docker_nginx反向代理多个容器实例

docker_nginx反向代理多个容器实例, 这里使用的是 qnap 中的 Container Station 跑的docker.
目的: 在使用同一个外网端口(443)的情况下, 通过反向代理 二级域名 到 多个容器的不同端口上. 同时使用 https 加持
例如: a.xx.com -> 实例a:3000, b.xx.com -> 实例b:4000


前置物料

  1. 阿里云注册的域名, 及其免费证书.
  2. 公网ip
  3. docker 实例 , 这里是 gogs, 容器 web 端口是 3000

docker nginx 启动

  1. 拉个官网镜像. docker pull nginx

  2. https 证书丢到 DockerData/nginx/certs 下.

    • get到阿里云的免费证书,有效期是一年:参考这里:https://segmentfault.com/a/1190000009220479 , 下载 nginx 的证书
  3. 跑起来, 这里用的是 qnap

    1. 链接了两个 docker 实例

      :gogs:3000
      :hexo:4000

    2. 端口映射, 主要是 443 https端口

      443:443
      32770:80

    3. 挂载文件

      DockerData/nginx/certs:/certs # 挂载 阿里云 下载的 nginx证书 (目录里有私钥 .key, 建议以只读方式挂载, 并限制宿主机上该目录的访问权限)
      DockerData/nginx/conf:/etc/nginx/conf.d # 配置文件. 详细配置看这里 反向代理配置

      添加配置文件

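      # HTTPS virtual host: terminates TLS for gogs.abc.com and forwards every
      # request to the linked gogs container.
      server
      {
        listen 443 ssl;
        server_name gogs.abc.com; # domain registered with Aliyun
        # Certificate and private key, read from the mounted /certs volume.
        ssl_certificate /certs/cert_gogs/214816825520979.pem;
        ssl_certificate_key /certs/cert_gogs/214816825520979.key;
        ssl_session_timeout 5m;
        # TLS 1.0 and 1.1 are deprecated (RFC 8996); offer TLS 1.2 and 1.3 only.
        # TLSv1.3 needs nginx 1.13.0+ built against OpenSSL 1.1.1+; drop it on older builds.
        ssl_protocols TLSv1.2 TLSv1.3;
        # Explicit forward-secret AEAD suites instead of broad groups such as
        # AES/HIGH, which also admit static-RSA key exchange and CBC suites.
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
        ssl_prefer_server_ciphers on;
        location / {
            proxy_redirect off;
            # Pass the requested host name and the client address on to the backend.
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # The hop to the container is plain HTTP; tell the backend the client used HTTPS.
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_pass http://gogs:3000; # web port of the linked gogs container
        }
        # Request bodies up to 512 MB are accepted.
        # NOTE(review): presumably sized for large pushes over HTTP - confirm.
        client_max_body_size 512M;
        access_log /var/log/nginx/gogs.abc.com.log;
      }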

  4. run 起来后访问


多域名绑定同一个ip

同一台机子绑定了多个二级域名, 将二级域名的记录值CNAME到主域名即可
参考: https://github.com/chenhw2/aliyun-ddns-cli/issues/10


hexo docker: https://hub.docker.com/r/ipple1986/hexo/


gogs 使用 https 及 二级域名 加持

需要修改 gogs 中的两个参数, 才能在 https 下正确显示并 clone

[server]
; Host name and base URL Gogs uses for the links and clone addresses it shows;
; both carry the HTTPS name that the nginx proxy serves.
DOMAIN   = gogs.abc.com
ROOT_URL = https://gogs.abc.com/

https://gogs.abc.com/yangxuan/ArtRes_ItsCharOld.git


开启 gzip

  1. nginx代理所有都开启gzip, 修改配置文件 /etc/nginx/nginx.conf

    
    # vi /etc/nginx/nginx.conf # 加入以下配置
    
    ...
        # Commented-out line that was already in the file, kept for reference:
        #gzip  on;
        # Turn response compression on.
        # NOTE(review): set in nginx.conf, this also compresses responses of the
        # HTTPS virtual hosts. Compressing TLS responses that reflect request data
        # next to secrets (CSRF tokens, session values) is the precondition for
        # BREACH; consider switching gzip off in such locations or limiting it
        # to static assets.
        gzip on;
        # Compression level; higher values compress harder and use more CPU.
        gzip_comp_level 3;
        # Smallest response, in bytes, that gets compressed.
        gzip_min_length 1000;
        # Number and size of the compression buffers (two arguments, separated by a space).
        gzip_buffers 4 8k;
        # MIME types to compress; covers the usual text-based formats.
        gzip_types
            text/plain
            application/x-javascript
            text/css
            application/xml
            application/javascript
            application/json;
    ...
  2. 重启nginx

  3. 打开Chrome查看是否开启成功


相关详细配置

反向代理配置

自定义文件 /etc/nginx/conf.d/my_nginx.conf

# http conf
# server {
#     listen  80;
#     server_name  gogs.abc.com;
#     access_log /var/log/nginx/www.abc.access.log main;
#     error_log /var/log/nginx/www.abc.error.log error;
#     location / {
#         proxy_set_header  Host  $http_host;
#         proxy_set_header  X-Real-IP  $remote_addr;
#         proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
#         proxy_pass  http://gogs:3000;
#     }
# }

# http redirect to https
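server {
    listen 80;
    server_name abc.com www.abc.com;
    # `return` is the idiomatic way to redirect: no regex is evaluated, and
    # $request_uri keeps the original path and query string.
    # NOTE(review): this is the only active port-80 server in this file, so it
    # also answers requests whose Host matches none of the names above (that is
    # how gogs.abc.com and blog.abc.com get redirected), and $host copies that
    # Host value into the Location header. To redirect known names only, list
    # every subdomain in server_name and add a separate default_server that
    # rejects everything else.
    return 301 https://$host$request_uri;
}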

# https conf
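# HTTPS virtual host that serves static files for www.abc.com.
server
{
    listen 443 ssl;
    server_name www.abc.com;
    # Certificate and private key, read from the mounted /certs volume.
    ssl_certificate /certs/cert_www/214597807690979.pem;
    ssl_certificate_key /certs/cert_www/214597807690979.key;
    ssl_session_timeout 5m;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996); offer TLS 1.2 and 1.3 only.
    # TLSv1.3 needs nginx 1.13.0+ built against OpenSSL 1.1.1+; drop it on older builds.
    ssl_protocols TLSv1.2 TLSv1.3;
    # Explicit forward-secret AEAD suites instead of broad groups such as
    # AES/HIGH, which also admit static-RSA key exchange and CBC suites.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;
    # Optional hardening: once every name is reachable over HTTPS, HSTS tells
    # browsers not to fall back to plain HTTP. Left disabled because browsers
    # cache the policy for the full max-age.
    # add_header Strict-Transport-Security "max-age=31536000" always;
    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }
#    location / {
#        proxy_redirect off;
#        proxy_set_header Host $host;
#        proxy_set_header X-Real-IP $remote_addr;
#        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#        proxy_pass http://127.0.0.1;
#    }
    # Request bodies up to 512 MB are accepted.
    # NOTE(review): no upload path is visible for this static site; a much
    # smaller limit would probably do - confirm.
    client_max_body_size 512M;
    access_log /var/log/nginx/www.abc.com.log;
}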

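# HTTPS virtual host: terminates TLS for gogs.abc.com and forwards every
# request to the linked gogs container.
server
{
    listen 443 ssl;
    server_name gogs.abc.com;
    # Certificate and private key, read from the mounted /certs volume.
    ssl_certificate /certs/cert_gogs/214816825520979.pem;
    ssl_certificate_key /certs/cert_gogs/214816825520979.key;
    ssl_session_timeout 5m;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996); offer TLS 1.2 and 1.3 only.
    # TLSv1.3 needs nginx 1.13.0+ built against OpenSSL 1.1.1+; drop it on older builds.
    ssl_protocols TLSv1.2 TLSv1.3;
    # Explicit forward-secret AEAD suites instead of broad groups such as
    # AES/HIGH, which also admit static-RSA key exchange and CBC suites.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;
    location / {
        proxy_redirect off;
        # Pass the requested host name and the client address on to the backend.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # The hop to the container is plain HTTP; tell the backend the client used HTTPS.
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://gogs:3000;
    }
    # Request bodies up to 512 MB are accepted.
    # NOTE(review): presumably sized for large pushes over HTTP - confirm.
    client_max_body_size 512M;
    access_log /var/log/nginx/gogs.abc.com.log;
}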

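# HTTPS virtual host: terminates TLS for blog.abc.com and forwards every
# request to the linked hexo container.
server
{
    listen 443 ssl;
    server_name blog.abc.com;
    # Certificate and private key, read from the mounted /certs volume.
    ssl_certificate /certs/cert_blog/214816925260979.pem;
    ssl_certificate_key /certs/cert_blog/214816925260979.key;
    ssl_session_timeout 5m;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996); offer TLS 1.2 and 1.3 only.
    # TLSv1.3 needs nginx 1.13.0+ built against OpenSSL 1.1.1+; drop it on older builds.
    ssl_protocols TLSv1.2 TLSv1.3;
    # Explicit forward-secret AEAD suites instead of broad groups such as
    # AES/HIGH, which also admit static-RSA key exchange and CBC suites.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;
    location / {
        proxy_redirect off;
        # Pass the requested host name and the client address on to the backend.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # The hop to the container is plain HTTP; tell the backend the client used HTTPS.
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://hexo:4000;
    }
    # Request bodies up to 512 MB are accepted.
    # NOTE(review): no upload path is visible for the blog; a much smaller
    # limit would probably do - confirm.
    client_max_body_size 512M;
    access_log /var/log/nginx/blog.abc.com.log;
}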

# server {
#     listen  80;
#     server_name  gossh.abc.com;
#     access_log /var/log/nginx/www.abc.access.log main;
#     error_log /var/log/nginx/www.abc.error.log error;
#     location / {
#         proxy_set_header  Host  $http_host;
#         proxy_set_header  X-Real-IP  $remote_addr;
#         proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
#         proxy_pass  http://gogs:23522;
#     }
# }
