Cockpit through NGINX: after setting it up, the other services are no longer reachable
I have a server (Ubuntu Server) running some Docker-based services (Gitlab, Redmine) with NGINX as a reverse proxy:

```
gitlab.<myserver>  => NGINX -> <docker-net-ip>:port => Gitlab-container
redmine.<myserver> => NGINX -> <docker-net-ip>:port => Redmine-container
                                                       SQL-container
                                                       Certbot
```
This works like a charm. Now I want to extend my server with the Cockpit web service:

```
cockpit.<myserver> => NGINX -> localhost:9090         => Cockpit running on the server
gitlab.<myserver>  => NGINX -> <docker-net-ip>:port => Gitlab-container
redmine.<myserver> => NGINX -> <docker-net-ip>:port => Redmine-container
                                                       SQL-container
                                                       Certbot
```
I added an additional NGINX rule for Cockpit (following https://github.com/cockpit-project/cockpit/wiki/Proxying-Cockpit-over-NGINX). After that, Cockpit is reachable, but neither Redmine nor Gitlab is. If I remove the rule, it is the other way round.

The following NGINX rules are stored in */etc/nginx/sites-available/* and */etc/nginx/sites-enabled/*:
gitlab.<myserver>

```nginx
server {
    listen 80;
    listen [::]:80;
    server_name gitlab.<myserver>;

    location / {
        proxy_pass http://<docker-net-ip>:port;
        proxy_buffering off;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
```
redmine.<myserver>

```nginx
server {
    listen 80;
    listen [::]:80;
    server_name redmine.<myserver>;

    location / {
        proxy_pass http://<docker-net-ip>:port;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-for $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```
Now I added:

cockpit.<myserver>

```nginx
server {
    listen 80;
    listen 443 ssl;
    server_name cockpit.<myserver>;

    location / {
        # Required to proxy the connection to Cockpit
        proxy_pass https://127.0.0.1:9090;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Required for web sockets to function
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # Pass ETag header from Cockpit to clients.
        # See: https://github.com/cockpit-project/cockpit/issues/5239
        gzip off;
    }
}
```
and */etc/cockpit/cockpit.conf*:

```ini
[WebService]
Origins = https://cockpit.<myserver> 127.0.0.1:9090
ProtocolHeader = X-Forwarded-Proto

[Log]
Fatal = /var/log/cockpit.log

[Session]
IdleTimeout=15
```
What is missing here?
Not all devices show this problem. Some display *"This connection is not secure"* for redmine and gitlab, but not for cockpit. The solution to the puzzle: the rules for Gitlab and Redmine were incomplete, so https requests had nowhere to go.

The rule for port 443 (https) was missing. I have now split each block into two:

- redirect http requests to https
- listen for https requests and forward them to the application

It now looks like this:
*/etc/nginx/sites-available/gitlab.<myserver>* linked to */etc/nginx/sites-enabled/gitlab.<myserver>*

```nginx
# redirect http requests to https while keeping the request uri
server {
    listen 80;
    listen [::]:80;
    server_name gitlab.<myserver>;
    return 301 https://gitlab.<myserver>$request_uri;
}

# https requests will be forwarded to the server application
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name gitlab.<myserver>;
    # the ssl_certificate / ssl_certificate_key directives for this host are not shown here

    location / {
        proxy_pass http://<docker-net-ip>:<port>;
        proxy_buffering off;
        proxy_set_header X-Real-IP $remote_addr;

        # Note: You should disable gzip for SSL traffic.
        # See: https://bugs.debian.org/773332
        gzip off;
    }
}
```
*/etc/nginx/sites-available/redmine.<myserver>* linked to */etc/nginx/sites-enabled/redmine.<myserver>*

```nginx
# redirect http requests to https while keeping the request uri
server {
    listen 80;
    listen [::]:80;
    server_name redmine.<myserver>;
    return 301 https://redmine.<myserver>$request_uri;
}

# https requests will be forwarded to the server application
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name redmine.<myserver>;
    # the ssl_certificate / ssl_certificate_key directives for this host are not shown here

    location / {
        proxy_pass http://<docker-net-ip>:<port>;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-for $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Note: You should disable gzip for SSL traffic.
        # See: https://bugs.debian.org/773332
        gzip off;
    }
}
```
*/etc/nginx/sites-available/cockpit.<myserver>* linked to */etc/nginx/sites-enabled/cockpit.<myserver>*

```nginx
server {
    listen 80;
    listen 443 ssl;
    server_name cockpit.<myserver>;
    # the ssl_certificate / ssl_certificate_key directives for this host are not shown here

    location / {
        # Required to proxy the connection to Cockpit
        proxy_pass https://127.0.0.1:9090;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Required for web sockets to function
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # Pass ETag header from Cockpit to clients.
        # See: https://github.com/cockpit-project/cockpit/issues/5239
        gzip off;
    }
}
```
and */etc/cockpit/cockpit.conf*:

```ini
[WebService]
Origins = https://cockpit.<myserver> 127.0.0.1:9090
ProtocolHeader = X-Forwarded-Proto

[Log]
Fatal = /var/log/cockpit.log

[Session]
IdleTimeout=15
```
And for completeness:

*/etc/nginx/sites-available/default* linked to */etc/nginx/sites-enabled/default*

```nginx
##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# https://www.nginx.com/resources/wiki/start/
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
# https://wiki.debian.org/Nginx/DirectoryStructure
#
# In most cases, administrators will remove this file from sites-enabled/ and
# leave it as reference inside of sites-available where it will continue to be
# updated by the nginx packaging team.
#
# This file will automatically load configuration files provided by other
# applications, such as Drupal or WordPress. These applications will be made
# available underneath a path with that package name, such as /drupal8.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##

# Default server configuration
#
server {
    listen 80 default_server;
    listen [::]:80 default_server;

    # SSL configuration
    #
    # listen 443 ssl default_server;
    # listen [::]:443 ssl default_server;
    #
    # Note: You should disable gzip for SSL traffic.
    # See: https://bugs.debian.org/773332
    #
    # Read up on ssl_ciphers to ensure a secure configuration.
    # See: https://bugs.debian.org/765782
    #
    # Self signed certs generated by the ssl-cert package
    # Don't use them in a production server!
    #
    # include snippets/snakeoil.conf;

    root /var/www/html;
    error_log /opt/logs/certbot_error debug;
}
```
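The diagnosis in the answer can be checked mechanically. An https request for a hostname that has no `listen 443` block cannot be matched by server name, so nginx hands it to whichever block is the default for port 443; with the original files that was the only block listening on 443, the Cockpit one, which explains both the certificate warning and the wrong service answering. The following Python script is an added example, not code from the question, the answer, or the Cockpit project. It uses a deliberately small parser that understands only `server { ... }` blocks and the `listen`, `server_name` and `ssl_certificate` directives, and reports three things: hostnames that have an http listener but no https listener, the block that will act as the https default, and ssl listeners with no certificate in the same block. The two embedded configs are constructed from the vhosts on this page; the certificate paths in them are placeholders.

```python
"""Audit nginx vhosts: which hostnames listen on http but not https, and which
server block nginx will use as the default for port 443.

Added example, not code from the question or the answer. Sample configs are
constructed from the vhosts on the page; certificate paths are placeholders.
"""
import re
import sys

# Constructed sample: the original situation, where only the cockpit vhost has
# a `listen 443 ssl` line (and, as on the page, no ssl_certificate is shown).
BEFORE = """
server { listen 80; listen [::]:80; server_name gitlab.<myserver>;
         location / { proxy_pass http://<docker-net-ip>:<port>; } }
server { listen 80; listen [::]:80; server_name redmine.<myserver>;
         location / { proxy_pass http://<docker-net-ip>:<port>; } }
server { listen 80; listen 443 ssl; server_name cockpit.<myserver>;
         location / { proxy_pass https://127.0.0.1:9090; } }
"""

# Constructed sample: the fixed layout, one http redirect block plus one https
# block per host. /placeholder/... paths stand in for the real certificates.
AFTER = """
server { listen 80; server_name gitlab.<myserver>;
         return 301 https://gitlab.<myserver>$request_uri; }
server { listen 443 ssl; listen [::]:443 ssl; server_name gitlab.<myserver>;
         ssl_certificate /placeholder/gitlab/fullchain.pem;
         ssl_certificate_key /placeholder/gitlab/privkey.pem;
         location / { proxy_pass http://<docker-net-ip>:<port>; } }
server { listen 80; server_name redmine.<myserver>;
         return 301 https://redmine.<myserver>$request_uri; }
server { listen 443 ssl; listen [::]:443 ssl; server_name redmine.<myserver>;
         ssl_certificate /placeholder/redmine/fullchain.pem;
         ssl_certificate_key /placeholder/redmine/privkey.pem;
         location / { proxy_pass http://<docker-net-ip>:<port>; } }
server { listen 80; listen 443 ssl; server_name cockpit.<myserver>;
         ssl_certificate /placeholder/cockpit/fullchain.pem;
         ssl_certificate_key /placeholder/cockpit/privkey.pem;
         location / { proxy_pass https://127.0.0.1:9090; } }
"""


def _server_blocks(text):
    """Yield the body of every `server { ... }` block, comments stripped."""
    text = re.sub(r"#[^\n]*", "", text)
    for m in re.finditer(r"\bserver\s*\{", text):
        depth, start = 0, m.end()
        for j in range(m.end() - 1, len(text)):   # walk braces to the matching }
            if text[j] == "{":
                depth += 1
            elif text[j] == "}":
                depth -= 1
                if depth == 0:
                    yield text[start:j]
                    break


def _directive(block, name):
    """Argument lists of every `name ...;` directive inside a block."""
    return [args.split() for args in re.findall(rf"\b{name}\s+([^;]+);", block)]


def _port(addr):
    """Port of a listen address: `80`, `*:80`, `[::]:80`, or bare `[::]` (80)."""
    tail = addr.rsplit(":", 1)[-1]
    return int(tail) if tail.isdigit() else 80


def audit(config_text):
    """Return the findings a reviewer would want for the page's symptom."""
    servers = []
    for block in _server_blocks(config_text):
        listens = _directive(block, "listen")
        servers.append({
            "names": [n for args in _directive(block, "server_name") for n in args],
            "ports": {_port(a[0]) for a in listens},
            "ssl": any("ssl" in a[1:] for a in listens),
            "default_443": any("default_server" in a[1:] and _port(a[0]) == 443
                               for a in listens),
            "has_cert": bool(_directive(block, "ssl_certificate")),
        })

    # A hostname with an http listener but no https listener: nginx cannot match
    # an https request to it, so the default block for 443 answers instead.
    ports_by_name = {}
    for s in servers:
        for n in s["names"]:
            ports_by_name.setdefault(n, set()).update(s["ports"])
    missing_https = sorted(n for n, p in ports_by_name.items()
                           if 80 in p and 443 not in p)

    # Default for 443: an explicit `default_server`, else the first block that
    # listens on 443 in configuration order.
    on_443 = [s for s in servers if 443 in s["ports"]]
    chosen = next((s for s in on_443 if s["default_443"]),
                  on_443[0] if on_443 else None)
    https_default = chosen["names"][0] if chosen and chosen["names"] else None

    # `listen ... ssl` with no ssl_certificate in the same block: confirm an
    # include (e.g. one written by Certbot) supplies it, or nginx rejects it.
    ssl_without_cert = sorted(n for s in servers if s["ssl"] and not s["has_cert"]
                              for n in s["names"])

    return {"missing_https": missing_https, "https_default": https_default,
            "ssl_without_cert": ssl_without_cert}


if __name__ == "__main__":
    if len(sys.argv) > 1:                  # e.g. `nginx -T > all.conf` first
        with open(sys.argv[1]) as fh:
            print(audit(fh.read()))
    else:
        print("before:", audit(BEFORE))
        print("after: ", audit(AFTER))
```

On the `BEFORE` sample the script lists gitlab and redmine under `missing_https` and names the cockpit block as the https default; on `AFTER` both lists are empty and the gitlab https block becomes the default simply because it comes first. To run it against a live host, dump the effective configuration with `nginx -T` into a file and pass that file as the argument; the parser only needs the `server` blocks, so includes expanded by `-T` are handled.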