting it in the first post would make a difference. 

Link to comment
7 minutes ago, aptalca said:

 

You read it and still ignored it the first time. I doubt putting it in the first post would make a difference. 

I didn't ignore it (but did ask a valid question about it) because it didn't make any sense to me at the time and honestly still doesn't. Why do docker names resolve via an internal docker dns server on a custom network, but not the default unraid bridge? There's no explanation as to why it's necessary to switch all your containers to a new network and the requirement to do so isn't listed on the 1st post or default landing page for docker hub or github where almost all other instructions and requirements are listed. I only made a suggestion to help improve the experience for others who might run into the same issue I had.


Everything else during the setup I expected, but this wasn't one of those.

 

I wasn't trying to criticize anyone's work and really appreciate the container.

Link to comment
51 minutes ago, zyphermonkey said:

I didn't ignore it (but did ask a valid question about it) because it didn't make any sense to me at the time and honestly still doesn't. Why do docker names resolve via an internal docker dns server on a custom network, but not the default unraid bridge? There's no explanation as to why it's necessary to switch all your containers to a new network and the requirement to do so isn't listed on the 1st post or default landing page for docker hub or github where almost all other instructions and requirements are listed. I only made a suggestion to help improve the experience for others who might run into the same issue I had.


Everything else during the setup I expected, but this wasn't one of those.

 

I wasn't trying to criticize anyone's work and really appreciate the container.

 

https://docs.docker.com/network/bridge/#differences-between-user-defined-bridges-and-the-default-bridge

And here: https://blog.linuxserver.io/2017/10/17/using-docker-networks-for-better-inter-container-communication/

 

Github page tells you to read the preset conf readme: https://github.com/linuxserver/docker-letsencrypt/blob/master/README.md#site-config-and-reverse-proxy

Edited by aptalca
Link to comment

I have been trying to get this all working right for a week now.  I'm a noob so it's all been baby steps.  Right now I have most things working but I am having an issue where accessing say https://myserver.com/radarr hangs for 30-45 seconds before loading the page.  This happens when accessing any of my apps but once the page loads and you try the same one again or any others right away they all load fast.  Wait a while and try one and you will usually (but not always) get the delay.

 

Here is my nginx/site-confs/default file:

 

## Version 2018/04/20 - Changelog: https://github.com/linuxserver/docker-letsencrypt/commits/master/root/defaults/default

# listening on port 80 disabled by default, remove the "#" signs to enable
# redirect all traffic to https
#server {
#	listen 80;
#	server_name _;
#	return 301 https://$host$request_uri;
#}

upstream netdata {
	server 192.168.1.42:19999;
	keepalive 64;
}


# main server block
server {
	listen 443 ssl http2 default_server;
	listen 80;
	
	root /config/www;
	index index.html index.htm index.php;

	server_name myserver.com;

	# enable subfolder method reverse proxy confs
	include /config/nginx/proxy-confs/*.subfolder.conf;

	# all ssl related config moved to ssl.conf
	include /config/nginx/ssl.conf;

	client_max_body_size 0;

	location / {
		proxy_pass http://192.168.1.42:8282; #Organizr IP and Port
		include /config/nginx/proxy.conf;
	}

	location ~ \.php$ {
		fastcgi_split_path_info ^(.+\.php)(/.+)$;
		# With php7-cgi alone:
		fastcgi_pass 192.168.1.42:9000;
		# With php7-fpm:
		#fastcgi_pass unix:/var/run/php7-fpm.sock;
		fastcgi_index index.php;
		include /etc/nginx/fastcgi_params;
	}
	

	location = /netdata {
		return 301 /netdata/;
	}

	location ~ /netdata/(?<ndpath>.*) {
		proxy_redirect off;
		proxy_set_header Host $host;

		proxy_set_header X-Forwarded-Host $host;
		proxy_set_header X-Forwarded-Server $host;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_http_version 1.1;
		proxy_pass_request_headers on;
		proxy_set_header Connection "keep-alive";
		proxy_store off;
		proxy_pass http://netdata/$ndpath$is_args$args;

		gzip on;
		gzip_proxied any;
		gzip_types *;
	}
	
# sample reverse proxy config for password protected couchpotato running at IP 192.168.1.50 port 5050 with base url "cp"
# notice this is within the same server block as the base
# don't forget to generate the .htpasswd file as described on docker hub
#	location ^~ /cp {
#		auth_basic "Restricted";
#		auth_basic_user_file /config/nginx/.htpasswd;
#		include /config/nginx/proxy.conf;
#		proxy_pass http://192.168.1.50:5050/cp;
#	}

