I'm trying to deploy my nginx on docker container with Cloudflare.
docker-compose.yml
version: "3.5"
services:
nginx:
image: xxx/panel-nginx:VERSION
volumes:
- type: volume
source: panel_nginx_certs
target: /etc/nginx/certs
ports:
- target: 443
published: 443
protocol: tcp
mode: host
networks:
- panel_nginx
stop_grace_period: 1m
deploy:
replicas: 1
update_config:
parallelism: 1
delay: 180s
restart_policy:
condition: on-failure
networks:
panel_nginx:
external: true
volumes:
panel_nginx_certs:
external: true
nginx.conf
upstream panel-uwsgi {
server panel_app:8000;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name panel.xxx.com;
ssl_certificate /etc/nginx/certs/panel.pem;
ssl_certificate_key /etc/nginx/certs/panel.key;
location / {
include uwsgi_params;
uwsgi_pass panel-uwsgi;
}
# location /media/ {
# root /usr/share/nginx/html;
# try_files $uri $uri/;
# access_log off;
# expires 30d;
# }
location /static/ {
access_log off;
expires 30d;
}
location = /favicon.ico {
return 204;
access_log off;
log_not_found off;
}
# error_page 404 /404.html;
# error_page 500 502 503 504 /50x.html;
# location = /50x.html {
# root /usr/share/nginx/html;
# }
}
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305";
ssl_ecdh_curve secp384r1;
ssl_dhparam /etc/nginx/certs/dhparam.pem;
ssl_session_timeout 24h;
ssl_session_cache shared:SSL:12m;
ssl_session_tickets off;
ssl_stapling on;
ssl_trusted_certificate /etc/nginx/certs/cloudflare_origin_ecc.pem;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
server_names_hash_bucket_size 64;
ssl_client_certificate /etc/nginx/certs/cloudflare.crt;
ssl_verify_client on;
server_tokens off;
charset utf-8;
add_header X-Robots-Tag none;
add_header Warning 'This computer system including all related equipment, network devices (specifically including Internet access), are provided only for authorized use. Unauthorized use may subject you to criminal prosecution. By accessing this system, you have agreed to the term and condition of use and your actions will be monitored and recorded.';
Deploying with this config cause 525 Error: SSL handshake failed. I have dedicated IP and NSI. I'm using chacha-poly ciphers. I'm publishing 443 port.
Any thoughts why i'm getting this error?
Thanks
Disclaimer: Stackoverflow, please remove the warning about too much code and not enough text. Thanks
