docker 中作为反向代理的 Caddy 拒绝连接到其他容器
Caddy as reverse proxy in docker refuses to connect to other containers
我想在 docker 环境中试用 Caddy,但它似乎无法连接到其他容器。我创建了一个网络“caddy”,并想 运行 在它旁边放一个 portainer。如果我进入 caddy 的卷,我可以看到生成了证书,所以这似乎有效。另外 portainer 是 运行ning 并且可以通过服务器 IP 访问(http://65.21.139.246:1000/). But when I access via the url: https://smallhetzi.fading-flame.com/ 我得到一个 502 并且在 caddy 的日志中我可以看到这条消息:
{
"level": "error",
"ts": 1629873106.715402,
"logger": "http.log.error",
"msg": "dial tcp 172.20.0.2:1000: connect: connection refused",
"request": {
"remote_addr": "89.247.255.231:15146",
"proto": "HTTP/2.0",
"method": "GET",
"host": "smallhetzi.fading-flame.com",
"uri": "/",
"headers": {
"Accept-Encoding": [
"gzip, deflate, br"
],
"Accept-Language": [
"de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7"
],
"Cache-Control": [
"max-age=0"
],
"User-Agent": [
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36"
],
"Sec-Fetch-Site": [
"none"
],
"Accept": [
"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9"
],
"Sec-Fetch-Mode": [
"navigate"
],
"Sec-Fetch-User": [
"?1"
],
"Sec-Fetch-Dest": [
"document"
],
"Sec-Ch-Ua": [
"\"Chromium\";v=\"92\", \" Not A;Brand\";v=\"99\", \"Google Chrome\";v=\"92\""
],
"Sec-Ch-Ua-Mobile": [
"?0"
],
"Upgrade-Insecure-Requests": [
"1"
]
},
"tls": {
"resumed": false,
"version": 772,
"cipher_suite": 4865,
"proto": "h2",
"proto_mutual": true,
"server_name": "smallhetzi.fading-flame.com"
}
},
"duration": 0.000580828,
"status": 502,
"err_id": "pq78d9hen",
"err_trace": "reverseproxy.statusError (reverseproxy.go:857)"
}
但是有两个组合文件:
球童:
version: '3.9'
services:
caddy:
image: caddy:2-alpine
container_name: caddy
restart: unless-stopped
ports:
- "80:80"
- "443:443"
volumes:
- ./Caddyfile:/etc/caddy/Caddyfile
- certs-volume:/data
- caddy_config:/config
volumes:
certs-volume:
caddy_config:
networks:
default:
external:
name: caddy
Caddyfile:
{
email simonheiss87@gmail.com
# acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
}
smallhetzi.fading-flame.com {
reverse_proxy portainer:1000
}
和我的 portainer 文件:
version: '3.9'
services:
portainer:
image: portainer/portainer-ce
container_name: portainer
restart: always
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- portainer_data:/data portainer/portainer
entrypoint: /portainer -p :80
ports:
- "1000:80"
volumes:
portainer_data:
networks:
default:
external:
name: caddy
我认为发生的情况是,这两个容器不知何故不在同一个网络中,但我不明白为什么。
现在的解决方法是,当我对我的 Caddyfile 进行此更改时:
smallhetzi.fading-flame.com {
reverse_proxy 65.21.139.246:1000
}
然后我得到一个有效的证书和 portainer ui。但我宁愿不在我的 Caddyfile 上传播 IP。我是否必须为 caddy 配置其他东西以在 docker 中设置为 运行?