}

# sample reverse proxy config without url base, but as a subdomain "cp", ip and port same as above
# notice this is a new server block, you need a new server block for each subdomain
#server {
#	listen 443 ssl;
#
#	root /config/www;
#	index index.html index.htm index.php;
#
#	server_name cp.*;
#
#	include /config/nginx/ssl.conf;
#
#	client_max_body_size 0;
#
#	location / {
#		auth_basic "Restricted";
#		auth_basic_user_file /config/nginx/.htpasswd;
#		include /config/nginx/proxy.conf;
#		proxy_pass http://192.168.1.50:5050;	
#	}
#}

# enable subdomain method reverse proxy confs
include /config/nginx/proxy-confs/*.subdomain.conf;

 

Edited by RockDawg
Link to comment

I'm getting an error: 

Quote

container_linux.go:265: starting container process caused "exec: \"/init\": stat /init: no such file or directory"

Each time I try to launch the letsencrypt docker.

 

The docker was working the other day, but I had to force kill the docker daemon and container. Now, this is the only message I got when trying to start the container.

 

I've tried:

- Reinstalling the image

- Deleting the container folder

- Deleting the /mnt/user/appdata/letsencrypt folder

 

At this point I have no idea what to do, and it's pretty frustrating. Can anyone help point me in the right direction?

Link to comment
4 hours ago, archerkg said:

I'm getting an error: 

Each time I try to launch the letsencrypt docker.

 

The docker was working the other day, but I had to force kill the docker daemon and container. Now, this is the only message I got when trying to start the container.

 

I've tried:

- Reinstalling the image

- Deleting the container folder

- Deleting the /mnt/user/appdata/letsencrypt folder 

 

At this point I have no idea what to do, and it's pretty frustrating. Can anyone help point me in the right direction?

 

That to me looks like a docker engine error.  Things to try

 

1.  Reboot

2.  Delete docker.img and recreate it

 

Link to comment

There is a ton of info in this docker but have not found my answer.

Quick background: moved houses, new ISP, seems new ISP blocks incoming port 80, ugh. Need to renew my LE, my only option is DNS, but I used duckdns for my DDNS, love that service. So anyone else have this issue? If so, how did you resolve it?

My guess at this point is I have to use one of my domains and set up Cloudflare for it so I can do the DNS validation.

Sent from my BND-L34 using Tapatalk

Link to comment
4 hours ago, ijuarez said:

There is a ton of info in this docker but have not found my answer.

Quick background: moved houses, new ISP, seems new ISP blocks incoming port 80, ugh. Need to renew my LE, my only option is DNS, but I used duckdns for my DDNS, love that service. So anyone else have this issue? If so, how did you resolve it?

My guess at this point is I have to use one of my domains and set up Cloudflare for it so I can do the DNS validation.

Sent from my BND-L34 using Tapatalk
 

You've answered your own question :)

Link to comment
On 7/23/2018 at 4:28 PM, RockDawg said:

I have been trying to get this all working right for a week now.  I'm a noob so it's all been baby steps.  Right now I have most things working but I am having an issue where accessing say https://myserver.com/radarr hangs for 30-45 seconds before loading the page.  This happens when accessing any of my apps but once the page loads and you try the same one again or any others right away they all load fast.  Wait a while and try one and you will usually (but not always) get the delay.

 


 

 

 

Anyone have any ideas why I am getting delays before pages load?  Or how to begin to troubleshoot?

Link to comment

I just did that and there's nothing I can see.  I just had about a minute delay accessing from my cellular network and the access log showed nothing during the delay.  As soon as the page began loading it showed a bunch of lines like the following (I changed IP to 0.0.0.0):

 

