HTTPS not exposed outside NGINX running in Docker

I'm trying to set up Apache Guacamole and an NGINX reverse proxy in Docker, but I'm having some trouble getting an HTTPS connection established from NGINX (HTTP works fine). I'm mostly self-taught, and I've tried all the suggestions for fixing similar problems without any success.

Right now both containers start fine and the reverse proxy's log shows nothing wrong:

/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: info: Getting the checksum of /etc/nginx/conf.d/default.conf
10-listen-on-ipv6-by-default.sh: info: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
/docker-entrypoint.sh: Configuration complete; ready for start up

docker ps shows both are running and the correct ports are published for the reverse proxy:

CONTAINER ID   IMAGE            COMMAND                  CREATED       STATUS       PORTS                                      NAMES
60b4f2e6c3e2   nginx:latest     "/docker-entrypoint.…"   2 hours ago   Up 2 hours   0.0.0.0:80->80/tcp, 0.0.0.0:433->433/tcp   reverse-proxy
a4c7f1fc4759   oznu/guacamole   "/init"                  2 hours ago   Up 2 hours   8080/tcp                                   guacamole

netstat -tulpn | grep LISTEN also shows the ports are exposed (and they don't show up when the containers aren't running, so it seems to be coming from the right place):

tcp        0      0 0.0.0.0:5900            0.0.0.0:*               LISTEN      1391/vino-server
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      30538/docker-proxy
tcp        0      0 0.0.0.0:433             0.0.0.0:*               LISTEN      30499/docker-proxy
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      577/systemd-resolve
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      4489/sshd: /usr/sbi
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      624/cupsd
tcp6       0      0 :::5900                 :::*                    LISTEN      1391/vino-server
tcp6       0      0 :::22                   :::*                    LISTEN      4489/sshd: /usr/sbi
tcp6       0      0 ::1:631                 :::*                    LISTEN      624/cupsd

However, trying to reach https://localhost or https://example.com, and even running nmap against the machine locally or externally, all show port 80 open and port 433 closed.

Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-11 18:57 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00011s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
631/tcp  open  ipp
5900/tcp open  vnc

I have a feeling this is a network/firewall issue somewhere, and I tried following a guide to reset iptables to its defaults, but that didn't seem to fix anything. I don't think it should matter, but the certificate is self-signed while I test this before setting up Let's Encrypt. Below are my docker-compose.yml and nginx.conf.

docker-compose.yml

version: '3'

services:
  reverse-proxy:
    image: nginx:latest
    container_name: reverse-proxy
    ports:
      - 80:80
      - 433:433
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf
      - ./example.com.crt:/etc/nginx/example.com.crt
      - ./example.com.key:/etc/nginx/example.com.key
    depends_on:
      - guacamole
    restart: always
  
  guacamole:
    image: oznu/guacamole
    container_name: guacamole
    expose:
      - 8080
    volumes:
      - /home/user/guacamole:/config
    restart: always

nginx.conf

worker_processes 1;

events {
    worker_connections 1024;
}

http {
    
    server {
        listen 80;
        server_name example.com;
        return 302 https://$host$request_uri; #302 for testing purposes, will be 301 later
    }
    
    server {
        listen 433 ssl;
        server_name example.com;
        
        ssl_certificate /etc/nginx/example.com.crt;
        ssl_certificate_key /etc/nginx/example.com.key;
        
        location / {
            proxy_pass http://guacamole:8080;
            proxy_buffering off;
            proxy_http_version 1.1;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $http_connection;
            access_log off;
        }
    }
}

Thanks in advance for any help!

Answer 1

After more troubleshooting and searching for the right keywords, this post solved the problem. I was listening on and forwarding 433, while HTTPS is 443, oops. I guess it's a good lesson to double-check my code for typos.
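
The mismatch above (433 in both docker-compose.yml and nginx.conf instead of 443) is easy to miss by eye. The following is an added example, not code from the question or answer: a small POSIX shell check that reads the listen ports out of an nginx.conf and the host-side ports out of a docker-compose.yml, and fails when the standard HTTPS port 443 is missing from either side. The sample files it writes are constructed here to reproduce the 433 typo and the corrected 443 version.

```shell
#!/bin/sh
# Added example: cross-check NGINX listen ports against docker-compose published ports.

# Print the port of every `listen` directive in an nginx.conf, one per line
# (handles forms like `listen 80;`, `listen 443 ssl;`, `listen [::]:443 ssl;`).
nginx_listen_ports() {
    sed -n 's/^[[:space:]]*listen[[:space:]][[:space:]]*\([^;]*\);.*/\1/p' "$1" \
      | awk '{ p = $1; sub(/^.*:/, "", p); print p }' | sort -nu
}

# Print the host-side port of every `- host:container` entry in a compose file
# (quoted or unquoted); volume entries like `- ./x:/y` do not match.
compose_host_ports() {
    sed -n 's/^[[:space:]]*-[[:space:]]*"\{0,1\}\([0-9][0-9]*\):[0-9].*/\1/p' "$1" | sort -nu
}

# Return 0 when 443 is both listened on by NGINX and published by compose, else 1.
check_https_port() {
    np=$(nginx_listen_ports "$1"); cp=$(compose_host_ports "$2")
    echo "nginx listens on:" $np
    echo "compose publishes:" $cp
    echo "$np" | grep -qx 443 || { echo "FAIL: nginx has no 'listen 443'"; return 1; }
    echo "$cp" | grep -qx 443 || { echo "FAIL: compose does not publish 443"; return 1; }
    echo "OK: 443 is listened on and published"
}

# Constructed sample files: the poster's 433 typo and the corrected 443 config.
write_samples() {
    printf 'http {\n  server {\n    listen 80;\n  }\n  server {\n    listen 433 ssl;\n  }\n}\n' > "$1/nginx-433.conf"
    printf 'http {\n  server {\n    listen 80;\n  }\n  server {\n    listen [::]:443 ssl;\n  }\n}\n' > "$1/nginx-443.conf"
    printf 'services:\n  reverse-proxy:\n    ports:\n      - 80:80\n      - 433:433\n    volumes:\n      - ./nginx.conf:/etc/nginx/nginx.conf\n' > "$1/compose-433.yml"
    printf 'services:\n  reverse-proxy:\n    ports:\n      - 80:80\n      - "443:443"\n' > "$1/compose-443.yml"
}

# Run both cases against the constructed samples, then clean up.
demo() {
    d=$(mktemp -d); write_samples "$d"
    check_https_port "$d/nginx-433.conf" "$d/compose-433.yml"   # reports FAIL
    check_https_port "$d/nginx-443.conf" "$d/compose-443.yml"   # reports OK
    rm -rf "$d"
}
demo
```

Run it as `sh check-ports.sh`; to check real files, call `check_https_port nginx.conf docker-compose.yml` after sourcing the script.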