我有2个使用docker compose部署的docker容器。
一个是nginx,另一个是我的flask应用程序。我仅将nginx用作静态服务器来加密证书。
如果我在不使用nginx的情况下部署flask应用程序,则可以成功卷曲/ ping服务器。但是,在引入nginx的那一刻,我无法连接。
我要做的是至少通过数字外部IP(例如xx.xx.xx.xx)访问服务器,然后通过指向相同IP的域访问我的服务器。(我的域实际上是一个子域,例如api.domain.com)
我的码头工人组成是:
services:
nginx:
build:
context: ./nginx
dockerfile: Dockerfile
args:
DOMAIN: ${DOMAIN}
FLASK: application
ports:
- 80:80
- 443:443
volumes:
- /etc/letsencrypt:/etc/letsencrypt
depends_on:
- application
application:
build:
context: ./flask_app
dockerfile: Dockerfile
ports:
- 5000:5000
nginx.conf
user nginx;
worker_processes auto;
worker_rlimit_nofile 8192;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
charset utf-8;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
server_tokens off;
log_not_found off;
types_hash_max_size 2048;
client_max_body_size 16M;
include mime.types;
default_type application/octet-stream;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ecdh_curve X25519:sect571r1:secp521r1:secp384r1;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_ciphers 'TLS13+AESGCM+AES128:TLS13+AESGCM+AES256:TLS13+CHACHA20:EECDH+AESGCM:EECDH+CHACHA20';
ssl_stapling on;
ssl_stapling_verify on;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
include conf.d/*.conf;
}
flask_app.conf
server {
listen 80;
listen [::]:80;
server_name www.${DOMAIN} ${DOMAIN};
location ^~ /.well-known/acme-challenge/ {
root /var/www/_letsencrypt;
}
location / {
return 301 https://${DOMAIN}${DOLLAR}request_uri;
}
}
server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
server_name www.${DOMAIN} ${DOMAIN};
ssl_certificate /etc/letsencrypt/live/${DOMAIN}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${DOMAIN}/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/${DOMAIN}/chain.pem;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
# You might want to change the CSP policy to fit your needs - see https://content-security-policy.com/
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';";
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header Allow "GET, POST, HEAD" always;
access_log /var/log/nginx/${DOMAIN}.access.log;
error_log /var/log/nginx/${DOMAIN}.error.log warn;
location / {
proxy_http_version 1.1;
proxy_cache_bypass ${DOLLAR}http_upgrade;
proxy_hide_header X-Powered-By;
proxy_hide_header Server;
proxy_hide_header X-AspNetMvc-Version;
proxy_hide_header X-AspNet-Version;
proxy_set_header Proxy "";
proxy_set_header Upgrade ${DOLLAR}http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host ${DOLLAR}host;
proxy_set_header X-Real-IP ${DOLLAR}remote_addr;
proxy_set_header X-Forwarded-For ${DOLLAR}proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto ${DOLLAR}scheme;
proxy_set_header X-Forwarded-Host ${DOLLAR}host;
proxy_set_header X-Forwarded-Port ${DOLLAR}server_port;
proxy_pass http://application:5000;
}
location ~* \.(?:css|cur|js|jpe?g|gif|htc|ico|png|html|xml|otf|ttf|eot|woff|woff2|svg)${DOLLAR} {
expires 7d;
add_header Pragma public;
add_header Cache-Control public;
proxy_pass http://application:5000;
}
if ( ${DOLLAR}request_method !~ ^(GET|POST|HEAD)${DOLLAR} ) {
return 405;
}
if (${DOLLAR}http_user_agent ~* LWP::Simple|BBBike|wget) {
return 403;
}
location ~ /\.(?!well-known) {
deny all;
}
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;
}
我不确定为什么您的nginx配置包含${DOLLAR}
多个位置。我认为这不是有效的语法,也找不到与此有关的任何文档。像这样的行:
proxy_set_header Host ${DOLLAR}host;
实际上应该是:
proxy_set_header Host $host;
至于${DOMAIN}
在nginx conf中使用,我会避免这种情况并选择更简单的配置。只需在nginx配置文件中指定域:
server_name www.example.com example.com;
我熟悉“复杂配置”下的官方nginx图像文档,它向您展示了如何从正在运行的容器中复制有效的配置,然后根据需要进行修改。
完成这项工作后,如果您确实要在docker-compose文件中指定域,并将nginx配置视为在容器启动时修改的模板,则可以继续阅读“在...中使用环境变量”部分nginx配置”,其中显示了一种解决方法envsubst
。但是,单个站点部署可能不需要这样做。
本文收集自互联网,转载请注明来源。
如有侵权,请联系 [email protected] 删除。
我来说两句