【问题标题】:Nginx reverse SSL proxy docker-composeNginx 反向 SSL 代理 docker-compose
【发布时间】:2020-01-09 13:04:28
【问题描述】:

我正在尝试在我的 Ubuntu 18.04 服务器上将 nginx 设置为反向代理。

我已经在下面设置了我认为正确的内容,但是点击 http://web.service.com 会使我进入默认的 nginx 欢迎屏幕(而它应该重定向到 https:// 并转到 https://web.service.com 我最终得到 404 错误屏幕。

我有以下docker-compose.yml 配置:

version: "3"
services:
    web_service:
        image: "test/webservice"
        container_name: "webservice"
        hostname: "webservice"

    mysql:
        image: "mysql:5.7"
        container_name: "mysql"
        hostname: "mysql"

    nginx:
        build:
            context: .
            dockerfile: "Dockerfile"
        image: "nginx"
        container_name: "nginx"
        hostname: "nginx"
        ports:
            - "80:80"
            - "443:443"
        volumes:
            - "/var/nginx/data/certs:/etc/nginx/certs"

注意:web_service 在端口 8080 上托管网页

我有我的默认nginx.conf

user  nginx;
worker_processes  1;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;

    include /etc/nginx/conf.d/*.conf;
}

还有我自定义的web_service.conf,它内置在新的 nginx 映像中。

server {
    listen 80;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl default_server;

    server_name www.web.server.com web.server.com;

    ssl_session_cache  builtin:1000  shared:SSL:10m;
    ssl_protocols  SSLv3 TLSv1;
    ssl_ciphers ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM;

    access_log /var/log/nginx/access.log;
    error_log  /var/log/nginx/error.log info;

    keepalive_timeout 75 75;

    ssl_certificate /etc/nginx/certs/web_server.com.crt;
    ssl_certificate_key /etc/nginx/certs/web_server.com.key;
    ssl_session_timeout 5m;

    add_header Strict-Transport-Security "max-age=7200";

    location / {

      proxy_set_header        Host $host;
      proxy_set_header        X-Real-IP $remote_addr;
      proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header        X-Forwarded-Proto $scheme;

      proxy_pass          http://webservice:8080;
      proxy_read_timeout  90;
      proxy_redirect      http://webservice:8080 https://web.service.com;
    }
}

之前我只是在撰写文件中添加了web_servicemysql,我为web_server 公开了port 80:8080

对这个问题有什么想法吗?

【问题讨论】:

    标签: docker nginx docker-compose


    【解决方案1】:

    设法使用以下配置解决了我的问题:

    upstream docker-webapp {
        server webapp:8080;
    }
    
    server {
        listen 80;
    
        server_name _;
    
        return 301 https://$host$request_uri;
    }
    
    server {
        listen 443 ssl default_server;
        listen [::]:443 ssl default_server;    
    
        server_name www.example.com example.com;
    
        ## Access and error logs.
        access_log /var/log/nginx/access.log;
        error_log  /var/log/nginx/error.log info;
    
        ## Keep alive timeout set to a greater value for SSL/TLS.
        keepalive_timeout 75s;
    
        ## Server certificate and key.
        ssl_certificate         /etc/ssl/certs/certificate.crt;
        ssl_certificate_key     /etc/ssl/certs/certificate.key;
        ssl_dhparam             /etc/ssl/certs/dhparam.pem; 
    
        ssl_protocols TLSv1.2 TLSv1.3;               
        ssl_prefer_server_ciphers on; 
        ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
        ssl_ecdh_curve secp384r1;               
        ssl_session_timeout  10m;
        ssl_session_cache shared:SSL:10m;
        ssl_session_tickets off;                
        ssl_stapling on;                        
        ssl_stapling_verify on;                  
        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
        add_header X-Frame-Options DENY;
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
    
        location / {
            proxy_pass         http://docker-webapp;
            proxy_redirect     off;
            proxy_set_header   Host $host;
            proxy_set_header   X-Real-IP $remote_addr;
            proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header   X-Forwarded-Host $server_name;
        }
    }
    

    以及在此处找到的信息:https://cipherli.st/

    附带说明,我部署的 webapp 需要对其自身进行健康检查,因此我需要将公共证书安装到 webapp 容器的密钥库中。最重要的是,它也只支持TLSv1.2,因此我将TLSv1.2 添加到ssl_protocols 行。

    【讨论】:

      【解决方案2】:

      这并不能直接回答你的问题,但你可以试试这个 Nginx 容器;它真的让自动处理 SSL 变得像在公园里散步一样。

      https://hub.docker.com/r/linuxserver/letsencrypt

      【讨论】:

        【解决方案3】:

        由于您的图像中缺少证书配置,因此您需要将 ca-certificate 添加到 docker 系统证书以使用 https(您可以在互联网上查看)。 配置文件中关于安全风险的另一件事是 SSLv3。您应该删除它以避免POODLE 攻击。

        【讨论】:

          猜你喜欢
          • 2018-05-31
          • 1970-01-01
          • 1970-01-01
          • 2016-07-22
          • 2023-04-05
          • 1970-01-01
          • 2020-06-06
          • 1970-01-01
          • 1970-01-01
          相关资源
          最近更新 更多