我有一台服务器(Ubuntu-Server),上面有一些基于 Docker 的服务器(Gitlab、Redmine)和 NGINX 作为代理。
gitlab.<myserver> => NGINX -> <docker-net-ip>:port => Gitlab-container
redmine.<myserver> => NGINX -> <docker-net-ip>:port => Redmine-container
SQL-container
Certbot
这很有效。现在我想通过 Cockpit Web 服务扩展我的服务器:
cockpit.<myserver> => NGINX -> localhost:9090 => Cockpit running on the server
gitlab.<myserver> => NGINX -> <docker-net-ip>:port => Gitlab-container
redmine.<myserver> => NGINX -> <docker-net-ip>:port => Redmine-container
SQL-container
Certbot
我添加了一条额外的 NGINX 规则(对应于https://github.com/cockpit-project/cockpit/wiki/Proxying-Cockpit-over-NGINX) 的 cockpit,然后 cockpit 可用,但 Redmine 和 Gitlab 都不可用。如果我删除规则,则反之亦然。
在/etc/nginx/站点可用/和/etc/nginx/sites-enabled/存储了以下 NGINX 规则:
gitlab.<我的服务器>
server {
listen 80;
listen [::]:80;
server_name gitlab.<myserver>;
location / {
proxy_pass http://<docker-net-ip>:port;
proxy_buffering off;
proxy_set_header X-Real-IP $remote_addr;
}
}
redmine.<我的服务器>
server {
listen 80;
listen [::]:80;
server_name redmine.<myserver>;
location / {
proxy_pass http://<docker-net-ip>:port;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-for $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
现在我补充道:
驾驶舱。<我的服务器>
server {
listen 80;
listen 443 ssl;
server_name cockpit.<myserver>;
location / {
# Required to proxy the connection to Cockpit
proxy_pass https://127.0.0.1:9090;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
# Required for web sockets to function
proxy_http_version 1.1;
proxy_buffering off;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
# Pass ETag header from Cockpit to clients.
# See: https://github.com/cockpit-project/cockpit/issues/5239
gzip off;
}
}
和/etc/cockpit/cockpit.conf
[WebService]
Origins = https://cockpit.<myserver> 127.0.0.1:9090
ProtocolHeader = X-Forwarded-Proto
[Log]
Fatal = /var/log/cockpit.log
[Session]
IdleTimeout=15
这里缺少什么?
答案1
这里缺少什么?
此问题并非在所有设备上都存在。有些设备显示“此连接不安全。”适用于 redmine 和 gitlab。但 cockpit 没有。现在谜题的答案是,Gitlab 和 Redmine 的规则不完整,https 请求卡在了任何地方。
缺少 443 端口(https)的规则。现在我把这些块改成了两个:
- 将 http 请求重定向到 https
- 监听 https 请求并转发给应用程序
现在看起来像这样:
/etc/nginx/sites-available/gitlab.<我的服务器>链接到/etc/nginx/sites-enabled/gitlab。<我的服务器>
# redirect http request to https while keeping the request uri
server {
listen 80;
listen [::]:80;
server_name gitlab.<myserver>;
return 301 https://gitlab.<myserver>$request_uri;
}
# https requests will forwarded to the server application
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name gitlab.<myserver>;
location / {
proxy_pass http://<docker-net-ip>:<port>;
proxy_buffering off;
proxy_set_header X-Real-IP $remote_addr;
# Note: You should disable gzip for SSL traffic.
# See: https://bugs.debian.org/773332
gzip off;
}
}
/etc/nginx/sites-available/redmine。<我的服务器>链接到/etc/nginx/sites-enabled/redmine。<我的服务器>
# redirect http request to https while keeping the request uri
server {
listen 80;
listen [::]:80;
server_name redmine.<myserver>;
return 301 https://redmine.<myserver>$request_uri;
}
# https requests will forwarded to the server application
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name redmine.<myserver>;
location / {
proxy_pass http://<docker-net-ip>:<port>;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-for $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Note: You should disable gzip for SSL traffic.
# See: https://bugs.debian.org/773332
gzip off;
}
}
/etc/nginx/sites-available/cockpit。<我的服务器>链接到/etc/nginx/sites-enabled/cockpit。<我的服务器>
server {
listen 80;
listen 443 ssl;
server_name cockpit.<myserver>;
location / {
# Required to proxy the connection to Cockpit
proxy_pass https://127.0.0.1:9090;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
# Required for web sockets to function
proxy_http_version 1.1;
proxy_buffering off;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
# Pass ETag header from Cockpit to clients.
# See: https://github.com/cockpit-project/cockpit/issues/5239
gzip off;
}
}
和/etc/cockpit/cockpit.conf
[WebService]
Origins = https://cockpit.<myserver> 127.0.0.1:9090
ProtocolHeader = X-Forwarded-Proto
[Log]
Fatal = /var/log/cockpit.log
[Session]
IdleTimeout=15
并且为了完整:
/etc/nginx/站点可用/默认链接到/etc/nginx/sites-enabled/default
##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# https://www.nginx.com/resources/wiki/start/
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
# https://wiki.debian.org/Nginx/DirectoryStructure
#
# In most cases, administrators will remove this file from sites-enabled/ and
# leave it as reference inside of sites-available where it will continue to be
# updated by the nginx packaging team.
#
# This file will automatically load configuration files provided by other
# applications, such as Drupal or WordPress. These applications will be made
# available underneath a path with that package name, such as /drupal8.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##
# Default server configuration
#
server {
listen 80 default_server;
listen [::]:80 default_server;
# SSL configuration
#
# listen 443 ssl default_server;
# listen [::]:443 ssl default_server;
#
# Note: You should disable gzip for SSL traffic.
# See: https://bugs.debian.org/773332
#
# Read up on ssl_ciphers to ensure a secure configuration.
# See: https://bugs.debian.org/765782
#
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
#
# include snippets/snakeoil.conf;
root /var/www/html;
error_log /opt/logs/certbot_error debug;
}