Docker nginx代理,打开ldap和phpldapadmin -无法通过nginx访问ldap管理。
我想我在我的环境中有错误配置问题,我想听听你对此的看法。解决这个问题的建议或帮助是非常受欢迎的。
描述:使用jwilder/nginx代理容器访问LDAP (通过虚拟主机名访问)有问题,而通过带有暴露端口的真实linux进行访问很好。使用有效的通配符证书访问HTTPS。
环境:我正在linux上运行 (CentOS 7),我想设置一个带有jwilder/nginx代理的对接容器和另外两个对接容器:一个用于openLdap,另一个用于phpLdapAdmin。因此,对我的ldapadmin的访问将通过nginx进行,而不公开端口。
迄今已采取的步骤:
1.创建容器- nginx代理
docker run -d -p 80:80 -p 443:443 \
-v /home/admin/nginx/certs:/etc/nginx/certs \
-v /var/run/docker.sock:/tmp/docker.sock:ro \
--name proxy \
jwilder/nginx-proxy2.创建容器- ldap
docker run --name ldap -p 636:636 \
-v /home/admin/nginx/certs:/container/service/slapd/assets/certs \
-v /data/slapd/database:/var/lib/ldap \
-v /data/slapd/config:/etc/ldap/slapd.d \
--hostname ldap.company.com \
--add-host=ldap.company.com:192.168.168.168 \
--env LDAP_ORGANISATION='Company ltd' \
--env LDAP_DOMAIN='company.com' \
--env LDAP_ADMIN_PASSWORD='Password' \
--detach osixia/openldap:1.2.2 \而不是"192.168.168.168“是我真正的公共IP地址
然后成功地搜索LDAP
docker exec ldap \
ldapsearch -x -H ldap://ldap.company.com \
-b dc=company,dc=com \
-D "cn=admin,dc=company,dc=com" \
-w Password\3.创建容器phpldapadmin
docker run \
--name ldapadmin \
--env PHPLDAPADMIN_LDAP_HOSTS=ldap.company.com \
--expose 389 \
-e VIRTUAL_HOST=ldap.company.com \
-e VIRTUAL_PORT=389 \
--volume /home/admin/nginx/certs:/container/service/phpldapadmin/assets/apache2/certs \
--env PHPLDAPADMIN_HTTPS_CRT_FILENAME=ldap.company.com.crt \
--env PHPLDAPADMIN_HTTPS_KEY_FILENAME=ldap.company.com.key \
--env PHPLDAPADMIN_HTTPS_CA_CRT_FILENAME=ldap.company.com.crt \
--detach osixia/phpldapadmin:0.7.2最后,重新启动nginx代理容器,将ldap和ldapadmin自动添加到nginx配置中。
码头重启代理
然后我得到了暴露的端口:
图像端口名称
osixia/phpldapadmin:0.7.2 80/tcp,389/tcp,443/tcp ldapadmin
osixia/openldap:1.2.2 389/tcp,0.0.0:636->636/tcp ldap
现在出现了奇怪的部分,我的Linux服务器的主机名是带有一些公共地址的dev.company.com,我可以使用https://dev.company.com:6443访问ldapadmin,但是我不能通过URL: ldap.company.com访问,而不公开端口。我不能在Linux主机上平ldap.company.com.key。
注意:,我也为Jenkins做过同样的事情:
docker run -d --rm -u root -v /var/run/docker.sock:/var/run/docker.sock -v jenkins-data:/var/ jenkins _home -v "$HOME":/home -e VIRTUAL_HOST=jenkins.company.com -e VIRTUAL_PORT=8080 -- nj jenkins
对于工匠来说:
船坞运行-名称为-d -d -v -e VIRTUAL_HOST=artifactory.company.com -e VIRTUAL_PORT=8081
对于这两个我都有可点击的URL,它们返回我的公共IP地址,我成功地通过浏览器: jenkins.company.com和artifactory.company.com访问它们
我不能在Linux主机上平ldap.company.com.key。
回答 3
Stack Overflow用户
发布于 2018-11-17 00:26:50
首先,如果jwilder/nginx-proxy实际收到任何请求,您可以检查它的日志:
docker logs -f CONTAINER_ID但是,如果您甚至不能ping ldap.company.com,则可能无法将域解析为IP地址,因为它没有DNS记录。您可以使用以下方法进行测试:
host ldap.company.com如果无法解析域,则在company.com DNS服务器中创建DNS A记录,将ldap.company.com指向主机的公共IP地址。
或者,您可以测试以前是否一切都正常,如果只向主机的公共IP地址(而不是ldap.company.com域)发出ldap.company.com请求。
Stack Overflow用户
发布于 2018-11-19 13:35:48
由于我无法在上面的注释中详细描述我的当前状态,所以当我在我的URL中指定端口时,我将把它写成部分答案,因为我可以访问它。我的环境概述如下:
1.创建容器- nginx代理
docker run -d -p 80:80 -p 443:443 \
-v /home/admin/nginx/certs:/etc/nginx/certs \
-v /var/run/docker.sock:/tmp/docker.sock:ro \
--name proxy \
jwilder/nginx-proxy2.创建容器-LDAP
docker run --name ldap \
