Tags: docker, ssl, curl

Can't make https requests from docker container to some urls (curl 28 Connection timed out)


I have a PHP app running in Docker and for some reason most requests from the container fail by timeout, like Symfony HTTP client requests and composer install. I was trying to get to the source of this trouble to generalize it, and it seems like the container cannot make https requests. Most of the time at least: google, facebook, yandex respond like everything is fine. The only way I've managed to make those requests is network_mode: host, but I'm not doing that for safety, and it is another trouble to connect containers with this setting - php just stopped getting requests from nginx some time ago. Furthermore, the same container locally makes those requests just fine, which makes me think the culprit is a firewall, but I'm not any good at reading those rules and they are a mess; I followed the ufw-docker guide to set everything up.

TL;DR

What I currently have is php and nginx in docker, they can communicate with each other, I can successfully connect to the app and get a response, but outgoing https connections are blocked (at least those which I need).

Most curl requests end like this:

$ curl https://raw.githubusercontent.com/ -v -4
* Host raw.githubusercontent.com:443 was resolved.
* IPv6: (none)
* IPv4: 185.199.109.133, 185.199.108.133, 185.199.111.133, 185.199.110.133
*   Trying 185.199.109.133:443...
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* Connection timed out after 300004 milliseconds
* closing connection #0
curl: (28) Connection timed out after 300004 milliseconds

The same requests made from the host and from this container locally are OK.

Using the php:8.3-fpm-alpine image; the server is Ubuntu 24.04.


Edit, tried so far:

  • checked DNS resolving in the container, also tried adding dns in daemon.json (removed at this point)
  • tried a single vanilla php image
  • removed all DOCKER-USER related rules in iptables, allowed all traffic: iptables -F DOCKER-USER && iptables -A DOCKER-USER -j RETURN
  • checked ufw rules, Default: deny (incoming), allow (outgoing), deny (routed); tried allowing routed
  • tried the last two bullets together
  • checked MTU
  • checked /var/log/syslog for any ufw blocked entries (there are none)

Solution

  • I also ran into this issue. I spent a lot of time configuring UFW, DNS, and other things, but nothing worked. In the end, lowering the MTU to 1400 solved the problem. Honestly, I don’t even understand why this worked...

    Just try to set DOCKER_OPTS="--mtu 1400" in /etc/default/docker.

    Or update docker-compose.yml like this:

    version: '3.8'
    
    services:
      php:
        image: php:8.3-fpm
        container_name: php_app
        volumes:
          - .:/var/www/html
        ports:
          - "9000:9000"
        networks:
          - my_network
    
    networks:
      my_network:
        driver: bridge
        driver_opts:
          # driver_opts values must be strings; an unquoted 1400 is rejected by Compose v2 validation
          com.docker.network.driver.mtu: "1400"
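The MTU fix in the answer above points at a path-MTU black hole: small exchanges get through, but the full-size packets of a TLS handshake are silently dropped, so curl hangs right after the Client hello. The following diagnostic is an added example, not code from the question or the answer: it probes the path with Don't-Fragment pings (Linux iputils `ping -M do`, assumed available on the host) and compares the result with the `docker0` bridge MTU read from /sys (the interface name and the default target host are assumptions; a Compose network uses its own br-* bridge instead).

```python
#!/usr/bin/env python3
"""Added diagnostic (not from the answer above): find the path MTU by probing with
DF-bit pings, then compare it with the Docker bridge MTU.  A black hole for
full-size packets matches the symptom in the question: tiny exchanges succeed,
but a TLS handshake whose records fill 1500-byte packets never completes."""
import subprocess
import sys
from typing import Callable, Optional

IP_ICMP_OVERHEAD = 28          # 20-byte IPv4 header + 8-byte ICMP echo header
MIN_IPV4_MTU = 576             # every IPv4 path must carry this (RFC 791)


def ping_probe(target: str, payload: int) -> bool:
    """One ICMP echo with Don't-Fragment set (Linux iputils: ping -M do).
    Returns True if the reply came back, False if the packet was dropped."""
    cmd = ["ping", "-c", "1", "-W", "2", "-M", "do", "-s", str(payload), target]
    return subprocess.run(cmd, capture_output=True).returncode == 0


def find_path_mtu(passes: Callable[[int], bool], lo: int = MIN_IPV4_MTU, hi: int = 1500) -> int:
    """Binary-search the largest packet size (headers included) that `passes`
    accepts, where passes(payload_bytes) reports whether a DF probe got through."""
    if not passes(lo - IP_ICMP_OVERHEAD):
        raise RuntimeError(f"even {lo}-byte packets are dropped; this is not an MTU problem")
    if passes(hi - IP_ICMP_OVERHEAD):
        return hi                              # full-size frames pass: no black hole
    while hi - lo > 1:                         # invariant: lo passes, hi fails
        mid = (lo + hi) // 2
        if passes(mid - IP_ICMP_OVERHEAD):
            lo = mid
        else:
            hi = mid
    return lo


def recommended_docker_mtu(path_mtu: int, bridge_mtu: int) -> Optional[int]:
    """Value for com.docker.network.driver.mtu, or None when the bridge already fits."""
    return path_mtu if bridge_mtu > path_mtu else None


def read_iface_mtu(iface: str) -> int:
    with open(f"/sys/class/net/{iface}/mtu") as f:   # Linux only; docker0 is the default bridge
        return int(f.read())


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "raw.githubusercontent.com"  # assumed target
    path_mtu = find_path_mtu(lambda n: ping_probe(host, n))
    bridge_mtu = read_iface_mtu("docker0")
    fix = recommended_docker_mtu(path_mtu, bridge_mtu)
    print(f"path MTU {path_mtu}, docker0 MTU {bridge_mtu}: "
          + (f"set com.docker.network.driver.mtu to {fix}" if fix else "MTU is not the problem"))
```

Run it on the host, not inside the container, passing the destination that times out as the first argument; the printed value is what to put in driver_opts.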