Nginx

無法從執行它的作業系統外部訪問 docker 容器

  • April 20, 2022

我不是基於 Unix 的系統的重度使用者。而且我在向公眾開放伺服器埠(80)並將其重定向到正在執行的容器時遇到了一些麻煩。

所以基本上,我在一個正在執行的 Ubuntu 伺服器(IP 167.86.106.109)上有一個正在執行的容器,容器的 IP 是 127.0.200.1(並且埠 80 是開放的)。

在 167.86.106.109 上執行TELNET 127.0.200.1 80,我可以執行返回 200 的 GET。從外面我有一個超時

我已經完成了以下操作,但仍然無法從外部訪問埠 80 上的 167.86.106.109(超時錯誤):

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -m conntrack --ctstate NEW -j DNAT --to 127.0.200.1:80

iptables -t nat -A PREROUTING -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

iptables -A POSTROUTING -t nat -j MASQUERADE

iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT

iptables -t nat -A OUTPUT -i eth0 -p tcp --dport 80 -m conntrack --ctstate NEW -j DNAT --to 127.0.200.1:80

iptables-save > /etc/iptables.rules

ufw allow http

顯然,我做錯了什麼,但是什麼?

輸出docker ps

2f7617d72299   polk-auction-ui:latest   "/docker-entrypoint.…"   52 minutes ago   Up 52 minutes   127.0.200.1:80->80/tcp   polk-auction-ui

這是在 Ubuntu 20.04(64 位)上。該容器是 Docker 容器 (v 20.10.14)

有關我目前設置的更多資訊:

作業系統(IP 167.86.106.109)在 VPS 上執行,我想從外部訪問的 docker 容器正在執行具有以下配置的 nginx:

user  nginx;
worker_processes  1;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;

events {
   worker_connections  1024;
}

http {
   include       /etc/nginx/mime.types;
   default_type  application/octet-stream;

   log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                     '$status $body_bytes_sent "$http_referer" '
                     '"$http_user_agent" "$http_x_forwarded_for"';

   access_log  /var/log/nginx/access.log  main;

   sendfile        on;
   #tcp_nopush     on;

   keepalive_timeout  65;
   gzip  on;
   #include /etc/nginx/conf.d/*.conf;
   
   server {
     listen 80;
     location / {
       root   /usr/share/nginx/html;
       index  index.html index.htm;
       try_files $uri $uri/ /index.html;
       #try_files $uri =404;
     }
   }
}

結果ufw status verbose

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
30333                      ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
80/tcp (v6)                ALLOW IN    Anywhere (v6)
30333 (v6)                 ALLOW IN    Anywhere (v6)

的輸出iptables -L -v -n:(很多來自docker本身)