-v /home/admin/nginx/certs:/container/service/slapd/assets/certs \
-v /data/slapd/database:/var/lib/ldap -v /data/slapd/config:/etc/ldap/slapd.d \
--hostname ldap.company.com --add-host=ldap.company.com:192.168.168.168 \
--expose 443 \
--env LDAP_ORGANISATION='Company ltd' \
--env LDAP_DOMAIN='company.com' \
--env LDAP_ADMIN_PASSWORD='Password' \
-e VIRTUAL_HOST=ldap.company.com \
-e VIRTUAL_PORT=443 \
--detach osixia/openldap:1.2.23.创建容器- PHPLDAPADMIN
docker run --name ldapadmin \
-p 6443:443 \
--env PHPLDAPADMIN_LDAP_HOSTS=ldap.company.com \
-e VIRTUAL_HOST=ldap.company.com \
-e VIRTUAL_PORT=443 \
--expose 443 \
--hostname ldap.company.com \
--volume /home/admin/nginx/certs:/container/service/phpldapadmin/assets/apache2/certs \
--env PHPLDAPADMIN_HTTPS_CRT_FILENAME=ldap.company.com.crt \
--env PHPLDAPADMIN_HTTPS_KEY_FILENAME=ldap.company.com.key \
--env PHPLDAPADMIN_HTTPS_CA_CRT_FILENAME=ldap.company.com.crt \
--detach osixia/phpldapadmin:0.7.2\nginx中的配置: cat /etc/nginx/con.d/default.conf
# ldap.company.com
upstream ldap.company.com {
## Can be connected with "bridge" network
# ldapadmin
server 172.17.0.5:443;
## Can be connected with "bridge" network
# ldap
server 172.17.0.4:443;
}
server {
server_name ldap.company.com;
listen 80 ;
access_log /var/log/nginx/access.log vhost;
return 301 https://$host$request_uri;
}
server {
server_name ldap.company.com;
listen 443 ssl http2 ;
access_log /var/log/nginx/access.log vhost;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-******************';
ssl_prefer_server_ciphers on;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_certificate /etc/nginx/certs/ldap.company.com.crt;
ssl_certificate_key /etc/nginx/certs/company.com.key;
add_header Strict-Transport-Security "max-age=31536000" always;
location / {
proxy_pass http://ldap.company.com;
}
}正在运行的集装箱:
[admin@dev ~]$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
4c021b9f85e4 osixia/phpldapadmin:0.7.2 "/container/tool/run" 9 minutes ago Up 9 minutes 80/tcp, 0.0.0.0:6443->443/tcp ldapadmin
53963bfe8fdc osixia/openldap:1.2.2 "/container/tool/run" 10 minutes ago Up 10 minutes 389/tcp, 443/tcp, 636/tcp ldap
c9576b8c1b72 jwilder/nginx-proxy "/app/docker-entrypo…" 10 days ago Up 21 minutes 0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp proxy当我在浏览器中调用http://ldap.company.com/:-失败时,从nginx登录
nginx.1 | 2018/11/19 12:46:11 [error] 32#32: *1 upstream prematurely closed connection while reading response header from upstream, client: X:X:X:X, server: ldap.company.com, request: "GET / HTTP/2.0", upstream: "http://172.17.0.5:443/", host: "ldap.company.com"
nginx.1 | 2018/11/19 12:46:11 [error] 32#32: *1 connect() failed (111: Connection refused) while connecting to upstream, client: X:X:X:X, server: ldap.company.com, request: "GET / HTTP/2.0", upstream: "http://172.17.0.4:443/", host: "ldap.company.com"当我在browser - SUCCESS中调用时,从nginx登录
nginx.1 | ldap.company.com X:X:X:X - - [19/Nov/2018:12:46:11 +0000] "GET / HTTP/2.0" 502 575 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36"admin@dev ~$
我脑海中闪现的问题是:
- 我用正确的方式创造容器吗?
