Forwarding requests to another Azure Container App in the same environment results in 403 Forbidden

-- Copied from Stackoverflow --

I'm trying to set up two containers in an Azure Container Apps environment. One container app has a Caddy reverse proxy plus the SPA app files (app-www), and the other has an Express API with Apollo (app-api). app-api sits upstream of the app-www Caddy proxy.

On my local machine's Docker instance, networking with localhost and ports works fine. It also works on Azure when I set up the ingress for app-api with TCP and use just the app name as the host in the Caddy config (e.g. http://app-api:5000). However, with TCP I can't use features like the built-in container app authentication, so I want to configure HTTP ingress and make it secure only.

With HTTP ingress, app-api returns 403 forbidden when accessed through the reverse proxy. The following appears in the app-www Caddy logs, but there is nothing at all in the app-api logs...

{"level":"debug","ts":1703005543.3806593,"logger":"http.handlers.rewrite","msg":"rewrote request","request":{"remote_ip":"100.100.0.48","remote_port":"56138","proto":"HTTP/1.1","method":"GET","host":"app-www.somerandom-abc123.westeurope.azurecontainerapps.io:443","uri":"/tools/evidence/api/content/d8e5a7fd-2330-42ca-949f-b4a5bc5b3dcc.png","headers":{"Authorization":[],"Sec-Ch-Ua":["\"Not_A Brand\";v=\"8\", \"Chromium\";v=\"120\""],"User-Agent":["Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7"],"Sec-Fetch-Mode":["navigate"],"Sec-Fetch-Dest":["document"],"Upgrade-Insecure-Requests":["1"],"X-K8se-App-Namespace":["k8se-apps"],"X-Arr-Ssl":["true"],"Sec-Fetch-User":["?1"],"X-Envoy-External-Address":["10.0.0.7"],"Sec-Ch-Ua-Platform":["\"macOS\""],"X-Request-Id":["d6d212bd-44f5-4bf8-ac46-9d4c41fc833c"],"X-Ms-Containerapp-Revision-Name":["app-www--3covj1h"],"X-Original-Url":["/tools/evidence/api/content/d8e5a7fd-2330-42ca-949f-b4a5bc5b3dcc.png"],"X-Appgw-Trace-Id":["1df4953e9788544fc1a4ede599a32efc"],"Accept-Encoding":["gzip, deflate, br"],"X-Forwarded-For":["xxx.xxx.xxx.xxx:49999,10.0.0.7"],"X-Original-Host":["my-external-url.com"],"Dnt":["1"],"Accept-Language":["en-US,en;q=0.9"],"X-K8se-App-Name":["app-www--3covj1h"],"Sec-Ch-Ua-Mobile":["?0"],"X-Envoy-Expected-Rq-Timeout-Ms":["1800000"],"X-K8se-App-Kind":["web"],"X-Ms-Containerapp-Name":["app-www"],"X-Forwarded-Port":["443"],"Cache-Control":["max-age=0"],"Sec-Fetch-Site":["none"],"X-K8se-Protocol":["http1"],"X-Forwarded-Proto":["https"]}},"method":"GET","uri":"/content/d8e5a7fd-2330-42ca-949f-b4a5bc5b3dcc.png"},
{"level":"debug","ts":1703005543.380741,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"app-api.internal.somerandom-abc123.westeurope.azurecontainerapps.io:443","total_upstreams":1},
{"level":"debug","ts":1703005543.4035332,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"app-api.internal.somerandom-abc123.westeurope.azurecontainerapps.io:443","duration":0.022743249,"request":{"remote_ip":"100.100.0.48","remote_port":"56138","proto":"HTTP/1.1","method":"GET","host":"app-www.somerandom-abc123.westeurope.azurecontainerapps.io:443","uri":"/content/d8e5a7fd-2330-42ca-949f-b4a5bc5b3dcc.png","headers":{"Authorization":[],"X-Arr-Ssl":["true"],"X-Ms-Containerapp-Revision-Name":["app-www--3covj1h"],"X-Original-Url":["/tools/evidence/api/content/d8e5a7fd-2330-42ca-949f-b4a5bc5b3dcc.png"],"X-Forwarded-Host":["app-www.somerandom-abc123.westeurope.azurecontainerapps.io:443"],"Dnt":["1"],"X-Forwarded-For":["100.100.0.48"],"X-Forwarded-Port":["443"],"Sec-Fetch-User":["?1"],"Accept-Language":["en-US,en;q=0.9"],"Sec-Ch-Ua-Mobile":["?0"],"Sec-Fetch-Site":["none"],"X-K8se-App-Kind":["web"],"Sec-Ch-Ua":["\"Not_A Brand\";v=\"8\", \"Chromium\";v=\"120\""],"X-Request-Id":["d6d212bd-44f5-4bf8-ac46-9d4c41fc833c"],"Accept-Encoding":["gzip, deflate, br"],"X-Ms-Containerapp-Name":["app-www"],"X-K8se-Protocol":["http1"],"X-Forwarded-Proto":["http"],"User-Agent":["Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7"],"Upgrade-Insecure-Requests":["1"],"Sec-Fetch-Mode":["navigate"],"Sec-Fetch-Dest":["document"],"X-Envoy-External-Address":["10.0.0.7"],"Sec-Ch-Ua-Platform":["\"macOS\""],"X-Appgw-Trace-Id":["1df4953e9788544fc1a4ede599a32efc"],"X-Original-Host":["my-external-url.com"],"X-Envoy-Expected-Rq-Timeout-Ms":["1800000"],"Cache-Control":["max-age=0"],"X-K8se-App-Name":["app-www--3covj1h"],"X-K8se-App-Namespace":["k8se-apps"]}},"headers":{"Date":["Tue, 19 Dec 2023 17:05:43 GMT"]},"status":403}

Strangely, when I try to fetch the same proxied file from inside the app-www container using wget, it works fine, e.g.

# wget https://app-api.internal.somerandom-abc123.westeurope.azurecontainerapps.io/content/d8e5a7fd-2330-42ca-949f-b4a5bc5b3dcc.png

I've tried a few things...

  • Making sure the app doesn't scale to zero.
  • Using the app name (i.e. https://app-api) instead of the FQDN. With an HTTP connection using the app name, it hangs. With TCP ingress it works fine.
  • Using insecure http doesn't work either.

I'm going a bit crazy trying to figure this out - it looks like a very basic configuration (basically an SPA app plus an API) but it just doesn't work.

The Caddyfile for app-www is below

{
    # TLS is terminated by the Container Apps ingress, so Caddy only serves plain HTTP
    auto_https off
    debug
}

(uselogin) {
    basicauth {
        {$PROXY_AUTH_CREDENTIALS}
    }
}

http://:80 {
    encode gzip
    header -Server
    header -X-Powered-By
    header Referrer-Policy "strict-origin-when-cross-origin"
    # header directive syntax is "<field> <value>", with no colon after the field name
    header X-Content-Type-Options "nosniff"
    header X-Frame-Options "SAMEORIGIN"

    handle /somepath/health-check {
        respond "health-check" 200
    }

    # SPA files; Caddy orders handle blocks by matcher specificity, so /somepath/api/* below wins for API paths
    handle /somepath/* {
        import uselogin
        uri strip_prefix /somepath/
        # root * ./dist
        root * /srv/www
        try_files {path} /index.html
        file_server
    }

    # API calls are proxied to app-api over the environment's internal FQDN
    handle /somepath/api/* {
        import uselogin
        uri strip_prefix /somepath/api
        reverse_proxy https://app-api.internal.somerandom-abc123.westeurope.azurecontainerapps.io
    }

    handle * {
        respond 404
    }
}
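One check worth running over debug lines like the ones above, as an added example that is not part of the post and not Caddy's own code: the "upstream roundtrip" entry shows Caddy dialing app-api's internal FQDN while still sending app-www's Host header, and X-Forwarded-Proto arriving upstream as "http" rather than the original "https". The script below parses such entries (the sample lines are constructed by trimming the log quoted in the post) and flags both conditions per round trip; a host-routed ingress commonly rejects requests whose Host does not match the dialed app, so this is the first thing to verify when the proxied call returns 403 while the upstream's own logs stay empty.

```python
import json

# Constructed sample: two entries trimmed from the Caddy debug log quoted in the post
# (trailing commas are kept on purpose, as they appear in the pasted log).
SAMPLE_LOG = r'''
{"level":"debug","logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"app-api.internal.somerandom-abc123.westeurope.azurecontainerapps.io:443","total_upstreams":1},
{"level":"debug","logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"app-api.internal.somerandom-abc123.westeurope.azurecontainerapps.io:443","duration":0.02,"request":{"proto":"HTTP/1.1","method":"GET","host":"app-www.somerandom-abc123.westeurope.azurecontainerapps.io:443","uri":"/content/x.png","headers":{"X-Forwarded-Proto":["http"],"X-Forwarded-Host":["app-www.somerandom-abc123.westeurope.azurecontainerapps.io:443"]}},"status":403}
'''


def hostname(hostport):
    """Strip an optional :port suffix and normalise case."""
    return hostport.rsplit(":", 1)[0].lower() if hostport else ""


def audit_roundtrips(log_text):
    """Return one finding per 'upstream roundtrip' entry in a Caddy JSON debug log.

    Each finding records the dialed upstream, the Host header Caddy sent it, the
    upstream's status code, and a list of problems: 'host-mismatch' when the sent
    Host does not name the dialed upstream, and 'x-forwarded-proto=<v>' when the
    forwarded scheme is not https.
    """
    findings = []
    for line in log_text.splitlines():
        line = line.strip().rstrip(",")
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # ignore non-JSON noise
        if entry.get("logger") != "http.handlers.reverse_proxy" or entry.get("msg") != "upstream roundtrip":
            continue
        req = entry.get("request", {})
        upstream = entry.get("upstream", "")
        sent_host = req.get("host", "")
        xfp = req.get("headers", {}).get("X-Forwarded-Proto", [""])[0]
        problems = []
        if hostname(sent_host) != hostname(upstream):
            problems.append("host-mismatch")
        if xfp and xfp != "https":
            problems.append(f"x-forwarded-proto={xfp}")
        findings.append({"status": entry.get("status"), "upstream": upstream,
                         "sent_host": sent_host, "problems": problems})
    return findings


if __name__ == "__main__":
    for finding in audit_roundtrips(SAMPLE_LOG):
        print(finding)
```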
