Within a Docker container, a “curl http://google.com” works fine, but a “curl https://google.com” fails. Outside of the container, on the VM natively, both of these work.

Since version 17 of Docker, the following entry needs to be added to the iptables policy on the host that is running the containers:

    sudo iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

This sets the “maximum segment size” (MSS) value in the TCP SYN packet that initiates a connection, as part of “path MTU” negotiation. It is intended to get past “ICMP type 3 code 4” (fragmentation needed) blocking: the “Don’t fragment” flag is set on an IP packet that is too large, but the sending router/host never receives the ICMP type 3 code 4 message that would tell it to resend the “too large” packet at a smaller size. This is often an issue when using tunnelling or “packet sleeving”, with GRE and IPsec packets as well.
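An added helper script (not from the original page) that makes the fix above idempotent and shows the MTU arithmetic behind it: re-running `iptables -I` inserts a duplicate rule each time, so the rule is checked with `iptables -C` first. The interface names and the sysfs MTU lookup are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original page. Wraps the TCPMSS clamp rule
# described above so it can be applied safely from a provisioning script.

CLAMP_RULE='-p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu'

# has_clamp_rule RULES: return 0 if RULES (the text printed by
# `iptables -S FORWARD`) already contains the clamp rule.
has_clamp_rule() {
    printf '%s\n' "$1" | grep -q -- '--tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu'
}

# mss_for_mtu MTU: largest TCP payload that fits in one IPv4 packet of the
# given MTU (20-byte IP header + 20-byte TCP header, no options).
mss_for_mtu() {
    echo $(( $1 - 40 ))
}

# ensure_clamp_rule: insert the rule only if it is missing (needs root).
# `iptables -C` exits 0 when an identical rule already exists.
ensure_clamp_rule() {
    if iptables -C FORWARD $CLAMP_RULE 2>/dev/null; then
        echo "clamp rule already present"
    else
        iptables -I FORWARD $CLAMP_RULE
        echo "clamp rule inserted"
    fi
}

# show_mtus DEV...: print the MTU of each interface. A docker0 MTU larger than
# the host uplink MTU (e.g. a 1500-byte bridge behind a 1400-byte tunnel) is
# the mismatch behind the HTTPS failure described above. Interface names are
# assumptions; adjust for your host.
show_mtus() {
    for dev in "$@"; do
        printf '%s mtu %s\n' "$dev" "$(cat "/sys/class/net/$dev/mtu")"
    done
}

# Typical use on the host (uncomment to run):
# show_mtus eth0 docker0
# ensure_clamp_rule
```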

Docker Compose

The fix above does not necessarily apply when using Docker Compose. To apply the MTU fix with Docker Compose, refer to the following article:
https://www.civo.com/learn/fixing-networking-for-docker

References

https://www.frozentux.net/iptables-tutorial/chunkyhtml/x4721.html

https://stackoverflow.com/questions/47551873/no-http-https-connectivity-inside-docker-container