nginx dynamic SNI TCP forwarding with docker

I have a bunch of puppet docker containers. One for each environment because puppet-libs are only loaded once.
I didn't want to expose a different port for each puppet container every time a new environment is built. The goal is to reach each container through its \.puppet FQDN.

It turns out there is a pretty simple way to do this by putting nginx in front of them.

nginx.conf:

user  nginx;
worker_processes  1;
error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;

events {
  worker_connections  1024;
}

stream {
  server {
    listen 8140;
    # read the SNI from the TLS ClientHello without terminating TLS
    ssl_preread on;
    # forward the raw TCP stream to the container named by the SNI
    proxy_pass  $ssl_preread_server_name:8140;
    # docker's embedded DNS, so container names resolve
    resolver 127.0.0.11;
  }
}

External requests for \.puppet are routed to nginx. nginx then does one more DNS lookup against docker's internal resolver. If \.puppet matches a container name, the connection is forwarded to that container.
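To show what ssl_preread actually does, here is an added example (not code from the post): it pulls server_name out of a constructed ClientHello without any key or decryption, then makes the same routing decision as the proxy_pass line above, but only for names matching an assumed *.puppet naming scheme (ALLOWED_SNI). The SNI is chosen by the client, so an unrestricted proxy_pass lets any client make nginx dial whatever name the resolver answers for; in nginx itself that restriction is a map on $ssl_preread_server_name.

```python
import re
import struct

ALLOWED_SNI = re.compile(r"^[a-z0-9-]+\.puppet$")  # assumed naming scheme of the containers

def build_client_hello(server_name):
    """Constructed minimal TLS ClientHello carrying one server_name (SNI) extension."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name       # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list           # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x00" * 32                               # version, zeroed random
            + b"\x00"                                                # empty session id
            + struct.pack("!H", 2) + b"\x13\x01"                     # one cipher suite
            + b"\x01\x00"                                            # null compression only
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body    # ClientHello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(data):
    """The ssl_preread step: read server_name from the plaintext ClientHello (no decryption)."""
    try:
        if data[0] != 0x16 or data[5] != 0x01:                      # TLS handshake record, ClientHello
            return None
        p = 9 + 2 + 32                                   # record hdr, handshake hdr, version, random
        p += 1 + data[p]                                 # session id
        p += 2 + struct.unpack("!H", data[p:p + 2])[0]   # cipher suites
        p += 1 + data[p]                                 # compression methods
        ext_end = p + 2 + struct.unpack("!H", data[p:p + 2])[0]
        p += 2
        while p + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", data[p:p + 4])
            q, p = p + 6, p + 4 + elen                   # q: first list entry, p: next extension
            if etype == 0:
                while q + 3 <= p:
                    ntype, nlen = data[q], struct.unpack("!H", data[q + 1:q + 3])[0]
                    if ntype == 0:
                        return data[q + 3:q + 3 + nlen].decode("ascii", "replace")
                    q += 3 + nlen
    except (IndexError, struct.error):
        pass                                             # truncated or malformed: treat as no SNI
    return None

def pick_upstream(data):
    """Same decision as `proxy_pass $ssl_preread_server_name:8140`, limited to *.puppet names."""
    sni = extract_sni(data)
    if sni is None or not ALLOWED_SNI.match(sni):
        return None                                      # refuse instead of dialling an arbitrary name
    return f"{sni}:8140"
```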


Last update: March 22, 2021