0.0.0.0 - - [25/Jul/2018:18:01:39 -0400] "GET / HTTP/1.1" 302 5 "-" "Mozilla/5.0 (Linux; Android 8.0.0; SM-G950U Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Mobile Safari/537.36"
0.0.0.0 - - [25/Jul/2018:18:01:39 -0400] "GET /web/index.html HTTP/1.1" 200 1012 "-" "Mozilla/5.0 (Linux; Android 8.0.0; SM-G950U Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Mobile Safari/537.36"
0.0.0.0 - - [25/Jul/2018:18:01:39 -0400] "GET /web/scripts/apploader.js?v=3.5.0.0 HTTP/1.1" 304 0 "https://emby.myserver.com/web/index.html" "Mozilla/5.0 (Linux; Android 8.0.0; SM-G950U Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Mobile Safari/537.36"
0.0.0.0 - - [25/Jul/2018:18:01:39 -0400] "GET /web/bower_components/alameda/alameda.js?v=3.5.0.0 HTTP/1.1" 200 5503 "https://emby.myserver.com/web/index.html" "Mozilla/5.0 (Linux; Android 8.0.0; SM-G950U Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Mobile Safari/537.36"
0.0.0.0 - - [25/Jul/2018:18:01:39 -0400] "GET /web/scripts/site.js?v=3.5.0.0 HTTP/1.1" 200 13043 "https://emby.myserver.com/web/index.html" "Mozilla/5.0 (Linux; Android 8.0.0; SM-G950U Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Mobile Safari/537.36"
0.0.0.0 - - [25/Jul/2018:18:01:40 -0400] "GET /web/bower_components/emby-webcomponents/require/requirecss.js?v=3.5.0.0 HTTP/1.1" 200 562 "https://emby.myserver.com/web/index.html" "Mozilla/5.0 (Linux; Android 8.0.0; SM-G950U Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Mobile Safari/537.36"
0.0.0.0 - - [25/Jul/2018:18:01:40 -0400] "GET /web/bower_components/emby-webcomponents/browser.js?v=3.5.0.0 HTTP/1.1" 200 1644 "https://emby.myserver.com/web/index.html" "Mozilla/5.0 (Linux; Android 8.0.0; SM-G950U Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Mobile Safari/537.36"
0.0.0.0 - - [25/Jul/2018:18:01:40 -0400] "GET /web/bower_components/emby-apiclient/connectionmanager.js?v=3.5.0.0 HTTP/1.1" 200 6764 "https://emby.myserver.com/web/index.html" "Mozilla/5.0 (Linux; Android 8.0.0; SM-G950U Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Mobile Safari/537.36"
0.0.0.0 - - [25/Jul/2018:18:01:40 -0400] "GET /web/css/site.css?v=3.5.0.0 HTTP/1.1" 200 803 "https://emby.myserver.com/web/index.html" "Mozilla/5.0 (Linux; Android 8.0.0; SM-G950U Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Mobile Safari/537.36"
0.0.0.0 - - [25/Jul/2018:18:01:40 -0400] "GET /web/bower_components/emby-apiclient/events.js?v=3.5.0.0 HTTP/1.1" 304 0 "https://emby.myserver.com/web/index.html" "Mozilla/5.0 (Linux; Android 8.0.0; SM-G950U Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Mobile Safari/537.36"
0.0.0.0 - - [25/Jul/2018:18:01:40 -0400] "GET /web/bower_components/emby-webcomponents/usersettings/usersettings.js?v=3.5.0.0 HTTP/1.1" 304 0 "https://emby.myserver.com/web/index.html" "Mozilla/5.0 (Linux; Android 8.0.0; SM-G950U Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Mobile Safari/537.36"
0.0.0.0 - - [25/Jul/2018:18:01:40 -0400] "GET /web/components/apphost.js?v=3.5.0.0 HTTP/1.1" 200 2997 "https://emby.myserver.com/web/index.html" "Mozilla/5.0 (Linux; Android 8.0.0; SM-G950U Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Mobile Safari/537.36"
0.0.0.0 - - [25/Jul/2018:18:01:40 -0400] "GET /web/bower_components/emby-apiclient/credentials.js?v=3.5.0.0 HTTP/1.1" 200 690 "https://emby.myserver.com/web/index.html" "Mozilla/5.0 (Linux; Android 8.0.0; SM-G950U Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Mobile Safari/537.36"
0.0.0.0 - - [25/Jul/2018:18:01:40 -0400] "GET /web/bower_components/emby-webcomponents/usersettings/usersettingsbuilder.js?v=3.5.0.0 HTTP/1.1" 200 1297 "https://emby.myserver.com/web/index.html" "Mozilla/5.0 (Linux; Android 8.0.0; SM-G950U Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Mobile Safari/537.36"
0.0.0.0 - - [25/Jul/2018:18:01:40 -0400] "GET /web/bower_components/emby-apiclient/apiclient.js?v=3.5.0.0 HTTP/1.1" 200 10395 "https://emby.myserver.com/web/index.html" "Mozilla/5.0 (Linux; Android 8.0.0; SM-G950U Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Mobile Safari/537.36"

 

Does anyone see anything amiss?  The delays are making everything unusable.

Link to comment

So I have still been trying to fix this delay issue with no luck.  A user over on the Emby forums spent quite a bit of time trying to help me last night and we still haven't figured it out.  He ended up sending me this link about someone finding that nginx was slower in a Docker container than run standalone.  There were a couple of replies that it ran better with a "host" network connection rather than "bridge".  Has anyone else tried this?  How would I even get that to work just to test it?  I tried changing the mode to "host" but then I couldn't connect to any of my sites.

 

Here is a link to the post:  https://stackoverflow.com/questions/49023800/performance-issues-running-nginx-in-a-docker-container

 

I just cannot eliminate this 20-30 delay when accessing sites.  Has anyone else experienced this??

