我在 nginx 中托管了一堆服务(通过子域),例如 mine.mydomain.com、doku.mydomain.com 等。多年来,它一直运行顺利(Ubuntu Server,现在已升级到 20.04 LTS,几乎所有服务,包括在 Docker 中运行的 nginx 本身)。但在设置新网络(新硬件、在 VLAN 中隔离内容)后,无法通过子域/域(mine.mydomain.com)访问儿童 minecraft 服务器,尽管我测试过的所有其他服务仍然运行良好。
我对端口 25565 (minecraft) 进行了端口转发,看看是否可以使用我的 externalIP:port 进行访问,绕过 nginx。这很好用。奇怪的是,现在我也可以访问 minecraft 服务器了虽然我的外部 mine.mydomain.com。我看不出这有什么关系,因为我为 nginx 转发了端口 80、443,这应该是需要的(这是我的旧设置)。但它是一致的,只要我删除端口转发,访问(通过 nginx,mine.mydomain.com)就消失了,我收到错误:
io.netty.channel.AbstractChannel$AnnotatedConnecttException: Connection refused:
我已经将很多 nginx 配置分开,但不同的文件如下。首先是特定于 minecraft 的文件,然后是用于比较的 dokuwiki 实例(运行良好),以及 ssl、nginx、代理配置。
我的世界
server {
listen 443 ssl;
root /config/www;
index index.html index.htm index.php;
server_name mine.mydomain.com;
include /config/nginx/ssl.conf;
client_max_body_size 0;
location / {
# auth_basic "Restricted";
# auth_basic_user_file /config/nginx/.htpasswd;
include /config/nginx/proxy.conf;
proxy_pass http://10.0.30.21:25565;
}
}
多库维基
server {
listen 443 ssl;
root /config/www;
index index.html index.htm index.php;
server_name doku.mydomain.com;
include /config/nginx/ssl.conf;
client_max_body_size 0;
location / {
# auth_basic "Restricted";
# auth_basic_user_file /config/nginx/.htpasswd;
include /config/nginx/proxy.conf;
proxy_pass http://10.0.30.21:8844;
}
}
默认
(我有,other_domain.com因为我在两个不同的域上托管东西。但这other_domain.com只是一个网站,所有其他服务都在 mydomain.com 域上,每个服务都有子域,就像上面的两个例子一样)。
## Version 2021/01/03 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/default
error_page 502 /502.html;
# redirect all traffic to https
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
return 301 https://$host$request_uri;
}
# main server block
server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
root /config/www;
index index.html index.htm index.php;
server_name other_domain.com; ### ADD AFTER UPDATE!
# enable subfolder method reverse proxy confs
include /config/nginx/proxy-confs/*.subfolder.conf;
# all ssl related config moved to ssl.conf
include /config/nginx/ssl.conf;
# enable for ldap auth
#include /config/nginx/ldap.conf;
# enable for Authelia
#include /config/nginx/authelia-server.conf;
# enable for geo blocking
# See /config/nginx/geoip2.conf for more information.
#if ($allowed_country = no) {
#return 444;
#}
client_max_body_size 0;
location / {
try_files $uri $uri/ /index.html /index.php?$args =404;
}
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
# fastcgi_pass 127.0.0.1:9000;
fastcgi_pass 10.0.30.21:9000; ### ADD AFTER UPDATE!
fastcgi_index index.php;
include /etc/nginx/fastcgi_params;
}
# sample reverse proxy config for password protected couchpotato running at IP 192.168.1.50 port 5050 with base url "cp"
# notice this is within the same server block as the base
# don't forget to generate the .htpasswd file as described on docker hub
# location ^~ /cp {
# auth_basic "Restricted";
# auth_basic_user_file /config/nginx/.htpasswd;
# include /config/nginx/proxy.conf;
# proxy_pass http://192.168.1.50:5050/cp;
# }
}
# sample reverse proxy config without url base, but as a subdomain "cp", ip and port same as above
# notice this is a new server block, you need a new server block for each subdomain
#server {
# listen 443 ssl http2;
# listen [::]:443 ssl http2;
#
# root /config/www;
# index index.html index.htm index.php;
#
# server_name cp.*;
#
# include /config/nginx/ssl.conf;
#
# client_max_body_size 0;
#
# location / {
# auth_basic "Restricted";
# auth_basic_user_file /config/nginx/.htpasswd;
# include /config/nginx/proxy.conf;
# proxy_pass http://192.168.1.50:5050;
# }
#}
# sample reverse proxy config for "heimdall" via subdomain, with ldap authentication
# ldap-auth container has to be running and the /config/nginx/ldap.conf file should be filled with ldap info
# notice this is a new server block, you need a new server block for each subdomain
#server {
# listen 443 ssl http2;
# listen [::]:443 ssl http2;
#
# root /config/www;
# index index.html index.htm index.php;
#
# server_name heimdall.*;
#
# include /config/nginx/ssl.conf;
#
# include /config/nginx/ldap.conf;
#
# client_max_body_size 0;
#
# location / {
# # the next two lines will enable ldap auth along with the included ldap.conf in the server block
# auth_request /auth;
# error_page 401 =200 /ldaplogin;
#
# include /config/nginx/proxy.conf;
# resolver 127.0.0.11 valid=30s;
# set $upstream_app heimdall;
# set $upstream_port 443;
# set $upstream_proto https;
# proxy_pass $upstream_proto://$upstream_app:$upstream_port;
# }
#}
