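I am trying to build a reverse proxy with nginx so that all the UIs in my project are reachable from a single address. For a single service, the following configuration works fine: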
/etc/nginx/sites-enabled/reverse-proxy.conf
server {
    listen 80;
    listen [::]:80;
    location / {
        resolver 127.0.0.1;
        allow "x.x.x.x";
        deny all;
        proxy_pass http://consul:8500;
    }
}
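So when I call the server's IP x.x.x.x in my browser, I see the Consul UI and the URL shows x.x.x.x/ui/dc1. Besides that, I can see that the UI requested its asset files successfully.
My question: is it possible to host two different services on the same server and just refer to them under different locations? For example, if I wanted to include the Vault UI, I would think of doing something like this: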
server {
    listen 80;
    listen [::]:80;
    location /consul {
        resolver 127.0.0.1;
        allow "x.x.x.x";
        deny all;
        proxy_pass http://consul:8500;
    }
    location /vault {
        resolver 127.0.0.1;
        allow "x.x.x.x";
        deny all;
        proxy_pass http://vault:8200;
    }
}
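But I am not sure whether it can be done this way. The farthest I got was opening the Consul UI with all the other sub-requests (i.e. loading assets) not found.
Update
I think my problem is that I am using location and proxy_pass incorrectly. Looking at the first configuration (which is working):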
server {
    listen 80;
    listen [::]:80;
    location / {
        resolver 127.0.0.1;
        allow "x.x.x.x";
        deny all;
        proxy_pass http://consul:8500;
    }
}
If I look at the output of the command curl localhost -L -vvvv:
* Trying 127.0.0.1:80...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 80 (#0)
> GET / HTTP/1.1
> Host: localhost
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
< Server: nginx/1.18.0 (Ubuntu)
< Date: Fri, 10 Jul 2020 16:24:38 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 39
< Connection: keep-alive
< Location: /ui/
<
* Ignoring the response-body
* Connection #0 to host localhost left intact
* Issue another request to this URL: 'http://localhost/ui/'
* Found bundle for host localhost: 0x557b754549e0 [serially]
* Can not multiplex, even if we wanted to!
* Re-using existing connection! (#0) with host localhost
* Connected to localhost (127.0.0.1) port 80 (#0)
> GET /ui/ HTTP/1.1
> Host: localhost
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Server: nginx/1.18.0 (Ubuntu)
< Date: Fri, 10 Jul 2020 16:24:38 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 7806
< Connection: keep-alive
< Accept-Ranges: bytes
< Last-Modified: Fri, 10 Jul 2020 07:37:44 GMT
<
<!DOCTYPE html>
<html lang="en" class="ember-loading">
...
There I can already see the HTML. However, if I change the conf file to this:
server {
    listen 80;
    listen [::]:80;
    location /consul/ {
        resolver 127.0.0.1;
        allow "x.x.x.x";
        deny all;
        proxy_pass http://consul:8500;
    }
}
and then try to call it with curl localhost/consul -L -vvvv, I get the following:
* Trying 127.0.0.1:80...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 80 (#0)
> GET /consul HTTP/1.1
> Host: localhost
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
< Server: nginx/1.18.0 (Ubuntu)
< Date: Fri, 10 Jul 2020 16:32:35 GMT
< Content-Type: text/html
< Content-Length: 178
< Location: http://localhost/consul/
< Connection: keep-alive
<
* Ignoring the response-body
* Connection #0 to host localhost left intact
* Issue another request to this URL: 'http://localhost/consul/'
* Found bundle for host localhost: 0x55ba7959f9e0 [serially]
* Can not multiplex, even if we wanted to!
* Re-using existing connection! (#0) with host localhost
* Connected to localhost (127.0.0.1) port 80 (#0)
> GET /consul/ HTTP/1.1
> Host: localhost
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 404 Not Found
< Server: nginx/1.18.0 (Ubuntu)
< Date: Fri, 10 Jul 2020 16:32:35 GMT
< Content-Length: 0
< Connection: keep-alive
I would appreciate any ideas on this problem.
Answer 0 (score: 1)
You are right, you are using location and proxy_pass incorrectly. When you use the
location /vault {
    proxy_pass http://vault:8200;
}
construct, you pass the URI to the upstream as is, whereas you most likely want to strip the /vault prefix from it. To do that, you should use this:
location /vault/ {
    proxy_pass http://vault:8200/;
}
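You can read about the difference between the first and the second here. However, this can still prevent the assets from loading correctly.
This question - how to proxy some web app under some URI prefix - is asked on Stack Overflow again and again. The only right way is to make the proxied app request its assets via relative URLs only (consider assets/script.js instead of /assets/script.js) or using the right prefix (/vault/assets/script.js). Some well-written apps are able to detect that they are used under such a URI prefix and use it when generating asset links; some apps allow it to be specified through some setting; but some are not suited for such use at all. The reason why the web app won't work if these requirements are not met is quite obvious: any URL that does not start with /vault will not match your location /vault/ { ... } block and will be served via the main location block instead. So the best way is to fix your web app; however, if you really cannot, several workarounds can be used.
Some web frameworks already build their web apps with relative URLs but use <base href="/"> in the head section of index.html. For example, React or Angular use this approach. If you have such a line in your web app's root index.html, just change it to <base href="/vault/">.
Use conditional routing based on the HTTP Referer header value. This approach works quite well for single-page applications when loading assets, but if a web app consists of several pages it will not work: the logic for detecting the right upstream breaks after the first jump from one page to another. Here is an example: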
map $http_referer $prefix {
    ~https?://[^/]+/vault/ vault;
    # other webapps prefixes could be defined here
    # ...
    default base;
}
server {
    # listen port, server name and other global definitions here
    # ...
    location / {
        # "unconditional" jump-to-location idea taken from this answer:
        # https://serverfault.com/questions/908086/nginx-directly-send-from-location-to-another-named-location/965779#965779
        try_files /dev/null @$prefix;
    }
    location /vault/ {
        # proxy request to the vault upstream, remove "/vault" part from the URI
        proxy_pass http://vault:8200/;
    }
    location @vault {
        # proxy request to the vault upstream, do not change the URI
        proxy_pass http://vault:8200;
    }
    location @base {
        # default "root" location
        proxy_pass http://consul:8500;
    }
}
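Rewrite the links inside the response body using the sub_filter directive from ngx_http_sub_module. This is the ugliest one, but it can still be used as a last available option. This approach has an obvious performance impact. The rewrite patterns should be determined from the upstream response body. Usually this kind of configuration looks like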
location /vault/ {
    proxy_pass http://vault:8200/;
    sub_filter_types text/css application/javascript;
    sub_filter_once off;
    sub_filter 'href="/' 'href="/vault/';
    sub_filter "href='/" "href='/vault/";
    sub_filter 'src="/' 'src="/vault/';
    sub_filter "src='/" "src='/vault/";
    sub_filter 'url("/' 'url("/vault/';
    sub_filter "url('/" "url('/vault/";
    sub_filter "url(/" "url(/vault/";
}
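An added example, not part of the original answer: a small Python model of the two rules at work in this thread, namely how proxy_pass with and without a URI part maps the request URI to the upstream, and how the Referer-based map picks an upstream for unprefixed requests. It assumes plain prefix locations only (no regex or exact-match locations, no variables in proxy_pass); the function names and the asset path /assets/app.js are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

def upstream_uri(location, proxy_pass, request_uri):
    """URI sent upstream for a request matched by the prefix `location`."""
    uri_part = urlsplit(proxy_pass).path
    if not uri_part:
        return request_uri                         # no URI part: passed unchanged
    return uri_part + request_uri[len(location):]  # matched prefix is replaced

def route(locations, request_uri):
    """Longest-prefix match over {location: proxy_pass}; None if nothing matches."""
    hits = [loc for loc in locations if request_uri.startswith(loc)]
    if not hits:
        return None
    loc = max(hits, key=len)
    target = urlsplit(locations[loc])
    return f"{target.scheme}://{target.netloc}" + upstream_uri(loc, locations[loc], request_uri)

# The answer's map block: an unanchored regex on the client-supplied Referer.
REFERER_MAP = [(re.compile(r"https?://[^/]+/vault/"), "vault")]
NAMED = {"vault": "http://vault:8200", "base": "http://consul:8500"}

def referer_routed(request_uri, referer=None):
    """Upstream URL chosen by the answer's Referer-based configuration."""
    prefixed = route({"/vault/": "http://vault:8200/"}, request_uri)
    if prefixed:
        return prefixed
    name = next((n for rx, n in REFERER_MAP if rx.search(referer or "")), "base")
    return NAMED[name] + request_uri               # named locations keep the URI

if __name__ == "__main__":
    # Constructed requests; /assets/app.js is a made-up asset path.
    print(upstream_uri("/consul/", "http://consul:8500", "/consul/"))
    print(upstream_uri("/consul/", "http://consul:8500/", "/consul/ui/"))
    print(route({"/consul/": "http://consul:8500/"}, "/ui/assets/app.js"))
    print(referer_routed("/assets/app.js", "http://localhost/vault/ui/"))
    print(referer_routed("/assets/app.js"))
```

Because the Referer header is set by the client, the fourth call shows that any client can steer an unprefixed request to the vault upstream, so the allow/deny rules from the question need to cover the named locations as well.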