
Docker - How to Configure an HTTPS Reverse Proxy

2021-07-08  红薯爱帅

1. Overview

This article describes how to configure HTTPS for Sentry. There are two approaches; this article focuses on the second.

2. Steps to Start Nginx

2.1. Generate the TLS certificate

mkdir certs
openssl req -newkey rsa:2048 -nodes -sha256 -keyout certs/sentry.com.key -x509 -days 365 -out certs/sentry.com.crt

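2.2. Create nginx.conf

Two fields are added to log_format to measure the time spent in the back-end API.

As the description above shows, request_time is always greater than upstream_response_time, especially when the client submits a large amount of data via POST or when the response body is large. When the client's network conditions are poor, $request_time is inflated further.

Reference: https://www.cnblogs.com/thatsit/p/7078210.html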

# User that runs nginx
user  nginx;
# Number of worker processes; set this equal to the number of CPUs
worker_processes  1;

# Locations of the global error log and the PID file
error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;

# Working mode and connection limit
events {
    # Maximum number of concurrent connections per worker process
    worker_connections  1024;
}

http {
    # MIME types
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    # Log format
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent $request_time[$upstream_response_time] "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    # Keep-alive connection timeout
    keepalive_timeout  65;

    # Enable gzip compression
    #gzip  on;

    server {
        listen 80;
        server_name mywebsite.com;
        rewrite ^(.*)$ https://${server_name}$1 permanent;
    }

    server {
        listen 443 ssl;
        server_name  mywebsite.com;             # domain name

        # Enable SSL/TLS
        ssl_certificate /ssl/sentry.com.crt;
        ssl_certificate_key /ssl/sentry.com.key;

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

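        # Allowed protocol versions; SSLv2 and SSLv3 are broken and stay disabled
        ssl_protocols  TLSv1.2 TLSv1.3;

        ssl_ciphers  HIGH:!aNULL:!MD5;   # Cipher suites, in OpenSSL cipher-list format
        ssl_prefer_server_ciphers  on;   # Prefer the server's cipher order over the client's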

        # Proxy all requests to the back-end service
        location / {
            proxy_pass         http://10.211.28.94:9090;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }

        # Serve /50x.html for server error responses
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   /usr/share/nginx/html;
        }
    }

}

2.3. Start Nginx

$ tree .
.
├── certs
│   ├── sentry.com.crt
│   └── sentry.com.key
├── launch.sh
├── logs
│   ├── access.log
│   └── error.log
└── nginx.conf

docker stop infra-nginx

docker run -d --rm \
        --name infra-nginx \
        -p 443:443 \
        -p 80:80 \
        -v "$(pwd)"/nginx.conf:/etc/nginx/nginx.conf:ro \
        -v "$(pwd)"/logs:/var/log/nginx/:rw \
        -v "$(pwd)"/certs/:/ssl/:ro \
        nginx

3. Test

Open a local browser and visit https://sentry-service. Nginx writes the following log entries:

$ tail -f logs/access.log
10.210.10.153 - - [06/Jul/2021:02:44:53 +0000] "POST /api/4/store/?sentry_key=b8fd92aebc66&sentry_version=7 HTTP/1.1" 200 41 0.015[0.003] "http://localhost:8000/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36" "-"
10.210.10.153 - - [06/Jul/2021:02:44:53 +0000] "POST /api/4/store/?sentry_key=b8fd92aebc66&sentry_version=7 HTTP/1.1" 200 41 0.011[0.003] "http://localhost:8000/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36" "-"
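
The log_format from section 2.2 writes the two timing fields as request_time[upstream_response_time]. The following is an added example, not part of the original article: it parses lines in that format and reports how much of each request was spent outside the back end. The function names and the sample lines are constructed for illustration.

```python
import re

# Matches the 'main' log_format from section 2.2, up to the timing fields:
# ... "$request" $status $body_bytes_sent $request_time[$upstream_response_time] ...
LINE_RE = re.compile(
    r'^(?P<addr>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+) '
    r'(?P<request_time>[\d.]+)\[(?P<upstream>[^\]]*)\] '
)

def parse_line(line):
    """Return the timing fields of one access-log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    # $upstream_response_time is "-" when no upstream was contacted (for example
    # the port-80 redirect) and a comma/colon-separated list after retries.
    parts = [p for p in re.split(r'\s*[,:]\s*', m['upstream']) if p not in ('', '-')]
    upstream = round(sum(float(p) for p in parts), 3) if parts else None
    total = float(m['request_time'])
    return {
        'request': m['request'],
        'status': int(m['status']),
        'request_time': total,
        'upstream_time': upstream,
        # Time not spent waiting on the back end: client transfer and proxy overhead.
        'outside_upstream': None if upstream is None else round(total - upstream, 3),
    }

def slow_outside_upstream(lines, threshold=0.010):
    """Requests that spent more than `threshold` seconds outside the back end."""
    rows = [r for r in map(parse_line, lines) if r is not None]
    return [r for r in rows
            if r['outside_upstream'] is not None and r['outside_upstream'] > threshold]

# Constructed sample lines in the article's log format (all values are made up).
SAMPLE = [
    '192.0.2.10 - - [06/Jul/2021:02:44:53 +0000] "POST /api/4/store/ HTTP/1.1" '
    '200 41 0.015[0.003] "-" "curl/7.68.0" "-"',
    '192.0.2.10 - - [06/Jul/2021:02:44:54 +0000] "GET / HTTP/1.1" '
    '301 169 0.000[-] "-" "curl/7.68.0" "-"',
    '192.0.2.11 - - [06/Jul/2021:02:44:55 +0000] "POST /api/4/store/ HTTP/1.1" '
    '200 41 0.020[0.010, 0.004] "-" "curl/7.68.0" "-"',
]

if __name__ == '__main__':
    for row in slow_outside_upstream(SAMPLE):
        print(row['request'], row['request_time'], row['upstream_time'])
```

A large gap between the two values points at the client connection or the proxy rather than the back-end API, which is the distinction the two log fields were added to make.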