There are several different website containers running on a Docker host. How to correctly forward the 80 and 443 port traffic to the corresponding containers?
PHP中文网
PHP中文网 2017-06-20 10:05:52
0
2
1384

Help. . If there is a tutorial written by Dalao, you can also post the link to the article. . After a round of Baidu, I fell into coma. .

PHP中文网
PHP中文网

认证高级PHP讲师

reply all(2)
習慣沉默

折腾了一个下午,找到了docker的解决方案
github:https://github.com/JrCs/docke...

把重要重点部分摘出来

Separate Containers (recommended method)

nginx proxy can also be run as two separate containers using the jwilder/docker-gen
image and the official nginx image.

You may want to do this to prevent having the docker socket bound to a publicly exposed container service (avoid to mount the docker socket in the nginx exposed container). It's better in a security point of view.

To run nginx proxy as a separate container you'll need:

1) To mount the template file nginx.tmpl into the docker-gen container. You can get the latest official nginx.tmpl with a command like:

curl https://raw.githubusercontent.com/jwilder/nginx-proxy/master/nginx.tmpl > /path/to/nginx.tmpl

2) Set the NGINX_DOCKER_GEN_CONTAINER environment variable to the name or id of the docker-gen container.

Examples:

  • First start nginx (official image) with volumes:

$ docker run -d -p 80:80 -p 443:443 \
    --name nginx \
    -v /etc/nginx/conf.d  \
    -v /etc/nginx/vhost.d \
    -v /usr/share/nginx/html \
    -v /path/to/certs:/etc/nginx/certs:ro \
    --label com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy=true \
    nginx
  • Second start the docker-gen container with the shared volumes and the template file:

$ docker run -d \
    --name nginx-gen \
    --volumes-from nginx \
    -v /path/to/nginx.tmpl:/etc/docker-gen/templates/nginx.tmpl:ro \
    -v /var/run/docker.sock:/tmp/docker.sock:ro \
    jwilder/docker-gen \
    -notify-sighup nginx -watch -wait 5s:30s /etc/docker-gen/templates/nginx.tmpl /etc/nginx/conf.d/default.conf
  • Then start this container (NGINX_DOCKER_GEN_CONTAINER variable must contain the docker-gen container name or id):

$ docker run -d \
    --name nginx-letsencrypt \
    -e "NGINX_DOCKER_GEN_CONTAINER=nginx-gen" \
    --volumes-from nginx \
    -v /path/to/certs:/etc/nginx/certs:rw \
    -v /var/run/docker.sock:/var/run/docker.sock:ro \
    jrcs/letsencrypt-nginx-proxy-companion

Then start any containers to be proxied as described previously.

  • If for some reason you can't use the docker --volumes-from option, you can specify the name or id of the nginx container with NGINX_PROXY_CONTAINER variable.

Let's Encrypt

To use the Let's Encrypt service to automatically create a valid certificate for virtual host(s).

Set the following environment variables to enable Let's Encrypt support for a container being proxied. This environment variables need to be declared in each to-be-proxied application containers.

  • LETSENCRYPT_HOST

  • LETSENCRYPT_EMAIL

The LETSENCRYPT_HOST variable most likely needs to be the same as the VIRTUAL_HOST variable and must be publicly reachable domains. Specify multiple hosts with a comma delimiter.

The following environment variables are optional and parameterize the way the Let's Encrypt client works.

  • LETSENCRYPT_KEYSIZE

The LETSENCRYPT_KEYSIZE variable determines the size of the requested key (in bit, defaults to 4096).

multi-domain (SAN) certificates

If you want to create multi-domain (SAN) certificates add the base domain as the first domain of the LETSENCRYPT_HOST environment variable.

test certificates

If you want to create test certificates that don't have the 5 certs/week/domain limits define the LETSENCRYPT_TEST environment variable with a value of true (in the containers where you request certificates with LETSENCRYPT_HOST). If you want to do this globally for all containers, set ACME_CA_URI as described below.

Automatic certificate renewal

Every hour (3600 seconds) the certificates are checked and every certificate that will expire in the next 30 days (90 days / 3) are renewed.

Example:
$ docker run -d \
    --name example-app \
    -e "VIRTUAL_HOST=example.com,www.example.com,mail.example.com" \
    -e "LETSENCRYPT_HOST=example.com,www.example.com,mail.example.com" \
    -e "LETSENCRYPT_EMAIL=foo@bar.com" \
    tutum/apache-php

Optional container environment variables

Optional letsencrypt-nginx-proxy-companion container environment variables for custom configuration.

  • ACME_CA_URI - Directory URI for the CA ACME API endpoint (default: https://acme-v01.api.letsencrypt.org/directory). If you set it's value to https://acme-staging.api.letsencrypt.org/directory letsencrypt will use test servers that don't have the 5 certs/week/domain limits. You can also create test certificates per container (see let's encrypt test certificates)

For example

$ docker run -d \
    -e "ACME_CA_URI=https://acme-staging.api.letsencrypt.org/directory" \
    -v /path/to/certs:/etc/nginx/certs:rw \
    --volumes-from nginx-proxy \
    -v /var/run/docker.sock:/var/run/docker.sock:ro \
    jrcs/letsencrypt-nginx-proxy-companion
  • DEBUG - Set it to true to enable debugging of the entrypoint script and generation of LetsEncrypt certificates, which could help you pin point any configuration issues.

  • The "com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy=true" label - set this label on the nginx-proxy container to tell the docker-letsencrypt-nginx-proxy-companion container to use it as the proxy.

  • ACME_TOS_HASH - Let´s you pass an alternative TOS hash to simp_le, to support other CA´s ACME implentation.

Examples:

If you want other examples how to use this container, look at:

  • Karl Fathi's Examples

  • More examples from Karl

  • George Ilyes' Examples

  • Dmitry's simple docker-compose example

注意,这里有个坑,也怪我自己没看清楚,如果镜像已经expose端口就设置VIRTUAL_HOST、LETSENCRYPT_HOST、LETSENCRYPT_EMAIL就行,如果没有就得在设置好三个环境变量之后自己加入--expose 容器内应用服务端口 参数启动。如果容器是discourse这样的,就得在app.yml内设置好环境变量之后把端口映射的80:80改为未占用端口:80,然后再保存重建启动。

大家讲道理

Since the container can only directly bind the port of the host, for example, I have 10 web containers, then these containers all need 80 or 443, so the -p parameter is not feasible, so either use a container as a gateway reverse proxy container, Use nginx, nginx container for -p, other web containers such as php-fpm and node, and access through nginx as a reverse proxy. The certificate is also directly handed over to the nginx server and 443 forwarding can be achieved.

Actually, these are the basics, but they have nothing to do with docker

This article is an lnmp environment,
/a/11...

If there are multiple php-fpm or node or python backend services, then nginx should be as follows

server{
  listen 80;
  server_name web1;
  location /{
    proxy_pass  ....
  }
}

server{
  listen 80;
  server_name web2;
  location /{
    proxy_pass  ....
  }

}

server{
  listen 80;
  server_name web3;
  location /{
    proxy_pass  ....
  }
}
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template