- 在创建ldap容器期间,是否需要指定某些端口( -p XXX:XX )?
- 我是否也需要像使用-expose交换机那样在ldap和ldapadmin上导出端口?
- 我做错什么了?
提前感谢所有能帮助和特别帮助你的人,谢谢你的时间和宝贵的意见。
附加信息:
在NGINX容器上,我得到以下错误:
nginx.1 | ldap.bitconex.de 62.216.206.17 - - [20/Nov/2018:15:52:49 +0000] "GET / HTTP/2.0" 403 209 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36"因为我在ldapadmin上得到了错误:
[Tue Nov 20 15:18:23.807278 2018] [authz_core:error] [pid 1019:tid 140081490781952] [client 172.17.0.3:59916] AH01630: client denied by server configuration: /var/www/html
172.17.0.3 - - [20/Nov/2018:15:18:23 +0000] "GET / HTTP/1.1" 403 373 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36"我搜索了ldap-admin容器,以检查在哪些文件中提到了/var/www/html,并且我发现在两个地方提到了taht:
1.
root@d65a1005d5aa:/# grep -rnw '/var/' -e '/var/www/html'
/var/lib/dpkg/info/apache2.postinst:111: for dir in /var/www
/var/www/html ; do
/var/lib/dpkg/info/apache2.postinst:124: cp
/usr/share/apache2/default-site/index.html /var/www/html/index.html
/var/lib/dpkg/info/apache2.postinst:128: for dir in /var/www
/var/www/html ; do
/var/lib/dpkg/info/apache2.postrm:70: if is_default_index_html
/var/www/html/index.html ; then
/var/lib/dpkg/info/apache2.postrm:71: rm -f
/var/www/html/index.html
/var/lib/dpkg/info/apache2.list:223:/var/www/html2.
root@d65a1005d5aa:/container/service/:apache2/assets/sites-available#
ls
000-default.conf
root@d65a1005d5aa:/container/service/:apache2/assets/sites-available#
cat 000-default.com
<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
<Directory /var/www/html >
Require all granted
</Directory>
</VirtualHost>因此,我不确定是否需要手动创建这个html文件夹,还是在第二个位置编辑这个文件,并将路径放置到phpadmin配置文件: root@d65a1005d5aa:/container/service/phpldapadmin/assets/config# ls config.php README.md。
或者将路径放置到/var/www/phpldapadmin_ path /htdocs?
Stack Overflow用户
发布于 2019-09-07 19:46:22
对于那些在黑暗中跌跌撞撞的人:由于代理正在处理HTTPS的内容,因此您不需要apache,因此您可以使用以下env变量运行phpldapadmin:
environment:
- PHPLDAPADMIN_TRUST_PROXY_SSL=true
- PHPLDAPADMIN_HTTPS=false当nginx代理在内部处理所有网络时,您不会公开坞映像的任何端口。
是有同样的问题,但这个问题解决了,考虑这样做,因为这是让加密代理同伴建立“高级设置”的方式。
https://stackoverflow.com/questions/53340099
复制相似问题
腾讯云开发者
