Adding additional Docker containers behind an NGINX reverse proxy

sczxawaw posted on 2023-01-04 in Nginx
Follow (0) | Answers (1) | Views (142)

I have a Docker Compose file that runs an application using NGINX as a reverse proxy. For STIG Manager and Keycloak the proxy runs over HTTPS, but the other containers I want to add run on different, non-HTTPS ports.

#1 I want to add additional Docker containers behind the proxy.

#2 I want to call the applications using DNS names.
Environment (the server hosting Docker):
gsil-docker1.gsil.mil
Compose file:

version: '3.7'
services:
  nginx:
    # image: nginx:1.23.1
    # alternative image from Ironbank
    image: registry1.dso.mil/ironbank/opensource/nginx/nginx:1.23.1
    volumes:
      - ./nginx/nginx.conf:/etc/nginx/nginx.conf
      - ./certs/localhost/localhost.crt:/etc/nginx/cert.pem
      - ./certs/localhost/localhost.key:/etc/nginx/privkey.pem
      - ./certs/dod/Certificates_PKCS7_v5.9_DoD.pem.pem:/etc/nginx/dod-certs.pem
      - ./nginx/index.html:/usr/share/nginx/html/index.html
    ports:
    - "443:443"
  keycloak:
    # image: quay.io/keycloak/keycloak:19.0.2
    # alternative image from Ironbank
    image: registry1.dso.mil/ironbank/opensource/keycloak/keycloak:19.0.2
    environment:
      - KEYCLOAK_ADMIN=admin
      - KEYCLOAK_ADMIN_PASSWORD=Pa55w0rd
      - KC_PROXY=edge
      - KC_HOSTNAME_URL=https://localhost/kc/
      - KC_HOSTNAME_ADMIN_URL=https://localhost/kc/
      - KC_SPI_X509CERT_LOOKUP_PROVIDER=nginx
      - KC_SPI_X509CERT_LOOKUP_NGINX_SSL_CLIENT_CERT=SSL-CLIENT-CERT
      - KC_SPI_TRUSTSTORE_FILE_FILE=/tmp/truststore.p12
      - KC_SPI_TRUSTSTORE_FILE_PASSWORD=password
    command: start --import-realm
    volumes:
      - ./certs/dod/Certificates_PKCS7_v5.9_DoD.pem.p12:/tmp/truststore.p12
      - ./kc/stigman_realm.json:/opt/keycloak/data/import/stigman_realm.json
      - ./kc/create-x509-user.jar:/opt/keycloak/providers/create-x509-user.jar
      # uncomment below to persist Keycloak data
      # - ./kc/h2:/opt/keycloak/data/h2
  stigman:
    # image: nuwcdivnpt/stig-manager:1.2.20
    # alternative image based on Ironbank Node.js
    image: nuwcdivnpt/stig-manager:latest-ironbank
    environment:
      - STIGMAN_OIDC_PROVIDER=http://keycloak:8080/realms/stigman
      - STIGMAN_CLIENT_OIDC_PROVIDER=https://localhost/kc/realms/stigman
      - STIGMAN_CLASSIFICATION=U
      - STIGMAN_DB_HOST=mysql
      - STIGMAN_DB_USER=stigman
      - STIGMAN_DB_PASSWORD=stigmanpw
      # uncomment below to fetch current STIG library from DISA and import it
      # - STIGMAN_INIT_IMPORT_STIGS=true
    init: true
  mysql:
    # image: mysql:8.0.21
    # alternative image from Ironbank
    image: registry1.dso.mil/ironbank/opensource/mysql/mysql8:8.0.31
    environment:
      - MYSQL_ROOT_PASSWORD=rootpw
      - MYSQL_USER=stigman
      - MYSQL_DATABASE=stigman
      - MYSQL_PASSWORD=stigmanpw
    # uncomment below to persist MySQL data
    volumes:
      - ./mysql-data:/var/lib/mysql

Nginx config:

events {
  worker_connections  4096;  ## Default: 1024
}
pid        /var/cache/nginx/nginx.pid;
http {
    server {
        listen                      443 ssl;
        server_name                 localhost;
        root                        /usr/share/nginx/html;
        client_max_body_size        100M;
        ssl_certificate             /etc/nginx/cert.pem;
        ssl_certificate_key         /etc/nginx/privkey.pem;
        ssl_prefer_server_ciphers   on;
        
        ssl_client_certificate      /etc/nginx/dod-certs.pem;
        ssl_verify_client           optional;
        ssl_verify_depth            4;
        
        error_log                   /var/log/nginx/error.log debug;

        if ($return_unauthorized) { return 496; }

        location / {
            autoindex on;
            ssi on;
        }
        location /stigman/ {
            proxy_pass              http://stigman:54000/;
        }
        location /kc/ {
            proxy_pass              http://keycloak:8080/;
            proxy_set_header        Host               $host;
            proxy_set_header        X-Real-IP          $remote_addr;
            proxy_set_header        X-Forwarded-For    $proxy_add_x_forwarded_for;
            proxy_set_header        X-Forwarded-Host   $host;
            proxy_set_header        X-Forwarded-Server $host;
            proxy_set_header        X-Forwarded-Port   $server_port;
            proxy_set_header        X-Forwarded-Proto  $scheme;
            proxy_set_header        ssl-client-cert    $ssl_client_escaped_cert;
            proxy_buffer_size       128k;
            proxy_buffers           4 256k;
            proxy_busy_buffers_size 256k;
        }
    }

    # define which endpoints require mTLS
    map_hash_bucket_size 128;
    map $uri $secured_url {
        default false;
        "/kc/realms/stigman/protocol/openid-connect/auth" true;
    }

    map "$secured_url:$ssl_client_verify" $return_unauthorized {
            default 0;
            "true:FAILED" 1;
            "true:NONE" 1;
            "true:" 1;
    }
}

I have tried adding settings to my docker-compose and nginx, but I could not get it to work.
Docker Compose addition:

networks:
  default:
    name: grafana_default
    external: true

nginx addition:

server {
    listen      80;
    server_name grafana.gsil.mil;
    location / {
        proxy_pass  http://grafana.gsil.smil:3000/;
    }
}

Additionally, I have created a CNAME DNS entry for grafana.gsil.mil and pointed it to gsil-docker1.gsil.mil
The container applications are all running, and I can access each of them separately via:

  • gsil-docker1.gsil.mil/stigman
  • gsil-docker1.gsil.mil/kc
  • gsil-docker1.gsil.mil:3000

Docker Compose file for grafana:

version: '3.0'

volumes: 
  grafana-data:

services:
  grafana:
    container_name: grafana
    image:  registry1.dso.mil/ironbank/opensource/grafana/grafana:9.3.2
    environment:
      - grafana.config 
    restart: always
    volumes:
      - grafana-data:/var/lib/grafana
    ports:
    - 3000:3000/tcp

I have done a lot of searching, but the examples I find tend to show http on nginx with http backend applications. I am having trouble finding something that helps tie all this together. Can you have an https proxy for an http backend application? Or do I need to create certificates and have all my backend applications run https?

vaqhlq81 (answer 1)

This was easy to fix. I needed to add port 80 for my nginx configuration in my docker-compose file. NGINX cannot proxy http traffic when it is only listening for https (so add http).

version: '3.7'
services:
  nginx:
    ports:
        - "443:443"
        - "80:80"

My guesses about these specific items were all correct:

  • Make Docker aware of the external network (when the container you want to add/proxy is not part of the same network):

    networks:
      default:
        name: grafana_default
        external: true

  • Adding the DNS CNAME entry was correct.
    I have created a CNAME DNS entry for grafana.gsil.mil and pointed it to gsil-docker1.gsil.mil

  • The appropriate lines must be added to nginx.conf for each additional container that needs to be added:

    server {
        listen      80;
        server_name grafana.gsil.mil;
        location / {
            proxy_pass  http://grafana.gsil.smil:3000/;
        }
    }
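The accepted fix publishes Grafana over plain HTTP on port 80, even though the asker's own question was whether an HTTPS proxy can front an HTTP backend. It can: the existing /stigman/ and /kc/ locations already do exactly that (TLS ends at nginx, the upstream is http://). The configuration below is an added example, not part of the question or the answer, showing the same pattern applied to the Grafana virtual host: port 80 only redirects, port 443 terminates TLS with the certificate files already mounted in the compose file, and the backend is reached as http://grafana:3000 (the container_name from the grafana compose file, reachable once nginx joins the external grafana_default network). The hostname grafana:3000 and the redirect block are assumptions for the example. Two caveats: the mounted certificate comes from ./certs/localhost/, so browsers will only trust it for grafana.gsil.mil if that name is in its SAN list (otherwise issue a certificate that covers it); and once Grafana is reachable through the proxy, the "3000:3000" port mapping in the grafana compose file can be dropped so the backend is no longer exposed directly.

```nginx
# Added example: HTTPS front end for an HTTP backend (Grafana), same pattern
# nginx already uses for /stigman/ and /kc/ on this page.

# Plain-HTTP listener for the CNAME: redirect only, proxy nothing.
server {
    listen      80;
    server_name grafana.gsil.mil;
    return 301  https://$host$request_uri;
}

# TLS terminates here; the hop to Grafana stays http inside the Docker network.
server {
    listen      443 ssl;
    server_name grafana.gsil.mil;

    # Same files mounted by the compose file for the localhost server block.
    ssl_certificate             /etc/nginx/cert.pem;
    ssl_certificate_key         /etc/nginx/privkey.pem;
    ssl_prefer_server_ciphers   on;

    location / {
        # "grafana" is the container_name on the shared grafana_default network (assumed).
        proxy_pass              http://grafana:3000/;
        # Forwarded headers so Grafana sees the public host and original scheme,
        # not the proxy's internal address.
        proxy_set_header        Host               $host;
        proxy_set_header        X-Real-IP          $remote_addr;
        proxy_set_header        X-Forwarded-For    $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto  $scheme;
    }
}
```

Both server blocks go inside the existing http { } block next to the localhost server, and the nginx service in docker-compose keeps both "443:443" and "80:80" published, as the answer describes. nginx selects the server block by the TLS SNI / Host name, so requests for gsil-docker1.gsil.mil continue to hit the original block and its mTLS map.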
