Nginx

通過 NGINX 的駕駛艙 - 設置使其他服務無法訪問

  • November 14, 2021

我有一個伺服器(Ubuntu-Server),帶有一些基於 Docker 的伺服器(Gitlab、Redmine)和 NGINX 作為代理。

gitlab.<myserver>    => NGINX -> <docker-net-ip>:port => Gitlab-container  
redmine.<myserver>   => NGINX -> <docker-net-ip>:port => Redmine-container
                                                        SQL-container  
                                                        Certbot  

這就像一個魅力。現在我想通過 Cockpit Web Service 擴展我的伺服器:

cockpit.<myserver>   => NGINX -> localhost:9090       => Cockpit running on the server  
gitlab.<myserver>    => NGINX -> <docker-net-ip>:port => Gitlab-container  
redmine.<myserver>   => NGINX -> <docker-net-ip>:port => Redmine-container
                                                        SQL-container  
                                                        Certbot  

我為駕駛艙添加了一個額外的 NGINX 規則(對應於https://github.com/cockpit-project/cockpit/wiki/Proxying-Cockpit-over-NGINX),然後駕駛艙可用,但 Redmine 和 Gitlab 都沒有。如果我刪除規則,反之亦然。

在*/etc/nginx/sites-available//etc/nginx/sites-enabled/*中儲存了以下 NGINX 規則:

gitlab.<我的伺服器>

server {

   listen 80;
   listen [::]:80;

   server_name gitlab.&lt;myserver&gt;;

   location / {
       proxy_pass         http://&lt;docker-net-ip&gt;:port;
       proxy_buffering    off;
       proxy_set_header   X-Real-IP       $remote_addr;
   }
}

redmine.<我的伺服器>

server {

   listen 80;
   listen [::]:80;

   server_name redmine.&lt;myserver&gt;;

   location / {
       proxy_pass         http://&lt;docker-net-ip&gt;:port;
       proxy_set_header   Host                $host;
       proxy_set_header   X-Real-IP           $remote_addr;
       proxy_set_header   X-Forwarded-for     $proxy_add_x_forwarded_for;
       proxy_set_header   X-Forwarded-Proto   $scheme;
   }
}

現在我添加了:

cockpit.<myserver>

server {
   listen         80;
   listen         443 ssl;

   server_name    cockpit.&lt;myserver&gt;;

   location / {
       # Required to proxy the connection to Cockpit
       proxy_pass https://127.0.0.1:9090;
       proxy_set_header Host $host;
       proxy_set_header X-Forwarded-Proto $scheme;

       # Required for web sockets to function
       proxy_http_version 1.1;
       proxy_buffering off;
       proxy_set_header Upgrade $http_upgrade;
       proxy_set_header Connection "upgrade";

       # Pass ETag header from Cockpit to clients.
       # See: https://github.com/cockpit-project/cockpit/issues/5239
       gzip off;
   }
}

和*/etc/cockpit/cockpit.conf*

[WebService]
Origins = https://cockpit.&lt;myserver&gt; 127.0.0.1:9090
ProtocolHeader = X-Forwarded-Proto

[Log]
Fatal = /var/log/cockpit.log

[Session]
IdleTimeout=15

這裡缺少什麼?

這裡缺少什麼?

並非所有設備都會出現此問題。有些人顯示*“此連接不安全”。*對於 redmine 和 gitlab。但駕駛艙沒有。現在謎題的解決方案是,Gitlab 和 Redmine 的規則不完整,https 請求無處可去。

缺少埠 443 (https) 的規則。現在我把塊變成了兩個:

  1. 將http請求重定向到https
  2. 監聽 https 請求並將它們轉發到應用程序

現在看起來像這樣:

/etc/nginx/sites-available/gitlab.<myserver>連結到/etc/nginx/sites-enabled/gitlab.<myserver>

