Setting up nginx as a proxy between webservice docker containers


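I am trying to set up a server to host a specific web application. I have registered a domain (let's say example.org), created a VPS through DigitalOcean, and set the DNS for example.org to point to it, so if I run a simple web server, I can reach it by opening example.org in a web browser.

I want to use this server to host File Browser (https://filebrowser.org/). If I just run it with the default docker command, it works. However, I want to

  1. Have it (and any other web services) behind HTTPS.
  2. Make it accessible through example.org/files, so that I can use the domain for other things as well.

The idea is to run nginx in one docker container, publishing ports 80 and 443. I then followed this guide to install certbot in another container: https://mindsers.blog/post/https-using-nginx-certbot-docker/. Finally, I want to run filebrowser in a third docker container. This way, only nginx is accessible from the outside, and it handles all routing to the other services. If I understand correctly, I only need to set up SSL certs for the nginx container, and it can communicate internally over plain HTTP. My current docker-compose.yaml is: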

version: '3'

services:
  webserver:
    image: nginx:latest
    ports:
      - 80:80
      - 443:443
    volumes:
      - ./nginx/conf/:/etc/nginx/conf.d/:ro
      - ./nginx/www/:/srv/www/:ro
      - ./certbot/www:/var/www/certbot/:ro
      - ./certbot/conf/:/etc/nginx/ssl:ro
  certbot:
    image: certbot/certbot:latest
    volumes:
      - ./certbot/www/:/var/www/certbot/:rw
      - ./certbot/conf/:/etc/letsencrypt/:rw
  filebrowser:
    image: filebrowser/filebrowser:latest
    volumes:
      - ./filebrowser/files:/srv
      - ./filebrowser/filebrowser.db:/filebrowser.db
      - ./filebrowser/filebrowser.json:/.filebrowser.json

From looking at this answer https://serverfault.com/a/813776/1037593, I have set up nginx with the following config:

server {
    listen 80;
    listen [::]:80;
    server_name example.org www.example.org;
    server_tokens off;

    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    location / {
        return 301 https://example.org$request_uri;
    }
}


server {
    listen 443 default_server ssl;
    listen [::]:443 ssl;
    http2 on;

    server_name example.org;

    ssl_certificate /etc/nginx/ssl/live/example.org/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/live/example.org/privkey.pem;

    location / {
        root /srv/www/;
    }

    location /files {
        return 302 /files/;
    }

    location /files/ {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_redirect off;
        add_header Pragma "no-cache";
        add_header Cache-Control "no-cache";

        proxy_pass http://filebrowser:8080/;

        sub_filter 'action="/' 'action="/files/';
        sub_filter 'href="/' 'href="/files/';
        sub_filter 'src="/' 'src="/files/';
        sub_filter_once off;
    }
}

Finally, the config for filebrowser is

{
  "port": 8080,
  "baseURL": "",
  "address": "",
  "log": "stdout",
  "database": "/filebrowser.db",
  "root": "/srv"
}

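When I run this and navigate to example.org, I get the dummy index.html file that nginx serves at /. When I try to navigate to example.org/files, I get the login page for filebrowser, but when I enter the username and password (which I know are correct), I get the error message "Wrong credentials", and the nginx console shows errors that particular files cannot be found. The full output from running docker compose up and trying to log in is: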

[+] Running 4/4
 ✔ Network webservices_default          Created    0.1s
 ✔ Container webservices-certbot-1      Created    0.1s
 ✔ Container webservices-filebrowser-1  Created    0.1s
 ✔ Container webservices-webserver-1    Created    0.1s
Attaching to webservices-certbot-1, webservices-filebrowser-1, webservices-webserver-1
webservices-filebrowser-1  | 2023/07/26 12:49:57 Using config file: /.filebrowser.json
webservices-filebrowser-1  | 2023/07/26 12:49:57 Listening on [::]:8080
webservices-webserver-1    | /docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
webservices-webserver-1    | /docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
webservices-webserver-1    | /docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
webservices-webserver-1    | 10-listen-on-ipv6-by-default.sh: info: can not modify /etc/nginx/conf.d/default.conf (read-only file system?)
webservices-webserver-1    | /docker-entrypoint.sh: Sourcing /docker-entrypoint.d/15-local-resolvers.envsh
webservices-webserver-1    | /docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
webservices-webserver-1    | /docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
webservices-webserver-1    | /docker-entrypoint.sh: Configuration complete; ready for start up
webservices-webserver-1    | 2023/07/26 12:49:57 [notice] 1#1: using the "epoll" event method
webservices-webserver-1    | 2023/07/26 12:49:57 [notice] 1#1: nginx/1.25.1
webservices-webserver-1    | 2023/07/26 12:49:57 [notice] 1#1: built by gcc 12.2.0 (Debian 12.2.0-14)
webservices-webserver-1    | 2023/07/26 12:49:57 [notice] 1#1: OS: Linux 5.15.0-78-generic
webservices-webserver-1    | 2023/07/26 12:49:57 [notice] 1#1: getrlimit(RLIMIT_NOFILE): 1048576:1048576
webservices-webserver-1    | 2023/07/26 12:49:57 [notice] 1#1: start worker processes
webservices-webserver-1    | 2023/07/26 12:49:57 [notice] 1#1: start worker process 21
webservices-certbot-1      | Saving debug log to /var/log/letsencrypt/letsencrypt.log
webservices-certbot-1      | Certbot doesn't know how to automatically configure the web server on this system. However, it can still get a certificate for you. Please run "certbot certonly" to do so. You'll need to manually configure your web server to use the resulting certificate.
webservices-certbot-1 exited with code 1
webservices-webserver-1    | 89.8.210.16 - - [26/Jul/2023:12:50:17 +0000] "GET /files HTTP/2.0" 302 145 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0" "-"
webservices-webserver-1    | 89.8.210.16 - - [26/Jul/2023:12:50:17 +0000] "GET /files/ HTTP/2.0" 200 4439 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0" "-"
webservices-webserver-1    | 2023/07/26 12:50:17 [warn] 21#21: *1 an upstream response is buffered to a temporary file /var/cache/nginx/proxy_temp/1/00/0000000001 while reading upstream, client: 89.8.210.16, server: example.org, request: "GET /files/static/js/chunk-vendors.0f8eac7b.js HTTP/2.0", upstream: "http://172.20.0.4:8080/static/js/chunk-vendors.0f8eac7b.js", host: "example.org", referrer: "https://example.org/files/"
webservices-webserver-1    | 2023/07/26 12:50:17 [warn] 21#21: *1 an upstream response is buffered to a temporary file /var/cache/nginx/proxy_temp/2/00/0000000002 while reading upstream, client: 89.8.210.16, server: example.org, request: "GET /files/static/css/app.2991abc4.css HTTP/2.0", upstream: "http://172.20.0.4:8080/static/css/app.2991abc4.css", host: "example.org", referrer: "https://example.org/files/"
webservices-webserver-1    | 2023/07/26 12:50:17 [warn] 21#21: *1 an upstream response is buffered to a temporary file /var/cache/nginx/proxy_temp/3/00/0000000003 while reading upstream, client: 89.8.210.16, server: example.org, request: "GET /files/static/js/app.8ca2bdf9.js HTTP/2.0", upstream: "http://172.20.0.4:8080/static/js/app.8ca2bdf9.js", host: "example.org", referrer: "https://example.org/files/"
webservices-webserver-1    | 89.8.210.16 - - [26/Jul/2023:12:50:17 +0000] "GET /files/static/css/app.2991abc4.css HTTP/2.0" 200 50042 "https://example.org/files/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0" "-"
webservices-webserver-1    | 89.8.210.16 - - [26/Jul/2023:12:50:17 +0000] "GET /files/static/css/chunk-vendors.e9e545fd.css HTTP/2.0" 200 7539 "https://example.org/files/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0" "-"
webservices-webserver-1    | 89.8.210.16 - - [26/Jul/2023:12:50:17 +0000] "GET /files/static/js/chunk-vendors.0f8eac7b.js HTTP/2.0" 200 251297 "https://example.org/files/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0" "-"
webservices-webserver-1    | 89.8.210.16 - - [26/Jul/2023:12:50:17 +0000] "GET /files/static/js/app.8ca2bdf9.js HTTP/2.0" 200 102234 "https://example.org/files/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0" "-"
webservices-webserver-1    | 89.8.210.16 - - [26/Jul/2023:12:50:18 +0000] "GET /static/img/logo.svg HTTP/2.0" 404 153 "https://example.org/login?redirect=%2Ffiles%2Ffiles%2F" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0" "-"
webservices-webserver-1    | 2023/07/26 12:50:18 [error] 21#21: *1 open() "/srv/www/static/img/logo.svg" failed (2: No such file or directory), client: 89.8.210.16, server: example.org, request: "GET /static/img/logo.svg HTTP/2.0", host: "example.org", referrer: "https://example.org/login?redirect=%2Ffiles%2Ffiles%2F"
webservices-webserver-1    | 2023/07/26 12:50:53 [error] 21#21: *1 open() "/srv/www/api/login" failed (2: No such file or directory), client: 89.8.210.16, server: example.org, request: "POST /api/login HTTP/2.0", host: "example.org", referrer: "https://example.org/login?redirect=%2Ffiles%2Ffiles%2F"
webservices-webserver-1    | 89.8.210.16 - - [26/Jul/2023:12:50:53 +0000] "POST /api/login HTTP/2.0" 404 153 "https://example.org/login?redirect=%2Ffiles%2Ffiles%2F" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0" "-"

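It seems that some resources are not being requested from the filebrowser service but from /srv/www instead, which means the proxy is not working properly. Initially I didn't even get the login page, and got similar error messages before adding the extra settings in the location /files/ block. Do I have to add more sub_filters? I think this could be solved by using a subdomain (files.example.org instead), but I think this looks cleaner. I have also tried fiddling with the baseURL and address fields in the filebrowser config, but got nowhere. I also cannot find any documentation on these. I also tried this: https://nginxproxymanager.com/, but I got roughly the same behaviour as when doing it manually. I am quite new to nginx and web services, so any help is appreciated.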

Answer 1

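I solved this by setting the baseURL variable in filebrowser.json to "/files". I then changed the nginx config to use proxy_pass http://filebrowser:8080 without the trailing slash and removed all the sub_filter stuff. This way filebrowser handles the change in the URL. I still get some error messages in the log, but at least the application does what I need.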
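The routing behind the 404s in the question's log and behind the fix in the answer, as an added example (not code from the thread and not nginx or filebrowser code). It is a simplified model of nginx prefix-location matching and `proxy_pass` URI replacement for the three locations in the question's 443 server block; the helper names and the assumption that the app prefixes its own paths with `baseURL` are illustrative.

```python
from urllib.parse import urlsplit

# Simplified model: prefix locations only (longest match wins) plus
# proxy_pass URI replacement. Mirrors the question's 443 server block.
def locations(proxy_pass):
    return {
        "/": ("static", "/srv/www/"),
        "/files": ("redirect", "/files/"),
        "/files/": ("proxy", proxy_pass),
    }

def route(uri, proxy_pass):
    """Return (action, target) for a request URI."""
    locs = locations(proxy_pass)
    prefix = max((p for p in locs if uri.startswith(p)), key=len)
    kind, arg = locs[prefix]
    if kind == "static":
        return kind, arg.rstrip("/") + uri
    if kind == "redirect":
        return kind, arg
    parts = urlsplit(arg)
    origin = f"{parts.scheme}://{parts.netloc}"
    if parts.path:
        # proxy_pass has a URI part: the matched location prefix is replaced.
        return kind, origin + parts.path + uri[len(prefix):]
    # proxy_pass has no URI part: the request URI is passed on unchanged.
    return kind, origin + uri

def app_urls(base_url):
    """Constructed sample of paths the browser requests from the login page.
    Assumption: the app builds them as baseURL + path."""
    return [base_url + "/api/login", base_url + "/static/img/logo.svg"]

def trace(base_url, proxy_pass):
    return {u: route(u, proxy_pass) for u in app_urls(base_url)}

if __name__ == "__main__":
    cases = [
        ("question: baseURL '' with trailing slash", "", "http://filebrowser:8080/"),
        ("answer: baseURL '/files', no trailing slash", "/files", "http://filebrowser:8080"),
    ]
    for label, base, upstream in cases:
        print(label)
        for uri, result in trace(base, upstream).items():
            print("   ", uri, "->", result)
```

With the question's settings, the script-issued requests never match `location /files/` and fall through to the static root, which is why `sub_filter` rewriting of HTML attributes could not fix the login call.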