Chain INPUT (policy DROP 37 packets, 2168 bytes)
pkts bytes target     prot opt in     out     source               destination
32669 4524K f2b-sshd   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22
2374K 1737M ufw-before-logging-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
2374K 1737M ufw-before-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
274K   16M ufw-after-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
262K   16M ufw-after-logging-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
262K   16M ufw-reject-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
262K   16M ufw-track-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
167M  118G DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0
167M  118G DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0
888K  166M ACCEPT     all  --  *      br-4c0567f529d0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
19186 1150K DOCKER     all  --  *      br-4c0567f529d0  0.0.0.0/0            0.0.0.0/0
   0     0 ACCEPT     all  --  br-4c0567f529d0 !br-4c0567f529d0  0.0.0.0/0            0.0.0.0/0
19186 1150K ACCEPT     all  --  br-4c0567f529d0 br-4c0567f529d0  0.0.0.0/0            0.0.0.0/0
 51M   59G ACCEPT     all  --  *      br-56fce7b8bc16  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
3433  971K DOCKER     all  --  *      br-56fce7b8bc16  0.0.0.0/0            0.0.0.0/0
 39M 3429M ACCEPT     all  --  br-56fce7b8bc16 !br-56fce7b8bc16  0.0.0.0/0            0.0.0.0/0
3397  969K ACCEPT     all  --  br-56fce7b8bc16 br-56fce7b8bc16  0.0.0.0/0            0.0.0.0/0
 42M   53G ACCEPT     all  --  *      br-9316082e3f65  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
3397  969K DOCKER     all  --  *      br-9316082e3f65  0.0.0.0/0            0.0.0.0/0
 33M 2699M ACCEPT     all  --  br-9316082e3f65 !br-9316082e3f65  0.0.0.0/0            0.0.0.0/0
3397  969K ACCEPT     all  --  br-9316082e3f65 br-9316082e3f65  0.0.0.0/0            0.0.0.0/0
37132  233M ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
   0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
13310 1453K ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
   0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0
   0     0 ufw-before-logging-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   0     0 ufw-before-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   0     0 ufw-after-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   0     0 ufw-after-logging-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   0     0 ufw-reject-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   0     0 ufw-track-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
1835K   83M ufw-before-logging-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0
1835K   83M ufw-before-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0
2843  253K ufw-after-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0
2843  253K ufw-after-logging-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0
2843  253K ufw-reject-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0
2843  253K ufw-track-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER (4 references)
pkts bytes target     prot opt in     out     source               destination
   0     0 ACCEPT     tcp  --  !br-9316082e3f65 br-9316082e3f65  0.0.0.0/0            172.18.0.2           tcp dpt:8080
   0     0 ACCEPT     tcp  --  !br-56fce7b8bc16 br-56fce7b8bc16  0.0.0.0/0            172.19.0.2           tcp dpt:8080
   0     0 ACCEPT     tcp  --  !br-4c0567f529d0 br-4c0567f529d0  0.0.0.0/0            172.20.0.2           tcp dpt:3306
   0     0 ACCEPT     tcp  --  !br-4c0567f529d0 br-4c0567f529d0  0.0.0.0/0            172.20.0.3           tcp dpt:8080
   0     0 ACCEPT     tcp  --  !br-56fce7b8bc16 br-56fce7b8bc16  0.0.0.0/0            172.19.0.5           tcp dpt:30333
   0     0 ACCEPT     tcp  --  !br-9316082e3f65 br-9316082e3f65  0.0.0.0/0            172.18.0.5           tcp dpt:30333
   0     0 ACCEPT     tcp  --  !br-56fce7b8bc16 br-56fce7b8bc16  0.0.0.0/0            172.19.0.3           tcp dpt:80

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
pkts bytes target     prot opt in     out     source               destination
   0     0 DOCKER-ISOLATION-STAGE-2  all  --  br-4c0567f529d0 !br-4c0567f529d0  0.0.0.0/0            0.0.0.0/0         
 39M 3429M DOCKER-ISOLATION-STAGE-2  all  --  br-56fce7b8bc16 !br-56fce7b8bc16  0.0.0.0/0            0.0.0.0/0         
 33M 2699M DOCKER-ISOLATION-STAGE-2  all  --  br-9316082e3f65 !br-9316082e3f65  0.0.0.0/0            0.0.0.0/0         
13310 1453K DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
167M  118G RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (4 references)
pkts bytes target     prot opt in     out     source               destination
   0     0 DROP       all  --  *      br-4c0567f529d0  0.0.0.0/0            0.0.0.0/0
   0     0 DROP       all  --  *      br-56fce7b8bc16  0.0.0.0/0            0.0.0.0/0
   0     0 DROP       all  --  *      br-9316082e3f65  0.0.0.0/0            0.0.0.0/0
   0     0 DROP       all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
 73M 6129M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-USER (1 references)
pkts bytes target     prot opt in     out     source               destination
167M  118G RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain f2b-sshd (1 references)
pkts bytes target     prot opt in     out     source               destination
28666 4185K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-after-forward (1 references)
pkts bytes target     prot opt in     out     source               destination

Chain ufw-after-input (1 references)
pkts bytes target     prot opt in     out     source               destination
   0     0 ufw-skip-to-policy-input  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:137
   0     0 ufw-skip-to-policy-input  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:138
  81  4104 ufw-skip-to-policy-input  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:139
11583  599K ufw-skip-to-policy-input  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:445
   0     0 ufw-skip-to-policy-input  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
   0     0 ufw-skip-to-policy-input  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:68
   0     0 ufw-skip-to-policy-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
pkts bytes target     prot opt in     out     source               destination
   0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-input (1 references)
pkts bytes target     prot opt in     out     source               destination
12797  753K LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
pkts bytes target     prot opt in     out     source               destination

Chain ufw-after-output (1 references)
pkts bytes target     prot opt in     out     source               destination

