码头工人群与网络过滤器
我已经在我的VPS上部署了一个Docker群服务器,以处理Asp.Net核心应用程序。我想通过Nginx网络服务器提供这个应用程序。
假设我的web应用程序是我通过.Net Core命令创建的普通应用程序:
dotnet new webapp mywebappDockerfile (简化):
FROM mcr.microsoft.com/dotnet/core/sdk:3.0-alpine as builder
WORKDIR /app
COPY . .
RUN dotnet publish -c Release -o publish
WORKDIR /app/publish
ENTRYPOINT ["dotnet", "MyWebApp.dll"]我的docker-compose.yml看起来如下(简化):
version: '3'
services:
app:
image: edouard/mywebapp:latest
ports:
- 9000:80我的nginx配置如下所示:
server {
listen 443 ssl;
server_name myservername.com;
ssl_certificate /path/to/ssl_certificate;
ssl_certificate_key /path/to/ssl_certificate_key;
location / {
proxy_pass http://localhost:9000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection keep-alive;
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
server {
listen 80;
server_name myservername.com;
return 301 https://$host$request_uri;
}如您所见,我使用Nginx作为反向代理服务器,将所有HTTP/HTTPS流量从80和443端口重定向到本地9000端口,Docker Swarm正在映射到容器内的80端口,Kestrel服务器正在该端口上运行。
在https://myservername.com上,一切都很好。但是事情是这样的:人们也可以在http://myservername.com:9000上访问我的网络应用程序!这是我不想要的。
我想我必须配置防火墙,使我只允许流量到80和443端口(照顾让22端口的SSH,等等)。我已经阅读了一些教程来了解如何做到这一点,然而,Docker也在处理防火墙!
当我启动sudo iptables -L -v时:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
3417 873K DOCKER-USER all -- any any anywhere anywhere
3417 873K DOCKER-INGRESS all -- any any anywhere anywhere
31 9043 DOCKER-ISOLATION-STAGE-1 all -- any any anywhere anywhere
0 0 ACCEPT all -- any docker0 anywhere anywhere ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- any docker0 anywhere anywhere
0 0 ACCEPT all -- docker0 !docker0 anywhere anywhere
0 0 ACCEPT all -- docker0 docker0 anywhere anywhere
18 7620 ACCEPT all -- any docker_gwbridge anywhere anywhere ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- any docker_gwbridge anywhere anywhere
13 1423 ACCEPT all -- docker_gwbridge !docker_gwbridge anywhere anywhere
0 0 DROP all -- docker_gwbridge docker_gwbridge anywhere anywhere
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
pkts bytes target prot opt in out source destination
0 0 DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 anywhere anywhere
13 1423 DOCKER-ISOLATION-STAGE-2 all -- docker_gwbridge !docker_gwbridge anywhere anywhere
31 9043 RETURN all -- any any anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- any docker0 anywhere anywhere
0 0 DROP all -- any docker_gwbridge anywhere anywhere
13 1423 RETURN all -- any any anywhere anywhere
Chain DOCKER-USER (1 references)
pkts bytes target prot opt in out source destination
3417 873K RETURN all -- any any anywhere anywhere
Chain DOCKER-INGRESS (1 references)
pkts bytes target prot opt in out source destination
1567 101K ACCEPT tcp -- any any anywhere anywhere tcp dpt:9000
1270 698K ACCEPT tcp -- any any anywhere anywhere state RELATED,ESTABLISHED tcp spt:9000
31 9043 RETURN all -- any any anywhere anywhere 我应该如何配置防火墙,使其不与Docker交互?我找到了一些部分的答案:
然而,我发现它相当复杂,我感到惊讶的是,在Docker的博客上没有这个问题的官方答案。
版本:
- 副总裁: Debian 10.2
- 码头发动机: 19.03.5
- Nginx: 1.16.1
- 表: 1.8.2
谢谢你的帮助。
回答 1
Server Fault用户
发布于 2020-01-26 20:36:17
您可以尝试绑定localhost而不是默认的0.0.0.0地址:
services:
app:
image: edouard/mywebapp:latest
ports:
- '127.0.0.1:9000:80'https://serverfault.com/questions/999140
复制相似问题
腾讯云开发者
Copyright © 2013 - 2026 Tencent Cloud. All Rights Reserved. 腾讯云 版权所有
深圳市腾讯计算机系统有限公司 ICP备案/许可证号:粤B2-20090059 
粤公网安备44030502008569号
腾讯云计算(北京)有限责任公司 京ICP证150476号 | 京ICP备11018762号