Configuring an nginx reverse proxy so the Docker API can be accessed remotely by domain name

Docker behind an nginx reverse proxy

I have previously configured Docker to listen on port 2376 for remote access. That is convenient, but it requires opening port 2376 in the server's firewall (stating the obvious). Instead, we configure an nginx reverse proxy and reach the API directly through the domain name on port 443.

Configuring an nginx reverse proxy for remote Docker access by domain name

Functionally this approach is exactly the same as opening port 2376; the only difference is that access goes through the proxy.

Preparing the environment

Environment

ubuntu 18.04
docker community 19.03

Preparation

Concepts

By default the Docker daemon dockerd communicates with local processes over a Unix socket (/var/run/docker.sock) and does not listen on any port. To operate the Docker host from another machine, dockerd has to be made to open an HTTP socket; only then is remote communication possible.

Locally, running docker ps has the same effect as docker -H unix:///var/run/docker.sock ps:

[email protected]:~$ docker ps
CONTAINER ID        IMAGE                        COMMAND                  CREATED             STATUS              PORTS                                      NAMES
6a60494e8756        jwilder/nginx-proxy:alpine   "/app/docker-entrypo…"   41 minutes ago      Up 41 minutes       0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp   nginx-proxy
72d843c3164f        portainer/portainer          "/portainer -H unix:…"   21 hours ago        Up 17 hours         9000/tcp                                   portainer
[email protected]:~$ docker -H unix:///var/run/docker.sock images
REPOSITORY            TAG                 IMAGE ID            CREATED             SIZE
jwilder/nginx-proxy   alpine              730317336993        2 days ago          54.4MB
portainer/portainer   latest              2b4ddf654e1c        6 weeks ago         77.7MB
[email protected]:~$ 

The nginx-proxy project itself uses -v /var/run/docker.sock:/tmp/docker.sock:ro to mount the host's docker.sock into the container. So the idea is clear: reverse-proxy /tmp/docker.sock from inside the nginx-proxy container.

Configuration

Add a docker.weii.ink.conf file under conf.d and put the certificate files in certs. The path is the one mounted as conf.d in the nginx-proxy container; see the previous post on the nginx-proxy setup. My configuration is below.

[email protected]:~/project/nginx-proxy/nginx/conf.d$ cat docker.weii.ink.conf 
upstream docker.weii.ink {
  ## Can be connected with "nginx_networks" network
  # docker
  server unix:///tmp/docker.sock;
}
server {
  server_name docker.weii.ink;
  listen 80 ;
  access_log /var/log/nginx/access.log vhost;
  return 301 https://$server_name$request_uri;
}
server {
  server_name docker.weii.ink;
  listen 443 ssl http2 ;
  access_log /var/log/nginx/access.log vhost;
  
  ssl_certificate      /etc/nginx/certs/docker-server-cert.pem;
  ssl_certificate_key  /etc/nginx/certs/docker-server-key.pem;
  ssl_client_certificate /etc/nginx/certs/docker-ca.pem;
  ssl_verify_client on;

  ssl_session_timeout 5m;
  ssl_session_cache shared:SSL:50m;
  ssl_session_tickets off;
  add_header Strict-Transport-Security "max-age=31536000" always;

  location / {
      proxy_pass http://docker.weii.ink;
  }
} 
[email protected]:~/project/nginx-proxy/nginx/conf.d$ 

Then restart nginx-proxy and it is done. Note: if the nginx log reports a permission error on unix:///tmp/docker.sock, open up the permissions with docker exec -it nginx-proxy chmod 777 /tmp/docker.sock
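As an added check (not part of the original post), the following Python audits an nginx vhost of the shape shown above: it parses the config, finds every server block whose proxy_pass reaches a unix-socket upstream, and reports when that block listens without TLS or does not require a client certificate. The sample config is a condensed copy of the vhost above, and the two weakened variants are constructed for comparison.

```python
import re
# Constructed sample: a condensed copy of the docker.weii.ink vhost above (socket path and CA path from the post).
GOOD_CONF = """
upstream docker.weii.ink { server unix:///tmp/docker.sock; }
server { server_name docker.weii.ink; listen 80; return 301 https://$server_name$request_uri; }
server {
  server_name docker.weii.ink; listen 443 ssl http2;
  ssl_client_certificate /etc/nginx/certs/docker-ca.pem;
  ssl_verify_client on;
  location / { proxy_pass http://docker.weii.ink; }
}
"""
# Two constructed weakened variants: client-certificate verification off, and TLS dropped from the listener.
NO_MTLS_CONF = GOOD_CONF.replace("ssl_verify_client on;", "ssl_verify_client off;")
PLAINTEXT_CONF = GOOD_CONF.replace("listen 443 ssl http2;", "listen 443;")

def parse_nginx(text):
    """Minimal nginx config parser: strips comments, returns [(directive, args, children_or_None)]."""
    tokens = re.findall(r'"[^"]*"|[;{}]|[^\s;{}]+', re.sub(r'#[^\n]*', '', text))
    def walk(i):
        block, cur = [], []              # parsed directives, and the tokens of the pending one
        while i < len(tokens):
            tok, i = tokens[i], i + 1
            if tok == '}':
                return block, i
            if tok in (';', '{'):        # directive complete; '{' also opens a nested body
                children, i = walk(i) if tok == '{' else (None, i)
                block.append((cur[0], cur[1:], children)); cur = []
            else:
                cur.append(tok)
        return block, i
    return walk(0)[0]

def audit_docker_proxy(text):
    """Return findings for every server block whose proxy_pass reaches a unix-socket upstream."""
    tree, findings = parse_nginx(text), []
    socket_upstreams = {a[0] for d, a, ch in tree if d == 'upstream' and ch
                        and any(c[0] == 'server' and c[1][0].startswith('unix:') for c in ch)}
    for _, _, ch in (x for x in tree if x[0] == 'server' and x[2] is not None):
        directives = {c[0]: c[1] for c in ch}
        name = ' '.join(directives.get('server_name', ['<unnamed>']))
        targets = [p[1][0].split('://', 1)[-1] for c in ch if c[0] == 'location' and c[2]
                   for p in c[2] if p[0] == 'proxy_pass']
        if not any(t in socket_upstreams for t in targets):
            continue                     # this vhost does not front dockerd
        if not all('ssl' in c[1] for c in ch if c[0] == 'listen'):
            findings.append(f"{name}: a listener without 'ssl' fronts the Docker socket")
        if directives.get('ssl_verify_client') != ['on'] or 'ssl_client_certificate' not in directives:
            findings.append(f"{name}: client certificates are not required; any TLS client could drive dockerd")
    return findings
```

Run it against the real conf.d file before restarting nginx-proxy; an empty result means the vhost in front of the socket still enforces TLS and client certificates.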

Verification

[email protected]:~/project/CA/Client$ curl https://docker.weii.ink/images/json --cert cert.pem --key key.pem --cacert ca.pem
[{"Containers":-1,"Created":1568041593,"Id":"sha256:73031733699358abfc15a2953e496e0edddb127123e51a099aa953391c6db542","Labels":{"maintainer":"Jason Wilder [email protected]"},"ParentId":"","RepoDigests":["jwilder/nginx-proxy@sha256:07c0e9866ce0e974b92173542ebdaa2dc03315ec8269e0718dcca5bb3450a430"],"RepoTags":["jwilder/nginx-proxy:alpine"],"SharedSize":-1,"Size":54365911,"VirtualSize":54365911},{"Containers":-1,"Created":1564107108,"Id":"sha256:2b4ddf654e1c413b21c7253125aa0f34a4ff74154558940fa689f8754ec853c5","Labels":null,"ParentId":"","RepoDigests":["portainer/portainer@sha256:a16919b3e02323e4bd0a8c5023d6fd569525297b9dc9a028d778cb6e13512be5"],"RepoTags":["portainer/portainer:latest"],"SharedSize":-1,"Size":77680455,"VirtualSize":77680455}]
[email protected]:~/project/CA/Client$ docker images
REPOSITORY            TAG                 IMAGE ID            CREATED             SIZE
jwilder/nginx-proxy   alpine              730317336993        2 days ago          54.4MB
portainer/portainer   latest              2b4ddf654e1c        6 weeks ago         77.7MB

After that, IntelliJ IDEA can connect to the remote Docker host directly for development.

Updated 2019-09-12