Jwilder/nginx-proxy with cloudflare SSL FULL doesnt working

I’m having problem with using jwilder/nginx-proxy with cloudflare ssl (origin key, FULL type SSL).

Everything is working fine (in http) until I activate DNS Proxy of Cloudflare. With the server returning 521 (Web Server Down).

Here’s my docker-compose.yaml

version: "2"

    image: jwilder/nginx-proxy:alpine
      - 80:80
      - /var/run/docker.sock:/tmp/docker.sock:ro
      - ./certs:/etc/nginx/certs
    network_mode: bridge

    image: asia.gcr.io/ordent-production/ordent/saraswati-global
      - 3000:3000
      - VIRTUAL_HOST=beta.saraswati.global
      - VIRTUAL_PORT=3000
      - VIRTUAL_PROTO=https
    network_mode: bridge

    image: asia.gcr.io/ordent-production/ordent/api.healed.id
      - 4001:4001
      - VIRTUAL_HOST=dev.healed.id
      - VIRTUAL_PORT=4001
      - VIRTUAL_PROTO=https
    network_mode: bridge

Maybe you guys could help me with the configuration -

Here’s the nginx configuration created by above config :

# If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
# scheme used to connect to this server
map $http_x_forwarded_proto $proxy_x_forwarded_proto {
  default $http_x_forwarded_proto;
  ''      $scheme;
# If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
# server port the client connected to
map $http_x_forwarded_port $proxy_x_forwarded_port {
  default $http_x_forwarded_port;
  ''      $server_port;
# If we receive Upgrade, set Connection to "upgrade"; otherwise, delete any
# Connection header that may have been passed to this server
map $http_upgrade $proxy_connection {
  default upgrade;
  '' close;
# Apply fix for very long server names
server_names_hash_bucket_size 128;
# Default dhparam
ssl_dhparam /etc/nginx/dhparam/dhparam.pem;
# Set appropriate X-Forwarded-Ssl header
map $scheme $proxy_x_forwarded_ssl {
  default off;
  https on;
gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
log_format vhost '$host $remote_addr - $remote_user [$time_local] '
                 '"$request" $status $body_bytes_sent '
                 '"$http_referer" "$http_user_agent"';
access_log off;
                ssl_protocols TLSv1.2 TLSv1.3;
                ssl_prefer_server_ciphers off;
# HTTP 1.1 support
proxy_http_version 1.1;
proxy_buffering off;
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $proxy_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
# Mitigate httpoxy attack (see README for details)
proxy_set_header Proxy "";
server {
        server_name _; # This is just an invalid value which will never trigger on a real hostname.
        listen 80;
        access_log /var/log/nginx/access.log vhost;
        return 503;
# beta.saraswati.global
upstream beta.saraswati.global {
                                ## Can be connected with "bridge" network
                        # ordent-production-host_saraswati-global_1
server {
        server_name beta.saraswati.global;
        listen 80 ;
        access_log /var/log/nginx/access.log vhost;
        location / {
                proxy_pass https://beta.saraswati.global;
# dev.healed.id
upstream dev.healed.id {
                                ## Can be connected with "bridge" network
                        # ordent-production-host_api-healed-id_1
server {
        server_name dev.healed.id;
        listen 80 ;
        access_log /var/log/nginx/access.log vhost;
        location / {
                proxy_pass https://dev.healed.id;

If you’re using Full that means CF will access your origin via port 443, not 80. You’ll need to use an nginx configuration that listens on the SSL port 443.

1 Like

Hi Judge,

Thank you for the support but I seems cant make it work properly.
I think right now the site already served with HTTPS connection by nginx but it seems can’t connect to the other container and resulting in 502.
The configuration works without the SSL so i really confused about what to do.

Thank you.

This topic was automatically closed after 30 days. New replies are no longer allowed.