通过Nginx代理HTTPS向docker-compose中的gunicorn django提供静态文件

时间:2019-05-10 07:51:23

标签: django docker nginx docker-compose

我正在使用docker-compose将Django / Nginx / Gunicorn Webapp部署到EC2实例。 EC2实例具有mywebapp.com / www.mywebapp.com指向的静态IP,我已经完成certbot验证(站点在HTTP上的端口80上工作),但现在尝试通过SSL进行工作。

现在,HTTP(包括加载静态文件)正在为我工​​作,而HTTPS动态内容(来自Django)正在工作,但静态文件却没有。我认为我的nginx配置很奇怪。

我尝试将location /static/块复制到nginx conf文件中的SSL服务器上下文中,但这导致SSL完全停止工作,而不仅仅是SSL上的静态文件。

这是最终的docker-compose.yml:

services:
  certbot:
    entrypoint: /bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h &
      wait $${!}; done;'
    image: certbot/certbot
    volumes:
      - /home/ec2-user/certbot/conf:/etc/letsencrypt:rw
      - /home/ec2-user/certbot/www:/var/www/certbot:rw
  nginx:
    command: /bin/sh -c 'while :; do sleep 6h & wait $${!}; nginx -s reload; done
      & nginx -g "daemon off;"'
    depends_on:
      - web
    image: xxxxxxxx.dkr.ecr.us-east-1.amazonaws.com/xxxxxxxx:latest
    ports:
      - 80:80/tcp
      - 443:443/tcp
    volumes:
      - /home/ec2-user/certbot/conf:/etc/letsencrypt:rw
      - static_volume:/usr/src/app/public:rw
      - /home/ec2-user/certbot/www:/var/www/certbot:rw
  web:
    entrypoint: gunicorn mywebapp.wsgi:application --bind 0.0.0.0:7000"
    image: xxxxxxxx.dkr.ecr.us-east-1.amazonaws.com/xxxxxxxx:latest
    volumes:
      - static_volume:/usr/src/app/public:rw
version: '3.0'
volumes:
  static_volume: {}

nginx.prod.conf

upstream mywebapp {
    # web is the name of the service in the docker-compose.yml
    # 7000 is the port that gunicorn listens on
    server web:7000;
}

server {
    listen 80;
    server_name mywebapp;
    location / {
        proxy_pass       http://mywebapp;
        proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
        proxy_set_header Host               $host;
        proxy_redirect   off;
    }
    location /static/ {
        alias /usr/src/app/public/;
    }
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }
}

server {
    # https://github.com/wmnnd/nginx-certbot/blob/master/data/nginx/app.conf
    listen 443    ssl;
    server_name   mywebapp;
    server_tokens off;

    location / {
        proxy_pass          http://mywebapp;
        proxy_set_header    Host                $http_host;
        proxy_set_header    X-Real-IP           $remote_addr;
        proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
    }

    # generated with help of certbot
    ssl_certificate     /etc/letsencrypt/live/mywebapp.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mywebapp.com/privkey.pem;
    include             /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam         /etc/letsencrypt/ssl-dhparams.pem;
}

最后是Nginx服务Dockerfile:

FROM nginx:1.15.12-alpine

RUN rm /etc/nginx/conf.d/default.conf
COPY ./nginx.prod.conf /etc/nginx/conf.d

我只是构建,先推送到本地计算机上的ECR,然后docker-compose pull并在EC2实例上与docker-compose up -d一起运行。

我在docker-compose logs中看到的错误是:

nginx_1    | 2019/05/09 02:30:34 [error] 8#8: *1 connect() failed (111: Connection refused) while connecting to upstream, client: xx.xx.xx.xx, server: mywebapp, request: "GET / HTTP/1.1", upstream: "http://192.168.111.3:7000/", host: "ec2-xxx-xxx-xxx-xxx.compute-1.amazonaws.com"

我不确定发生了什么问题。我正在尝试使用生成和验证的证书在HTTPS下正确获取动态内容(gunicorn)和静态内容(来自:/ usr / src / app / public)。

有人知道我在做什么错吗?

1 个答案:

答案 0 :(得分:1)

使用nginx -T检查您的配置文件-您看到正确的配置了吗?您的构建过程是否引入了正确的conf?

仅在远程计算机上进行调试很有帮助-docker-compose exec nginx sh进入内部并从那里和nginx -s reload调整conf。这将加快调试SSL问题的迭代周期。