Implementation of Nginx Container for Reverse Proxying and SSL certificates for Django Containers inside Docker Swarm
I want to deploy a Django application with Docker Swarm. I was following this guide, which does not use Docker Swarm or docker-compose, and specifically created two Django containers, one Nginx container, and a Certbot container for the SSL certificate. The Nginx container reverse proxies and load balances across the two Django containers, which are on the two servers, using their IPs:
upstream django {
    server APP_SERVER_1_IP;
    server APP_SERVER_2_IP;
}

server {
    listen 80 default_server;
    return 444;
}

server {
    listen 80;
    listen [::]:80;
    server_name your_domain.com;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name your_domain.com;

    # SSL
    ssl_certificate /etc/letsencrypt/live/your_domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/your_domain.com/privkey.pem;
    ssl_session_cache shared:le_nginx_SSL:10m;
    ssl_session_timeout 1440m;
    ssl_session_tickets off;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";

    client_max_body_size 4G;
    keepalive_timeout 5;

    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_pass http://django;
    }

    location ^~ /.well-known/acme-challenge/ {
        root /var/www/html;
    }
}
I want to implement all this same functionality but with Docker Swarm so that I can scale the containers with one command: docker service update --replicas 3 <servicename>
The problem is I am not able to understand how to implement the Nginx container in this scenario. Docker Swarm provides its own load balancing, so I did not need Nginx for that, but Nginx is still needed for SSL certificates. So how do I implement Nginx in Swarm so it would provide SSL certificates for all nodes and reverse proxy to Django containers? I only used Nginx before for reverse proxying, so I am not able to figure out how to write the Nginx conf and make the Nginx container work with the Django container, with SSL included, all inside a Docker Swarm.
####################
# docker-stack.yml #
####################
version: '3.7'
services:
  web:
    image: 127.0.0.1:5000/django-image
    deploy:
      replicas: 3
    command: gunicorn mydjangoapp.wsgi:application --bind 0.0.0.0:8000
    expose:
      - 8000
    depends_on:
      - nginx
  nginx:
    image: 127.0.0.1:5000/nginx-image
    deploy:
      replicas: 2
    ports:
      - 80:80
    depends_on:
      - web
nginx.conf that I used for compose-file for pointing towards one Django Container
upstream django {
    server web:8000; # web is name of django service
}

server {
    #SSL STUFF
    listen 80;

    location / {
        proxy_pass http://django;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_redirect off;
    }
}
So, between nginx and the world you can choose to let Docker's ingress loadbalance to your nginx instances, or use an external loadbalancer. If you had a fixed set of nodes that an external loadbalancer was pointing to then
nginx:
  image: 127.0.0.1:5000/nginx-image
  ports:
    - 443:443
  networks:
    - proxy
  deploy:
    mode: global
    placement:
      constraints:
        - node.labels.myorg.lb==true
and label the corresponding nodes with myorg.lb=true
Next, as to your service, docker basically has 2 ways of advertising replicated services: vip and dnsrr. With vip mode - the default - docker will assign a single ip address to the name "web" - which is what you give to the nginx replicas, and then it will loadbalance traffic between that. You can switch a service to dnsrr mode, in which case dns queries on web will be a dynamic changing list of the current ips of all the service replicas. Alternatively, you can use the explicit name tasks.<service> to get the same dnsrr entry.
Now. I don't know if nginx supports loadbalancing to dnsrr out of the box, but I do know that it caches entries for a long time and so you will want to set up nginx with an explicit resolver (127.0.0.11) with a short refresh interval.
web:
  image: 127.0.0.1:5000/django-image
  command: gunicorn mydjangoapp.wsgi:application --bind 0.0.0.0:8000
  networks:
    - proxy
  deploy:
    replicas: 3
    endpoint_mode: dnsrr
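The resolver advice above written out as an nginx.conf, added here as an example and not part of the original answer. It assumes the Django service is named web and listens on 8000, that nginx and web share the proxy overlay network, and that the Let's Encrypt paths from the question are mounted into the nginx container; your_domain.com is a placeholder.

```nginx
# Added example. Docker's embedded DNS server answers on 127.0.0.11 inside
# every container. valid=10s overrides the record TTL, so nginx re-queries
# at most 10 seconds after replicas are added or removed.
resolver 127.0.0.11 valid=10s;

server {
    listen 443 ssl http2;
    server_name your_domain.com;

    # TLS terminates here; traffic to the Django replicas stays on the
    # overlay network as plain HTTP.
    ssl_certificate     /etc/letsencrypt/live/your_domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/your_domain.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_session_tickets off;

    location / {
        # A literal hostname in proxy_pass (or in an upstream block) is
        # resolved once when the configuration is loaded. Putting the
        # target in a variable makes nginx look it up through the
        # resolver above while handling requests, so the changing
        # dnsrr address list for tasks.web is followed.
        set $django_upstream http://tasks.web:8000;
        proxy_pass $django_upstream;

        # Same forwarding headers as the configuration in the question,
        # so Django sees the original host, client address and scheme.
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_redirect off;
    }

    # Certbot webroot challenge directory, as in the question's config.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/html;
    }
}
```

With the default vip endpoint mode the name web resolves to a single stable virtual IP, so the variable and short valid= interval matter only for dnsrr or tasks.<service> names.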