Docker networking problem with nginx proxy container

I am currently trying to set up a docker-based Jira and Confluence platform, proxied by nginx, and I am running into some kind of routing and networking problem.

The basic setup consists of three docker containers: an nginx container that handles the https requests for specific domains (e.g. jira.mydomain.com, confluence.mydomain.com) and redirects (proxy_pass) the requests to the specific containers for jira and confluence.

This setup generally works: I can reach the jira instance by opening https://jira.mydomain.com and the confluence instance by opening https://confluence.mydomain.com in the browser.

The problem becomes visible when logging in to jira (see screenshot):

and then in the Find-out-more link: JIRA health check

The proposed solutions in the linked JIRA health check article did not help me find and solve the problem. Instead, some exceptions in the log files gave more hints about the problem:

    2017-06-07 15:04:26,980 http-nio-8080-exec-17 ERROR christian.schlaefcke 904x1078x1 eqafq3 84.141.114.234,172.17.0.7 /rest/applinks/3.0/applicationlinkForm/manifest.json [caacrest.ui.CreateApplicationLinkUIResource] ManifestNotFoundException thrown while retrieving manifest
    ManifestNotFoundException thrown while retrieving manifest
    com.atlassian.applinks.spi.manifest.ManifestNotFoundException: java.net.NoRouteToHostException: No route to host (Host unreachable)
    ...
    Caused by: java.net.NoRouteToHostException: No route to host (Host unreachable)

When I follow the hint in this Atlassian knowledge base article and run this curl statement from inside the JIRA container:

    curl -H "Accept: application/json" https://jira.mydomain.com/rest/applinks/1.0/manifest -v

I finally get this error:

    *   Trying <PUBLIC_IP>...
    * connect to <PUBLIC_IP> port 443 failed: No route to host
    * Failed to connect to jira.mydomain.com port 443: No route to host
    * Closing connection 0
    curl: (7) Failed to connect to jira.mydomain.com port 443: No route to host

EDIT: the external URL jira.mydomain.com can be pinged from inside the container:

    root@c9233dc17588:# ping jira.mydomain.com
    PING jira.mydomain.com (<PUBLIC_IP>) 56(84) bytes of data.
    64 bytes from rs226736.mydomain.com (<PUBLIC_IP>): icmp_seq=1 ttl=64 time=0.082 ms
    64 bytes from rs226736.mydomain.com (<PUBLIC_IP>): icmp_seq=2 ttl=64 time=0.138 ms
    64 bytes from rs226736.mydomain.com (<PUBLIC_IP>): icmp_seq=3 ttl=64 time=0.181 ms

From outside the JIRA container (e.g. on the docker host or on another machine), the curl statement works fine!

I generally have good experience with linux, but my knowledge of networking, routing and iptables is still rather limited. Docker is running in the current version 17.03.1-ce, combined with docker-compose, on a centos 7 system:

    ~]# uname -a
    Linux rs226736 3.10.0-514.21.1.el7.x86_64 #1 SMP Thu May 25 17:04:51 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

At the moment I do not even understand what kind of problem this is (iptables?, routing?, docker?) or how to actually debug it :-(

I have played with some iptables and nginx related hints found via google, all without success. Any hint pointing me in the right direction would be highly appreciated.

Requested configuration:

NGINX docker-compose.yml:

    nginx:
      image: nginx
      container_name: nginx
      ports:
        - 80:80
        - 443:443
      external_links:
        - my_domain-jira
        - my_domain-confluence
      volumes:
        - /opt/docker/logs/nginx:/var/log/nginx
        - ./nginx.conf:/etc/nginx/nginx.conf
        - ./certs/jira.mydomain.com.crt:/etc/ssl/certs/jira.mydomain.com.crt
        - ./certs/jira.mydomain.com.key:/etc/ssl/private/jira.mydomain.com.key
        - ./certs/confluence.mydomain.com.crt:/etc/ssl/certs/confluence.mydomain.com.crt
        - ./certs/confluence.mydomain.com.key:/etc/ssl/private/confluence.mydomain.com.key

JIRA docker-compose.yml (Confluence is similar):

    jira:
      container_name: my_domain-jira
      build: .
      external_links:
        - postgres
      volumes:
        - ./inst/conf/server.xml:/opt/jira/conf/server.xml
        - ./inst/bin/setenv.sh:/opt/jira/bin/setenv.sh
        - /home/jira:/opt/atlassian-home
        - /opt/docker/logs/jira:/opt/jira/logs
        - /etc/localtime:/etc/localtime:ro

NGINX nginx.conf (jira part):

    # the jira container is reached by its container name via the external_links entry
    upstream jira {
        server my_domain-jira:8080;
    }

    # begin jira configuration
    # plain http: redirect everything to https
    server {
        listen 80;
        server_name jira.mydomain.com;
        client_max_body_size 500M;
        rewrite ^ https://$server_name$request_uri? permanent;
    }

    server {
        listen 443 ssl;
        server_name jira.mydomain.com;
        ssl on;
        ssl_certificate /etc/ssl/certs/jira.mydomain.com.crt;
        ssl_certificate_key /etc/ssl/private/jira.mydomain.com.key;
        ssl_session_timeout 5m;
        ssl_prefer_server_ciphers on;
        # note: TLSv1/TLSv1.1 and the RC4 suites below are legacy and weak; keep only if old clients require them
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK';
        server_tokens off;
        add_header X-Frame-Options SAMEORIGIN;
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        client_max_body_size 500M;

        location / {
            # terminate TLS here and hand the request to the jira container over plain http
            proxy_pass http://jira/;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection 'upgrade';
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_cache_bypass $http_upgrade;
        }
    }

The ideas (nginx / proxy_pass / upstream) were mainly taken from:

  • https://www.digitalocean.com/community/tutorials/docker-explained-how-to-containerize-and-use-nginx-as-a-proxy

  • Nginx for serving multiple sites in docker

  • https://wiki.jenkins-ci.org/display/JENKINS/Jenkins+behind+an+NGinX+reverse+proxy

After a discussion with the virtual server provider it turned out that a conflict between the firewall rules of the plesk firewall and iptables caused the problem. After the provider resolved the conflict, the containers were reachable.

The problem is solved now, thanks to everyone involved!
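The symptom in the question (ICMP ping to the host's public IP works from the container, but a TCP connect to port 443 fails immediately with "No route to host") is the classic signature of an iptables REJECT rule that answers with icmp-host-prohibited or icmp-host-unreachable, rather than a genuine routing gap. With Docker's default userland proxy, a container that dials the host's own published port is handled on the host side, so the packet arrives on docker0 and is judged by the host's INPUT chain, where a Plesk- or CentOS-style firewall typically accepts the public interface and rejects everything else. The following script is an added example and not part of the original question or its resolution: it walks an `iptables -S INPUT` listing in rule order and reports the first rule that decides the fate of a new TCP/443 packet arriving on docker0. The two listings embedded in it are constructed samples, and the interface names eth0 and docker0 are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Reads `iptables -S INPUT`
# output on stdin and prints the first rule that decides what happens to a
# new TCP connection to port 443 arriving on docker0 (a container calling
# the host's published port). Exit status 0 = the packet is rejected or
# dropped (or falls through to a DROP policy), 1 = it is accepted.
first_verdict_for_docker0_443() {
    awk '
    # Does this rule match a new tcp/443 packet that came in on docker0?
    # Only interface, protocol, port and conntrack state are evaluated;
    # any other match (source address, limits, ...) is assumed to hit.
    function covers(line,    n, i, f, neg, iface, ineg, proto, dport) {
        if (line ~ /--(ct)?state / && line !~ /NEW/) return 0
        n = split(line, f, " ")
        iface = ""; ineg = 0; proto = ""; dport = ""; neg = 0
        for (i = 1; i <= n; i++) {
            if (f[i] == "!") { neg = 1; continue }
            if (f[i] == "-i")           { iface = f[i+1]; ineg = neg }
            else if (f[i] == "-p")      { proto = f[i+1] }
            else if (f[i] == "--dport") { dport = f[i+1] }
            neg = 0
        }
        # "-i docker0" and "! -i eth0" match; "-i eth0" and "! -i docker0" do not
        if (iface != "" && (iface == "docker0") == ineg) return 0
        if (proto != "" && proto != "tcp") return 0
        if (dport != "" && dport != "443") return 0
        return 1
    }
    /^-P INPUT / { policy = $3; next }
    /^-A INPUT / {
        if (!covers($0)) next
        target = ""
        n = split($0, f, " ")
        for (i = 1; i <= n; i++) if (f[i] == "-j") target = f[i+1]
        if (target == "ACCEPT")                     { print; verdict = 1; exit }
        if (target == "REJECT" || target == "DROP") { print; verdict = 2; exit }
        # jumps into user-defined chains are not followed in this example
    }
    END {
        if (verdict == 1) exit 1
        if (verdict == 2) exit 0
        print "policy " policy
        if (policy == "ACCEPT") exit 1
        exit 0
    }'
}

# Constructed sample: a host firewall that lets the public interface (eth0,
# assumed name) in and ends with the REJECT rule that yields "No route to
# host". Ping still works because of the icmp rule, as in the question.
SAMPLE_BLOCKED='-P INPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# Constructed sample: the same listing with an explicit accept for docker0.
SAMPLE_ALLOWED='-P INPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i docker0 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

for sample in "$SAMPLE_BLOCKED" "$SAMPLE_ALLOWED"; do
    if rule=$(printf '%s\n' "$sample" | first_verdict_for_docker0_443); then
        echo "BLOCKED by: $rule"
    else
        echo "ACCEPTED by: $rule"
    fi
done
# On the real host run:  iptables -S INPUT | first_verdict_for_docker0_443
```

The script deliberately stops at the first matching terminal target and does not descend into user-defined chains, so a verdict that comes from a jump (for example into a Plesk-managed chain) has to be checked by listing that chain the same way; the point is to find the rule that answers docker0 with an ICMP error before the ACCEPT that the public interface enjoys.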