Chain ufw-before-forward (1 references)
pkts bytes target     prot opt in     out     source               destination
   0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
   0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 3
   0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 11
   0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 12
   0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
   0     0 ufw-user-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-before-input (1 references)
pkts bytes target     prot opt in     out     source               destination
5083  453K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
41195 5355K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
4634  827K ufw-logging-deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
4634  827K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
   0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 3
   0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 11
   0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 12
4586  357K ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
211K   74M ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
1823K  109M ufw-not-local  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251          udp dpt:5353
   0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            239.255.255.250      udp dpt:1900
1823K  109M ufw-user-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-before-logging-forward (1 references)
pkts bytes target     prot opt in     out     source               destination

Chain ufw-before-logging-input (1 references)
pkts bytes target     prot opt in     out     source               destination

Chain ufw-before-logging-output (1 references)
pkts bytes target     prot opt in     out     source               destination

Chain ufw-before-output (1 references)
pkts bytes target     prot opt in     out     source               destination
5089  453K ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
1722K   74M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
2488  227K ufw-user-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-logging-allow (0 references)
pkts bytes target     prot opt in     out     source               destination
   0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
pkts bytes target     prot opt in     out     source               destination
3643  763K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID limit: avg 3/min burst 10
 671 48807 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
pkts bytes target     prot opt in     out     source               destination
1823K  109M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL
   0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type MULTICAST
   0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
   0     0 ufw-logging-deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10
   0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-reject-forward (1 references)
pkts bytes target     prot opt in     out     source               destination

Chain ufw-reject-input (1 references)
pkts bytes target     prot opt in     out     source               destination

Chain ufw-reject-output (1 references)
pkts bytes target     prot opt in     out     source               destination

Chain ufw-skip-to-policy-forward (0 references)
pkts bytes target     prot opt in     out     source               destination
   0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-skip-to-policy-input (7 references)
pkts bytes target     prot opt in     out     source               destination
11664  603K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-skip-to-policy-output (0 references)
pkts bytes target     prot opt in     out     source               destination
   0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-track-forward (1 references)
pkts bytes target     prot opt in     out     source               destination

Chain ufw-track-input (1 references)
pkts bytes target     prot opt in     out     source               destination

Chain ufw-track-output (1 references)
pkts bytes target     prot opt in     out     source               destination
 346 43729 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW
1599  153K ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW

Chain ufw-user-forward (1 references)
pkts bytes target     prot opt in     out     source               destination

Chain ufw-user-input (1 references)
pkts bytes target     prot opt in     out     source               destination
2237  132K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
2240  114K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
1663K  100M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:30333
   0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:30333

Chain ufw-user-limit (0 references)
pkts bytes target     prot opt in     out     source               destination
   0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "
   0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
pkts bytes target     prot opt in     out     source               destination
   0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-user-logging-forward (0 references)
pkts bytes target     prot opt in     out     source               destination

Chain ufw-user-logging-input (0 references)
pkts bytes target     prot opt in     out     source               destination

Chain ufw-user-logging-output (0 references)
pkts bytes target     prot opt in     out     source               destination

Chain ufw-user-output (1 references)
pkts bytes target     prot opt in     out     source               destination

編輯:

docker-compose 使用:

version: "3.8"

networks:
   polkadot:
       external: true
   kusama:
       external: true

services: 
   polk-auction-ui:
       image: polk-auction-ui:latest
       container_name: polk-auction-ui
       ports:
           - "127.0.200.1:80:80"
       networks:
           - polkadot
           - kusama

圖像是這樣建構的:

# Build step
FROM node:14 as build
WORKDIR /app
COPY package.json yarn.lock ./
RUN yarn install
COPY . ./
RUN yarn build:prod

# Run step
FROM nginx:stable-alpine
COPY nginx.conf /etc/nginx/nginx.conf
COPY --from=build /app/dist /usr/share/nginx/html
EXPOSE 80
CMD ["nginx", "-g", "daemon off;"]

127.0.0.0/8是環回介面,又名 localhost。要在所有介面上發布,您可以從發布的埠中刪除 IP 地址:

version: "3.8"

networks:
   polkadot:
       external: true
   kusama:
       external: true

services: 
   polk-auction-ui:
       image: polk-auction-ui:latest
       container_name: polk-auction-ui
       ports:
           - "80:80"
       networks:
           - polkadot
           - kusama

引用自:https://serverfault.com/questions/1099063