Elastic Beanstalk weird nginx configuration


Problem description

I am trying to follow the configuration of nginx on elastic beanstalk and some things do not add up.

  • The instance is opening port 80 in the security groups, so I assume all incoming traffic is coming through that port

The nginx configuration in cat /etc/nginx/conf.d/00_elastic_beanstalk_proxy.conf states:

server {
 listen 8080;
 location / {
    proxy_pass  http://nodejs;
    proxy_set_header   Connection "";
    proxy_http_version 1.1;
    proxy_set_header        Host            $host;
    proxy_set_header        X-Real-IP       $remote_addr;
    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
 }
 gzip on;
}

Port 8080? Where did that come from? I've tried to mess with it, this is the actual directive that is working.

server_name is missing, yet it doesn't matter what you put in it. If I put any value in server_name myself, this server rule will still match all requests, even the ones that do not remotely resemble the server_name value.

While connected to the instance itself it seems both ports are being served:

[ec2-user@ip-172-31-45-222 ~]$ sudo netstat -lnptu
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 22506/nginx
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 22506/nginx

Yet again, 8080 is never opened in the security group, so the elastic load balancer is getting inside through port 80. Does traffic magically go from 80 to 8080? Any ideas what is going on here?

Recommended answer

You are forgetting to look at one part of that nginx config:

upstream nodejs {
    server 127.0.0.1:8081;
    keepalive 256;
}

That part is telling nginx to make a group of servers called nodejs as you can read about here.

8081 is the port that NodeJS is running on (if you use the sample application for instance).

You can verify this by looking at the Elastic Beanstalk logs:

-------------------------------------
/var/log/nodejs/nodejs.log
-------------------------------------
Server running at http://127.0.0.1:8081/

Then if we continue in the nginx.conf file we can see what you already posted:

server {
    listen 8080;

    location / {
        proxy_pass  http://nodejs;
        proxy_set_header   Connection "";
        proxy_http_version 1.1;
        proxy_set_header        Host            $host;
        proxy_set_header        X-Real-IP       $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
    }


}

This tells nginx to use the proxy pass module to pass all from port 8080 to our upstream group nodejs which is running on port 8081. This means that port 8081 is just for accessing it locally but port 8080 is what lets outside entities talk to the nginx which then passes stuff onto nodejs.

Some of the reasoning for not exposing NodeJS directly can be found in this StackOverflow answer.

Port 8080 is used because it is the HTTP alternate port that is "commonly used for Web proxy and caching server, or for running a Web server as a non-root user."

That explains the ports. Now the issue of ELB and how things are talking to each other.

Since the security group is only allowing access on port 80, there is an iptables rule that is set up to forward port 80 to port 8080. This allows non-root to bind to port 8080 because lower port numbers require root privileges.

You can verify this by running the following:

[ec2-user@ip-xxx-xx-xx-x ~]$ sudo iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
REDIRECT   tcp  --  anywhere             anywhere             tcp dpt:http redir ports 8080

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
REDIRECT   tcp  --  anywhere             anywhere             tcp dpt:http redir ports 8080

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         

So in summary, when you load your CNAME, the load balancer is rerouting the traffic to a given instance on port 80, which is allowed through the security group, then iptables is forwarding that to port 8080, which is the port that nginx is using a proxy to pass the traffic to port 8081 which is the local port of NodeJS.

Hope that helps.
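
Added example (not part of the original answer, and not Elastic Beanstalk's own tooling): the port chain described in the answer, reconstructed from abridged copies of the iptables and nginx output shown on this page, plus a check that the upstream backend is bound to loopback only. The function names and the `SERVICE_PORTS` table are hypothetical, and the parsers assume the simple configuration shapes shown here.

```python
import re
# Constructed sample inputs, abridged from the outputs shown on this page.
IPTABLES_NAT = """\
Chain PREROUTING (policy ACCEPT)
REDIRECT   tcp  --  anywhere             anywhere             tcp dpt:http redir ports 8080
"""
NGINX_CONF = """\
upstream nodejs {
    server 127.0.0.1:8081;
}
server {
    listen 8080;
    location / {
        proxy_pass  http://nodejs;
    }
}
"""
SERVICE_PORTS = {"http": 80, "https": 443}  # names `iptables -L` prints instead of numbers

def redirects(nat_listing):
    """Map destination port -> redirected port for every REDIRECT rule."""
    out = {}
    for dpt, to in re.findall(r"^REDIRECT\s.*dpt:(\S+) redir ports (\d+)", nat_listing, re.M):
        out[int(dpt) if dpt.isdigit() else SERVICE_PORTS[dpt]] = int(to)
    return out

def upstreams(conf):
    """Map upstream group name -> list of (host, port) backends."""
    groups = {}
    for name, body in re.findall(r"upstream\s+(\w+)\s*\{([^}]*)\}", conf):
        groups[name] = [(h, int(p)) for h, p in re.findall(r"server\s+([\w.]+):(\d+)\s*;", body)]
    return groups

def trace(public_port, nat_listing, conf):
    """Follow a request from the security-group port to the backend socket."""
    hops = [("security group", public_port)]
    nginx_port = redirects(nat_listing).get(public_port, public_port)
    if nginx_port != public_port:
        hops.append(("iptables REDIRECT", nginx_port))
    if not re.search(rf"listen\s+{nginx_port}\s*;", conf):
        return hops  # no server block in this config listens on that port
    group = re.search(r"proxy_pass\s+http://(\w+)\s*;", conf).group(1)
    for host, port in upstreams(conf)[group]:
        hops.append((f"nginx upstream {group} ({host})", port))
    return hops

def backend_is_loopback_only(conf):
    """True when every upstream backend address is 127.0.0.1 or localhost."""
    return all(h in ("127.0.0.1", "localhost") for b in upstreams(conf).values() for h, _ in b)
```

`trace(80, IPTABLES_NAT, NGINX_CONF)` walks 80 to 8080 to 8081, and `backend_is_loopback_only` returns False if an upstream is moved to an address reachable from outside the instance.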
