I started a Django application with gunicorn on 0.0.0.0:8000, behind nginx as a reverse proxy listening on port 1337.
version: '3.7'
services:
  web:
    build: .
    command: gunicorn myapp.wsgi:application --name myapp --log-file - --log-level info --bind 0.0.0.0:8000
    volumes:
      - ./web-backend/src/:/usr/src/app/
    ports:
      - 8000:8000
    env_file:
      - .env_web
    depends_on:
      - db
  db:
    image: postgres:11.5-alpine
    volumes:
      - postgres_data:/var/lib/postgresql/data/
    env_file:
      - .env_db
  nginx:
    build: ./nginx
    ports:
      - 1337:80
    depends_on:
      - web
volumes:
  postgres_data:
With this nginx.conf:
upstream myapp {
    server web:8000;
}
server {
    listen 80;
    location / {
        proxy_pass http://myapp;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_redirect off;
    }
}
The application is, naturally, reachable from localhost on 8000 and 1337, but I would like it to be reachable from all hosts in a different network as well (details below).
Some details: the Django app host I connect to with ssh is 10.157.100.98/24, while eth0 on the host itself is 192.168.0.13/24. I believe it will eventually have ports opened to the internet, but for now I just want all users in the 10.157.100.0 network to be able to reach the application.
Traceroute:
Tracing route to 10.157.100.98 over a maximum of 30 hops
1 5 ms 4 ms 5 ms 10.156.80.1
2 5 ms 4 ms 6 ms 172.30.237.241
3 3 ms 3 ms 4 ms 172.30.225.6
4 4 ms 4 ms 4 ms 172.30.225.6
5 23 ms 23 ms 23 ms 135.7.192.30
6 42 ms 42 ms 42 ms 135.7.192.7
7 42 ms 43 ms 43 ms 135.7.193.21
8 43 ms 43 ms 43 ms sth-vlan478-domain.net [172.30.8z.x1]
9 43 ms 43 ms 43 ms sth2-vlan20-domain.net [172.30.8z.x2]
10 43 ms 44 ms 44 ms sth3-vlan22-domain.net [172.30.8z.x3]
11 43 ms 45 ms 43 ms 172.30.8z.x4
12 * * * Request timed out.
13 * * * Request timed out.
14 43 ms 42 ms 45 ms 10.157.100.98
Trace complete.
route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 192.168.0.1 0.0.0.0 UG 0 0 0 eth0
instance-data.e 192.168.0.1 255.255.255.255 UGH 0 0 0 eth0
172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 docker0
172.30.0.0 0.0.0.0 255.255.0.0 U 0 0 0 br-df38aebf18b9
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
iptables
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:http-alt
Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER (2 references)
target prot opt source destination
ACCEPT tcp -- anywhere sth5-vlan401-domain.net tcp dpt:postgresql
ACCEPT tcp -- anywhere sth6-certr01-domain.net tcp dpt:8000
ACCEPT tcp -- anywhere 172.30.0.5 tcp dpt:http
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target prot opt source destination
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
I should point out that I am a complete newbie when it comes to networking. So:
I connect to my Django app server through 172.30.86.42, so for all users (who will also connect through that proxy) to reach the application via 10.157.100.98:8000 or 1337, I need to open those ports on that interface, right? Anything else?
If anyone is willing to walk through how the traffic flows step by step, I believe it would benefit all newcomers.
Answer 1
Solved... I made Nginx listen on 1337 instead of 80, which is the port that is actually opened through the security group in OpenStack.
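The question asks for a hop-by-hop walkthrough of the traffic, and the answer shows the failure was a mismatch between the port opened by the cloud security group and the port the container actually listens on. Below is an added example (not code from the question or answer) that models that path: security group, Docker's published-port DNAT, the listener inside the container, and nginx's proxy_pass to gunicorn. It parses constructed copies of the compose `ports:` entries, the nginx.conf and the gunicorn command from the post; the set of ports the security group allows (`SECURITY_GROUP_TCP`) is an assumption, since the post never lists it. The check is a static model of the configuration, not a probe of a live host.

```python
import re

# Constructed inputs that mirror the question's compose file, nginx.conf and gunicorn
# command; the security-group port set is an assumption, not something the post shows.
COMPOSE_PORTS = {"web": ["8000:8000"], "nginx": ["1337:80"]}
NGINX_CONF = """
upstream myapp {
    server web:8000;
}
server {
    listen 80;
    location / {
        proxy_pass http://myapp;
    }
}
"""
GUNICORN_CMD = "gunicorn myapp.wsgi:application --bind 0.0.0.0:8000"
SECURITY_GROUP_TCP = {22, 1337}  # assumed inbound TCP ports allowed by the OpenStack security group


def parse_port_mapping(spec):
    """Compose port spec -> (host_port, container_port). '1337:80' -> (1337, 80);
    a bare '8000' publishes the same port on both sides."""
    spec = str(spec).split("/")[0]            # drop an optional '/tcp' suffix
    parts = spec.split(":")
    host, container = (parts[0], parts[-1]) if len(parts) > 1 else (parts[0], parts[0])
    return int(host), int(container)


def nginx_listen_ports(conf):
    """Ports named by 'listen' directives, with or without an address prefix."""
    return {int(p) for p in re.findall(r"\blisten\s+(?:\S+:)?(\d+)", conf)}


def nginx_upstreams(conf):
    """upstream name -> list of (host, port) taken from its 'server' lines."""
    result = {}
    for name, body in re.findall(r"upstream\s+(\S+)\s*\{([^}]*)\}", conf):
        result[name] = [(h, int(p)) for h, p in re.findall(r"server\s+([\w.-]+):(\d+)", body)]
    return result


def nginx_proxy_targets(conf):
    """Upstream names (or host:port strings) referenced by proxy_pass directives."""
    return re.findall(r"proxy_pass\s+https?://([^;/\s]+)", conf)


def gunicorn_bind_port(cmd):
    m = re.search(r"--bind\s+\S*?:(\d+)", cmd)
    return int(m.group(1)) if m else None


def trace_path(client_port, ports=COMPOSE_PORTS, nginx_conf=NGINX_CONF,
               gunicorn_cmd=GUNICORN_CMD, allowed=SECURITY_GROUP_TCP):
    """Walk a client's TCP connection to the host hop by hop.
    Returns (reachable, hops); hops is a list of human-readable steps."""
    hops = []
    # 1. The cloud security group is evaluated before the packet reaches the VM at all.
    if client_port not in allowed:
        hops.append(f"security group: tcp/{client_port} not allowed -> dropped before the host")
        return False, hops
    hops.append(f"security group: tcp/{client_port} allowed")

    # 2. Docker's DOCKER nat chain DNATs a published host port to the container port.
    published = {}
    for svc, specs in ports.items():
        for spec in specs:
            host_port, container_port = parse_port_mapping(spec)
            published[host_port] = (svc, container_port)
    if client_port not in published:
        hops.append(f"host: no container publishes tcp/{client_port} -> connection refused")
        return False, hops
    svc, cport = published[client_port]
    hops.append(f"docker DNAT: host:{client_port} -> {svc}:{cport}")

    # 3. Inside the container, a process must actually listen on the mapped port.
    gport = gunicorn_bind_port(gunicorn_cmd)
    if svc == "web":
        if gport != cport:
            hops.append(f"gunicorn: bound to {gport}, not {cport} -> connection refused")
            return False, hops
        hops.append(f"gunicorn: listening on {cport}")
        return True, hops
    if svc != "nginx":
        hops.append(f"{svc}: listener not modelled")
        return False, hops
    if cport not in nginx_listen_ports(nginx_conf):
        hops.append(f"nginx: no 'listen {cport}' -> connection refused inside the container")
        return False, hops
    hops.append(f"nginx: listening on {cport}")

    # 4. nginx resolves the upstream name through Docker's embedded DNS and proxies to it.
    upstreams = nginx_upstreams(nginx_conf)
    for target in nginx_proxy_targets(nginx_conf):
        for uhost, uport in upstreams.get(target, []):
            hops.append(f"nginx proxy_pass: {target} -> {uhost}:{uport}")
            if uhost == "web" and gport != uport:
                hops.append(f"gunicorn: bound to {gport}, not {uport} -> upstream refused")
                return False, hops
    hops.append("gunicorn: accepts the proxied request")
    return True, hops


if __name__ == "__main__":
    for port in (1337, 8000):
        ok, hops = trace_path(port)
        print(f"tcp/{port}: {'reachable' if ok else 'NOT reachable'}")
        for h in hops:
            print("   ", h)
```

With the post's configuration, tcp/1337 traces cleanly to gunicorn while tcp/8000 stops at the security group. Changing only `listen 80;` to `listen 1337;` while keeping the `1337:80` mapping makes the trace fail inside the container, so the compose mapping has to be adjusted to whatever port nginx binds; that is the consistency the model enforces, and the exact compose change the answer made is not shown in the post.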