Docker nginx 代理容器的网络问题
Docker network issues with nginx proxy container
我目前正在尝试设置一个由 nginx 和 运行 代理的基于 docker 的 jira 和 confluence 平台,以解决某种路由和网络问题。
基本设置由三个 docker 容器组成 - nginx 容器处理特定域名的 https 请求(例如 jira.mydomain.com、confluence.mydomain.com)和重定向(proxy_pass) 对 jira 和 confluence 的特定容器的请求。
此设置通常有效 - 我可以通过在浏览器中打开 https://jira.mydomain.com and the confluence instance by opening https://confluence.mydomain.com 来访问 jira 实例。
我 运行 遇到的问题在登录 jira 时变得可见:
并按照 Find-out-more-link 到:
所提供的 JIRA health check link unfortunately did not help me to identify and solve the problem. Instead some exceptions in the log file lead to some more hints 问题的建议解决方案:
2017-06-07 15:04:26,980 http-nio-8080-exec-17 ERROR christian.schlaefcke 904x1078x1 eqafq3 84.141.114.234,172.17.0.7 /rest/applinks/3.0/applicationlinkForm/manifest.json [c.a.a.c.rest.ui.CreateApplicationLinkUIResource] ManifestNotFoundException thrown while retrieving manifest
ManifestNotFoundException thrown while retrieving manifest
com.atlassian.applinks.spi.manifest.ManifestNotFoundException: java.net.NoRouteToHostException: No route to host (Host unreachable)
...
Caused by: java.net.NoRouteToHostException: No route to host (Host unreachable)
当我遵循 this Atlassian knowledge base article 和 运行 的提示时,这个来自 JIRA 容器内部的 curl 语句:
curl -H "Accept: application/json" https://jira.mydomain.com/rest/applinks/1.0/manifest -v
我终于得到这个错误:
* Trying <PUBLIC_IP>...
* connect to <PUBLIC_IP> port 443 failed: No route to host
* Failed to connect to jira.mydomain.com port 443: No route to host
* Closing connection 0
curl: (7) Failed to connect to jira.mydomain.com port 443: No route to host
编辑:
外部 URL jira.mydomain.com 可以从容器内部 ping 通:
root@c9233dc17588:# ping jira.mydomain.com
PING jira.mydomain.com (<PUBLIC_IP>) 56(84) bytes of data.
64 bytes from rs226736.mydomain.com (<PUBLIC_IP>): icmp_seq=1 ttl=64 time=0.082 ms
64 bytes from rs226736.mydomain.com (<PUBLIC_IP>): icmp_seq=2 ttl=64 time=0.138 ms
64 bytes from rs226736.mydomain.com (<PUBLIC_IP>): icmp_seq=3 ttl=64 time=0.181 ms
从 JIRA 容器外部(例如 docker 主机或其他机器)curl 语句工作正常!
总的来说,我对 linux 有很好的体验,但我对网络、路由和 iptables 的了解相当有限。 Docker 是 运行 当前的 17.03.1-ce 版本结合 docker 在 centos 7 系统上组成:
~]# uname -a
Linux rs226736 3.10.0-514.21.1.el7.x86_64 #1 SMP Thu May 25 17:04:51 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
目前我什至不明白这到底是什么问题(iptables?,路由,docker?)以及如何调试它:-(
我尝试了通过 google 找到的一些 iptables 和 nginx 相关提示 - 但都没有成功。任何指向正确方向的提示都将不胜感激。
要求的配置:
NGINX docker-compose.yml
nginx:
image: nginx
container_name: nginx
ports:
- 80:80
- 443:443
external_links:
- my_domain-jira
- my_domain-confluence
volumes:
- /opt/docker/logs/nginx:/var/log/nginx
- ./nginx.conf:/etc/nginx/nginx.conf
- ./certs/jira.mydomain.com.crt:/etc/ssl/certs/jira.mydomain.com.crt
- ./certs/jira.mydomain.com.key:/etc/ssl/private/jira.mydomain.com.key
- ./certs/confluence.mydomain.com.crt:/etc/ssl/certs/confluence.mydomain.com.crt
- ./certs/confluence.mydomain.com.key:/etc/ssl/private/confluence.mydomain.com.key
JIRA docker-compose.yml(Confluence 类似):
jira:
container_name: my_domain-jira
build: .
external_links:
- postgres
volumes:
- ./inst/conf/server.xml:/opt/jira/conf/server.xml
- ./inst/bin/setenv.sh:/opt/jira/bin/setenv.sh
- /home/jira:/opt/atlassian-home
- /opt/docker/logs/jira:/opt/jira/logs
- /etc/localtime:/etc/localtime:ro
NGINX - nginx.conf
upstream jira {
server my_domain-jira:8080;
}
# begin jira configuration
server {
listen 80;
server_name jira.mydomain.com;
client_max_body_size 500M;
rewrite ^ https://$server_name$request_uri? permanent;
}
server {
listen 443 ssl;
server_name jira.mydomain.com;
ssl on;
ssl_certificate /etc/ssl/certs/jira.mydomain.com.crt;
ssl_certificate_key /etc/ssl/private/jira.mydomain.com.key;
ssl_session_timeout 5m;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK';
server_tokens off;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
client_max_body_size 500M;
location / {
proxy_pass http://jira/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_cache_bypass $http_upgrade;
}
}
想法(nginx / proxy_pass / 上游)主要来自:
在与虚拟服务器提供商讨论后发现,plesk 防火墙和 iptables 之间的防火墙规则冲突导致了这个问题。在供应商修复冲突后,可以访问容器。
这个问题现在已经解决了 - 感谢所有参与的人!
