Wiki: NGINX Reverse Proxy (Test Proxy)

08.11.2025

wiki nginx infra

TL;DR

Flow: gateway -> test-proxy -> sidecar -> app.
Internal ports are loopback-only.
Rootless slirp requires 10.0.2.2 to reach host loopback.

Working Traffic Path

Internet
  -> Gateway :443 (host)
    -> 127.0.0.1:7777 (test-proxy container)
      -> 10.0.2.2:2001 (sidecar via host loopback)
        -> 127.0.0.1:4001 (app)

Health Endpoints

Test-proxy: GET /__nginx_ok on 7777
Sidecar: GET /__gw_ok on 2001
App: GET /__app_ok on 4001

Why It Works (Rootless)

App binds to container loopback only.
Sidecar shares the app netns (network_mode: service:app).
Test-proxy uses slirp with allow_host_loopback=true.
Host loopback is reachable at 10.0.2.2 from rootless containers.

Key Config Notes

Gateway proxies to http://127.0.0.1:7777.
Test-proxy proxies to http://10.0.2.2:2001.
Sidecar proxies to http://127.0.0.1:4001.

Minimal File Inventory

proxytest/
  docker-compose.yml
  nginx/nginx.conf
  nginx/sites-enabled/test-wildcard.conf

test/
  docker-compose.yml
  nginx.conf  # app
  gw.conf     # sidecar

gateway/
  nginx/sites-enabled/test-proxy-gateway.conf
  nginx/sites-enabled/00-blackhole.conf