我在我的 VPS 上部署了一個 Docker Swarm 伺服器來處理 Asp.Net Core 應用程式。我想透過 Nginx Web 伺服器來提供這個應用程式。
假設我的 Web 應用程式是我透過 .Net Core CLI 命令建立的普通應用程式:
dotnet new webapp mywebapp
Dockerfile(簡化):
FROM mcr.microsoft.com/dotnet/core/sdk:3.0-alpine as builder
WORKDIR /app
COPY . .
RUN dotnet publish -c Release -o publish
WORKDIR /app/publish
ENTRYPOINT ["dotnet", "MyWebApp.dll"]
我的docker-compose.yml看起來像這樣(簡化):
version: '3'
services:
app:
image: edouard/mywebapp:latest
ports:
- 9000:80
我的 nginx 設定如下所示:
server {
listen 443 ssl;
server_name myservername.com;
ssl_certificate /path/to/ssl_certificate;
ssl_certificate_key /path/to/ssl_certificate_key;
location / {
proxy_pass http://localhost:9000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection keep-alive;
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
server {
listen 80;
server_name myservername.com;
return 301 https://$host$request_uri;
}
如您所見,我使用 Nginx 作為反向代理伺服器,將所有 HTTP/HTTPS 流量從 80 和 443 端口重定向到本地 9000 端口,Docker Swarm 將其映射到容器內的 80 端口,容器上運行著 Kestrel 伺服器。
上https://myservername.com,一切都運作良好。但事情是這樣的:人們還可以存取我的網路應用程式http://myservername.com:9000!這是我不想要的。
我想我必須配置防火牆,以便只允許流向 80 和 443 連接埠的流量(注意讓 22 連接埠用於 SSH 等)。我已經閱讀了一些教程來了解如何做到這一點,但是,Docker Swarm 也在處理防火牆!
當我啟動時sudo iptables -L -v:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
3417 873K DOCKER-USER all -- any any anywhere anywhere
3417 873K DOCKER-INGRESS all -- any any anywhere anywhere
31 9043 DOCKER-ISOLATION-STAGE-1 all -- any any anywhere anywhere
0 0 ACCEPT all -- any docker0 anywhere anywhere ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- any docker0 anywhere anywhere
0 0 ACCEPT all -- docker0 !docker0 anywhere anywhere
0 0 ACCEPT all -- docker0 docker0 anywhere anywhere
18 7620 ACCEPT all -- any docker_gwbridge anywhere anywhere ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- any docker_gwbridge anywhere anywhere
13 1423 ACCEPT all -- docker_gwbridge !docker_gwbridge anywhere anywhere
0 0 DROP all -- docker_gwbridge docker_gwbridge anywhere anywhere
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
pkts bytes target prot opt in out source destination
0 0 DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 anywhere anywhere
13 1423 DOCKER-ISOLATION-STAGE-2 all -- docker_gwbridge !docker_gwbridge anywhere anywhere
31 9043 RETURN all -- any any anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- any docker0 anywhere anywhere
0 0 DROP all -- any docker_gwbridge anywhere anywhere
13 1423 RETURN all -- any any anywhere anywhere
Chain DOCKER-USER (1 references)
pkts bytes target prot opt in out source destination
3417 873K RETURN all -- any any anywhere anywhere
Chain DOCKER-INGRESS (1 references)
pkts bytes target prot opt in out source destination
1567 101K ACCEPT tcp -- any any anywhere anywhere tcp dpt:9000
1270 698K ACCEPT tcp -- any any anywhere anywhere state RELATED,ESTABLISHED tcp spt:9000
31 9043 RETURN all -- any any anywhere anywhere
我該如何配置防火牆,使其不與 Docker Swarm 互動?我找到了部分答案:
然而,我發現它相當複雜,而且令我驚訝的是 Docker 的部落格上沒有對此問題的官方答案。
版本:
- VPS:Debian 10.2
- Docker 引擎:19.03.5
- nginx:1.16.1
- iptables:1.8.2
感謝您的幫助。
答案1
您可以嘗試綁定 localhost 而不是預設的 0.0.0.0 位址:
services:
app:
image: edouard/mywebapp:latest
ports:
- '127.0.0.1:9000:80'