Cannot access a docker container from outside the OS that runs it
I am not a heavy user of Unix-based systems, and I am having some trouble opening a server port (80) to the public and redirecting it to a running container.
So basically, I have a container running on a running Ubuntu server (IP 167.86.106.109); the container's IP is 127.0.200.1 (and port 80 is open).
Running TELNET 127.0.200.1 80 on 167.86.106.109, I can perform a GET that returns 200. From outside I get a timeout. I have done the following, but still cannot reach 167.86.106.109 on port 80 from outside (timeout error):
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -m conntrack --ctstate NEW -j DNAT --to 127.0.200.1:80
iptables -t nat -A PREROUTING -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A POSTROUTING -t nat -j MASQUERADE
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
iptables -t nat -A OUTPUT -i eth0 -p tcp --dport 80 -m conntrack --ctstate NEW -j DNAT --to 127.0.200.1:80
iptables-save > /etc/iptables.rules
ufw allow http
Obviously I am doing something wrong, but what?
Output of docker ps:
2f7617d72299 polk-auction-ui:latest "/docker-entrypoint.…" 52 minutes ago Up 52 minutes 127.0.200.1:80->80/tcp polk-auction-ui
This is on Ubuntu 20.04 (64-bit). The container is a Docker container (v 20.10.14).
More information about my current setup:
The OS (IP 167.86.106.109) runs on a VPS, and the docker container I want to reach from outside runs nginx with the following configuration:
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
    worker_connections 1024;
}
http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    sendfile on;
    #tcp_nopush on;
    keepalive_timeout 65;
    gzip on;
    #include /etc/nginx/conf.d/*.conf;
    server {
        listen 80;
        location / {
            root /usr/share/nginx/html;
            index index.html index.htm;
            try_files $uri $uri/ /index.html;
            #try_files $uri =404;
        }
    }
}
Result of ufw status verbose:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To             Action      From
--             ------      ----
22/tcp         ALLOW IN    Anywhere
80/tcp         ALLOW IN    Anywhere
30333          ALLOW IN    Anywhere
22/tcp (v6)    ALLOW IN    Anywhere (v6)
80/tcp (v6)    ALLOW IN    Anywhere (v6)
30333 (v6)     ALLOW IN    Anywhere (v6)
Output of iptables -L -v -n (much of it comes from docker itself):
Chain INPUT (policy DROP 37 packets, 2168 bytes)
 pkts bytes target prot opt in out source destination
32669 4524K f2b-sshd tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22
2374K 1737M ufw-before-logging-input all -- * * 0.0.0.0/0 0.0.0.0/0
2374K 1737M ufw-before-input all -- * * 0.0.0.0/0 0.0.0.0/0
274K 16M ufw-after-input all -- * * 0.0.0.0/0 0.0.0.0/0
262K 16M ufw-after-logging-input all -- * * 0.0.0.0/0 0.0.0.0/0
262K 16M ufw-reject-input all -- * * 0.0.0.0/0 0.0.0.0/0
262K 16M ufw-track-input all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
167M 118G DOCKER-USER all -- * * 0.0.0.0/0 0.0.0.0/0
167M 118G DOCKER-ISOLATION-STAGE-1 all -- * * 0.0.0.0/0 0.0.0.0/0
888K 166M ACCEPT all -- * br-4c0567f529d0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
19186 1150K DOCKER all -- * br-4c0567f529d0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br-4c0567f529d0 !br-4c0567f529d0 0.0.0.0/0 0.0.0.0/0
19186 1150K ACCEPT all -- br-4c0567f529d0 br-4c0567f529d0 0.0.0.0/0 0.0.0.0/0
51M 59G ACCEPT all -- * br-56fce7b8bc16 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
3433 971K DOCKER all -- * br-56fce7b8bc16 0.0.0.0/0 0.0.0.0/0
39M 3429M ACCEPT all -- br-56fce7b8bc16 !br-56fce7b8bc16 0.0.0.0/0 0.0.0.0/0
3397 969K ACCEPT all -- br-56fce7b8bc16 br-56fce7b8bc16 0.0.0.0/0 0.0.0.0/0
42M 53G ACCEPT all -- * br-9316082e3f65 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
3397 969K DOCKER all -- * br-9316082e3f65 0.0.0.0/0 0.0.0.0/0
33M 2699M ACCEPT all -- br-9316082e3f65 !br-9316082e3f65 0.0.0.0/0 0.0.0.0/0
3397 969K ACCEPT all -- br-9316082e3f65 br-9316082e3f65 0.0.0.0/0 0.0.0.0/0
37132 233M ACCEPT all -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- * docker0 0.0.0.0/0 0.0.0.0/0
13310 1453K ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 docker0 0.0.0.0/0 0.0.0.0/0
0 0 ufw-before-logging-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-before-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-after-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-after-logging-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-reject-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-track-forward all -- * * 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
1835K 83M ufw-before-logging-output all -- * * 0.0.0.0/0 0.0.0.0/0
1835K 83M ufw-before-output all -- * * 0.0.0.0/0 0.0.0.0/0
2843 253K ufw-after-output all -- * * 0.0.0.0/0 0.0.0.0/0
2843 253K ufw-after-logging-output all -- * * 0.0.0.0/0 0.0.0.0/0
2843 253K ufw-reject-output all -- * * 0.0.0.0/0 0.0.0.0/0
2843 253K ufw-track-output all -- * * 0.0.0.0/0 0.0.0.0/0

Chain DOCKER (4 references)
 pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- !br-9316082e3f65 br-9316082e3f65 0.0.0.0/0 172.18.0.2 tcp dpt:8080
0 0 ACCEPT tcp -- !br-56fce7b8bc16 br-56fce7b8bc16 0.0.0.0/0 172.19.0.2 tcp dpt:8080
0 0 ACCEPT tcp -- !br-4c0567f529d0 br-4c0567f529d0 0.0.0.0/0 172.20.0.2 tcp dpt:3306
0 0 ACCEPT tcp -- !br-4c0567f529d0 br-4c0567f529d0 0.0.0.0/0 172.20.0.3 tcp dpt:8080
0 0 ACCEPT tcp -- !br-56fce7b8bc16 br-56fce7b8bc16 0.0.0.0/0 172.19.0.5 tcp dpt:30333
0 0 ACCEPT tcp -- !br-9316082e3f65 br-9316082e3f65 0.0.0.0/0 172.18.0.5 tcp dpt:30333
0 0 ACCEPT tcp -- !br-56fce7b8bc16 br-56fce7b8bc16 0.0.0.0/0 172.19.0.3 tcp dpt:80

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target prot opt in out source destination
0 0 DOCKER-ISOLATION-STAGE-2 all -- br-4c0567f529d0 !br-4c0567f529d0 0.0.0.0/0 0.0.0.0/0
39M 3429M DOCKER-ISOLATION-STAGE-2 all -- br-56fce7b8bc16 !br-56fce7b8bc16 0.0.0.0/0 0.0.0.0/0
33M 2699M DOCKER-ISOLATION-STAGE-2 all -- br-9316082e3f65 !br-9316082e3f65 0.0.0.0/0 0.0.0.0/0
13310 1453K DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
167M 118G RETURN all -- * * 0.0.0.0/0 0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (4 references)
 pkts bytes target prot opt in out source destination
0 0 DROP all -- * br-4c0567f529d0 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * br-56fce7b8bc16 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * br-9316082e3f65 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * docker0 0.0.0.0/0 0.0.0.0/0
73M 6129M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0

Chain DOCKER-USER (1 references)
 pkts bytes target prot opt in out source destination
167M 118G RETURN all -- * * 0.0.0.0/0 0.0.0.0/0

Chain f2b-sshd (1 references)
 pkts bytes target prot opt in out source destination
28666 4185K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-after-forward (1 references)
 pkts bytes target prot opt in out source destination

Chain ufw-after-input (1 references)
 pkts bytes target prot opt in out source destination
0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:137
0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:138
81 4104 ufw-skip-to-policy-input tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:139
11583 599K ufw-skip-to-policy-input tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:68
0 0 ufw-skip-to-policy-input all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
 pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-input (1 references)
 pkts bytes target prot opt in out source destination
12797 753K LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
 pkts bytes target prot opt in out source destination

Chain ufw-after-output (1 references)
 pkts bytes target prot opt in out source destination

Chain ufw-before-forward (1 references)
 pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 12
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
0 0 ufw-user-forward all -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-before-input (1 references)
 pkts bytes target prot opt in out source destination
5083 453K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
41195 5355K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
4634 827K ufw-logging-deny all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
4634 827K DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 12
4586 357K ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
211K 74M ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
1823K 109M ufw-not-local all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * * 0.0.0.0/0 224.0.0.251 udp dpt:5353
0 0 ACCEPT udp -- * * 0.0.0.0/0 239.255.255.250 udp dpt:1900
1823K 109M ufw-user-input all -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-before-logging-forward (1 references)
 pkts bytes target prot opt in out source destination

Chain ufw-before-logging-input (1 references)
 pkts bytes target prot opt in out source destination

Chain ufw-before-logging-output (1 references)
 pkts bytes target prot opt in out source destination

Chain ufw-before-output (1 references)
 pkts bytes target prot opt in out source destination
5089 453K ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
1722K 74M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
2488 227K ufw-user-output all -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-logging-allow (0 references)
 pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
 pkts bytes target prot opt in out source destination
3643 763K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID limit: avg 3/min burst 10
671 48807 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
 pkts bytes target prot opt in out source destination
1823K 109M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type MULTICAST
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
0 0 ufw-logging-deny all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-reject-forward (1 references)
 pkts bytes target prot opt in out source destination

Chain ufw-reject-input (1 references)
 pkts bytes target prot opt in out source destination

Chain ufw-reject-output (1 references)
 pkts bytes target prot opt in out source destination

Chain ufw-skip-to-policy-forward (0 references)
 pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-skip-to-policy-input (7 references)
 pkts bytes target prot opt in out source destination
11664 603K DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-skip-to-policy-output (0 references)
 pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-track-forward (1 references)
 pkts bytes target prot opt in out source destination

Chain ufw-track-input (1 references)
 pkts bytes target prot opt in out source destination

Chain ufw-track-output (1 references)
 pkts bytes target prot opt in out source destination
346 43729 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW
1599 153K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW

Chain ufw-user-forward (1 references)
 pkts bytes target prot opt in out source destination

Chain ufw-user-input (1 references)
 pkts bytes target prot opt in out source destination
2237 132K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
2240 114K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
1663K 100M ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:30333
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:30333

Chain ufw-user-limit (0 references)
 pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
 pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-user-logging-forward (0 references)
 pkts bytes target prot opt in out source destination

Chain ufw-user-logging-input (0 references)
 pkts bytes target prot opt in out source destination

Chain ufw-user-logging-output (0 references)
 pkts bytes target prot opt in out source destination

Chain ufw-user-output (1 references)
 pkts bytes target prot opt in out source destination
Edit:
docker-compose used:
version: "3.8"
networks:
  polkadot:
    external: true
  kusama:
    external: true
services:
  polk-auction-ui:
    image: polk-auction-ui:latest
    container_name: polk-auction-ui
    ports:
      - "127.0.200.1:80:80"
    networks:
      - polkadot
      - kusama
The image is built like this:
# Build step
FROM node:14 as build
WORKDIR /app
COPY package.json yarn.lock ./
RUN yarn install
COPY . ./
RUN yarn build:prod

# Run step
FROM nginx:stable-alpine
COPY nginx.conf /etc/nginx/nginx.conf
COPY --from=build /app/dist /usr/share/nginx/html
EXPOSE 80
CMD ["nginx", "-g", "daemon off;"]
127.0.0.0/8 is the loopback interface, aka localhost. To publish on all interfaces, you can drop the IP address from the published port:
version: "3.8"
networks:
  polkadot:
    external: true
  kusama:
    external: true
services:
  polk-auction-ui:
    image: polk-auction-ui:latest
    container_name: polk-auction-ui
    ports:
      - "80:80"
    networks:
      - polkadot
      - kusama
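As an added example (not part of the question or of the answer above), the following POSIX shell script classifies the host address that a Compose-style port spec or a docker ps Ports entry binds to, so you can tell from the mapping alone whether a published port is reachable only from the host itself (a 127.0.0.0/8 bind, as in the question) or from every interface. The function names and the sample Ports value are constructed for this example; the first entry of the sample is the mapping shown in the question's docker ps output.

```shell
#!/bin/sh
# Added example: classify the reachability scope of published Docker ports
# from their host bind address. Function names are this example's own.

# Map a host address (empty string = none given) to the scope it is
# reachable from.
scope_of_host() {
    case "$1" in
        ""|0.0.0.0|::)  echo all-interfaces ;;    # reachable from outside
        127.*|::1)      echo loopback-only ;;     # only from the host itself
        *)              echo specific-address ;;  # one host address only
    esac
}

# Host address of a Compose / `docker run -p` port spec. Handles:
# "80", "80:80", "0.0.0.0:80:80", "127.0.200.1:80:80", "[::1]:80:80", "80:80/udp".
host_of_port_spec() {
    spec="${1%/*}"                                   # drop optional /tcp or /udp
    case "$spec" in
        \[*\]:*:*) h="${spec#\[}"; echo "${h%%\]*}" ;;  # bracketed IPv6 address
        *:*:*)     echo "${spec%%:*}" ;;                # host:hostport:containerport
        *)         echo "" ;;                           # no host address at all
    esac
}

# Scope of a Compose-style port spec.
classify_port_spec() {
    scope_of_host "$(host_of_port_spec "$1")"
}

# Host address of one `docker ps` Ports entry such as "127.0.200.1:80->80/tcp"
# or ":::80->80/tcp" (how docker ps prints an IPv6 wildcard bind).
host_of_ps_entry() {
    hostport="${1%%->*}"        # "127.0.200.1:80" or ":::80"
    echo "${hostport%:*}"       # strip the trailing ":port"
}

# Classify every entry of a `docker ps` Ports column (entries are comma
# separated). Prints one "<entry> <scope>" line per entry.
classify_ps_ports() {
    printf '%s\n' "$1" | tr ',' '\n' | while IFS= read -r entry; do
        entry="${entry# }"
        [ -n "$entry" ] || continue
        printf '%s %s\n' "$entry" "$(scope_of_host "$(host_of_ps_entry "$entry")")"
    done
}

# Constructed sample Ports column: the question's mapping plus two wildcard binds.
SAMPLE_PORTS='127.0.200.1:80->80/tcp, 0.0.0.0:8080->8080/tcp, :::8080->8080/tcp'

# Stand-alone run: classify the constructed sample.
classify_ps_ports "$SAMPLE_PORTS"
```

To run it against a live host, feed the output of docker ps --format '{{.Ports}}' to classify_ps_ports one line at a time. Two caveats when reading the result: a port published without a host address is inserted by Docker into its own DOCKER chain of the FORWARD table (the chain that lists the 172.x.x.x destinations in the question's iptables output), which is consulted before ufw's forward chains, so ufw's allow/deny rules do not govern it; if you want host-firewall control over a published service, keep the loopback bind and front it with a reverse proxy on the host, or add restrictions in the DOCKER-USER chain, which Docker evaluates first.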