Nginx

HTTPS 不會暴露在 Docker 中執行的 NGINX 之外

  • March 13, 2021

我正在嘗試在 Docker 中設置 Apache Guacamole 和 NGINX 反向代理,並且在獲取 HTTPS 連接以脫離 NGINX 工作時遇到了一些麻煩(HTTP 工作正常)。我在大部分時間都在自學,並嘗試了每一個建議來嘗試解決類似的問題,但沒有運氣。

現在,兩個容器都可以正常啟動,反向代理日誌中沒有出現任何問題:

/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: info: Getting the checksum of /etc/nginx/conf.d/default.conf
10-listen-on-ipv6-by-default.sh: info: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
/docker-entrypoint.sh: Configuration complete; ready for start up

docker ps兩者都顯示為正在執行,並為反向代理公開了正確的埠:

CONTAINER ID   IMAGE            COMMAND                  CREATED       STATUS       PORTS                                      NAMES
60b4f2e6c3e2   nginx:latest     "/docker-entrypoint.…"   2 hours ago   Up 2 hours   0.0.0.0:80->80/tcp, 0.0.0.0:433->433/tcp   reverse-proxy
a4c7f1fc4759   oznu/guacamole   "/init"                  2 hours ago   Up 2 hours   8080/tcp                                   guacamole

netstat -tulpn | grep LISTEN還顯示埠已暴露(並且在容器未執行時不顯示,因此它似乎來自正確的位置):

tcp        0      0 0.0.0.0:5900            0.0.0.0:*               LISTEN      1391/vino-server
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      30538/docker-proxy
tcp        0      0 0.0.0.0:433             0.0.0.0:*               LISTEN      30499/docker-proxy
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      577/systemd-resolve
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      4489/sshd: /usr/sbi
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      624/cupsd
tcp6       0      0 :::5900                 :::*                    LISTEN      1391/vino-server
tcp6       0      0 :::22                   :::*                    LISTEN      4489/sshd: /usr/sbi
tcp6       0      0 ::1:631                 :::*                    LISTEN      624/cupsd

但是,無論是嘗試訪問 https://localhost、https://example.com 還是只是嘗試在本地或外部對機器進行 nmap 映射,都會顯示埠 80 開放而埠 433 關閉。

Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-11 18:57 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00011s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
631/tcp  open  ipp
5900/tcp open  vnc

我感覺這是某個地方的網路/防火牆問題,並嘗試按照指南將 iptables 重置為預設值,但這似乎沒有解決任何問題。我認為這不會產生任何影響,但是在我嘗試測試時證書是自簽名的,然後再設置 Let’s Encrypt。下面是我的 docker-compose.yml 和 nginx.conf。

碼頭工人-compose.yml

version: '3'

services:
 reverse-proxy:
   image: nginx:latest
   container_name: reverse-proxy
   ports:
     - 80:80
     - 433:433
   volumes:
     - ./nginx.conf:/etc/nginx/nginx.conf
     - ./example.com.crt:/etc/nginx/example.com.crt
     - ./example.com.key:/etc/nginx/example.com.key
   depends_on:
     - guacamole
   restart: always
 
 guacamole:
   image: oznu/guacamole
   container_name: guacamole
   expose:
     - 8080
   volumes:
     - /home/user/guacamole:/config
   restart: always

nginx.conf

worker_processes 1;

events {
   worker_connections 1024;
}

http {
   
   server {
       listen 80;
       server_name example.com;
       return 302 https://$host$request_uri; #302 for testing purposes, will be 301 later
   }
   
   server {
       listen 433 ssl;
       server_name example.com;
       
       ssl_certificate /etc/nginx/example.com.crt;
       ssl_certificate_key /etc/nginx/example.com.key;
       
       location / {
           proxy_pass http://guacamole:8080;
           proxy_buffering off;
           proxy_http_version 1.1;
           proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_set_header Upgrade $http_upgrade;
           proxy_set_header Connection $http_connection;
           access_log off;
       }
   }
}

預先感謝您的任何幫助!

經過更多故障排除並蒐索正確的關鍵字以偶然發現這篇文章後解決了這個問題。當 HTTPS 為 443 時,我正在監聽和轉發 433,哎呀。我猜是學習仔細檢查程式碼是否有錯誤的好課。

引用自:https://serverfault.com/questions/1056784