首页
学习
活动
专区
圈层
工具
发布
社区首页 >问答首页 >码头工人群与网络过滤器

码头工人群与网络过滤器
EN

Server Fault用户
提问于 2020-01-15 22:45:53
回答 1查看 191关注 0票数 1

我已经在我的VPS上部署了一个Docker群服务器,以处理Asp.Net核心应用程序。我想通过Nginx网络服务器提供这个应用程序。

假设我的web应用程序是我通过.Net Core命令创建的普通应用程序:

代码语言:javascript
复制
dotnet new webapp mywebapp

Dockerfile (简化):

代码语言:javascript
复制
FROM mcr.microsoft.com/dotnet/core/sdk:3.0-alpine as builder
WORKDIR /app
COPY . .
RUN dotnet publish -c Release -o publish
WORKDIR /app/publish
ENTRYPOINT ["dotnet", "MyWebApp.dll"]

我的docker-compose.yml看起来如下(简化):

代码语言:javascript
复制
version: '3'

services:
  app:
    image: edouard/mywebapp:latest
    ports:
      - 9000:80

我的nginx配置如下所示:

代码语言:javascript
复制
server {
    listen 443 ssl;
    server_name myservername.com;

    ssl_certificate     /path/to/ssl_certificate;
    ssl_certificate_key /path/to/ssl_certificate_key;

   location / {
        proxy_pass         http://localhost:9000;
        proxy_http_version 1.1;
        proxy_set_header   Upgrade $http_upgrade;
        proxy_set_header   Connection keep-alive;
        proxy_set_header   Host $host;
        proxy_cache_bypass $http_upgrade;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
    } 

}
server {
    listen 80;
    server_name myservername.com;
    return 301 https://$host$request_uri;
}

如您所见,我使用Nginx作为反向代理服务器,将所有HTTP/HTTPS流量从80和443端口重定向到本地9000端口,Docker Swarm正在映射到容器内的80端口,Kestrel服务器正在该端口上运行。

https://myservername.com上,一切都很好。但是事情是这样的:人们也可以在http://myservername.com:9000上访问我的网络应用程序!这是我不想要的。

我想我必须配置防火墙,使我只允许流量到80和443端口(照顾让22端口的SSH,等等)。我已经阅读了一些教程来了解如何做到这一点,然而,Docker也在处理防火墙!

当我启动sudo iptables -L -v时:

代码语言:javascript
复制
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 3417  873K DOCKER-USER  all  --  any    any     anywhere             anywhere            
 3417  873K DOCKER-INGRESS  all  --  any    any     anywhere             anywhere            
   31  9043 DOCKER-ISOLATION-STAGE-1  all  --  any    any     anywhere             anywhere            
    0     0 ACCEPT     all  --  any    docker0  anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  any    docker0  anywhere             anywhere            
    0     0 ACCEPT     all  --  docker0 !docker0  anywhere             anywhere            
    0     0 ACCEPT     all  --  docker0 docker0  anywhere             anywhere            
   18  7620 ACCEPT     all  --  any    docker_gwbridge  anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  any    docker_gwbridge  anywhere             anywhere            
   13  1423 ACCEPT     all  --  docker_gwbridge !docker_gwbridge  anywhere             anywhere            
    0     0 DROP       all  --  docker_gwbridge docker_gwbridge  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  anywhere             anywhere            
   13  1423 DOCKER-ISOLATION-STAGE-2  all  --  docker_gwbridge !docker_gwbridge  anywhere             anywhere            
   31  9043 RETURN     all  --  any    any     anywhere             anywhere            

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  any    docker0  anywhere             anywhere            
    0     0 DROP       all  --  any    docker_gwbridge  anywhere             anywhere            
   13  1423 RETURN     all  --  any    any     anywhere             anywhere            

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 3417  873K RETURN     all  --  any    any     anywhere             anywhere            

Chain DOCKER-INGRESS (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 1567  101K ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:9000
 1270  698K ACCEPT     tcp  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED tcp spt:9000
   31  9043 RETURN     all  --  any    any     anywhere             anywhere            

我应该如何配置防火墙,使其不与Docker交互?我找到了一些部分的答案:

然而,我发现它相当复杂,我感到惊讶的是,在Docker的博客上没有这个问题的官方答案。

版本:

  • 副总裁: Debian 10.2
  • 码头发动机: 19.03.5
  • Nginx: 1.16.1
  • 表: 1.8.2

谢谢你的帮助。

EN

回答 1

Server Fault用户

发布于 2020-01-26 20:36:17

您可以尝试绑定localhost而不是默认的0.0.0.0地址:

代码语言:javascript
复制
services:
  app:
    image: edouard/mywebapp:latest
    ports:
      - '127.0.0.1:9000:80'

https://docs.docker.com/compose/compose-file/#ports

票数 0
EN
页面原文内容由Server Fault提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:

https://serverfault.com/questions/999140

复制
相关文章

相似问题

领券
问题归档专栏文章快讯文章归档关键词归档开发者手册归档开发者手册 Section 归档