LocalForward我在通过 SSH 隧道转发到容器的端口时遇到了一些问题。
整个网络如下所示:
这是我Dockerfile的GW Container:
FROM ubuntu:latest
RUN apt-get update \
&& apt-get install -y ssh \
&& apt-get clean
EXPOSE 80
COPY config /root/.ssh/config
ENTRYPOINT ["ssh", "app-server", "sleep infinity & wait"]
相关sshconfig文件:
Host vpn-gateway
StrictHostKeyChecking no
UserKnownHostsFile=/dev/null
Hostname 10.20.30.40
User matrix
Host app-server
StrictHostKeyChecking no
UserKnownHostsFile=/dev/null
Hostname 20.30.40.50
User matrix
ProxyCommand ssh vpn-gateway nc %h %p %r
LocalForward 80 30.40.50.60:1080
现在,我正在使用docker-compose以下docker-compose.yml文件进行容器编排:
version: "3.2"
services:
gateway:
container_name: gateway
image: gateway
build: ./docker/gateway
volumes:
- ~/.ssh/id_rsa:/root/.ssh/id_rsa
- ~/.ssh/id_rsa.pub:/root/.ssh/id_rsa.pub
ports:
- 8080:80
因此,我的想法是,如果我从 localhost 运行 wget:
wget http://127.0.0.1:8080/api/health我将从机器获得响应API Server( 30.40.50.60:1080)。问题是我被重置了:
--2018-06-25 07:19:26-- http://127.0.0.1:8080/api/health
Connecting to 127.0.0.1:8080... connected.
HTTP request sent, awaiting response... Read error (Connection reset by peer) in headers.
Retrying.
--2018-06-25 07:19:27-- (try: 2) http://127.0.0.1:8080/api/health
Connecting to 127.0.0.1:8080... connected.
HTTP request sent, awaiting response... Read error (Connection reset by peer) in headers.
Retrying.
这可能是由于 Docker 没有看到任何使用端口 80 的应用程序造成的,如下GW Container所述:https://serverfault.com/a/769583/292211
如果我exec到GW Container并运行,wget http://127.0.0.1:80/api/health我会得到适当的回应。
有没有办法欺骗 docker,让它认为端口 80 可用,这样GW Container它就可以允许我将端口转发到主机?或者这些事情能用更好的方式处理吗?SSH 隧道的所有混乱都是由于第三方安全限制造成的。
谢谢!
答案1
我怀疑问题在于 LocalForward 绑定地址默认是 localhost。
为了接受任意外部连接,您可以尝试:
Host app-server
LocalForward 0.0.0.0:80 30.40.50.60:1080