我正在尝试使用nginx
作为传统服务的反向代理,并使用traefik
将流量路由到容器。某些服务通过nginx-ldap-auth
进行了身份验证。
这是用于容器设置的docker-compose
文件:
---
version: '3.7'
networks:
backend: {}
services:
ldap_auth:
command: >-
python /usr/src/app/nginx-ldap-auth-daemon.py
--host 0.0.0.0
--url ldap://ldap.jumpcloud.com:389
--starttls starttls
-b "${LDAP_BASEDN}"
-D "${LDAP_BINDDN}"
-w "${LDAP_PASS}"
--filter "uid=%(username)s"
expose:
- "8888"
image: nginx-ldap-auth
labels:
traefik.port: "8888"
traefik.backend: "nginx-ldap-auth"
traefik.frontend.rule: "Host:dock.${DOMAIN};PathPrefix:/auth"
networks:
- backend
restart: unless-stopped
traefik:
command:
- --accesslog
- --api # defaults to port 8080
# docker
- --docker
- --docker.domain=dock.${DOMAIN}
- --docker.network=${COMPOSE_PROJECT_NAME}_backend
# acme
- --acme.acmelogging=true
- --acme.dnschallenge.provider=ovh
- --acme.dnschallenge=true
- --acme.domains=*.${DOMAIN},${DOMAIN}
- --acme.email=${EMAIL}
- --acme.entrypoint=https
- --acme.storage=/etc/traefik/acme.json
- --acme=true
# - --acme.onhostrule=true # not usable with wildcard certs
# entrypoints
- --defaultentrypoints=http,https
- --entryPoints=Name:http Address::80 Redirect.EntryPoint:https
- --entryPoints=Name:https Address::443 Compress:true TLS Tls.minVersion:VersionTLS12
# others
- --keeptrailingslash=true
# - --debug
env_file:
- ovh.env
image: traefik:maroilles-alpine
labels:
traefik.api.port: "8080"
traefik.api.frontend.entrypoints: "traefik"
traefik.api.frontend.rule: "Host:dock.${DOMAIN};PathPrefixStrip:/traefik"
traefik.frontend.auth.forward.address: "https://dock.${DOMAIN}/auth" # LDAP
networks:
- backend
- default
ports:
# - "80:80" # The HTTP port
- "4433:443" # The HTTPS port
# - "8080:8080" # The Web UI (enabled by --api)
restart: unless-stopped
volumes:
- "/var/run/docker.sock:/var/run/docker.sock:ro" # So that Traefik can listen to the Docker events
- "${MOUNT}/docker/traefik:/etc/traefik"
这是其余服务的当前dock.conf
:
server {
listen 80;
server_name dock.domain.com;
return 301 https://dock.domain.com$request_uri;
}
server {
listen 443;
server_name dock.domain.com;
ssl on;
include ssl/ssl.conf;
root /var/www;
location = / {
try_files /dev/null @traefik; # no better way to solve this
}
location / {
try_files $uri $uri/ @traefik;
}
location @traefik {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass https://localhost:4433;
}
location /otherlocation/ {
proxy_set_header Host $host;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_cache_bypass $http_upgrade;
proxy_pass http://localhost:3000/;
}
但是,该设置在转发给traefik并需要身份验证的任何位置返回500错误。
我该怎么解决?