[Question title]: AWS EC2: Cannot reach port 80 or 443 (https) using letsencrypt and nginx via docker
[Posted]: 2020-09-23 10:21:25
[Question]:

I want to set up an nginx server using a docker-compose file, with letsencrypt to enable https on my AWS EC2 instance.

But ports 80 and 443 appear to be closed.

The application itself runs on port 5000, which can be reached, but https is not enabled.

EDIT: Here is the (almost) complete docker-compose.yml; I only added the last part, under the "service" named letsencrypt. Omissions are marked with ([...]):

version: "3"
volumes:
  mongodb_data:
    external: false

networks:
  cocoannotator:
    external: false

services:
  webserver:
    image: jsbroks/coco-annotator:webserver-stable
    container_name: annotator_webclient
    restart: always
    ports:
      - "5000:5000"
    [...]
    depends_on:
      - database
      - workers
    networks:
      - cocoannotator
  workers:
    container_name: annotator_workers
    image: jsbroks/coco-annotator:workers-stable
    [...]
    depends_on:
      - messageq
      - database
    networks:
      - cocoannotator
  messageq:
    image: rabbitmq:3
    container_name: annotator_message_q
    [...]
    networks:
      - cocoannotator
  database:
    image: mongo:4.0
    container_name: annotator_mongodb
    restart: always
    [...]
    networks:
      - cocoannotator
  letsencrypt:
     image: linuxserver/letsencrypt
     container_name: letsencrypt
     network_mode: host
     restart: always
     ports:
         - 80:80
         - 443:443
     volumes:
         - ./config:/config
     environment:
         # Domain name
         - URL=my-website-name.com
         - TZ=America/New_York
         - PGID=1000
         - PUID=1000
         # Subdomains to encrypt
         - SUBDOMAINS=www,annotator
     cap_add:
         - NET_ADMIN

It generates an nginx configuration file in the local folder ./config/nginx/site-confs/default. The default configuration does nothing, so following the author's advice I overwrote the file like this:

server {
        listen 80;
        server_name my-website-name.com www.my-website-name.com;
        return 301 https://$host$request_uri;
}

server {
        listen 443 ssl;
        server_name _;

        root /config/www;
        include /config/nginx/ssl.conf;

        location / {
                index index.html index.htm;
                include /config/nginx/proxy.conf;
        }
}

server {
        listen 443 ssl;
        server_name annotator.*;

        include /config/nginx/ssl.conf;

        location / {
                include /config/nginx/proxy.conf;
                proxy_pass http://localhost:5000/;
        }
        location /socket.io {
                include /config/nginx/proxy.conf;
                proxy_buffering off;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "Upgrade";
                proxy_pass http://localhost:5000/socket.io;
        }
}

The only line I edited in the docker-compose.yml / conf is adding my own website name (my-website-name.com). The conf file appears to expose http://localhost:5000/, which is correct.

I'm not sure what I'm missing. I can't find any firewall or the like.

$ sudo ufw status
Status: inactive

Here are the instructions I tried to follow, and here is more discussion.

UPDATE
Here is the output of netstat -anp | grep -i listen:

(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   
tcp6       0      0 :::5000                 :::*                    LISTEN      -                   
tcp6       0      0 :::22                   :::*                    LISTEN      -                   
unix  2      [ ACC ]     STREAM     LISTENING     147252   -                    @/containerd-shim/moby/237614275f32621bfd15c8687fca24c735e48daeffd655ee6fe00fad5ca5d9ca/shim.sock@
unix  2      [ ACC ]     SEQPACKET  LISTENING     12687    -                    /run/udev/control
unix  2      [ ACC ]     STREAM     LISTENING     123417   31697/systemd        /run/user/1000/systemd/private
unix  2      [ ACC ]     STREAM     LISTENING     123421   31697/systemd        /run/user/1000/gnupg/S.gpg-agent.extra
unix  2      [ ACC ]     STREAM     LISTENING     123422   31697/systemd        /run/user/1000/snapd-session-agent.socket
unix  2      [ ACC ]     STREAM     LISTENING     123423   31697/systemd        /run/user/1000/gnupg/S.gpg-agent.ssh
unix  2      [ ACC ]     STREAM     LISTENING     123424   31697/systemd        /run/user/1000/gnupg/S.gpg-agent.browser
unix  2      [ ACC ]     STREAM     LISTENING     123425   31697/systemd        /run/user/1000/gnupg/S.dirmngr
unix  2      [ ACC ]     STREAM     LISTENING     123426   31697/systemd        /run/user/1000/gnupg/S.gpg-agent
unix  2      [ ACC ]     STREAM     LISTENING     141776   -                    @/containerd-shim/moby/b943888c331bf79cd6c1e2f7171a5961dddbb9ae163cfa1f27d2e7b6d4662444/shim.sock@
unix  2      [ ACC ]     STREAM     LISTENING     17631    -                    @irqbalance924.sock
unix  2      [ ACC ]     STREAM     LISTENING     141767   -                    @/containerd-shim/moby/6422696dfae2f404290918b4afff5a9e65155ed1ec333bc0e72994b565e702d5/shim.sock@
unix  2      [ ACC ]     STREAM     LISTENING     145693   -                    @/containerd-shim/moby/fb9846bebcc81350c98c47f2c15811526cca22c30a0945ae7c227f921a305cce/shim.sock@
unix  2      [ ACC ]     STREAM     LISTENING     16691    -                    /var/lib/lxd/unix.socket
unix  2      [ ACC ]     STREAM     LISTENING     16571    -                    /var/run/dbus/system_bus_socket
unix  2      [ ACC ]     STREAM     LISTENING     16645    -                    /run/uuidd/request
unix  2      [ ACC ]     STREAM     LISTENING     16647    -                    /run/snapd.socket
unix  2      [ ACC ]     STREAM     LISTENING     16649    -                    /run/snapd-snap.socket
unix  2      [ ACC ]     STREAM     LISTENING     16651    -                    /run/acpid.socket
unix  2      [ ACC ]     STREAM     LISTENING     16653    -                    @ISCSIADM_ABSTRACT_NAMESPACE
unix  2      [ ACC ]     STREAM     LISTENING     141079   -                    @/containerd-shim/moby/31e14e9fa86fef5166d10363c9a4dd136af9f67f8c0d6f4bf79ebac50a474452/shim.sock@
unix  2      [ ACC ]     STREAM     LISTENING     12676    -                    /run/systemd/private
unix  2      [ ACC ]     STREAM     LISTENING     12690    -                    /run/lvm/lvmpolld.socket
unix  2      [ ACC ]     STREAM     LISTENING     12702    -                    /run/systemd/journal/stdout
unix  2      [ ACC ]     STREAM     LISTENING     43836    -                    /run/containerd/containerd.sock
unix  2      [ ACC ]     STREAM     LISTENING     44186    -                    /var/run/docker.sock
unix  2      [ ACC ]     STREAM     LISTENING     44343    -                    /var/run/docker/metrics.sock
unix  2      [ ACC ]     STREAM     LISTENING     45208    -                    /var/run/docker/libnetwork/ef4bf6e21227.sock
unix  2      [ ACC ]     STREAM     LISTENING     12891    -                    /run/lvm/lvmetad.socket

[Question comments]:

  • Are you having trouble reaching it from the same machine, or from outside AWS? If the latter, have you configured the instance's security group to allow the traffic?
  • I can reach port 5000 from outside and from inside. I cannot reach port 80 or 443 from outside or inside.
  • So, "yes", the machine is reachable from outside. "Yes", I have edited the security group to allow all traffic from anywhere.
  • OK; the security group is always the first question to ask someone with a connectivity problem. I'm not familiar with the image you're using, so I can't give specific directions, but generally I'd use netstat -anp | grep -i listen on the host to verify that Docker is listening on the port, and if so, exec into the container to look at the nginx logs.
  • I've added the netstat output above. Maybe the individual services in the docker-compose file can't talk to each other? But I'm not sure how to check this. I could post the whole docker-compose.yml, but it probably wouldn't count as a "minimal working example".

Tags: amazon-web-services docker nginx lets-encrypt


[Answer 1]:

I managed to get it running locally by adding an external network, adding letsencrypt (now SWAG) to both that external network and the cocoannotator network, and removing network_mode: "host" (which I believe means it uses the default "bridge"?)

Contents of docker-compose.yml:

version: "3"
volumes:
  mongodb_data:
    external: false

networks:
  cocoannotator:
    external: false
  external_net:
    external: true

services:
  letsencrypt:
    image: linuxserver/swag
    container_name: letsencrypt
    ports:
      - 80:80
      - 443:443
    restart: always
    volumes:
        - ./config:/config
    environment:
        # Domain name
        - URL=domain.com
        - TZ=Europe/London
        - PGID=1000
        - PUID=1000
        # Subdomains to encrypt
    cap_add:
        - NET_ADMIN
    networks:
      - external_net
      - cocoannotator

  webserver:
    image: jsbroks/coco-annotator:webserver-stable
    container_name: annotator_webclient
    restart: always
    environment:
      - SECRET_KEY=RandomSecretKeyHere
      - FILE_WATCHER=true
      - ALLOW_REGISTRATION=false
    volumes:
      - "./datasets:/datasets"
      - "./models:/models"
    depends_on:
      - database
      - workers
    networks:
      - cocoannotator
  workers:
    container_name: annotator_workers
    image: jsbroks/coco-annotator:workers-stable
    volumes:
      - "./datasets:/datasets"
    depends_on:
      - messageq
      - database
    networks:
      - cocoannotator
  messageq:
    image: rabbitmq:3
    container_name: annotator_message_q
    environment:
      - RABBITMQ_DEFAULT_USER=user
      - RABBITMQ_DEFAULT_PASS=password
    networks:
      - cocoannotator
  database:
    image: mongo:4.0
    container_name: annotator_mongodb
    restart: always
    environment:
      - MONGO_DATA_DIR=/data/db
      - MONGO_LOG_DIR=/dev/null
    volumes:
      - "mongodb_data:/data/db"
    command: "mongod --smallfiles --logpath=/dev/null"
    networks:
      - cocoannotator

And here is config\nginx\site-confs\default:

server {
    listen 80;
    server_name _;
    return 301 https://$host$request_uri;
}

server {
        listen 443 ssl;
        server_name domain.com;

        include /config/nginx/ssl.conf;

        location / {
                include /config/nginx/proxy.conf;
                proxy_pass http://webserver:5000/;
        }
        location /socket.io {
                include /config/nginx/proxy.conf;
                proxy_buffering off;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "Upgrade";
                proxy_pass http://webserver:5000/socket.io;
        }
}

Adding the letsencrypt service to the cocoannotator network lets you use "webserver" as the hostname, since technically it isn't "localhost".

[Comments]:
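The two things the answer changed (dropping network_mode: host and proxying to the service name instead of localhost) can be cross-checked before bringing the stack up. The following lint is an added example, not code from the question, the answer or the SWAG project; it works from hand-condensed summaries of the two compose files and the proxy_pass lines of the two nginx configs shown on this page, so the dict layout and the sample strings are constructed here.

```python
import re

# Constructed summary of the asker's docker-compose.yml: only the fields the
# checks below look at (the page's YAML is condensed by hand, not parsed).
ASKER_COMPOSE = {
    "letsencrypt": {"network_mode": "host", "ports": ["80:80", "443:443"]},
    "webserver": {"ports": ["5000:5000"], "networks": ["cocoannotator"]},
    "workers": {"networks": ["cocoannotator"]},
}
# Constructed summary of the answer's compose file: bridge networking, shared network.
ANSWER_COMPOSE = {
    "letsencrypt": {"ports": ["80:80", "443:443"],
                    "networks": ["external_net", "cocoannotator"]},
    "webserver": {"networks": ["cocoannotator"]},
}
# Constructed excerpts of the two site-confs/default files, reduced to proxy_pass lines.
ASKER_NGINX = ("location / { proxy_pass http://localhost:5000/; }\n"
               "location /socket.io { proxy_pass http://localhost:5000/socket.io; }\n")
ANSWER_NGINX = ASKER_NGINX.replace("localhost", "webserver")

PROXY_PASS = re.compile(r"proxy_pass\s+https?://([^/:;\s]+)(?::(\d+))?")

def check_host_mode_ports(compose):
    """Docker discards 'ports' for a service running with network_mode: host."""
    return [f"{name}: 'ports' is ignored under network_mode: host"
            for name, svc in compose.items()
            if svc.get("network_mode") == "host" and svc.get("ports")]

def check_proxy_targets(compose, proxy, nginx_conf):
    """Cross-check nginx proxy_pass hosts against the compose network topology."""
    svc = compose[proxy]
    host_mode = svc.get("network_mode") == "host"
    nets = set(svc.get("networks", []))
    findings = []
    for host, port in sorted(set(PROXY_PASS.findall(nginx_conf))):
        if host in ("localhost", "127.0.0.1"):
            if host_mode:
                continue  # host networking: localhost really is the EC2 host
            # Bridge mode: localhost is the proxy container itself. Suggest the
            # service publishing the same port, reached by its service name.
            owners = [n for n, s in compose.items()
                      if any(p.split(":")[-1] == port for p in s.get("ports", []))]
            hint = f"; use http://{owners[0]}:{port} on a shared network" if owners else ""
            findings.append(f"{proxy}: proxy_pass {host}:{port} targets the proxy container itself{hint}")
        elif host in compose and not nets & set(compose[host].get("networks", [])):
            findings.append(f"{proxy}: shares no network with service '{host}'")
    return findings

def lint(compose, proxy, nginx_conf):
    return check_host_mode_ports(compose) + check_proxy_targets(compose, proxy, nginx_conf)
```

Running lint on the asker's pair reports only the ports-under-host-mode conflict; on the answer's pair it reports nothing, and on the intermediate state (host mode removed but proxy_pass still pointing at localhost) it names webserver:5000 as the target to use.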