我刚从论坛得到帮助,结果发现,那个 caddy 重定向到容器内部的端口,而不是 public 那个。在我的例子中,portainer 在 80 内部运行,所以将 Caddyfile 更改为:
smallhetzi.fading-flame.com {
reverse_proxy portainer:80
}
或这个
smallhetzi.fading-flame.com {
reverse_proxy http://portainer
}
完成任务。这也意味着,我可以摆脱直接通过端口 1000 暴露 portainer。现在我只能通过代理访问它。
希望有人能从中得到一些帮助:)
我想在 docker 环境中试用 Caddy,但它似乎无法连接到其他容器。我创建了一个网络“caddy”,并想 运行 在它旁边放一个 portainer。如果我进入 caddy 的卷,我可以看到生成了证书,所以这似乎有效。另外 portainer 是 运行ning 并且可以通过服务器 IP 访问(http://65.21.139.246:1000/). But when I access via the url: https://smallhetzi.fading-flame.com/ 我得到一个 502 并且在 caddy 的日志中我可以看到这条消息:
{
"level": "error",
"ts": 1629873106.715402,
"logger": "http.log.error",
"msg": "dial tcp 172.20.0.2:1000: connect: connection refused",
"request": {
"remote_addr": "89.247.255.231:15146",
"proto": "HTTP/2.0",
"method": "GET",
"host": "smallhetzi.fading-flame.com",
"uri": "/",
"headers": {
"Accept-Encoding": [
"gzip, deflate, br"
],
"Accept-Language": [
"de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7"
],
"Cache-Control": [
"max-age=0"
],
"User-Agent": [
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36"
],
"Sec-Fetch-Site": [
"none"
],
"Accept": [
"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9"
],
"Sec-Fetch-Mode": [
"navigate"
],
"Sec-Fetch-User": [
"?1"
],
"Sec-Fetch-Dest": [
"document"
],
"Sec-Ch-Ua": [
"\"Chromium\";v=\"92\", \" Not A;Brand\";v=\"99\", \"Google Chrome\";v=\"92\""
],
"Sec-Ch-Ua-Mobile": [
"?0"
],
"Upgrade-Insecure-Requests": [
"1"
]
},
"tls": {
"resumed": false,
"version": 772,
"cipher_suite": 4865,
"proto": "h2",
"proto_mutual": true,
"server_name": "smallhetzi.fading-flame.com"
}
},
"duration": 0.000580828,
"status": 502,
"err_id": "pq78d9hen",
"err_trace": "reverseproxy.statusError (reverseproxy.go:857)"
}
但是有两个组合文件:
球童:
version: '3.9'
services:
caddy:
image: caddy:2-alpine
container_name: caddy
restart: unless-stopped
ports:
- "80:80"
- "443:443"
volumes:
- ./Caddyfile:/etc/caddy/Caddyfile
- certs-volume:/data
- caddy_config:/config
volumes:
certs-volume:
caddy_config:
networks:
default:
external:
name: caddy
Caddyfile:
{
email simonheiss87@gmail.com
# acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
}
smallhetzi.fading-flame.com {
reverse_proxy portainer:1000
}
和我的 portainer 文件:
version: '3.9'
services:
portainer:
image: portainer/portainer-ce
container_name: portainer
restart: always
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- portainer_data:/data portainer/portainer
entrypoint: /portainer -p :80
ports:
- "1000:80"
volumes:
portainer_data:
networks:
default:
external:
name: caddy
我认为发生的情况是,这两个容器不知何故不在同一个网络中,但我不明白为什么。
现在的解决方法是,当我对我的 Caddyfile 进行此更改时:
smallhetzi.fading-flame.com {
reverse_proxy 65.21.139.246:1000
}
然后我得到一个有效的证书和 portainer ui。但我宁愿不在我的 Caddyfile 上传播 IP。我是否必须为 caddy 配置其他东西以在 docker 中设置为 运行?
我刚从论坛得到帮助,结果发现,那个 caddy 重定向到容器内部的端口,而不是 public 那个。在我的例子中,portainer 在 80 内部运行,所以将 Caddyfile 更改为:
smallhetzi.fading-flame.com {
reverse_proxy portainer:80
}
或这个
smallhetzi.fading-flame.com {
reverse_proxy http://portainer
}
完成任务。这也意味着,我可以摆脱直接通过端口 1000 暴露 portainer。现在我只能通过代理访问它。
希望有人能从中得到一些帮助:)