使用Docker在Windows上进行反向代理-Nginx不会将https转发到IIS

时间:2019-01-31 12:59:00

标签: docker ssl nginx iis nginx-reverse-proxy

我有一个win10框,在其中运行docker和两个带有Windows的容器,如下图所示,其中一个正在运行Nginx,并充当另一个运行IIS的容器的反向代理。 对于http,它工作正常,但对于https,从nginx重定向到IIS失败。

各个容器自己接受https,因此我知道证书已正确安装。我使用自签名证书。 我认为nginx.conf中可能有一个我不知道是由它引起的设置。

我可以做到

+---------------------------+--------------------------+------+
| https://localhost         | points to nginx          | OK   | 
+---------------------------|--------------------------|------|
| https://localhost:5003    | points to iis            | OK   |
+---------------------------|--------------------------|------|
| https://localhost/mysite  | points to iis via nginx  | FAIL |
+---------------------------+--------------------------+------+

enter image description here

错误:

enter image description here

有问题,例如thisthis,但它们仅引用http。 DigitalOcean上有一个tutorial,其中描述了如何使用https设置nginx,我已经在很大程度上遵循了它,但是仍然无法正常工作。

Nginx-access.log:

"GET /mysite HTTP/1.1" 504 585 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36"

Nginx-error.log:

*5 upstream timed out (10060: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond) while connecting to upstream, client: 172.18.0.1, server: localhost, request: "GET /mysite HTTP/1.1", upstream: "https://172.18.0.2:5003/", host: "localhost"

IIS日志:

C:\ inetpub \ logs为空

问题

如何使nginx将https转发到IIS容器?


设置

设置docker网络: docker network create -d nat --subnet=172.18.0.0/16 nginx-proxy-network

构建命令:

cd nginx-proxy
docker build -t nginx-proxy .
Cd ..\iis
Docker build -t iis .

启动nginx容器: docker run -d -p 80:80 -p 443:443 --network nginx-proxy-network --ip 172.18.0.3 nginx-proxy

启动iis容器: docker run -d -p 5002:80 -p 5003:443 --network nginx-proxy-network --ip 172.18.0.2 iis

Nginx

为nginx 1 生成证书: C:\openssl\openssl.exe genrsa -des3 -out localhost.key 2048

C:\openssl\openssl.exe req -new -key localhost.key -out localhostcsr -config C:\openssl\openssl.conf

C:\openssl\openssl.exe x509 -req -days 365 -in localhost.csr -signkey localhost.key -out localhost.crt

它要求输入密码,然后将其存储在txt文件中。

Nginx.conf:

worker_processes 1;
events {
    worker_connections 1024;
}

http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;
    server {
        listen 80;
        server_name localhost ; 

        location /mysite {
            proxy_pass http://172.18.0.2/; 
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
        location / {
            root html;
            index index.html index.htm;
        }
# redirect server error pages to the static page /50x.html
#
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
}
# HTTPS server
    server {
        listen *:443 ssl;
        server_name localhost ;
        ssl on;
        ssl_password_file C:\cert\pwdcert.txt; 
        ssl_certificate C:\cert\localhost.crt; 
        ssl_certificate_key C:\cert\localhost.key;
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        add_header Strict-Transport-Security "max-age=63072000;        includeSubdomains; preload";
        add_header X-Frame-Options DENY;
        add_header X-Content-Type-Options nosniff;
        add_header X-Frame-Options "SAMEORIGIN";

        location /mysite {
            proxy_pass https://172.18.0.2:5003/;
            # proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }

        location / {
            root html;
            index index.html index.htm;
        }
    }
}

Nginx-Docker文件:

FROM microsoft/windowsservercore
COPY nginx/ /nginx
RUN mkdir "C:\\cert" 
COPY *.crt /cert
COPY *.key /cert
COPY pwdcert.txt /cert
WORKDIR /nginx
CMD ["nginx"]

IIS

IIS Docker文件:

FROM microsoft/aspnet
COPY iisscripts.ps1 /
RUN powershell -noexit "C:\iisscripts.ps1"
COPY mysite/ /inetpub/wwwroot/

iisscripts.ps1:

$cert = New-SelfSignedCertificate -DnsName "localhost" -    CertStoreLocation cert:\LocalMachine\My
New-WebBinding -Name "Default Web Site" -IP "*" -Port 443 -Protocol https
new-item -path IIS:\SslBindings\0.0.0.0!443 -Value $cert

2 个答案:

答案 0 :(得分:0)

您是否可以从运行nginx的容器中卷曲IIS URL?

使用ssh执行到nginx容器,然后:-

https://[my域或IP地址]

答案 1 :(得分:0)

就像我想的那样。由于您在IIS容器中安装的证书不受运行NGINX的容器信任,因此它不会代理连接。您需要通过将以下内容添加到NGINX配置中来告诉NGINX不要验证ssl。

ssl_verify_client关

或使用受信任的证书。