Why does this Nginx conf allow access to Gitlab on other hostnames/ports?
The whole system is inside one Vagrant box. Nginx is installed in the Vagrant box, Gitlab runs in a docker container. I can access Gitlab at http://gitlab/ as defined in /etc/hosts, but it is also reachable at http://gitlab:10080/ and http://192.168.7.7:10080/.
But that port should be closed! Gitlab should only be reachable on my custom URL on port 80.
nginx.conf

    events {
        worker_connections 1024;
    }
    http {
        upstream gitlab {
            server 192.168.7.7:10080;
        }
        server {
            listen 80;
            server_name gitlab-dw;
            port_in_redirect off;
            location / {
                proxy_pass http://gitlab;
            }
        }
    }
docker-compose.yml

    version: '2'
    services:
      redis:
        restart: always
        image: sameersbn/redis:latest
        command:
          - --loglevel warning
        volumes:
          - /opt/redis:/var/lib/redis:Z
      postgresql:
        restart: always
        image: sameersbn/postgresql:9.4-23
        volumes:
          - /opt/postgresql:/var/lib/postgresql:Z
        environment:
          - DB_USER=gitlab
          - DB_PASS=password
          - DB_NAME=gitlabhq_production
          - DB_EXTENSION=pg_trgm
      gitlab:
        restart: always
        image: sameersbn/gitlab:8.9.6-1
        depends_on:
          - redis
          - postgresql
        ports:
          - "192.168.7.7:10080:80"
          - "192.168.7.7:5500:5500"
          - "192.168.7.7:10022:22"
        volumes:
          - /opt/gitlab:/home/git/data:Z
          - /opt/gitlab/logs:/var/log/gitlab
          - ./gitlab-runner/conf:/etc/gitlab-runner
          - /home/vagrant/certs:/certs
        environment:
          - DEBUG=false
          - DB_ADAPTER=postgresql
          - DB_HOST=postgresql
          - DB_PORT=5432
          - DB_USER=gitlab
          - DB_PASS=password
          - DB_NAME=gitlabhq_production
          - REDIS_HOST=redis
          - REDIS_PORT=6379
          - GITLAB_SSH_PORT=10022
          - GITLAB_PORT=10080
          - GITLAB_HOST=127.0.0.1
          - GITLAB_SECRETS_DB_KEY_BASE=superrandomsecret
          - GITLAB_REGISTRY_ENABLED=false
Vagrantfile

    Vagrant.configure(2) do |config|
      if Vagrant.has_plugin?("vagrant-cachier")
        config.cache.scope = :box
      end
      config.vm.define "jenkins-gitlab" do |config|
        config.vm.box = "ubuntu/trusty64"
        config.vm.hostname = "jenkins-gitlab"
        config.vm.boot_timeout = 300
        config.vm.provision :shell, path: "provision.sh"
        # Since we mount the dir using NFS we need a private network
        config.vm.network :private_network, ip: "192.168.7.7"
        config.vm.synced_folder "docker-compose", "/home/vagrant/docker-compose"
        config.vm.provider "virtualbox" do |vb|
          vb.gui = false
          vb.memory = 8192
          vb.cpus = 4
        end
      end
    end
/etc/hosts (partial, on the host)
192.168.7.7 gitlab-dw
192.168.7.7 jenkins-gitlab # VAGRANT: 7fb8647acc689de630f1c7e6550fd33f (jenkins-gitlab) / 9d0a108b-f842-4787-83e5-cfebecbb9d1e
/etc/hosts (on the Vagrant guest)
192.168.7.7 gitlab-dw
[Update]
Also, if I change my DOCKER_OPTS="--iptables=false" in /etc/default/docker, the port forwarding still works.
If I connect to my container with docker exec -it containername /bin/bash and run sudo iptables -L, the container's iptables looks like this:
root@11bb3902cb02:/# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DOCKER-ISOLATION all -- anywhere anywhere
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER (1 references)
target prot opt source destination
Chain DOCKER-ISOLATION (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
You are running your Nginx instance outside of Docker. Therefore the Docker port has to be exposed so that Nginx can connect to the service inside Docker. Once it is exposed, you can connect to that service as well, just like Nginx does.
Can't solve your problem w/o rethinking the whole design.
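Why the port stays open, and the narrower fix. This is an added example for this question, not code from the question, from either answer, or from the sameersbn/gitlab project. The entry `"192.168.7.7:10080:80"` publishes the container's port 80 on the VM's private-network address, so anything that can reach 192.168.7.7 (the Vagrant host included) can connect, not only Nginx. Disabling Docker's iptables rules does not change that: the published port is still held open on that address by Docker's userland proxy (docker-proxy), which is why forwarding kept working in the update. Binding the published port to 127.0.0.1 instead keeps it reachable for the Nginx on the same VM while closing it to the network; the matching Nginx change is `server 127.0.0.1:10080;` in the `upstream gitlab` block. The script below parses compose `ports:` entries, reports which are network-reachable, rewrites the chosen ones to loopback, and checks an `ss -ltn` listing for the result. The port list is taken from the question's docker-compose.yml; the `ss` output is constructed for the example.

```python
"""Audit docker-compose `ports:` entries and rewrite the ones a reverse proxy
on the same host fronts so they bind only to loopback.

Added example; not code from the question, the answers or sameersbn/gitlab.
Sample inputs: the question's port list and a constructed `ss -ltn` listing.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Host addresses that only local processes (e.g. the Nginx on the VM) can reach.
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


@dataclass(frozen=True)
class PortSpec:
    host_ip: Optional[str]   # None means "every interface", i.e. 0.0.0.0
    host_port: str           # "" means "let Docker pick an ephemeral port"
    container_port: str
    proto: str = "tcp"

    def render(self) -> str:
        """Back to compose short syntax: [HOST_IP:][HOST_PORT:]CONTAINER_PORT[/PROTO]."""
        parts = []
        if self.host_ip is not None:
            ip = f"[{self.host_ip}]" if ":" in self.host_ip else self.host_ip
            parts += [ip, self.host_port]  # "ip::80" = that ip, ephemeral host port
        elif self.host_port:
            parts.append(self.host_port)
        parts.append(self.container_port)
        spec = ":".join(parts)
        return spec if self.proto == "tcp" else f"{spec}/{self.proto}"

    def network_reachable(self) -> bool:
        """True if a client elsewhere on the network can connect to this port."""
        return self.host_ip is None or self.host_ip not in LOOPBACK


def parse_port_spec(spec: str) -> PortSpec:
    """Parse the compose short syntax, including bracketed IPv6 host addresses."""
    spec = str(spec).strip()
    proto = "tcp"
    if "/" in spec:
        spec, proto = spec.rsplit("/", 1)
    host_ip = None
    m = re.match(r"^\[([^\]]+)\]:(.*)$", spec)  # e.g. "[::1]:8080:80"
    if m:
        host_ip, spec = m.group(1), m.group(2)
        parts = spec.split(":")
    else:
        parts = spec.split(":")
        if len(parts) == 3:
            host_ip = parts.pop(0)
    if len(parts) == 2:
        host_port, container_port = parts
    elif len(parts) == 1:
        host_port, container_port = "", parts[0]
    else:
        raise ValueError(f"unrecognised port spec: {spec!r}")
    return PortSpec(host_ip, host_port, container_port, proto)


def network_exposed(ports: List[str]) -> List[str]:
    """Entries a client on the VM's network (or the Vagrant host) can reach."""
    return [p for p in ports if parse_port_spec(p).network_reachable()]


def bind_to_loopback(ports: List[str], host_ports: Set[str]) -> List[str]:
    """Rewrite entries whose host port is in `host_ports` to bind 127.0.0.1.
    Others are left alone: 10022 (git over SSH) is not proxied by Nginx and
    must stay reachable if the host pushes over SSH."""
    out = []
    for p in ports:
        ps = parse_port_spec(p)
        if ps.host_port in host_ports:
            ps = PortSpec("127.0.0.1", ps.host_port, ps.container_port, ps.proto)
        out.append(ps.render())
    return out


def network_listeners(ss_output: str, port: str) -> List[str]:
    """From `ss -ltn` output, return the non-loopback local addresses that
    listen on `port`. An empty list means the port is closed to the network."""
    found = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 4 or cols[0] != "LISTEN":
            continue
        addr, _, lport = cols[3].rpartition(":")
        if lport == port and addr.strip("[]") not in LOOPBACK:
            found.append(addr)
    return found


# Port list from the question's docker-compose.yml.
COMPOSE_PORTS = ["192.168.7.7:10080:80", "192.168.7.7:5500:5500", "192.168.7.7:10022:22"]

# Constructed listener table for the VM before the change (real box: `ss -ltnp`).
SS_BEFORE = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    192.168.7.7:10080  *:*
LISTEN 0      128    *:80               *:*
LISTEN 0      128    127.0.0.1:6379     *:*
"""

if __name__ == "__main__":
    print("reachable from the network:", network_exposed(COMPOSE_PORTS))
    print("rewritten ports:", bind_to_loopback(COMPOSE_PORTS, {"10080"}))
    # Nginx side after the rewrite: upstream gitlab { server 127.0.0.1:10080; }
    print("10080 still open on:", network_listeners(SS_BEFORE, "10080"))
```

After changing the compose entry to `"127.0.0.1:10080:80"` and the upstream to `server 127.0.0.1:10080;`, `ss -ltnp | grep 10080` on the guest should list only 127.0.0.1, and a connection to http://192.168.7.7:10080/ from the host should be refused. One caveat on the hostname half of the title: with a single `server` block, Nginx treats it as the default server and answers for any Host header, not just gitlab-dw; to refuse other names, add a separate `listen 80 default_server;` block that returns 444.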
After destroying the whole vagrant box, checking everything and starting it again, it works now.
Perhaps one problem was that I did not copy nginx.conf as a file named default into /etc/nginx/sites-available/, but copied it to /etc/nginx.conf instead.
It works now; I don't know what exactly the problem was, but it is solved.