# redirect http request to https while keeping the request uri
server {

   listen 80;
   listen [::]:80;

   server_name gitlab.&lt;myserver&gt;;

   return 301 https://gitlab.&lt;myserver&gt;$request_uri;
}

# https requests will forwarded to the server application
server {

   listen 443 ssl;
   listen [::]:443 ssl;

   server_name gitlab.&lt;myserver&gt;;

   location / {
       proxy_pass         http://&lt;docker-net-ip&gt;:&lt;port&gt;;
       proxy_buffering    off;
       proxy_set_header   X-Real-IP       $remote_addr;

       # Note: You should disable gzip for SSL traffic.
       # See: https://bugs.debian.org/773332
       gzip off;
   }
}

/etc/nginx/sites-available/redmine.<myserver>連結到/etc/nginx/sites-enabled/redmine.<myserver>

# redirect http request to https while keeping the request uri
server {

   listen 80;
   listen [::]:80;

   server_name redmine.&lt;myserver&gt;;

   return 301 https://redmine.&lt;myserver&gt;$request_uri;
}

# https requests will forwarded to the server application
server {

   listen 443 ssl;
   listen [::]:443 ssl;

   server_name redmine.&lt;myserver&gt;;

   location / {
       proxy_pass         http://&lt;docker-net-ip&gt;:&lt;port&gt;;
       proxy_set_header   Host                $host;
       proxy_set_header   X-Real-IP           $remote_addr;
       proxy_set_header   X-Forwarded-for     $proxy_add_x_forwarded_for;
       proxy_set_header   X-Forwarded-Proto   $scheme;

       # Note: You should disable gzip for SSL traffic.
       # See: https://bugs.debian.org/773332
       gzip off;
   }
}

/etc/nginx/sites-available/cockpit.<myserver>連結到/etc/nginx/sites-enabled/cockpit.<myserver>

server {
   listen         80;
   listen         443 ssl;

   server_name    cockpit.&lt;myserver&gt;;

   location / {
       # Required to proxy the connection to Cockpit
       proxy_pass https://127.0.0.1:9090;
       proxy_set_header Host $host;
       proxy_set_header X-Forwarded-Proto $scheme;

       # Required for web sockets to function
       proxy_http_version 1.1;
       proxy_buffering off;
       proxy_set_header Upgrade $http_upgrade;
       proxy_set_header Connection "upgrade";

       # Pass ETag header from Cockpit to clients.
       # See: https://github.com/cockpit-project/cockpit/issues/5239
       gzip off;
   }
}

和*/etc/cockpit/cockpit.conf*

[WebService]
Origins = https://cockpit.&lt;myserver&gt; 127.0.0.1:9090
ProtocolHeader = X-Forwarded-Proto

[Log]
Fatal = /var/log/cockpit.log

[Session]
IdleTimeout=15

並且為了完成:

/etc/nginx/sites-available/default連結到*/etc/nginx/sites-enabled/default*

##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# https://www.nginx.com/resources/wiki/start/
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
# https://wiki.debian.org/Nginx/DirectoryStructure
#
# In most cases, administrators will remove this file from sites-enabled/ and
# leave it as reference inside of sites-available where it will continue to be
# updated by the nginx packaging team.
#
# This file will automatically load configuration files provided by other
# applications, such as Drupal or WordPress. These applications will be made
# available underneath a path with that package name, such as /drupal8.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##

# Default server configuration
#
server {
   listen 80 default_server;
   listen [::]:80 default_server;

   # SSL configuration
   #
   # listen 443 ssl default_server;
   # listen [::]:443 ssl default_server;
   #
   # Note: You should disable gzip for SSL traffic.
   # See: https://bugs.debian.org/773332
   #
   # Read up on ssl_ciphers to ensure a secure configuration.
   # See: https://bugs.debian.org/765782
   #
   # Self signed certs generated by the ssl-cert package
   # Don't use them in a production server!
   #
   # include snippets/snakeoil.conf;

   root /var/www/html;

   error_log /opt/logs/certbot_error debug;
}

引用自:https://serverfault.com/questions/1083473