在docker中公开端口-撰写或配置第二个letencrypt证书
[英]Expose port in docker-compose or configure second letsencrypt certificate
问题描述
I'm running a selfhosted gitlab docker instance, but I'm facing some problems configuring the registry as I do get the error 
我正在运行一个自托管的gitlab docker实例,但是在遇到错误时配置我遇到了一些问题
Error response from daemon: Get https://example.com:4567/v2/: dial tcp <IP>:4567: connect: connection refused
for doing docker login example.com:4567 . 用于执行docker login example.com:4567 。
So it seems that I have to expose the port
4567somehow.因此,似乎必须以某种方式公开端口4567。An (better) alternative would be to configure a second domain for the registry - like
registry.example.com.(更好的)替代方案是为注册表配置第二个域,例如registry.example.com。 As you can see below I'm using letsencrypt certificates for my gitlab instance.如下所示,我正在为gitlab实例使用letencrypt证书。 But how do I get a second certificate for the registry? 但是,如何获得注册表的第二份证书?
This is how my docker-compose looks like - I'm using jwilder/nginx-proxy for my reverse proxy. 这就是我的jwilder/nginx-proxy -compose的样子-我将jwilder/nginx-proxy用于反向代理。
docker-compose.yml 泊坞窗,compose.yml
gitlab:
image: gitlab/gitlab-ce:11.9.0-ce.0
container_name: gitlab
networks:
- reverse-proxy
restart: unless-stopped
ports:
- '50022:22'
volumes:
- /opt/gitlab/config:/etc/gitlab
- /opt/gitlab/logs:/var/log/gitlab
- /opt/gitlab/data:/var/opt/gitlab
- /opt/nginx/conf.d:/etc/nginx/conf.d
- /opt/nginx/certs:/etc/nginx/certs:ro
environment:
VIRTUAL_HOST: example.com
VIRTUAL_PROTO: https
VIRTUAL_PORT: 443
LETSENCRYPT_HOST: example.com
LETSENCRYPT_EMAIL: certs@example.com
gitlab.rb gitlab.rb
external_url 'https://example.com'
nginx['redirect_http_to_https'] = true
nginx['ssl_certificate'] = '/etc/nginx/certs/example.com/fullchain.pem'
nginx['ssl_certificate_key'] = '/etc/nginx/certs/example.com/key.pem'
gitlab_rails['backup_keep_time'] = 604800
gitlab_rails['backup_path'] = '/backups'
gitlab_rails['registry_enabled'] = true
registry_external_url 'https://example.com:4567'
registry_nginx['ssl_certificate'] = "/etc/nginx/certs/example.com/fullchain.pem"
registry_nginx['ssl_certificate_key'] = "/etc/nginx/certs/example.com/key.pem"
For the second alternative it would look like: 对于第二种选择,它看起来像:
registry_external_url 'https://registry.example.com'
registry_nginx['ssl_certificate'] = "/etc/nginx/certs/registry.example.com/fullchain.pem"
registry_nginx['ssl_certificate_key'] = "/etc/nginx/certs/registry.example.com/key.pem"
But how do I set this up in my docker-compose? 但是如何在docker-compose中设置呢?
Update 更新
Im configuring nginx just via jwilder package, without changing anyhting. 我只是通过jwilder软件包配置了nginx,没有任何改变。 So this part of my docker-compose.yml file just looks like this: 所以我的docker-compose.yml文件的这一部分看起来像这样:
services:
nginx-proxy:
image: jwilder/nginx-proxy
container_name: nginx-proxy
networks:
- reverse-proxy
ports:
- "80:80"
- "443:443"
volumes:
- /opt/nginx-proxy/vhost.d:/etc/nginx/vhost.d:rw
- /opt/nginx/certs:/etc/nginx/certs:ro
- html:/usr/share/nginx/html
- /var/run/docker.sock:/tmp/docker.sock:ro
nginx-letsencrypt:
image: jrcs/letsencrypt-nginx-proxy-companion
container_name: nginx-letsencrypt
networks:
- reverse-proxy
depends_on:
- nginx-proxy
volumes:
- /opt/nginx-proxy/vhost.d:/etc/nginx/vhost.d:rw
- html:/usr/share/nginx/html
- /opt/nginx/certs:/etc/nginx/certs:rw
- /var/run/docker.sock:/var/run/docker.sock:rw
environment:
NGINX_PROXY_CONTAINER: "nginx-proxy"
1 个解决方案
解决方案1
3 2019-03-26 17:33:12
TL; TL; DR: DR:
So it seems that I have to expose the port 4567 somehow.
Yes, however jwilder/nginx-proxy does not support more than one port per virtual host and port 443 is already exposed. 是的,但是jwilder/nginx-proxy不支持每个虚拟主机一个以上的端口,并且端口443已公开。 There is a pull request for that feature but it has not been merged yet. 该功能有一个拉取请求 ,但尚未合并。 You'll need to expose this port another way (see below) 您需要以其他方式公开此端口(请参见下文)
You are using jwilder/nginx-proxy as reverse proxy to access a Gitlab instance in a container but with your current configuration onlyport 443 is exposed: 您正在使用jwilder/nginx-proxy作为反向代理来访问容器中的Gitlab实例,但使用当前配置,仅公开了端口443 :
environment:
VIRTUAL_HOST: example.com
VIRTUAL_PROTO: https
VIRTUAL_PORT: 443
All other Gitlab services (including the registry on port 4567 ) are not proxied and therefore not reachable through example.com . 所有其他Gitlab服务(包括端口4567上的注册表)均未被代理,因此无法通过example.com访问。
Unfortunately it is not possible yet to expose multiple port on a single hostname with jwilder/nginx-proxy . 不幸的是, 尚无法使用jwilder/nginx-proxy在单个主机名上公开多个端口。 There is a pull request open for that use case but it had not been merged yet (you are not the only one with this kind of issue). 该用例有一个拉取请求 ,但尚未被合并(您不是唯一遇到这种问题的人)。
An (better) alternative would be to configure a second domain for the registry
This won't work if you keep using jwilder/nginx-proxy as even if you changed registry_external_url , you'll still be stuck with the port issue, and you cannot allocate the same port to two different services. 如果您继续使用jwilder/nginx-proxy ,即使您更改了registry_external_url ,这也将无法正常工作,您仍然会遇到端口问题,并且无法将同一端口分配给两个不同的服务。
What you can do: 你可以做什么:
- vote and comment for mentioned PR to be merged :) 对将要合并的PR进行投票和评论:)
- try to build the Docker image from mentionned pull request's fork and configure your compose with something like
VIRTUAL_HOST=example.com:443,example.com:4567尝试从提到的拉取请求的分支构建Docker映像,并使用VIRTUAL_HOST=example.com:443,example.com:4567类的内容配置您的撰写 - configure a reverse proxy manually fort port 4567 - you may wind-up a plain
nginxcontainer in addition with your current configuration which would specifically do this, or re-configure your entire proxying scheme without using jwilder images手动配置反向代理要端口4567-您可以在当前配置的基础上另外添加一个普通的nginx容器,或者专门配置此代理,或者重新配置整个代理方案而无需使用jwilder映像 - update your configuration to expose example.com:4567 instead of example.com:443 but you'll lose HTTPS access. 更新您的配置以暴露example.com:4567而不是example.com:443,但您将失去HTTPS访问权限。 (though it's probably not what you are looking for) (尽管可能不是您要找的东西)
I am aware this does not provide a finite solution but I hope it helps. 我知道这不能提供有限的解决方案,但希望对您有所帮助。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.