Docker environment, nginx reverse proxy, Local or global

Some docker-compose solutions use nginx as a reverse proxy for security reasons when exposing the service to the internet. Would it be more correct to install multiple docker services, each with their own nginx (reverse proxy), or to create one dedicated container holding the nginx service and redirect to all the "local" containers?

I'd almost always do this with only a single Nginx proxy, though more for simplicity than anything security-related.

An especially important pattern is around browser front-ends. Your React or Angular code runs in the browser, not in a container, so it can't use Docker networking; but for both deploy-time configuration and CORS reasons it's much better if the code and the back-end application are served from the same host and port. If you can use /api/whatever as the back-end URL, without embedding a host name or port, it will work anywhere the service can be deployed.

That would bring you a Compose setup like so:

version: '3.8'
services:
  ingress:
    image: nginx
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf:ro
    ports:
      - '8888:80'  # <-- this is the only published port
  frontend:
    build: frontend
    # no ports:, volumes:, networks:, container_name:, etc.
  backend:
    build: backend
    environment:
      - PGHOST=db
  db:
    image: postgres  # the official PostgreSQL image is named postgres
    environment: { ... }
    volumes:
      - pgdata:/var/lib/postgresql/data
volumes:
  pgdata:

In this stack, the only thing you can reach from outside Docker is the ingress container; nothing else has ports:. That's the (production) setup you want. (I tend to minimize differences between dev and prod Docker setups, but adding more ports: to e.g. directly access the database with psql and without docker exec is pretty helpful in non-prod.)

The Nginx configuration then has all of the URL routing you need:

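# events and http wrappers are needed because this file
# replaces /etc/nginx/nginx.conf in the ingress container
events {}

http {
  # Compose service names resolve on the default Compose network
  upstream backend { server backend:3000; }
  upstream frontend { server frontend:3000; }

  server {
    listen 80;  # container port behind the published 8888
    location / {
      proxy_pass http://frontend;
    }
    location /api {
      proxy_pass http://backend;
    }
  }
}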

You can do other things in this configuration like providing (unified) authentication checking, hiding .../admin/... routes, and integrating other services into your API. All of this is much harder to do consistently if you have many separate Nginxes.
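A check for the "only the ingress is published" rule in the answer above, as an added example that is not part of the original answer: it reads the JSON printed by docker compose config --format json and reports every service other than ingress that publishes a host port or uses host networking. The sample JSON is constructed, and the function name audit_published_ports is hypothetical.

```python
import json

# Constructed sample in the shape of `docker compose config --format json`
# for the stack above, plus the non-prod db port the answer mentions.
SAMPLE_CONFIG = json.dumps({
    "services": {
        "ingress": {"image": "nginx", "ports": [
            {"mode": "ingress", "target": 80, "published": "8888", "protocol": "tcp"}]},
        "frontend": {"build": {"context": "frontend"}},
        "backend": {"build": {"context": "backend"}},
        "db": {"image": "postgres", "ports": [
            {"mode": "ingress", "target": 5432, "published": "5432", "protocol": "tcp"}]},
    }
})


def audit_published_ports(config_json, allowed=("ingress",)):
    """Return findings for services outside `allowed` that are reachable
    from outside Docker (published ports or host networking)."""
    services = json.loads(config_json).get("services") or {}
    findings = []
    for name, svc in sorted(services.items()):
        if name in allowed:
            continue
        for port in svc.get("ports") or []:
            host = port.get("host_ip") or "*"  # no host_ip: bound on all interfaces
            published = port.get("published") or "ephemeral"
            findings.append(f"{name}: publishes {host}:{published} -> {port.get('target')}")
        if svc.get("network_mode") == "host":
            # host networking exposes every listening port without a ports: entry
            findings.append(f"{name}: uses host networking")
    return findings


if __name__ == "__main__":
    import sys
    if "-" in sys.argv[1:]:
        # docker compose config --format json | python audit.py -
        problems = audit_published_ports(sys.stdin.read())
        print("\n".join(problems) or "only the ingress service is published")
        sys.exit(1 if problems else 0)
    print("\n".join(audit_published_ports(SAMPLE_CONFIG)))
```

Run against the production Compose file in CI, the non-zero exit status stops a dev-only ports: entry from shipping.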
