Nginx load balancer, upstream SSL and Docker

Time: 2016-07-07 19:55:11

Tags: ssl nginx docker

I am trying to load balance between several Docker containers; each container runs Nginx, and each of the web servers has an SSL certificate.

$ docker ps

CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                   NAMES
b1364b46632c        web         "/usr/bin/supervisord"   22 minutes ago      Up 21 minutes       0.0.0.0:8001->443/tcp   webserver01
b1364b46632c        web         "/usr/bin/supervisord"   22 minutes ago      Up 21 minutes       0.0.0.0:8002->443/tcp   webserver02

My Nginx load balancer configuration, /etc/nginx/conf.d/default.conf:

upstream pool_webservers {
    server localhost:8001;
    server localhost:8002;
}

server {
    listen 443;
    location / {
        proxy_pass https://pool_webservers;
    }
}

If I run curl -vvv https://localhost:8001 or curl -vvv https://localhost:8002, the servers respond with the SSL certificate, but I cannot get it to work through the load balancer: if I run curl -vvv https://localhost:443, it returns

$ curl -vvv https://localhost:443
* Rebuilt URL to: https://localhost:443/
*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS error -12263 (SSL_ERROR_RX_RECORD_TOO_LONG)
* SSL received a record that exceeded the maximum permissible length.
* Closing connection 0
curl: (35) SSL received a record that exceeded the maximum permissible length.

Thanks!

Update 1: I have been reading, and the best solution is to put the SSL certificate on the load balancer side and run the Docker containers (the nginx web servers) without certificates.

Like this:

$ docker ps

CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                           NAMES
ec14fa21ef3d    dignajar/bludit   "/usr/bin/supervisord"       2 hours ago         Up 2 hours          0.0.0.0:8001->80/tcp          webserver01
ac14fa21ef1a    dignajar/bludit   "/usr/bin/supervisord"       2 hours ago         Up 2 hours          0.0.0.0:8002->80/tcp          webserver02

This is my Nginx virtual host with the SSL certificate for mydomain.

upstream pool_webservers {
    server localhost:8001;
    server localhost:8002;
}

server {
    listen 443 ssl;
    server_name mydomain.here.com;

    ssl_certificate         /etc/...;
    ssl_certificate_key     /etc/...;
    ....

    location / {
        proxy_pass http://pool_webservers;
    }
}

PS: having everything on the same server is not a good idea; it is only for this example.

1 answer:

Answer 0 (score: 2)

Change the listen line to specify ssl?

listen 443 ssl;
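For the original design, where the backends keep their own certificates, the load balancer has to do two things: terminate TLS toward clients (the missing "ssl" that produced SSL_ERROR_RX_RECORD_TOO_LONG) and verify the backends it re-encrypts to, which nginx does not do by default. The following is an added example, not configuration from the question or the answer; the certificate paths and the assumption that the backend certificates are issued for mydomain.here.com are placeholders.

```nginx
# Added example (not from the question or the answer). Assumes the first
# setup: each backend serves HTTPS on container port 443, published as
# localhost:8001 / localhost:8002, with certificates issued for
# mydomain.here.com and signed by the CA in the placeholder bundle below.
upstream pool_webservers {
    server localhost:8001;
    server localhost:8002;
}

server {
    # 'ssl' is what was missing: with a bare 'listen 443;' nginx speaks
    # plain HTTP on the port, so curl's TLS ClientHello is answered with an
    # HTTP response and curl reports SSL_ERROR_RX_RECORD_TOO_LONG.
    listen 443 ssl;
    server_name mydomain.here.com;

    # Certificate the load balancer presents to clients (placeholder paths).
    ssl_certificate     /etc/nginx/ssl/lb.crt;
    ssl_certificate_key /etc/nginx/ssl/lb.key;
    ssl_protocols       TLSv1.2;

    location / {
        # Re-encrypt to the backends, which keep their own certificates.
        proxy_pass https://pool_webservers;

        # nginx does NOT verify upstream certificates unless told to, so a
        # re-encrypting proxy would otherwise accept any certificate on
        # 8001/8002. Pin the CA and the expected name so the hop is
        # actually authenticated.
        proxy_ssl_verify               on;
        proxy_ssl_verify_depth         2;
        proxy_ssl_trusted_certificate  /etc/nginx/ssl/backend-ca.crt;  # placeholder
        # Name checked against the backend certificate; without this nginx
        # would check the upstream group name "pool_webservers".
        proxy_ssl_name                 mydomain.here.com;
        proxy_ssl_server_name          on;   # send SNI to the backend
        proxy_ssl_protocols            TLSv1.2;

        # Preserve the original host and client address for backend logs.
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Validate with nginx -t before reloading; a wrong proxy_ssl_name or CA bundle shows up as a 502 with an "upstream SSL certificate verify error" line in the error log rather than as a silent fallback.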