我目前正在尝试设置一个由 nginx 和 运行 代理的基于 docker 的 jira 和 confluence 平台,以解决某种路由和网络问题。
基本设置由三个 docker 容器组成 - nginx 容器处理特定域名的 https 请求(例如 jira.mydomain.com、confluence.mydomain.com)和重定向(proxy_pass) 对 jira 和 confluence 的特定容器的请求。
此设置通常有效 - 我可以通过在浏览器中打开 https://jira.mydomain.com and the confluence instance by opening https://confluence.mydomain.com 来访问 jira 实例。
我 运行 遇到的问题在登录 jira 时变得可见:
并按照 Find-out-more-link 到:
所提供的 JIRA health check link unfortunately did not help me to identify and solve the problem. Instead some exceptions in the log file lead to some more hints 问题的建议解决方案:
2017-06-07 15:04:26,980 http-nio-8080-exec-17 ERROR christian.schlaefcke 904x1078x1 eqafq3 84.141.114.234,172.17.0.7 /rest/applinks/3.0/applicationlinkForm/manifest.json [c.a.a.c.rest.ui.CreateApplicationLinkUIResource] ManifestNotFoundException thrown while retrieving manifest
ManifestNotFoundException thrown while retrieving manifest
com.atlassian.applinks.spi.manifest.ManifestNotFoundException: java.net.NoRouteToHostException: No route to host (Host unreachable)
...
Caused by: java.net.NoRouteToHostException: No route to host (Host unreachable)
当我遵循 this Atlassian knowledge base article 和 运行 的提示时,这个来自 JIRA 容器内部的 curl 语句:
curl -H "Accept: application/json" https://jira.mydomain.com/rest/applinks/1.0/manifest -v
我终于得到这个错误:
* Trying <PUBLIC_IP>...
* connect to <PUBLIC_IP> port 443 failed: No route to host
* Failed to connect to jira.mydomain.com port 443: No route to host
* Closing connection 0
curl: (7) Failed to connect to jira.mydomain.com port 443: No route to host
编辑: 外部 URL jira.mydomain.com 可以从容器内部 ping 通:
root@c9233dc17588:# ping jira.mydomain.com
PING jira.mydomain.com (<PUBLIC_IP>) 56(84) bytes of data.
64 bytes from rs226736.mydomain.com (<PUBLIC_IP>): icmp_seq=1 ttl=64 time=0.082 ms
64 bytes from rs226736.mydomain.com (<PUBLIC_IP>): icmp_seq=2 ttl=64 time=0.138 ms
64 bytes from rs226736.mydomain.com (<PUBLIC_IP>): icmp_seq=3 ttl=64 time=0.181 ms
从 JIRA 容器外部(例如 docker 主机或其他机器)curl 语句工作正常!
总的来说,我对 linux 有很好的体验,但我对网络、路由和 iptables 的了解相当有限。 Docker 是 运行 当前的 17.03.1-ce 版本结合 docker 在 centos 7 系统上组成:
~]# uname -a
Linux rs226736 3.10.0-514.21.1.el7.x86_64 #1 SMP Thu May 25 17:04:51 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
目前我什至不明白这到底是什么问题(iptables?,路由,docker?)以及如何调试它:-(
我尝试了通过 google 找到的一些 iptables 和 nginx 相关提示 - 但都没有成功。任何指向正确方向的提示都将不胜感激。
要求的配置:
NGINX docker-compose.yml
nginx:
image: nginx
container_name: nginx
ports:
- 80:80
- 443:443
external_links:
- my_domain-jira
- my_domain-confluence
volumes:
- /opt/docker/logs/nginx:/var/log/nginx
- ./nginx.conf:/etc/nginx/nginx.conf
- ./certs/jira.mydomain.com.crt:/etc/ssl/certs/jira.mydomain.com.crt
- ./certs/jira.mydomain.com.key:/etc/ssl/private/jira.mydomain.com.key
- ./certs/confluence.mydomain.com.crt:/etc/ssl/certs/confluence.mydomain.com.crt
- ./certs/confluence.mydomain.com.key:/etc/ssl/private/confluence.mydomain.com.key
JIRA docker-compose.yml(Confluence 类似):
jira:
container_name: my_domain-jira
build: .
external_links:
- postgres
volumes:
- ./inst/conf/server.xml:/opt/jira/conf/server.xml
- ./inst/bin/setenv.sh:/opt/jira/bin/setenv.sh
- /home/jira:/opt/atlassian-home
- /opt/docker/logs/jira:/opt/jira/logs
- /etc/localtime:/etc/localtime:ro
NGINX - nginx.conf
upstream jira {
server my_domain-jira:8080;
}
# begin jira configuration
server {
listen 80;
server_name jira.mydomain.com;
client_max_body_size 500M;
rewrite ^ https://$server_name$request_uri? permanent;
}
server {
listen 443 ssl;
server_name jira.mydomain.com;
ssl on;
ssl_certificate /etc/ssl/certs/jira.mydomain.com.crt;
ssl_certificate_key /etc/ssl/private/jira.mydomain.com.key;
ssl_session_timeout 5m;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK';
server_tokens off;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
client_max_body_size 500M;
location / {
proxy_pass http://jira/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_cache_bypass $http_upgrade;
}
}
想法(nginx / proxy_pass / 上游)主要来自:
在与虚拟服务器提供商讨论后发现,plesk 防火墙和 iptables 之间的防火墙规则冲突导致了这个问题。在供应商修复冲突后,可以访问容器。
这个问题现在已经解决了 - 感谢所有参与的人!