NGINX 反向代理到 .net 核心应用程序提供了错误的网关 502

Question

我对反向代理的 Nginx 配置有疑问。我尝试使用端口 http://localhost:5002/ 到达后端，但它提供了错误的网关。带有 Nginx 的容器是 HTTPS 安全的，Angular 应用程序可以工作，我可以从服务器外部访问它。

    # Expires map
map $sent_http_content_type $expires {
    default                    off;
    text/html                  epoch;
    text/css                   max;
    application/javascript     max;
    ~image/                    max;
}


server {
  listen              443 ssl http2;
  listen              [::]:443 ssl http2;
  server_name         XXX.app *.XXX.app;
  ssl_certificate     /etc/nginx/conf.d/XXX.app.pem;
  ssl_certificate_key /etc/nginx/conf.d/XXX.app.key;
  ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers         HIGH:!aNULL:!MD5;
  sendfile            on;
  default_type        application/octet-stream;
    
  root /usr/share/nginx/html;
  index index.html;
  try_files $uri $uri$args $uri$args/ $uri/ /index.html;

  error_log /var/log/nginx/angular4_error.log;
  access_log /var/log/nginx/angular4_access.log;
  
  location /api {
    proxy_pass http://localhost:5002;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection keep-alive;
    proxy_set_header Host $host;
    proxy_cache_bypass $http_upgrade;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
  }
  
  gzip on;
  gzip_http_version 1.0;
  gzip_disable      "MSIE [1-6]\.";
  gzip_min_length   256;
  gzip_vary         on;
  gzip_proxied      expired no-cache no-store private auth;
  gzip_types        text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript;
  gzip_comp_level   9;
}

这是我在登录时遇到的错误，例如

2021/06/01 13:10:54 [error] 6#6: *1 connect() failed (111: Connection refused) while connecting to upstream, client: 86.124.XXX.XX ,server: XXX.app, request: "POST /api/login HTTP/2.0", upstream: "http://127.0.0.1:5002/api/login", host: "XXX.app", referrer: "https://XXX.app/auth/login"

Nginx 托管在带有 Angular 应用程序的容器中，而后端位于不同的容器中。 我想要实现的是使用反向代理连接到后端，并将包含https://XXX.app/api 的所有内容重定向到后端。

Tnx！

稍后编辑：这是我的 docker-compose.yml

version: '3.4'

services:
  XXX-db:
    image: postgres:10.5
    container_name: XXX-db
    restart: always
    command: postgres -c 'max_connections=200'
    ports:
      - 5432:5432
    environment:
        POSTGRES_USER: x
        POSTGRES_PASSWORD: x
        POSTGRES_DB: x
    volumes:
      - pgdata:/var/lib/postgresql/data
    networks:
      - main

  app.api:
    image: xx/xx:api-dev
    container_name: XXX-web-api
    build:
      context: .
      dockerfile: Dockerfile
    volumes:
      - logs:/app/Logs
      - templates:/app/wwwroot/templates
      - feedbacks:/app/wwwroot/feedbacks
    links:
      - XXX-db
    depends_on:
      - "XXX-db"
    ports:
      - 5002:5002
    networks:
      - main

  app.web:
    build:      
      context: .
      dockerfile: Dockerfile
    volumes:
      - certs:/etc/nginx/certs
    image: xx/xx:web-dev
    container_name: XXX-web
    ports:
      - 80:80
      - 443:443
    networks:
      - main

volumes:
  pgdata:
  logs:
  templates:
  feedbacks:
  certs:

networks:
  main:
    driver: bridge

Answer 1

无法访问localhost:5002的原因是nginx容器网络默认是Bridge。

运行你的 nginx 容器时，将网络设置为 Host，如下所示：

docker run -d --network=host [your_nginx_docker_tag]

虽然，如果两个容器是同一个 docker-compose 文件中的服务，如下所示：

version: "3"
services:
  backend-api:
    image: backend-api
    ports:
      - "5002:${INSIDE_API_PORT}"


  nginx:
    image: nginx:latest
    ports:
      - "443:443"

您将能够使用以下服务名称访问 backend-api 容器（nginx.conf 文件）

location /api {
    proxy_pass http://backend-api:[put the INSIDE_API_PORT here];
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection keep-alive;
    proxy_set_header Host $host;
    proxy_cache_bypass $http_upgrade;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

}