Question about RANCHER_URL and certificate subject

[ltutar]

Rancher is listening on localhost and therefore I do not supply RANCHER_URL (default: localhost) when starting the codedevote/nginx-ssl-proxy-rancher.
Nginx is then running on https://192.168.120.10

But the Rancher agents on other hosts can not register themselves to Rancher server.
Since the subject of the certificate is localhost. See https://github.com/codedevote/docker-nginx-ssl-proxy-rancher/blob/master/entrypoint.sh#L35

root@d40f97011bf9:/# curl https://192.168.120.10/v1
curl: (51) SSL: certificate subject name (localhost) does not match target host name '192.168.120.10'
root@d40f97011bf9:/# [root@agent-1 lib]# Connection to 127.0.0.1 closed by remote host.
Connection to 127.0.0.1 closed.
Levents-MacBook-Pro-3:multi ltutar$

Shouldn't it be better if the certificate subject is related to NGINX_URL instead of RANCHER_URL?

[codedevote]

You are right. From looking at the configs I think the name RANCHER_URL could be actually confusing. It is effectively the url you want your https set up. Since nginx proxies to the rancher server on the docker network, you should pass the url of your nginx as RANCHER_URL.

Imagine the following example:
You have a vm running rancher server in container and nginx on the same machine. Nginx proxies to rancher server on docker network, and nginx listens on 80/443 on the machine. If you want your rancher to be reachable through https://rancher.mycompany.com you should pass this url as RANCHER_URL parameter. You will then need a DNS entry for this URL and machine (e.g. an A entry in this example) and configure your firewall accordingly.

From your example, I think you should pass https://192.168.120.10 as RANCHER_URL.

Does this help?

[ltutar]

Yes. It does help. That is also what I am doing now. The name is just confusing as you stated.

[codedevote]

I am open for a better name :-) Do you have any suggestion? How about NGINX_URL or HTTPS_URL? What wouldn't have confused you?

[ltutar]

HTTPS_URL wouldn't confuse.

…

Sent from my iPhone On 13 Jul 2017, at 11:01, Florian Fordermaier <notifications@github.com<mailto:notifications@github.com>> wrote: I am open for a better name :-) Do you have any suggestion? How about NGINX_URL or HTTPS_URL? What wouldn't have confused you? — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub<#3 (comment)>, or mute the thread<https://github.com/notifications/unsubscribe-auth/AG5t1upuh-uB-BglQi69xH3gnCU9nI2iks5sNdzYgaJpZM4OVrmd>.

[codedevote]

Ok, I'll fix that in the next days. You can track the issue here: #4