 

Here is an excerpt that was posted straight from Docker's site:

 

Quote

NETWORK: HOST

Compared to the default bridge mode, the host mode gives significantly better networking performance since it uses the host’s native networking stack whereas the bridge has to go through one level of virtualization through the docker daemon.

It is recommended to run containers in this mode when their networking performance is critical, for example, a production Load Balancer or a High Performance Web Server.

 

Link to comment
So I have still been trying to fix this delay issue with no luck.  A user over on the Emby forums spent quite a bit of time trying to help me last night and we still haven't figured it out.  He ended up sending me this link about someone finding that nginx was slower in a Docker container than run standalone.  There were a couple of replies that it ran better with a "host" network connection rather than "bridge".  Has anyone else tried this?  How would I even get that to work just to test it?  I tried changing the mode to "host" but then I couldn't connect to any of my sites.

 

Here is a link to the post:  https://stackoverflow.com/questions/49023800/performance-issues-running-nginx-in-a-docker-container

 

I just cannot eliminate this 20-30 delay when accessing sites.  Has anyone else experienced this??

 

Here is an excerpt that was posted straight from Docker's site:

 

NETWORK: HOST

Compared to the default bridge mode, the host mode gives significantly better networking performance since it uses the host’s native networking stack whereas the bridge has to go through one level of virtualization through the docker daemon.

It is recommended to run containers in this mode when their networking performance is critical, for example, a production Load Balancer or a High Performance Web Server.

 

I can see an extra network layer adding delays on a resource intensive application but this is not it. Not for 20-30 seconds. It seems it takes time to reach the app.

 

What about address resolution/DNS? Any chance your primary DNS server is on the fritz and it's timing out?

 

Sent from my SM-G930W8 using Tapatalk

 

 

Edit: typo

Link to comment

I really don't know a lot about all this.  In my router the primary DNS is set to Google 8.8.8.8.  The delay is such that when you type the address and hit enter, nothing happens in the browser at all except the spinning activity indicator.  The current page doesn't change at all.  The moment the page changes at all, it loads as quickly as I would expect.  So yeah, it's acting like it can't get through for that time.  Once it loads, I can usually go to any of my sites without any delay.  However, if you wait a few minutes you will usually get the delay again.

Link to comment
2 hours ago, RockDawg said:

I really don't know a lot about all this.  In my router the primary DNS is set to Google 8.8.8.8.  The delay is such that when you type the address and hit enter, nothing happens in the browser at all except the spinning activity indicator.  The current page doesn't change at all.  The moment the page changes at all, it loads as quickly as I would expect.  So yeah, it's acting like it can't get through for that time.  Once it loads, I can usually go to any of my sites without any delay.  However, if you wait a few minutes you will usually get the delay again.

 

Did you try restarting your router? 

 

Is the delay present even when you connect from outside your lan, i.e. on your phone using the cell data?

 

To me it sounds like it's a lan related issue rather than nginx or docker

Link to comment
2 hours ago, RockDawg said:

So I have still been trying to fix this delay issue with no luck.  A user over on the Emby forums spent quite a bit of time trying to help me last night and we still haven't figured it out.  He ended up sending me this link about someone finding that nginx was slower in a Docker container than run standalone.  There were a couple of replies that it ran better with a "host" network connection rather than "bridge".  Has anyone else tried this?  How would I even get that to work just to test it?  I tried changing the mode to "host" but then I couldn't connect to any of my sites.

 

Here is a link to the post:  https://stackoverflow.com/questions/49023800/performance-issues-running-nginx-in-a-docker-container

 

I just cannot eliminate this 20-30 delay when accessing sites.  Has anyone else experienced this??

 

Here is an excerpt that was posted straight from Docker's site:

 

 

 

I host production websites on vps via this docker. Any delay the docker network may add is not noticeable

Link to comment
44 minutes ago, aptalca said:

 

Did you try restarting your router? 

 

Is the delay present even when you connect from outside your lan, i.e. on your phone using the cell data?

 

To me it sounds like it's a lan related issue rather than nginx or docker

 

 

Okay I could swear that I had rebooted the router but I just did it and everything does seem to be working now.  I will withhold judgement because, even before, sometimes it would work fine and then the delay would appear.  I have tried both internally with my desktop and externally with my cell phone on the cellular network and both loaded quickly.  I'll report back once I am more confident.

Link to comment
Nope.  It's still there.  I have been hopping around my sites and it seems about 1 out of 5 tries yields the delay.  Damn this is frustrating!
Same behavior in and out of your LAN? When in the LAN, do you use the IP or the domain name? How does it resolve your domain from inside the LAN?

Sent from my SM-G930W8 using Tapatalk

Link to comment
