Ngnix 反向代理在 Docker 中为本地主机设置 SSL

Ngnix 反向代理在 Docker 中为本地主机设置 SSL

使用下面的 docker compose.yml 我创建了 2 个容器和一个反向代理容器。

version: '3'

services:
  # SSGTM Tag Server Container
  tagging_server_container:
    image: gcr.io/cloud-tagging-10302018/gtm-cloud-image:stable
    ports:
      - '8080:8080'
    restart: always
    environment:
      PREVIEW_SERVER_URL: https://preview.ssgtm.dev
      CONTAINER_CONFIG: aWQ9...
    networks:
      - ssgtm
  # SSGTM Preview Server Container
  preview_server_container:
    image: gcr.io/cloud-tagging-10302018/gtm-cloud-image:stable
    ports:
      - '8081:8080'
    restart: always
    environment:
      RUN_AS_PREVIEW_SERVER: true
      CONTAINER_CONFIG: aWQ9...
    networks:
      - ssgtm
  proxy:
    image: nginx:1.19.10-alpine
    ports:
      - 80:80
      - 443:443
    volumes:
      - ./conf/nginx.conf:/etc/nginx/nginx.conf
      - ./certs:/etc/nginx/certs
    depends_on:
      - preview_server_container
      - tagging_server_container
    networks:
      - ssgtm
networks:
  ssgtm:
    driver: bridge

并且还在内部conf/nginx.conf用于mkcert -cert-file ssgtm.dev.crt -key-file ssgtm.dev.key ssgtm.dev "*.ssgtm.dev" localhost 127.0.0.1 ::1创建 SSL 证书和密钥。

events {
  worker_connections 1024;
}

http {
  
  upstream docker-tagging-server {
    server tagging_server_container:8080;
  }

  upstream docker-preview-server {
    server preview_server_container:8080;
  }
  
  server {
    listen 443 ssl;
    server_name 127.0.0.1;

    ssl_certificate /etc/nginx/certs/cert.crt;
    ssl_certificate_key /etc/nginx/certs/cert.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;

    location / {
      proxy_buffering off;
      proxy_redirect  off;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header X-Forwarded-Host $host;
      proxy_set_header X-Forwarded-Port $server_port;

      proxy_pass http://docker-preview-server;
    }
  }
  
  server {
    listen 443 ssl;
    server_name ssgtm.dev;

    ssl_certificate /etc/nginx/certs/cert.crt;
    ssl_certificate_key /etc/nginx/certs/cert.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;

    location / {
      proxy_buffering off;
      proxy_redirect  off;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header X-Forwarded-Host $host;
      proxy_set_header X-Forwarded-Port $server_port;

      proxy_pass http://docker-tagging-server;
    }
  }

  server {
    listen 443 ssl;
    server_name preview.ssgtm.dev;

    ssl_certificate /etc/nginx/certs/cert.crt;
    ssl_certificate_key /etc/nginx/certs/cert.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;

    location / {
      proxy_buffering off;
      proxy_redirect  off;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header X-Forwarded-Host $host;
      proxy_set_header X-Forwarded-Port $server_port;

      proxy_pass http://docker-preview-server;
    }
  }
}

我正在将我的 VirtualHost 请求代理到目标容器。

另外,hosts我在下面的文件中添加了本地解析。效果很好...它解析为 127.0.0.1,然后转到 Nginx,再转到其目标容器。

127.0.0.1 preview.ssgtm.dev
::1 preview.ssgtm.dev

127.0.0.1 ssgtm.dev
::1 ssgtm.dev

我面临的问题是... 两个容器应用程序都向域 IP 请求 TCP,端口为 443... 因此,当它向 ssgtm.dev:443 请求时,它变为 127.0.0.1:443,并返回错误Message: connect ECONNREFUSED 127.0.0.1:443,我无法理解此错误。据我所知,它无法连接到端口为 443 的 127.0.0.1,但我已经添加了它!我做错了什么?

答案1

容器无法访问 Nginx,因为它们正尝试连接到它们自己网络命名空间的本地主机,我们可以尝试name host.docker.internal解析为主机使用的内部 IP 地址的特殊 DNS。

修改您的nginx.conf文件,使其不再向ssgtm.dev:443或发出请求127.0.0.1:443,而是向 发出请求host.docker.internal:443

server {
    listen 443 ssl;
    server_name host.docker.internal;

    ssl_certificate /etc/nginx/certs/cert.crt;
    ssl_certificate_key /etc/nginx/certs/cert.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;

    location / {
      proxy_buffering off;
      proxy_redirect  off;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header X-Forwarded-Host $host;
      proxy_set_header X-Forwarded-Port $server_port;

      proxy_pass http://docker-preview-server;
    }
  }

相关内容