Dockerized nginx failing in ssl mode
I am using nginx with docker: https://hub.Z05B6053C41A2130AFDZ6FC3B_nginx1/
My Dockerfile, in the images/nginx directory:
FROM nginx
COPY nginx.conf /etc/nginx/conf.d/default.conf
COPY self-signed.crt /etc/ssl/private
COPY self-signed.key /etc/ssl/private
My docker-compose.yml:
version: '3.5'
services:
  nginx:
    build: images/nginx
    restart: on-failure
    ports:
      - 9080:80
This is my configuration:
server {
    listen 443 ssl;
    # listen 80; <---- This works!
    server_name localhost;
    ssl_certificate /etc/ssl/private/self-signed.crt;
    ssl_certificate_key /etc/ssl/private/self-signed.key;
    location /api/ {
        set $gateway api:1234;
        include uwsgi_params;
        uwsgi_pass $gateway;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
This is my nginx:
root@68f9026bb4fd:/# nginx -V
nginx version: nginx/1.19.4
built by gcc 8.3.0 (Debian 8.3.0-6)
built with OpenSSL 1.1.1d 10 Sep 2019
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -fdebug-prefix-map=/data/builder/debuild/nginx-1.19.4/debian/debuild-base/nginx-1.19.4=. -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'
When using the http version, with listen 80 enabled, it works:
» http --headers http://localhost:9080/api/status
HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 21
Content-Type: application/json
Date: Thu, 26 Nov 2020 10:55:11 GMT
Server: nginx/1.19.4
The nginx container also has log entries:
nginx_1 | 172.24.0.1 - - [26/Nov/2020:10:55:11 +0000] "GET /api/status HTTP/1.1" 200 21 "-" "HTTPie/2.2.0" "-"
However, if I now enable the listen 443 ssl directive and disable listen 80, it no longer works:
» http --headers --verify no https://localhost:9080/api/status
http: error: ConnectionError: ('Connection aborted.', ConnectionResetError(104, 'Connection reset by peer')) while doing a GET request to URL: https://localhost:9080/api/status
And the nginx container has absolutely no log entries. Nothing. Nada!
My certificate/key are there, with the right permissions (I think):
root@805e850405b1:/# ls -lrt /etc/ssl/private/
total 8
-rw------- 1 root root 3272 Nov 26 10:07 self-signed.key
-rw-rw-r-- 1 root root 1870 Nov 26 10:07 self-signed.crt
What is happening here? Is nginx receiving the request? If not, why not? If yes, why do I not see any log entries? Why is there no proper reply?
So, apparently the port mapping in the docker compose file was wrong for ssl.
It should be:
version: '3.5'
services:
  nginx:
    build: images/nginx
    restart: on-failure
    ports:
      - 9080:80
      - 9443:443
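The mismatch identified above can be checked mechanically by comparing nginx's active listen directives with the ports the compose file publishes. This is an added example, not part of the original question or answer; the function names, the constructed sample strings and the regex-based parsing (short-syntax port entries only) are assumptions made for illustration.

```python
import re
# Constructed samples mirroring the question's nginx config and compose files.
NGINX_CONF = """
server {
    listen 443 ssl;
    # listen 80;
}
"""
COMPOSE_BROKEN = """
services:
  nginx:
    ports:
      - 9080:80
"""
COMPOSE_FIXED = COMPOSE_BROKEN + "      - 9443:443\n"


def nginx_listen_ports(conf):
    """Return {port: uses_tls} for each active (uncommented) listen directive."""
    ports = {}
    for line in conf.splitlines():
        line = line.split("#", 1)[0]  # ignore comments such as '# listen 80;'
        m = re.match(r"\s*listen\s+(?:[^\s;]*:)?(\d+)((?:\s[^;]*)?);", line)
        if m:
            ports[int(m.group(1))] = "ssl" in m.group(2).split()
    return ports


def published_ports(compose):
    """Return [(host, container)] for short-syntax '[IP:]HOST:CONTAINER' entries."""
    pairs = re.findall(r"^\s*-\s*['\"]?(?:[\d.]+:)?(\d+):(\d+)", compose, re.M)
    return [(int(h), int(c)) for h, c in pairs]


def check(conf, compose):
    """Return (per-mapping verdicts, listen ports that are not published)."""
    listening = nginx_listen_ports(conf)
    mapped = published_ports(compose)
    report = []
    for host, container in mapped:
        tls = listening.get(container)  # None: nothing listens on that container port
        verdict = "dead" if tls is None else ("https" if tls else "http")
        report.append((host, container, verdict))
    unpublished = sorted(set(listening) - {c for _, c in mapped})
    return report, unpublished


if __name__ == "__main__":
    print(check(NGINX_CONF, COMPOSE_BROKEN), check(NGINX_CONF, COMPOSE_FIXED))
```

With the corrected mapping, host port 9080 still reports "dead" while only `listen 443 ssl` is active, so HTTPS requests have to go to host port 9443.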