我正在尝试在 Docker 中设置 Apache Guacamole 和 NGINX 反向代理,但在从 NGINX 建立 HTTPS 连接时遇到了一些问题(HTTP 工作正常)。我大部分都是自学的,尝试了所有建议来解决类似的问题,但都没有成功。
现在,两个容器启动正常,反向代理日志中没有任何问题:
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: info: Getting the checksum of /etc/nginx/conf.d/default.conf
10-listen-on-ipv6-by-default.sh: info: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
docker ps显示两者都正在运行,并且为反向代理公开了正确的端口:
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
60b4f2e6c3e2 nginx:latest "/docker-entrypoint.…" 2 hours ago Up 2 hours 0.0.0.0:80->80/tcp, 0.0.0.0:433->433/tcp reverse-proxy
a4c7f1fc4759 oznu/guacamole "/init" 2 hours ago Up 2 hours 8080/tcp guacamole
netstat -tulpn | grep LISTEN还显示端口被暴露(并且当容器没有运行时不会显示所以它似乎来自正确的位置):
tcp 0 0 0.0.0.0:5900 0.0.0.0:* LISTEN 1391/vino-server
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 30538/docker-proxy
tcp 0 0 0.0.0.0:433 0.0.0.0:* LISTEN 30499/docker-proxy
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 577/systemd-resolve
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 4489/sshd: /usr/sbi
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 624/cupsd
tcp6 0 0 :::5900 :::* LISTEN 1391/vino-server
tcp6 0 0 :::22 :::* LISTEN 4489/sshd: /usr/sbi
tcp6 0 0 ::1:631 :::* LISTEN 624/cupsd
然而,两者都试图访问 https://localhost,https://example.com或者甚至尝试在本地或外部对机器进行 nmap 操作都显示端口 80 打开而端口 433 关闭。
Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-11 18:57 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00011s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
631/tcp open ipp
5900/tcp open vnc
我感觉这是某个地方的网络/防火墙问题,并尝试按照指南将 iptables 重置为默认值,但似乎没有解决任何问题。我认为这不会有任何影响,但在设置 Let's Encrypt 之前,我尝试测试时证书是自签名的。以下是我的 docker-compose.yml 和 nginx.conf。
docker-compose.yml
version: '3'
services:
reverse-proxy:
image: nginx:latest
container_name: reverse-proxy
ports:
- 80:80
- 433:433
volumes:
- ./nginx.conf:/etc/nginx/nginx.conf
- ./example.com.crt:/etc/nginx/example.com.crt
- ./example.com.key:/etc/nginx/example.com.key
depends_on:
- guacamole
restart: always
guacamole:
image: oznu/guacamole
container_name: guacamole
expose:
- 8080
volumes:
- /home/user/guacamole:/config
restart: always
nginx.conf
worker_processes 1;
events {
worker_connections 1024;
}
http {
server {
listen 80;
server_name example.com;
return 302 https://$host$request_uri; #302 for testing purposes, will be 301 later
}
server {
listen 433 ssl;
server_name example.com;
ssl_certificate /etc/nginx/example.com.crt;
ssl_certificate_key /etc/nginx/example.com.key;
location / {
proxy_pass http://guacamole:8080;
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
access_log off;
}
}
}
预先感谢您的任何帮助!
答案1
经过更多的故障排除和搜索合适的关键字后,问题解决了这个帖子。我正在监听并转发 433,而 HTTPS 是 443,哎呀。我想,这是一次很好的教训,让我学会仔细检查代码中的错误。