with nginx proxy container

Time: 2017-06-07 15:37:09

Tags: nginx networking docker routing iptables

I am currently trying to set up a docker-based jira and confluence platform proxied by nginx and am running into some kind of routing / networking problem.

The basic setup consists of three docker containers: an nginx container that handles the https requests for specific domain names (e.g. jira.mydomain.com, confluence.mydomain.com) and forwards (proxy_pass) the requests to the specific containers for jira and confluence.

This setup generally works: I can reach the jira instance by opening https://jira.mydomain.com in the browser and the confluence instance by opening https://confluence.mydomain.com.

The problem I am running into becomes visible when logging in to jira: [screenshot]

Following the link for more information: JIRA Health Checks

Unfortunately the resolutions offered at the JIRA health check link did not help me find and solve the problem. Instead, some exceptions in the log file gave some more hints about the problem:

2017-06-07 15:04:26,980 http-nio-8080-exec-17 ERROR christian.schlaefcke 904x1078x1 eqafq3 84.141.114.234,172.17.0.7 /rest/applinks/3.0/applicationlinkForm/manifest.json [c.a.a.c.rest.ui.CreateApplicationLinkUIResource] ManifestNotFoundException thrown while retrieving manifest ManifestNotFoundException thrown while retrieving manifest com.atlassian.applinks.spi.manifest.ManifestNotFoundException: java.net.NoRouteToHostException: No route to host (Host unreachable) ... Caused by: java.net.NoRouteToHostException: No route to host (Host unreachable)

When I followed the hints in this Atlassian knowledge base article and ran this curl statement from inside the JIRA container:

curl -H "Accept: application/json" https://jira.mydomain.com/rest/applinks/1.0/manifest -v

I finally got this error:

* Trying <PUBLIC_IP>...
* connect to <PUBLIC_IP> port 443 failed: No route to host
* Failed to connect to jira.mydomain.com port 443: No route to host
* Closing connection 0
curl: (7) Failed to connect to jira.mydomain.com port 443: No route to host

EDIT: the external URL jira.mydomain.com can be pinged from inside the container:

root@c9233dc17588:# ping jira.mydomain.com
PING jira.mydomain.com (<PUBLIC_IP>) 56(84) bytes of data.
64 bytes from rs226736.mydomain.com (<PUBLIC_IP>): icmp_seq=1 ttl=64 time=0.082 ms
64 bytes from rs226736.mydomain.com (<PUBLIC_IP>): icmp_seq=2 ttl=64 time=0.138 ms
64 bytes from rs226736.mydomain.com (<PUBLIC_IP>): icmp_seq=3 ttl=64 time=0.181 ms

From outside the JIRA container (e.g. the docker host or another machine) the curl statement works fine!

I have good experience with linux, but my knowledge of networking, routing and iptables is rather limited. Docker runs on a centos 7 system with the current version 17.03.1-ce and docker compose:

~]# uname -a
Linux rs226736 3.10.0-514.21.1.el7.x86_64 #1 SMP Thu May 25 17:04:51 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

At the moment I do not even know what kind of problem this actually is (iptables? routing? docker?) or how to debug it :-(

I played around with some iptables- and nginx-related hints found via google, all without success. Any hint that points me in the right direction would be much appreciated.

Requested configs:

NGINX docker-compose.yml

nginx:
  image: nginx
  container_name: nginx
  ports:                  # only nginx publishes host ports; the app containers stay on the bridge
    - 80:80
    - 443:443
  external_links:         # legacy (compose file format v1) links to containers from other compose projects
    - my_domain-jira
    - my_domain-confluence
  volumes:
    - /opt/docker/logs/nginx:/var/log/nginx
    - ./nginx.conf:/etc/nginx/nginx.conf
    - ./certs/jira.mydomain.com.crt:/etc/ssl/certs/jira.mydomain.com.crt
    - ./certs/jira.mydomain.com.key:/etc/ssl/private/jira.mydomain.com.key     # private key: keep host file mode 0600
    - ./certs/confluence.mydomain.com.crt:/etc/ssl/certs/confluence.mydomain.com.crt
    - ./certs/confluence.mydomain.com.key:/etc/ssl/private/confluence.mydomain.com.key

JIRA docker-compose.yml (Confluence is similar):

jira:
  container_name: my_domain-jira   # name the nginx upstream resolves
  build: .
  external_links:
   - postgres
  volumes:
   - ./inst/conf/server.xml:/opt/jira/conf/server.xml   # Tomcat connector (proxyName/proxyPort/scheme for the reverse proxy)
   - ./inst/bin/setenv.sh:/opt/jira/bin/setenv.sh
   - /home/jira:/opt/atlassian-home
   - /opt/docker/logs/jira:/opt/jira/logs
   - /etc/localtime:/etc/localtime:ro

NGINX - nginx.conf

upstream jira {
    # container name from the JIRA compose file; 8080 is Tomcat's HTTP connector
    server my_domain-jira:8080;
}

# begin jira configuration
server {
    listen 80;
    server_name  jira.mydomain.com;

    client_max_body_size 500M;
    # plain HTTP only redirects to HTTPS
    rewrite ^ https://$server_name$request_uri? permanent;
}

server {
    listen       443 ssl;
    server_name  jira.mydomain.com;

    ssl          on;   # redundant with "listen 443 ssl"; the directive is deprecated since nginx 1.15.0
    ssl_certificate      /etc/ssl/certs/jira.mydomain.com.crt;
    ssl_certificate_key  /etc/ssl/private/jira.mydomain.com.key;

    ssl_session_timeout  5m;

    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # TLSv1 and TLSv1.1 are deprecated (RFC 8996); TLSv1.2 is the floor today

    # note: the list still admits RC4 suites (ECDHE-RSA-RC4-SHA, ECDHE-ECDSA-RC4-SHA, RC4-SHA); RC4 is prohibited by RFC 7465
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK';

    server_tokens off;
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";

    client_max_body_size 500M;

    location / {
        proxy_pass http://jira/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';   # sent on every request, not only WebSocket upgrades; a map on $http_upgrade is the usual pattern
        proxy_set_header Host $host;             # Tomcat must also be told scheme=https via the mounted server.xml
        proxy_set_header X-Real-IP  $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_cache_bypass $http_upgrade;
    }
}

The ideas (nginx / proxy_pass / upstream) mainly come from:

1 answer:

Answer 0 (score: 0)

After discussing this with the virtual server provider, a conflict between the firewall rules of the plesk firewall and iptables caused the problem. After the provider fixed the conflict, the containers were reachable.

The problem is now solved - thanks to everyone involved!
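Read together, the question's symptom (ping to the host's public IP works from inside the container, but curl to port 443 fails with "No route to host") and the answer's root cause (host firewall rules conflicting with the rules Docker manages in iptables) have a recognisable signature: on Linux, "No route to host" (EHOSTUNREACH) on a TCP connect is what the kernel reports when it receives an ICMP host-unreachable, host-prohibited or admin-prohibited error, and `icmp-host-prohibited` is exactly what the stock CentOS 7 catch-all REJECT rules send. A missing route would fail earlier, and a closed port gives "Connection refused". The script below is an added example, not code from the question or the answer: it scans an `iptables-save` dump for REJECT rules of that kind and reports whether the chain accepts traffic from the docker0 bridge before reaching them. It assumes the Plesk/iptables conflict took that form, which is an assumption; the rules actually installed on the poster's host are not on the page, and both rule sets embedded in the script are constructed.

```shell
#!/bin/sh
# Added example, not code from the question or the answer above.
# scan_rejects reads an `iptables-save` dump on stdin and prints every REJECT
# rule in the filter table whose ICMP error the Linux TCP stack maps to
# EHOSTUNREACH ("No route to host" in curl): icmp-host-prohibited (the
# CentOS/RHEL default), icmp-host-unreachable and icmp-admin-prohibited.
# For each hit it also says whether an earlier rule in the same chain already
# accepts traffic arriving on docker0, i.e. whether container-originated
# traffic gets past the catch-all.

scan_rejects() {
  awk '
    /^\*/     { table = substr($1, 2); next }   # *filter, *nat, ...
    /^COMMIT/ { table = ""; next }
    table != "filter" || $1 != "-A" { next }
    {
      chain = $2
      n[chain]++
      # "-i docker0 ... -j ACCEPT" (but not the negated "! -i docker0" form)
      if ($0 ~ /[^!] -i docker0( |$)/ && $0 ~ /-j ACCEPT/ && !(chain in docker0_ok))
        docker0_ok[chain] = n[chain]
      if ($0 ~ /-j REJECT --reject-with icmp-(host-prohibited|host-unreachable|admin-prohibited)/)
        printf "%s rule %d rejects with EHOSTUNREACH; docker0 accepted earlier: %s\n",
               chain, n[chain],
               ((chain in docker0_ok) ? "yes (rule " docker0_ok[chain] ")" : "no")
    }
  '
}

# Number of such REJECT rules in the dump on stdin.
count_rejects() {
  scan_rejects | wc -l | tr -d ' '
}

# CONSTRUCTED dump resembling a CentOS 7 host with its stock rules plus the
# chains Docker 17.03 adds. Hairpin traffic from a container to the host's own
# public IP:443 is not DNATed (the nat rule carries "! -i docker0"), so it is
# delivered locally to the userland proxy and judged by INPUT, where only eth0
# is allowed on 443 and the catch-all REJECT answers with host-prohibited.
BROKEN_DUMP=$(cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 172.17.0.2:443
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
EOF
)

# The same dump after an ACCEPT for the bridge is inserted ahead of the catch-all
# (also constructed; one way a provider could resolve the conflict).
FIXED_DUMP=$(printf '%s\n' "$BROKEN_DUMP" |
  awk '{ print } /^-A INPUT -i lo -j ACCEPT$/ { print "-A INPUT -i docker0 -j ACCEPT" }')

echo "== broken =="
printf '%s\n' "$BROKEN_DUMP" | scan_rejects
echo "== fixed =="
printf '%s\n' "$FIXED_DUMP" | scan_rejects
```

On a real host run `iptables-save | scan_rejects` as root on the docker host, not inside the container, and compare the chain and rule position it reports with `iptables -L INPUT -n --line-numbers -v` to see which rule's packet counter increments while the container's curl fails. The ICMP error itself does not carry the rule that produced it, so a "no" in the output is a lead to verify, not proof. A way to sidestep the hairpin entirely is to put nginx and the application containers on one user-defined Docker network and give the nginx service the public hostnames as network aliases, so that jira.mydomain.com resolves to the nginx container from inside JIRA and never leaves the bridge; the certificate nginx presents is the same, so TLS validation is unaffected.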