Nginx reverse proxy through a WireGuard tunnel

I have set up a WireGuard tunnel between an AWS instance (acting as the server) and my personal computer (acting as the client). WireGuard is installed in a Docker container (using the linuxserver image). On the local machine I have a website that I want to reach from the server through an Nginx proxy. Basically, I want to connect to the AWS instance's IP and be redirected through the WireGuard tunnel to the website on my local machine. I can curl my website from the Nginx Docker container on the AWS instance, but the proxy doesn't work. How can I fix this?

AWS instance (WireGuard server and Nginx proxy)

version: "3"
services:
  reverseproxy:
    container_name: reverseproxy
    build: .
    restart: unless-stopped
    network_mode: service:wireguard

  wireguard:
    image: lscr.io/linuxserver/wireguard:latest
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/Rome
      - SERVERURL=107.22.140.0 #optional
      - SERVERPORT=51820 #optional
      - PEERS=1 #optional
      - PEERDNS=auto #optional
      - INTERNAL_SUBNET=10.0.0.0 #optional
      - ALLOWEDIPS=0.0.0.0/0 #optional
      - LOG_CONFS=true #optional
    volumes:
      - /home/ubuntu/wireguard/config:/config
      - /lib/modules:/lib/modules
    ports:
      - 51820:51820/udp
      - 80:80
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    restart: unless-stopped

Configuration of the Nginx proxy:

worker_processes 1;

events { worker_connections 1024; }

http {

    sendfile on;

    upstream docker-proxy {
        server 10.0.1.2:80;
    }

    proxy_set_header   Host $host;
    proxy_set_header   X-Real-IP $remote_addr;
    proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header   X-Forwarded-Host $server_name;

    server {
        listen 80;
        resolver 127.0.0.11 ipv6=off;
        location / {
            proxy_pass         http://docker-proxy/;
            proxy_redirect     off;
        }
    }
}

Local machine with WireGuard and the local website:

version: '3'

services:
    nginx:
        container_name: nginx
        #depends_on:
            #- reverseproxy
        image: nginx:alpine
        restart: unless-stopped
        ports:
            - 80:80
        networks:
            vpn:
                ipv4_address: 10.0.1.2
    wireguard:
        image: lscr.io/linuxserver/wireguard:latest
        container_name: wireguard
        cap_add:
            - NET_ADMIN
            - SYS_MODULE
        environment:
            - PUID=1000
            - PGID=1000
            - TZ=Europe/Rome
            - SERVERURL=wireguard.domain.com #optional
            - SERVERPORT=51820 #optional
            - PEERS= #optional
            - PEERDNS=auto #optional
            - INTERNAL_SUBNET=10.0.0.0 #optional
            - ALLOWEDIPS=0.0.0.0/0 #optional
            - LOG_CONFS=true #optional
        volumes:
            - /home/user/dev/nginx-proxy/config:/config
            - /lib/modules:/lib/modules
        ports:
            - 51820:51820/udp
        sysctls:
            - net.ipv4.conf.all.src_valid_mark=1
        restart: unless-stopped
        networks:
            vpn:
                ipv4_address: 10.0.1.5
    
networks:
    vpn:
        ipam:
            config:
                - subnet: 10.0.1.0/8 

Answer 1

If what you want is to forward a port from your AWS server, you don't need nginx; you can simply use iptables rules in the WireGuard container to forward port 80.

On your AWS server, save this WireGuard config file in some directory, such as server/wireguard/wg0.conf:

# server/wireguard/wg0.conf

# local settings for AWS server
[Interface]
PrivateKey = <server private key>
Address = 10.0.0.1/32
ListenPort = 51820

# port forwarding to Docker `nginx` service on `vpn` network on personal computer
PreUp = iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.0.1.2
# masquerading for Internet traffic to Docker `vpn` network on personal computer
PreUp = iptables -t nat -A POSTROUTING -d 10.0.1.0/24 -j MASQUERADE

# remote settings for personal computer
[Peer]
PublicKey = <client public key>
AllowedIPs = 10.0.0.2/32, 10.0.1.0/24

Replace <server private key> with the WireGuard private key you generated for the server, and <client public key> with the WireGuard public key you generated for the client.

Then save this Docker Compose file in the directory above it, such as server/docker-compose.yml:

# server/docker-compose.yml

version: '3'
services:
  wireguard:
    image: procustodibus/wireguard
    cap_add:
    - NET_ADMIN
    ports:
    - 80:80
    - 51820:51820/udp
    volumes:
    - ./wireguard:/etc/wireguard

And run docker-compose up from the same directory as the Docker Compose file.

Next, on your personal computer, save this WireGuard config file in some directory, such as client/wireguard/wg0.conf:

# client/wireguard/wg0.conf

# local settings for personal computer
[Interface]
PrivateKey = <client private key>
Address = 10.0.0.2/32
ListenPort = 51820

# masquerading for WireGuard traffic to Docker `vpn` network on personal computer
PreUp = iptables -t nat -A POSTROUTING -d 10.0.1.0/24 -j MASQUERADE

# remote settings for AWS server
[Peer]
PublicKey = <server public key>
AllowedIPs = 10.0.0.1/32
Endpoint = <server ip address or domain name>:51820
PersistentKeepalive = 25

Replace <client private key> with the WireGuard private key you generated for the client, and <server public key> with the WireGuard public key you generated for the server. Replace <server ip address or domain name> with the public IP address or domain name of your AWS server.

Then save this Docker Compose file in the directory above it, such as client/docker-compose.yml:

# client/docker-compose.yml

version: '3'

services:
  nginx:
    image: nginx
    networks:
      vpn:
        ipv4_address: 10.0.1.2

  wireguard:
    image: procustodibus/wireguard
    cap_add:
    - NET_ADMIN
    networks:
      vpn:
        ipv4_address: 10.0.1.5
    ports:
    - 51820:51820/udp
    volumes:
    - ./wireguard:/etc/wireguard

networks:
  vpn:
    ipam:
      config:
      - subnet: 10.0.1.0/24

And run docker-compose up from the same directory as the Docker Compose file.


However, if you do need nginx on your AWS server (for example, to preserve the real IP address of HTTP clients, or to terminate TLS, etc.), omit the port-forwarding iptables rule from the AWS server's WireGuard configuration:

# server/wireguard/wg0.conf

# local settings for AWS server
[Interface]
PrivateKey = <server private key>
Address = 10.0.0.1/32
ListenPort = 51820

# masquerading for Internet traffic to Docker `vpn` network on personal computer
PreUp = iptables -t nat -A POSTROUTING -d 10.0.1.0/24 -j MASQUERADE

# remote settings for personal computer
[Peer]
PublicKey = <client public key>
AllowedIPs = 10.0.0.2/32, 10.0.1.0/24

Save the reverse-proxy nginx config file on the AWS server in a directory alongside the WireGuard config, for example server/reverseproxy/nginx.conf:

# server/reverseproxy/nginx.conf

events {}
http {
    server {
        listen 80;
        location / {
            proxy_pass http://10.0.1.2:80;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
        }
    }
}

Use whatever proxy directives (or other nginx configuration) you want in this config file (the original reverse-proxy config from your question should work fine); just make sure the upstream server address and port match the address and port used by the nginx Docker service on the vpn network on your personal computer.

Then add this reverseproxy service to the Docker Compose configuration on the AWS server:

# server/docker-compose.yml

version: '3'

services:
  reverseproxy:
    image: nginx
    network_mode: service:wireguard
    volumes:
    - ./reverseproxy:/etc/nginx

  wireguard:
    image: procustodibus/wireguard
    cap_add:
    - NET_ADMIN
    ports:
    - 80:80
    - 51820:51820/udp
    volumes:
    - ./wireguard:/etc/wireguard

On your personal computer, use the same "client" WireGuard and Docker Compose configuration as in the first part of this answer.
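Both variants of the answer depend on the same three facts: AllowedIPs is WireGuard's routing table and its source filter for decrypted packets, the AWS side must MASQUERADE forwarded traffic so it enters the tunnel from 10.0.0.1, and the client side must MASQUERADE it again so the Docker nginx container can reply. The script below is an added example, not code from the answer or from the procustodibus/linuxserver projects: it embeds the relevant lines of the answer's configs (placeholder keys kept) as constructed input, parses the wg-quick files and the iptables rules in their PreUp hooks, pulls the upstream address out of nginx.conf, and reports anything that would break the path. The names lint(), parse_wg(), nat_rules() and the regexes are this example's own.

```python
"""Added example (not the answer's code): lint the WireGuard + iptables + nginx path above.
It parses wg-quick configs, pulls DNAT/MASQUERADE rules out of their PreUp hooks and the
upstream out of nginx.conf, then checks the cryptokey-routing facts the setup depends on."""
import ipaddress
import re

# Constructed inputs: the relevant lines of the answer's configs, placeholder keys kept.
SERVER_CONF = """
[Interface]
PrivateKey = <server private key>
Address = 10.0.0.1/32
PreUp = iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.0.1.2
PreUp = iptables -t nat -A POSTROUTING -d 10.0.1.0/24 -j MASQUERADE

[Peer]
PublicKey = <client public key>
AllowedIPs = 10.0.0.2/32, 10.0.1.0/24
"""
CLIENT_CONF = """
[Interface]
PrivateKey = <client private key>
Address = 10.0.0.2/32
PreUp = iptables -t nat -A POSTROUTING -d 10.0.1.0/24 -j MASQUERADE

[Peer]
PublicKey = <server public key>
AllowedIPs = 10.0.0.1/32
Endpoint = <server ip address or domain name>:51820
"""
# The answer's nginx variant: the same server config without the DNAT rule.
SERVER_PROXY_CONF = "\n".join(line for line in SERVER_CONF.splitlines() if "DNAT" not in line)
NGINX_CONF = "events {} http { server { listen 80; location / { proxy_pass http://10.0.1.2:80; } } }"

DNAT_RE = re.compile(r"-j\s+DNAT\s+--to-destination\s+(\d+\.\d+\.\d+\.\d+)")
MASQ_RE = re.compile(r"-d\s+(\S+)\s.*-j\s+MASQUERADE")
# an upstream block's `server 10.0.1.2:80;` or a direct `proxy_pass http://10.0.1.2:80;`
UPSTREAM_RE = re.compile(r"(?:proxy_pass\s+https?://|\bserver\s+)(\d+\.\d+\.\d+\.\d+)")

def parse_wg(text):
    """wg-quick INI -> (interface, [peers]); repeated keys such as PreUp become lists."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "[Interface]":
            current = interface
        elif line == "[Peer]":
            current = {}
            peers.append(current)
        elif current is not None:
            key, _, value = line.partition("=")  # base64 keys end in '=', so split on the first
            current.setdefault(key.strip(), []).append(value.strip())
    return interface, peers

def allowed_networks(peers):
    """All AllowedIPs: WireGuard's routing table and its source filter for decrypted packets."""
    return [ipaddress.ip_network(p.strip()) for peer in peers
            for entry in peer.get("AllowedIPs", []) for p in entry.split(",")]

def nat_rules(interface, pattern):
    """Capture group 1 of `pattern` in every PreUp/PostUp iptables command."""
    cmds = interface.get("PreUp", []) + interface.get("PostUp", [])
    return [m.group(1) for cmd in cmds for m in pattern.finditer(cmd)]

def covered(ip, nets):
    return any(ip in net for net in nets)

def lint(server_text, client_text, nginx_text=None):
    """Return the problems found; an empty list means the forwarding path is consistent."""
    s_if, s_peers = parse_wg(server_text)
    c_if, c_peers = parse_wg(client_text)
    s_addr = ipaddress.ip_interface(s_if["Address"][0].split(",")[0]).ip
    c_addr = ipaddress.ip_interface(c_if["Address"][0].split(",")[0]).ip
    s_masq = [ipaddress.ip_network(n) for n in nat_rules(s_if, MASQ_RE)]
    c_masq = [ipaddress.ip_network(n) for n in nat_rules(c_if, MASQ_RE)]
    dnat = [ipaddress.ip_address(a) for a in nat_rules(s_if, DNAT_RE)]
    upstreams = [ipaddress.ip_address(m.group(1)) for m in UPSTREAM_RE.finditer(nginx_text or "")]
    problems = []
    # 1. Each side must list the other's tunnel address or it drops that peer's decrypted packets.
    if not covered(c_addr, allowed_networks(s_peers)):
        problems.append(f"server: client address {c_addr} is in no AllowedIPs")
    if not covered(s_addr, allowed_networks(c_peers)):
        problems.append(f"client: server address {s_addr} is in no AllowedIPs")
    # 2. DNAT keeps the Internet client's source address; MASQUERADE rewrites it to the server's
    #    tunnel address, the only source the client's peer entry accepts (nginx traffic has it already).
    for t in dnat:
        if not covered(t, s_masq):
            problems.append(f"server: DNAT to {t} is not masqueraded, so the client side drops it")
    # 3. Every target needs a route into wg0 (an AllowedIPs entry) and a way for replies to return.
    if not dnat and not upstreams:
        problems.append("server: neither a DNAT rule nor an nginx upstream points at the remote site")
    for t in dnat + upstreams:
        if not covered(t, allowed_networks(s_peers)):
            problems.append(f"server: {t} is in no peer's AllowedIPs, so there is no route into wg0")
        if not covered(t, c_masq):
            problems.append(f"client: traffic to {t} is not masqueraded, so {t} cannot reply to {s_addr}")
    return problems

if __name__ == "__main__":
    print("iptables forwarding:", lint(SERVER_CONF, CLIENT_CONF) or "OK")
    print("nginx reverse proxy:", lint(SERVER_PROXY_CONF, CLIENT_CONF, NGINX_CONF) or "OK")
```

Run against the answer's configs both variants come back clean. Point it at a server peer stanza that lists only the client's /32 (without 10.0.1.0/24) and the route check fails: the AWS side then has no route for 10.0.1.2 into wg0, which is the first thing to verify when nginx in the container can reach the tunnel but the proxied upstream times out. Removing the server-side MASQUERADE rule trips the second check, since the forwarded packets would arrive at the client with an Internet source address that its AllowedIPs do not cover.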