# sample reverse proxy config for "heimdall" via subdomain, with Authelia
# Authelia container has to be running in the same user defined bridge network, with container name "authelia", and with 'path: "authelia"' set in its configuration.yml
# notice this is a new server block, you need a new server block for each subdomain
#server {
# listen 443 ssl http2;
# listen [::]:443 ssl http2;
#
# root /config/www;
# index index.html index.htm index.php;
#
# server_name heimdall.*;
#
# include /config/nginx/ssl.conf;
#
# include /config/nginx/authelia-server.conf;
#
# client_max_body_size 0;
#
# location / {
# # the next line will enable Authelia along with the included authelia-server.conf in the server block
# include /config/nginx/authelia-location.conf;
#
# include /config/nginx/proxy.conf;
# resolver 127.0.0.11 valid=30s;
# set $upstream_app heimdall;
# set $upstream_port 443;
# set $upstream_proto https;
# proxy_pass $upstream_proto://$upstream_app:$upstream_port;
# }
#}
# enable subdomain method reverse proxy confs
include /config/nginx/proxy-confs/*.subdomain.conf;
# enable proxy cache for auth
proxy_cache_path cache/ keys_zone=auth_cache:10m;
ssl.conf
# session settings
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
# Diffie-Hellman parameter for DHE cipher suites
ssl_dhparam /config/nginx/dhparams.pem;
# ssl certs
ssl_certificate /config/keys/letsencrypt/fullchain.pem;
ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
# protocols
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers REDACTED;
# HSTS, remove # from the line below to enable HSTS
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
# OCSP Stapling
ssl_stapling on;
ssl_stapling_verify on;
# Optional additional headers
#add_header Content-Security-Policy "upgrade-insecure-requests";
#add_header X-Frame-Options "SAMEORIGIN" always;
#add_header X-XSS-Protection "1; mode=block" always;
#add_header X-Content-Type-Options "nosniff" always;
#add_header X-UA-Compatible "IE=Edge" always;
#add_header Cache-Control "no-transform" always;
#add_header Referrer-Policy "same-origin" always;
代理配置文件
client_max_body_size 10m;
client_body_buffer_size 128k;
#Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
# Advanced Proxy Config
send_timeout 5m;
proxy_read_timeout 240;
proxy_send_timeout 240;
proxy_connect_timeout 240;
# Basic Proxy Config
proxy_set_header Host $host:$server_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Ssl on;
proxy_redirect http:// $scheme://;
proxy_http_version 1.1;
proxy_set_header Connection "";
#proxy_cookie_path / "/; HTTPOnly; Secure"; # enable at your own risk, may break certain apps
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 32 4k;
nginx.con
user abc;
worker_processes 4;
pid /run/nginx.pid;
include /etc/nginx/modules/*.conf;
events {
worker_connections 768;
# multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
client_max_body_size 0;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# Logging Settings
##
access_log /config/log/nginx/access.log;
error_log /config/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
gzip_disable "msie6";
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
##
# nginx-naxsi config
##
# Uncomment it if you installed nginx-naxsi
##
#include /etc/nginx/naxsi_core.rules;
##
# nginx-passenger config
##
# Uncomment it if you installed nginx-passenger
##
#passenger_root /usr;
#passenger_ruby /usr/bin/ruby;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /config/nginx/site-confs/*;
}
#mail {
# # See sample authentication script at:
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
# # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
# server {
# listen localhost:110;
# protocol pop3;
# proxy on;
# }
#
# server {
# listen localhost:143;
# protocol imap;
# proxy on;
# }
#}
daemon off;
docker-compose.yaml文件;minecraft 和 nginx 部分(nginx 是“swag”容器的一部分):
swag:
image: linuxserver/swag
container_name: swag
volumes:
- /mnt/data/docker/letsencrypt/config:/config
- /etc/localtime:/etc/localtime:ro
ports:
- "10.0.30.21:80:80"
- "10.0.30.21:443:443"
environment:
- PUID=1000
- PGID=1004
- EMAIL=READCTED
- TZ=REDACTED
- URL=mydomain.com
- SUBDOMAINS=hass,dash,mqtt,enter,doku,print,mail,panel,mine,rcon,next,hassos
- DHLEVEL=4096
- VALIDATION=http
- EXTRA_DOMAINS=other_domain.com
cap_add:
- NET_ADMIN
restart: unless-stopped
networks:
mynet:
ipv4_address: 172.11.0.2
minecraft_server:
image: itzg/minecraft-server:latest
container_name: minecraft_server
ports:
- "10.0.30.21:25565:25565"
volumes:
- "/mnt/data/docker/minecraft:/data"
environment:
EULA: "TRUE"
ENABLE_RCON: "TRUE"
RCON_PASSWORD: "REDACTED"
RCON_PORT: 28016
CONSOLE: 'FALSE'
restart: always