nginx redirect to docker container


Problem description

Before posting my issue, I would like to know if it is even possible to achieve what I want.

I have, let's say, myserver.com running a docker container with nginx & letsencrypt. On the same server are 2 more docker containers running websites.

For now all is redirected fine, so www.myserver.com goes to docker 1 and site2.myserver.com goes to docker 2.

I would like to have all communication running over HTTPS, but here starts the trouble. So, my question is: is it possible for the docker with nginx and letsencrypt to connect to another docker using the certificates from letsencrypt? To me it seems to be some kind of man-in-the-middle "attack". A bit more schematic:

Browse to http://site2.myserver.com -> nginx redirects to https://site2.myserver.com -> connect to container 2 (192.168.0.10) on port 80. Or another option: Browse to http://site2.myserver.com -> nginx redirects to https://site2.myserver.com -> connect to container 2 (192.168.0.10) on port 443 having the site2.myserver.com certificates.

If it can't be done, what is the solution then? Copying the certificates to the docker containers and making them run https, so that an http request gets redirected to the https port of that container?

Browse to http://site2.myserver.com -> nginx forwards request -> connect to container 2 (192.168.0.10) on port 443 having the site2.myserver.com certificates.

Thanks, Greggy

Solution

As I understand it, your nginx reverse proxy is on the same network as the containers, so there is not much need to secure the connection between them with TLS (as this is a private network and if an attacker has access to that network he would have access to the server, too, and all the unencrypted data).

If you absolutely want valid certificates to secure the connections on your local network you could create additional sub-domains that resolve to the local IPs. Then you will need to use the manual DNS option to get your certificate (this is a certbot option where you need to manually enter a key as a TXT entry for your domain).

Example Nginx configuration to redirect http to https

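server {
    listen 80;

    server_name example.com;
    # Redirect plain HTTP to HTTPS, keeping the requested path and query string
    return 301 https://example.com$request_uri;
}
server {
    listen 443 ssl http2;

    server_name example.com;

    # Certificate chain and private key as laid out by certbot
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/fullchain.pem;

    location / {
        # TLS ends at this proxy; the container is reached over plain HTTP
        proxy_pass http://container:8080/;
        # Pass the original host, client address and scheme to the backend
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Further TLS settings kept in a separate file (contents not shown here)
    include tls.conf;
}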
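
For the second option in the question (nginx connecting to container 2 on port 443), the proxy has to verify the container's certificate; by default nginx encrypts the upstream hop but accepts any certificate. The following is an added example, not part of the original answer. It assumes container 2 presents a certificate valid for site2.myserver.com, that certbot's default paths are used on the proxy, and that the CA bundle is at the path shown.

```nginx
# Added example (not from the original answer): re-encrypting proxy for site2.
server {
    listen 80;
    server_name site2.myserver.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name site2.myserver.com;

    # Assumed certbot default layout on the proxy
    ssl_certificate     /etc/letsencrypt/live/site2.myserver.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/site2.myserver.com/privkey.pem;

    location / {
        # Container 2 from the question, reached over TLS instead of port 80
        proxy_pass https://192.168.0.10:443;

        # proxy_ssl_verify is off by default: without it the hop is encrypted
        # but any certificate, including a self-signed one, is accepted.
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        # Assumed CA bundle path (Debian, Ubuntu and Alpine based images)
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;

        # proxy_pass uses an IP address, so the name to check (and to send
        # as SNI) must be set explicitly or verification fails.
        proxy_ssl_server_name on;
        proxy_ssl_name        site2.myserver.com;
        proxy_ssl_protocols   TLSv1.2 TLSv1.3;

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

A verification failure on the upstream hop shows up as a 502 to the client and an upstream SSL error in the nginx error log, which makes an expired or mismatched container certificate easy to spot.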
