为什么在设置新网络后与我的 minecraft 服务器(通过 nginx)的连接丢失了,而其他所有 nginx 服务都运行正常?

为什么在设置新网络后与我的 minecraft 服务器(通过 nginx)的连接丢失了,而其他所有 nginx 服务都运行正常?

我在 nginx 中托管了一堆服务(通过子域),例如 mine.mydomain.com、doku.mydomain.com 等。多年来,它一直运行顺利(Ubuntu Server,现在已升级到 20.04 LTS,几乎所有服务,包括在 Docker 中运行的 nginx 本身)。但在设置新网络(新硬件、在 VLAN 中隔离内容)后,无法通过子域/域(mine.mydomain.com)访问儿童 minecraft 服务器,尽管我测试过的所有其他服务仍然运行良好。

我对端口 25565 (minecraft) 进行了端口转发,看看是否可以使用我的 externalIP:port 进行访问,绕过 nginx。这很好用。奇怪的是,现在我也可以访问 minecraft 服务器了虽然我的外部 mine.mydomain.com。我看不出这有什么关系,因为我为 nginx 转发了端口 80、443,这应该是需要的(这是我的旧设置)。但它是一致的,只要我删除端口转发,访问(通过 nginx,mine.mydomain.com)就消失了,我收到错误:

io.netty.channel.AbstractChannel$AnnotatedConnecttException: Connection refused:

我已经将很多 nginx 配置分开,但不同的文件如下。首先是特定于 minecraft 的文件,然后是用于比较的 dokuwiki 实例(运行良好),以及 ssl、nginx、代理配置。

我的世界

server {
    listen 443 ssl;

    root /config/www;
    index index.html index.htm index.php;

    server_name mine.mydomain.com;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
#       auth_basic "Restricted";
#       auth_basic_user_file /config/nginx/.htpasswd;
        include /config/nginx/proxy.conf;
        proxy_pass http://10.0.30.21:25565;
    }
}

多库维基

server {
    listen 443 ssl;

    root /config/www;
    index index.html index.htm index.php;

    server_name doku.mydomain.com;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
#       auth_basic "Restricted";
#       auth_basic_user_file /config/nginx/.htpasswd;
        include /config/nginx/proxy.conf;
        proxy_pass http://10.0.30.21:8844;
    }
}

默认 (我有,other_domain.com因为我在两个不同的域上托管东西。但这other_domain.com只是一个网站,所有其他服务都在 mydomain.com 域上,每个服务都有子域,就像上面的两个例子一样)。

## Version 2021/01/03 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/default

error_page 502 /502.html;

# redirect all traffic to https
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
}

# main server block
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;

    root /config/www;
    index index.html index.htm index.php;

    server_name other_domain.com; ### ADD AFTER UPDATE!

    # enable subfolder method reverse proxy confs
    include /config/nginx/proxy-confs/*.subfolder.conf;

    # all ssl related config moved to ssl.conf
    include /config/nginx/ssl.conf;

    # enable for ldap auth
    #include /config/nginx/ldap.conf;

    # enable for Authelia
    #include /config/nginx/authelia-server.conf;

    # enable for geo blocking
    # See /config/nginx/geoip2.conf for more information.
    #if ($allowed_country = no) {
    #return 444;
    #}

    client_max_body_size 0;

    location / {
        try_files $uri $uri/ /index.html /index.php?$args =404;
    }

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        # fastcgi_pass 127.0.0.1:9000;
        fastcgi_pass 10.0.30.21:9000; ### ADD AFTER UPDATE!
        fastcgi_index index.php;
        include /etc/nginx/fastcgi_params;
    }

# sample reverse proxy config for password protected couchpotato running at IP 192.168.1.50 port 5050 with base url "cp"
# notice this is within the same server block as the base
# don't forget to generate the .htpasswd file as described on docker hub
#   location ^~ /cp {
#       auth_basic "Restricted";
#       auth_basic_user_file /config/nginx/.htpasswd;
#       include /config/nginx/proxy.conf;
#       proxy_pass http://192.168.1.50:5050/cp;
#   }

}

# sample reverse proxy config without url base, but as a subdomain "cp", ip and port same as above
# notice this is a new server block, you need a new server block for each subdomain
#server {
#   listen 443 ssl http2;
#   listen [::]:443 ssl http2;
#
#   root /config/www;
#   index index.html index.htm index.php;
#
#   server_name cp.*;
#
#   include /config/nginx/ssl.conf;
#
#   client_max_body_size 0;
#
#   location / {
#       auth_basic "Restricted";
#       auth_basic_user_file /config/nginx/.htpasswd;
#       include /config/nginx/proxy.conf;
#       proxy_pass http://192.168.1.50:5050;
#   }
#}

# sample reverse proxy config for "heimdall" via subdomain, with ldap authentication
# ldap-auth container has to be running and the /config/nginx/ldap.conf file should be filled with ldap info
# notice this is a new server block, you need a new server block for each subdomain
#server {
#   listen 443 ssl http2;
#   listen [::]:443 ssl http2;
#
#   root /config/www;
#   index index.html index.htm index.php;
#
#   server_name heimdall.*;
#
#   include /config/nginx/ssl.conf;
#
#   include /config/nginx/ldap.conf;
#
#   client_max_body_size 0;
#
#   location / {
#       # the next two lines will enable ldap auth along with the included ldap.conf in the server block
#       auth_request /auth;
#       error_page 401 =200 /ldaplogin;
#
#       include /config/nginx/proxy.conf;
#       resolver 127.0.0.11 valid=30s;
#       set $upstream_app heimdall;
#       set $upstream_port 443;
#       set $upstream_proto https;
#       proxy_pass $upstream_proto://$upstream_app:$upstream_port;
#   }
#}

