Fix nginx stale DNS caching causing backend to appear down after restarts

Use Docker's embedded DNS resolver (127.0.0.11) with nginx variables in
proxy_pass directives so upstream hostnames are re-resolved at runtime
instead of being cached forever at startup.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-15 16:29:42 +01:00
parent 3d97ccf38c
commit 00364aca23
2 changed files with 73 additions and 31 deletions


@@ -9,6 +9,8 @@ http {
server_tokens off;
charset utf-8;
resolver 127.0.0.11 valid=10s;
client_max_body_size 50M;
limit_req_zone $binary_remote_addr zone=login:10m rate=5r/m;
@@ -44,6 +46,13 @@ http {
listen 80;
server_name $DOMAIN www.$DOMAIN;
set $upstream_backend http://$BACKEND_HOST:$BACKEND_PORT;
set $upstream_icecast http://$ICECAST_HOST:$ICECAST_PORT;
set $upstream_gitea http://$GITEA_HOST:$GITEA_PORT;
set $upstream_hasura http://$HASURA_HOST:$HASURA_PORT;
set $upstream_quartz http://$QUARTZ_HOST:$QUARTZ_PORT;
set $upstream_searxng http://$SEARXNG_HOST:$SEARXNG_PORT;
location /uploads/ {
alias /uploads/;
add_header X-Content-Type-Options nosniff always;
@@ -65,7 +74,7 @@ http {
location $BACKEND_ENDPOINT/ws {
rewrite ^$BACKEND_ENDPOINT/(.*)$ /$1 break;
proxy_pass http://$BACKEND_HOST:$BACKEND_PORT/;
proxy_pass $upstream_backend;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
@@ -78,7 +87,7 @@ http {
location $BACKEND_ENDPOINT/auth/login {
limit_req zone=login burst=3 nodelay;
rewrite ^$BACKEND_ENDPOINT/(.*)$ /$1 break;
proxy_pass http://$BACKEND_HOST:$BACKEND_PORT/;
proxy_pass $upstream_backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -88,7 +97,7 @@ http {
location $BACKEND_ENDPOINT/messages/upload {
limit_req zone=upload burst=3 nodelay;
rewrite ^$BACKEND_ENDPOINT/(.*)$ /$1 break;
proxy_pass http://$BACKEND_HOST:$BACKEND_PORT/;
proxy_pass $upstream_backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -98,7 +107,7 @@ http {
location $BACKEND_ENDPOINT/ {
limit_req zone=api burst=20 nodelay;
rewrite ^$BACKEND_ENDPOINT/(.*)$ /$1 break;
proxy_pass http://$BACKEND_HOST:$BACKEND_PORT/;
proxy_pass $upstream_backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -110,7 +119,8 @@ http {
}
location /radio/ {
proxy_pass http://$ICECAST_HOST:$ICECAST_PORT/;
rewrite ^/radio/(.*)$ /$1 break;
proxy_pass $upstream_icecast;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -122,7 +132,8 @@ http {
}
location /gitea/ {
proxy_pass http://$GITEA_HOST:$GITEA_PORT/;
rewrite ^/gitea/(.*)$ /$1 break;
proxy_pass $upstream_gitea;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -136,7 +147,8 @@ http {
location /hasura/ {
auth_request /internal/auth/admin-validate;
error_page 401 403 = @auth_denied;
proxy_pass http://$HASURA_HOST:$HASURA_PORT/;
rewrite ^/hasura/(.*)$ /$1 break;
proxy_pass $upstream_hasura;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -153,7 +165,8 @@ http {
location /notes/ {
auth_request /internal/auth/admin-validate;
error_page 401 403 = @auth_denied;
proxy_pass http://$QUARTZ_HOST:$QUARTZ_PORT/;
rewrite ^/notes/(.*)$ /$1 break;
proxy_pass $upstream_quartz;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
@@ -166,7 +179,8 @@ http {
location = /internal/auth/admin-validate {
internal;
proxy_pass http://$BACKEND_HOST:$BACKEND_PORT/auth/validate-admin;
rewrite ^ /auth/validate-admin break;
proxy_pass $upstream_backend;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
proxy_set_header Cookie $http_cookie;
@@ -183,7 +197,8 @@ http {
location /searxng/ {
auth_request /internal/auth/admin-validate;
error_page 401 403 = @auth_denied;
proxy_pass http://$SEARXNG_HOST:$SEARXNG_PORT/;
rewrite ^/searxng/(.*)$ /$1 break;
proxy_pass $upstream_searxng;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -200,6 +215,13 @@ http {
ssl_certificate /etc/letsencrypt/live/localhost/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/localhost/privkey.pem;
set $upstream_backend http://$BACKEND_HOST:$BACKEND_PORT;
set $upstream_icecast http://$ICECAST_HOST:$ICECAST_PORT;
set $upstream_gitea http://$GITEA_HOST:$GITEA_PORT;
set $upstream_hasura http://$HASURA_HOST:$HASURA_PORT;
set $upstream_quartz http://$QUARTZ_HOST:$QUARTZ_PORT;
set $upstream_searxng http://$SEARXNG_HOST:$SEARXNG_PORT;
location /uploads/ {
alias /uploads/;
add_header X-Content-Type-Options nosniff always;
@@ -221,7 +243,7 @@ http {
location $BACKEND_ENDPOINT/ws {
rewrite ^$BACKEND_ENDPOINT/(.*)$ /$1 break;
proxy_pass http://$BACKEND_HOST:$BACKEND_PORT/;
proxy_pass $upstream_backend;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
@@ -234,7 +256,7 @@ http {
location $BACKEND_ENDPOINT/auth/login {
limit_req zone=login burst=3 nodelay;
rewrite ^$BACKEND_ENDPOINT/(.*)$ /$1 break;
proxy_pass http://$BACKEND_HOST:$BACKEND_PORT/;
proxy_pass $upstream_backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -244,7 +266,7 @@ http {
location $BACKEND_ENDPOINT/messages/upload {
limit_req zone=upload burst=3 nodelay;
rewrite ^$BACKEND_ENDPOINT/(.*)$ /$1 break;
proxy_pass http://$BACKEND_HOST:$BACKEND_PORT/;
proxy_pass $upstream_backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -254,7 +276,7 @@ http {
location $BACKEND_ENDPOINT/ {
limit_req zone=api burst=20 nodelay;
rewrite ^$BACKEND_ENDPOINT/(.*)$ /$1 break;
proxy_pass http://$BACKEND_HOST:$BACKEND_PORT/;
proxy_pass $upstream_backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -266,7 +288,8 @@ http {
}
location /radio/ {
proxy_pass http://$ICECAST_HOST:$ICECAST_PORT/;
rewrite ^/radio/(.*)$ /$1 break;
proxy_pass $upstream_icecast;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -278,7 +301,8 @@ http {
}
location /gitea/ {
proxy_pass http://$GITEA_HOST:$GITEA_PORT/;
rewrite ^/gitea/(.*)$ /$1 break;
proxy_pass $upstream_gitea;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -292,7 +316,8 @@ http {
location /hasura/ {
auth_request /internal/auth/admin-validate;
error_page 401 403 = @auth_denied;
proxy_pass http://$HASURA_HOST:$HASURA_PORT/;
rewrite ^/hasura/(.*)$ /$1 break;
proxy_pass $upstream_hasura;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -309,7 +334,8 @@ http {
location /notes/ {
auth_request /internal/auth/admin-validate;
error_page 401 403 = @auth_denied;
proxy_pass http://$QUARTZ_HOST:$QUARTZ_PORT/;
rewrite ^/notes/(.*)$ /$1 break;
proxy_pass $upstream_quartz;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
@@ -322,7 +348,8 @@ http {
location = /internal/auth/admin-validate {
internal;
proxy_pass http://$BACKEND_HOST:$BACKEND_PORT/auth/validate-admin;
rewrite ^ /auth/validate-admin break;
proxy_pass $upstream_backend;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
proxy_set_header Cookie $http_cookie;
@@ -339,7 +366,8 @@ http {
location /searxng/ {
auth_request /internal/auth/admin-validate;
error_page 401 403 = @auth_denied;
proxy_pass http://$SEARXNG_HOST:$SEARXNG_PORT/;
rewrite ^/searxng/(.*)$ /$1 break;
proxy_pass $upstream_searxng;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
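Review bot: Switching every `proxy_pass` to a variable also turns off nginx's default `proxy_redirect` rewriting, which is not available when `proxy_pass` is specified with variables. In the prefix-stripping locations (`/radio/`, `/gitea/`, `/hasura/`, `/notes/`, `/searxng/`, in both server blocks) an upstream `Location` header will now reach the client unmodified, so a redirect can lose the public prefix or expose the internal host and port. The location bodies continue outside the hunks, so if they do not already set it, add an explicit rule to each, e.g. `proxy_redirect http://$GITEA_HOST:$GITEA_PORT/ /gitea/;`. A short comment beside `resolver 127.0.0.11 valid=10s;` stating that this is Docker's embedded DNS and that the variable form of `proxy_pass` depends on it would keep a later cleanup from reverting to literal hostnames.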