
How to proxy_pass to a node docker container on port 80 with nginx container

In short, I'm trying to set up an nginx container to proxy_pass to other containers on port 80.

I was following along with this tutorial: https://dev.to/domysee/setting-up-a-reverse-proxy-with-nginx-and-docker-compose-29jg

They describe having a docker compose file that looks something like:

version: '3'
services:
  nginx: 
    image: nginx:latest
    container_name: production_nginx
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf
      - ./nginx/error.log:/etc/nginx/error_log.log
      - ./nginx/cache/:/etc/nginx/cache
      - /etc/letsencrypt/:/etc/letsencrypt/
    ports:
      - 80:80
      - 443:443

  your_app_1:
    image: your_app_1_image:latest
    container_name: your_app_1
    expose:
      - "80"

  your_app_2:
    image: your_app_2_image:latest
    container_name: your_app_2
    expose:
      - "80"

  your_app_3:
    image: your_app_3_image:latest
    container_name: your_app_3
    expose:
      - "80"

Then in the nginx config they do a proxy_pass based on the path like this:

proxy_pass http://your_app_1:80;

This all makes sense to me, however when I was making a test node server to listen on port 80, I'm getting the error: Error: listen EACCES: permission denied 0.0.0.0:80. In my Dockerfile for the node server, I'm using a different user:

USER node

I know I'm getting this error because non-root users are not supposed to be able to bind below port 1024 or something. And I know it's bad practice to run as root in a container... so how in the world is something like this possible? I feel like I'm missing something here. It would be nice to not have to remember some custom high port your server is running on every time you do a proxy_pass in nginx... or is that just a fact of life?

I see zero issues in doing an expose on the port, as long as we don't publish the port.

EXPOSE will not allow communication via the defined ports to containers outside of the same network or to the host machine. To allow this to happen you need to publish the ports.

But it's doable at the cost of adding security holes by granting kernel capabilities using the --add-cap flag on the Docker client or the Docker-Compose cap_add. NET_BIND_SERVICE is the capability that we should be adding.
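One way to wire this up, as an added example that is neither the tutorial's file nor the answerer's: a compose file where only nginx is published to the host, while your_app_1 keeps running as the non-root node user, gets just the NET_BIND_SERVICE capability with everything else dropped, and is reached by nginx on port 80 by service name. Service and container names are the question's; the read-only mount, the setcap line, the sysctl alternative and the nginx.conf layout are assumptions.

```yaml
# Added example, not the tutorial's or the answerer's file: compose setup in
# which only nginx is published to the host, while your_app_1 keeps running as
# the non-root "node" user and still listens on port 80 inside its container.
# Service and container names come from the question; everything marked
# "assumed" is not on the page.
version: '3'
services:
  nginx:
    image: nginx:latest
    container_name: production_nginx
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf:ro   # read-only mount (assumed)
    ports:
      - "80:80"              # the only port published on the host
    depends_on:
      - your_app_1

  your_app_1:
    image: your_app_1_image:latest
    container_name: your_app_1
    user: node               # same as USER node in the Dockerfile
    expose:
      - "80"                 # reachable by nginx on the compose network only
    # Least privilege: drop Docker's default capability set first, then grant
    # back only the one a port-80 listener needs. The docker run equivalent
    # is --cap-drop ALL --cap-add NET_BIND_SERVICE.
    cap_drop:
      - ALL
    cap_add:
      - NET_BIND_SERVICE
    # Caveat: Docker does not make added capabilities ambient, so a process
    # started as a non-root user only keeps NET_BIND_SERVICE if the node
    # binary carries it as a file capability, e.g. in the Dockerfile (assumed):
    #   RUN setcap cap_net_bind_service=+ep "$(which node)"
    # Alternative without any capability (kernel 4.11 or newer): lower the
    # privileged-port boundary inside the container's own network namespace.
    # sysctls:
    #   - net.ipv4.ip_unprivileged_port_start=0

# nginx.conf fragment (assumed layout): nginx routes by path and talks to the
# container by its service name, so no custom high port has to be remembered.
#   location /app1/ {
#       proxy_pass http://your_app_1:80/;
#   }
```

After `docker-compose up`, `docker inspect your_app_1` under HostConfig shows CapDrop ALL and CapAdd NET_BIND_SERVICE, which is the quick check that no other capability was granted.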