# sample reverse proxy config for "heimdall" via subdomain, with Authelia
# Authelia container has to be running in the same user defined bridge network, with container name "authelia", and with 'path: "authelia"' set in its configuration.yml
# notice this is a new server block, you need a new server block for each subdomain
#server {
#   listen 443 ssl http2;
#   listen [::]:443 ssl http2;
#
#   root /config/www;
#   index index.html index.htm index.php;
#
#   server_name heimdall.*;
#
#   include /config/nginx/ssl.conf;
#
#   include /config/nginx/authelia-server.conf;
#
#   client_max_body_size 0;
#
#   location / {
#       # the next line will enable Authelia along with the included authelia-server.conf in the server block
#       include /config/nginx/authelia-location.conf;
#
#       include /config/nginx/proxy.conf;
#       resolver 127.0.0.11 valid=30s;
#       set $upstream_app heimdall;
#       set $upstream_port 443;
#       set $upstream_proto https;
#       proxy_pass $upstream_proto://$upstream_app:$upstream_port;
#   }
#}

# enable subdomain method reverse proxy confs
include /config/nginx/proxy-confs/*.subdomain.conf;
# enable proxy cache for auth
proxy_cache_path cache/ keys_zone=auth_cache:10m;

ssl.conf

# session settings
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;

# Diffie-Hellman parameter for DHE cipher suites
ssl_dhparam /config/nginx/dhparams.pem;

# ssl certs
ssl_certificate /config/keys/letsencrypt/fullchain.pem;
ssl_certificate_key /config/keys/letsencrypt/privkey.pem;

# protocols
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers REDACTED;

# HSTS, remove # from the line below to enable HSTS
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;


# OCSP Stapling
ssl_stapling on;
ssl_stapling_verify on;

# Optional additional headers
#add_header Content-Security-Policy "upgrade-insecure-requests";
#add_header X-Frame-Options "SAMEORIGIN" always;
#add_header X-XSS-Protection "1; mode=block" always;
#add_header X-Content-Type-Options "nosniff" always;
#add_header X-UA-Compatible "IE=Edge" always;
#add_header Cache-Control "no-transform" always;
#add_header Referrer-Policy "same-origin" always;

代理配置文件

client_max_body_size 10m;
client_body_buffer_size 128k;

#Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

# Advanced Proxy Config
send_timeout 5m;
proxy_read_timeout 240;
proxy_send_timeout 240;
proxy_connect_timeout 240;

# Basic Proxy Config
proxy_set_header Host $host:$server_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Ssl on;
proxy_redirect  http://  $scheme://;
proxy_http_version 1.1;
proxy_set_header Connection "";
#proxy_cookie_path / "/; HTTPOnly; Secure"; # enable at your own risk, may break certain apps
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 32 4k;

nginx.con

user abc;
worker_processes 4;
pid /run/nginx.pid;
include /etc/nginx/modules/*.conf;

events {
    worker_connections 768;
    # multi_accept on;
}

http {

    ##
    # Basic Settings
    ##

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # server_tokens off;

    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    client_max_body_size 0;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # Logging Settings
    ##

    access_log /config/log/nginx/access.log;
    error_log /config/log/nginx/error.log;

    ##
    # Gzip Settings
    ##

    gzip on;
    gzip_disable "msie6";

    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

    ##
    # nginx-naxsi config
    ##
    # Uncomment it if you installed nginx-naxsi
    ##

    #include /etc/nginx/naxsi_core.rules;

    ##
    # nginx-passenger config
    ##
    # Uncomment it if you installed nginx-passenger
    ##

    #passenger_root /usr;
    #passenger_ruby /usr/bin/ruby;

    ##
    # Virtual Host Configs
    ##
    include /etc/nginx/conf.d/*.conf;
    include /config/nginx/site-confs/*;
  
}


#mail {
#   # See sample authentication script at:
#   # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#   # auth_http localhost/auth.php;
#   # pop3_capabilities "TOP" "USER";
#   # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#   server {
#       listen     localhost:110;
#       protocol   pop3;
#       proxy      on;
#   }
#
#   server {
#       listen     localhost:143;
#       protocol   imap;
#       proxy      on;
#   }
#}
daemon off;

docker-compose.yaml文件;minecraft 和 nginx 部分(nginx 是“swag”容器的一部分):

  swag:
    image: linuxserver/swag
    container_name: swag
    volumes:
      - /mnt/data/docker/letsencrypt/config:/config
      - /etc/localtime:/etc/localtime:ro
    ports:
      - "10.0.30.21:80:80"
      - "10.0.30.21:443:443"
    environment:
      - PUID=1000
      - PGID=1004
      - EMAIL=READCTED
      - TZ=REDACTED
      - URL=mydomain.com
      - SUBDOMAINS=hass,dash,mqtt,enter,doku,print,mail,panel,mine,rcon,next,hassos 
      - DHLEVEL=4096
      - VALIDATION=http
      - EXTRA_DOMAINS=other_domain.com
    cap_add:
      - NET_ADMIN
    restart: unless-stopped
    networks:
      mynet:
        ipv4_address: 172.11.0.2

  minecraft_server:
    image: itzg/minecraft-server:latest
    container_name: minecraft_server
    ports:
      - "10.0.30.21:25565:25565"
    volumes:
      - "/mnt/data/docker/minecraft:/data"
    environment:
      EULA: "TRUE"
      ENABLE_RCON: "TRUE"
      RCON_PASSWORD: "REDACTED"
      RCON_PORT: 28016
      CONSOLE: 'FALSE'
    restart: always

相关内容